http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.2

26389

26450

26500

26643

26664

26760

27227

DSA-1356

MDVSA-2008:105

SUSE-SA:2007:051

SUSE-SA:2007:053

RHSA-2007:0705

25263

USN-509-1

USN-510-1

ADV-2007-2854

https://issues.rpath.com/browse/RPL-1620

oval:org.mitre.oval:def:11196

From Red Hat Security Advisory 2007:0705 :

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important)

* a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important)

* a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important)

* flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important)

* a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate)

* a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate)

* a flaw in the CIFS handling of the mount option 'sec=' that didn't enable integrity checking and didn't produce any error message.
(CVE-2007-3843, Low)

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

This kernel update fixes the following security problems :

  - The IPv6 protocol allows remote attackers to cause a     denial of service via crafted IPv6 type 0 route headers     (IPV6_RTHDR_TYPE_0) that create network amplification     between two routers. (CVE-2007-2242)

    The default is that RH0 is disabled now. To adjust this,     write to the file /proc/net/accept_source_route6.

  - The random number feature in the Linux kernel 2.6 (1)     did not properly seed pools when there is no entropy, or     (2) used an incorrect cast when extracting entropy,     which might have caused the random number generator to     provide the same values after reboots on systems without     an entropy source. (CVE-2007-2453)

  - A NULL pointer dereference in SCTP connection tracking     could be caused by a remote attacker by sending     specially crafted packets. Note that this requires SCTP     set-up and active to be exploitable. (CVE-2007-2876)

  - Stack-based buffer overflow in the random number     generator (RNG) implementation in the Linux kernel     before 2.6.22 might allow local root users to cause a     denial of service or gain privileges by setting the     default wakeup threshold to a value greater than the     output pool size, which triggers writing random numbers     to the stack by the pool transfer function involving     'bound check ordering'. (CVE-2007-3105)

    Since this value can only be changed by a root user,     exploitability is low.

  - The signal handling in the Linux kernel, when run on     PowerPC systems using HTX, allows local users to cause a     denial of service via unspecified vectors involving     floating point corruption and concurrency.
    (CVE-2007-3107)

  - Memory leak in the PPP over Ethernet (PPPoE) socket     implementation in the Linux kernel allowed local users     to cause a denial of service (memory consumption) by     creating a socket using connect, and releasing it before     the PPPIOCGCHAN ioctl is initialized. (CVE-2007-2525)

  - The lcd_write function in drivers/usb/misc/usblcd.c in     the Linux kernel did not limit the amount of memory used     by a caller, which allowed local users to cause a denial     of service (memory consumption). (CVE-2007-3513)

  - A local attacker could send a death signal to a setuid     root program under certain conditions, potentially     causing unwanted behaviour in this program.
    (CVE-2007-3848)

  - On machines with a Intel i965 based graphics card local     users with access to the direct rendering devicenode     could overwrite memory on the machine and so gain root     privileges. (CVE-2007-3851)

  - Fixed a denial of service possibility where a local     attacker with access to a pwc camera device could hang     the USB subsystem. [#302194]

and the following non security bugs :

  - patches.arch/ppc-oprofile-970mp.patch: enable ppc64/970     MP, requires oprofile 0.9.3 [#252696]

  - patches.arch/x86_64-no-tsc-with-C3: don't use TSC on     x86_64 Intel systems when CPU has C3 [#254061]

  - patches.arch/x86_64-hpet-lost-interrupts-fix.patch:
    backport x86_64 hpet lost interrupts code [#257035]

  - patches.fixes/fusion-nat-consumption-fix: handle a     potential race in mptbase. This fixes a NaT consumption     crash [#257412]

  - patches.arch/ia64-skip-clock-calibration: enabled     [#259501]

  - patches.fixes/md-raid1-handle-read-error: Correctly     handle read errors from a failed drive in raid1     [#261459]

  - patches.arch/ia64-fix-kdump-on-init: kdump on INIT needs     multi-nodes sync-up (v.2) [#265764]

  - patches.arch/ia64-perfmon-fix-2: race condition between     pfm_context_create and pfm_read [#268131]

  - patches.fixes/cpufreq_ppc_boot_option.patch: workaround     for _PPC (BIOS cpufreq limitations) [#269579]

  - patches.arch/acpi_package_object_support.patch: ACPI     package object as method parameter support (in AML)     [#270956]

  - patches.fixes/ia64_cpufreq_PDC.patch: correctly assign     as cpufreq capable driver (_PDC) to BIOS [#270973]

  - patches.arch/ia64-kdump-hpzx1-ioc-workaround: update to     latest upstream version of the patch [#271158]

  - patches.suse/delayacct_memleak.patch: Fix delayacct     memory leak [#271187]

  - patches.fixes/fc_transport-check-portstate-before-scan:
    check FC portstates before invoking target scan     [#271338]

  - patches.fixes/unusual14cd.patch: quirk for 14cd:6600     [#274087]

  -     patches.fixes/reiserfs-change_generation_on_update_sd.di     ff: fix assertion failure in reiserfs [#274288]

  -     patches.drivers/d-link-dge-530t-should-use-the-skge-driv     er.patch: D-Link DGE-530T should use the skge driver     [#275376]

  - patches.arch/ia64-dont-unwind-running-tasks.patch: Only     unwind non-running tasks [#275854]

  - patches.fixes/dm-mpath-rdac-avt-support: short circuit     RDAC hardware handler in AVT mode [#277834]

  - patches.fixes/lkcd-re-enable-valid_phys_addr_range:
    re-enable the valid_phys_addr_range() check [#279433]

  - patches.drivers/cciss-panic-on-reboot: when root     filesystem is xfs the server cannot do a second reboot     [#279436] Also resolves same issue in [#291759].

  - patches.drivers/ide-hpt366-fix-302n-oops: fix hpt302n     oops [#279705]

  - patches.fixes/serial-8250-backup-timer-2-deadlock-fix:
    fix possible deadlock [#280771]

  - patches.fixes/nfs-osync-error-return: ensure proper     error return from O_SYNC writes [#280833]

  - patches.fixes/acpi_pci_hotplug_poweroff.patch: ACPI PCI     hotplug driver acpiphp unable to power off PCI slot     [#281234]

  -     patches.drivers/pci-hotplug-acpiphp-remove-hot-plug-para     meter-write-to-pci-host-bridge.patch: remove hot plug     parameter write to PCI host bridge [#281239]

  - patches.fixes/scsi-set-correct-resid: Incorrect 'resid'     field values when using a tape device [#281640]

  - patches.drivers/usb-edgeport-epic-support.patch: USB:
    add EPIC support to the io_edgeport driver [#281921]

  - patches.fixes/usb-hid-ncr-no-init-reports.patch: HID:
    Don't initialize reports for NCR devices [#281921]

  - patches.drivers/ppc-power6-ehea.patch: use decimal     values in sysfs propery logical_port_id, fix panic when     adding / removing logical eHEA ports [#283070]

  - patches.arch/ppc-power6-ebus.patch: DLPAR Adapter     add/remove functionality for eHEA [#283239]

  - patches.fixes/nfs-enospc: Return ENOSPC and EDQUOT to     NFS write requests more promptly [#284042]

  -     patches.drivers/pci-hotplug-acpiphp-avoid-acpiphp-cannot
    -get-bridge-info-pci-hotplug-failure.patch: PCI:
    hotplug: acpiphp: avoid acpiphp 'cannot get bridge info'     PCI hotplug failure [#286193]

  - patches.drivers/lpfc-8.1.10.9-update: lpfc update to     8.1.10.9 [#286223]

  - patches.fixes/make-swappiness-safer-to-use.patch: Handle     low swappiness gracefully [#288799]

  - patches.arch/ppc-oprofile-power5plusplus.patch: oprofile     support for Power 5++ [#289223]

  - patches.drivers/ppc-power6-ehea.patch: Fixed possible     kernel panic on VLAN packet recv [#289301]

  - patches.fixes/igrab_should_check_for_i_clear.patch:
    igrab() should check for I_CLEAR [#289576]

  - patches.fixes/wait_for_sysfs_population.diff: Driver     core: bus device event delay [#289964]

  -     patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni     ng-better: better throttling of SG_DXFER_TO_FROM_DEV     warning messages [#290117]

  -     patches.arch/mark-unwind-info-for-signal-trampolines-in-     vdsos.patch: Mark unwind info for signal trampolines in     vDSOs [#291421]

  - patches.fixes/hugetlbfs-stack-grows-fix.patch: don't     allow the stack to grow into hugetlb reserved regions     [#294021]

  - patches.drivers/alsa-post-sp1-hda-analog-update: add     support of of missing AD codecs [#294471]

  - patches.drivers/alsa-post-sp1-hda-conexant-fixes: fix     unterminated arrays [#294480]

  - patches.fixes/fix_hpet_init_race.patch: fix a race in     HPET initialization on x86_64 resulting in a lockup on     boot [#295115]

  - patches.drivers/alsa-post-sp1-hda-sigmatel-pin-fix: Fix     number of pin widgets with STAC codecs [#295653]

  -     patches.fixes/pci-pcieport-driver-remove-invalid-warning
    -message.patch: PCI: pcieport-driver: remove invalid     warning message [#297135] [#298561]

  - patches.kernel.org/patch-2.6.16.NN-$((NN+1)), NN =     18,...,52: update to Kernel 2.6.16.53; lots of bugfixes     [#298719] [#186582] [#186583] [#186584]

  - patches.fixes/ocfs2-1.2-svn-r3027.diff: proactive patch     [#298845]

  - patches.drivers/b44-phy-fix: Fix frequent PHY resets     under load on b44 [#301653]

  - dd patches.arch/ppc-eeh-node-status-okay.patch firmware     returns 'okay' instead of 'ok' for node status [#301788]

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* a flaw in the DRM driver for Intel graphics cards that allowed a local user to access any part of the main memory. To access the DRM functionality a user must have access to the X server which is granted through the graphical login. This also only affected systems with an Intel 965 or later graphic chipset. (CVE-2007-3851, Important)

* a flaw in the VFAT compat ioctl handling on 64-bit systems that allowed a local user to corrupt a kernel_dirent struct and cause a denial of service (system crash). (CVE-2007-2878, Important)

* a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important)

* flaw in the CIFS filesystem which could cause the umask values of a process to not be honored. This affected CIFS filesystems where the Unix extensions are supported. (CVE-2007-3740, Important)

* a flaw in the stack expansion when using the hugetlb kernel on PowerPC systems that allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate)

* a flaw in the ISDN CAPI subsystem that allowed a remote user to cause a denial of service or potential remote access. Exploitation would require the attacker to be able to send arbitrary frames over the ISDN network to the victim's machine. (CVE-2007-1217, Moderate)

* a flaw in the cpuset support that allowed a local user to obtain sensitive information from kernel memory. To exploit this the cpuset filesystem would have to already be mounted. (CVE-2007-2875, Moderate)

* a flaw in the CIFS handling of the mount option 'sec=' that didn't enable integrity checking and didn't produce any error message.
(CVE-2007-3843, Low)

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to correct these issues.

The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740)

The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.
(CVE-2007-3851)

The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. (CVE-2007-4133)

The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This vulnerability is now being fixed in the Xen kernel too. (CVE-2007-4573)

Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two error.
(CVE-2007-4997)

The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 relies on user space to close the device, which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. (CVE-2007-5093)

A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375)

The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525)

An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875)

Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876)

Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878)

A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104)

A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105)

A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513)

Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service.
(CVE-2007-3642)

A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843)

It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848)

The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851)

It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104)

A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105)

A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513)

It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848)

The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851)

It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-1353     Ilja van Sprundel discovered that kernel memory could be     leaked via the Bluetooth setsockopt call due to an     uninitialized stack buffer. This could be used by local     attackers to read the contents of sensitive kernel     memory.

  - CVE-2007-2172     Thomas Graf reported a typo in the DECnet protocol     handler that could be used by a local attacker to     overrun an array via crafted packets, potentially     resulting in a Denial of Service (system crash). A     similar issue exists in the IPV4 protocol handler and     will be fixed in a subsequent update.

  - CVE-2007-2453     A couple of issues with random number generation were     discovered. Slightly less random numbers resulted from     hashing a subset of the available entropy. Zero-entropy     systems were seeded with the same inputs at boot time,     resulting in repeatable series of random numbers.

  - CVE-2007-2525     Florian Zumbiehl discovered a memory leak in the PPPOE     subsystem caused by releasing a socket before     PPPIOCGCHAN is called upon it. This could be used by a     local user to DoS a system by consuming all available     memory.

  - CVE-2007-2876     Vilmos Nebehaj discovered a NULL pointer dereference     condition in the netfilter subsystem. This allows remote     systems which communicate using the SCTP protocol to     crash a system by creating a connection with an unknown     chunk type.

  - CVE-2007-3513     Oliver Neukum reported an issue in the usblcd driver     which, by not limiting the size of write buffers,     permits local users with write access to trigger a DoS     by consuming all available memory.

  - CVE-2007-3642     Zhongling Wen reported an issue in nf_conntrack_h323     where the lack of range checking may lead to NULL     pointer dereferences. Remote attackers could exploit     this to create a DoS condition (system crash).

  - CVE-2007-3848     Wojciech Purczynski discovered that pdeath_signal was     not being reset properly under certain conditions which     may allow local users to gain privileges by sending     arbitrary signals to suid binaries.

  - CVE-2007-3851     Dave Airlie reported that Intel 965 and above chipsets     have relocated their batch buffer security bits. Local X     server users may exploit this to write user data to     arbitrary physical memory addresses.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update :

                    Debian 4.0 (etch)    fai-kernels        1.17+etch4           user-mode-linux    2.6.18-1um-2etch3

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0705.

ID	Name	Product	Family	Severity
67543	Oracle Linux 5 : kernel (ELSA-2007-0705)	Nessus	Oracle Linux Local Security Checks	medium
59123	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4186)	Nessus	SuSE Local Security Checks	high
43648	CentOS 5 : kernel (CESA-2007:0705)	Nessus	CentOS Local Security Checks	medium
37772	Mandriva Linux Security Advisory : kernel (MDVSA-2008:105)	Nessus	Mandriva Local Security Checks	high
29487	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4185)	Nessus	SuSE Local Security Checks	high
28114	Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)	Nessus	Ubuntu Local Security Checks	high
28113	Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-509-1)	Nessus	Ubuntu Local Security Checks	medium
26050	RHEL 5 : kernel (RHSA-2007:0705)	Nessus	Red Hat Local Security Checks	medium
25909	Debian DSA-1356-1 : linux-2.6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
801434	CentOS RHSA-2007-0705 Security Check	Log Correlation Engine	Generic	high

CVE-2007-3851

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins