SUSE-SA:2008:030

30000

30818

30849

30920

31107

DSA-1592

MDVSA-2008:112

MDVSA-2008:167

RHSA-2008:0519

29603

1020211

USN-625-1

https://bugzilla.redhat.com/show_bug.cgi?id=447389

linux-kernel-dccpfeatchange-bo(43034)

oval:org.mitre.oval:def:9644

FEDORA-2008-5893

The remote OracleVM system is missing necessary patches to address critical security updates :

  - fix utrace dead_engine ops race

  - fix ptrace_attach leak

  - CVE-2007-5093: kernel PWC driver DoS

  - CVE-2007-6282: IPSec ESP kernel panics

  - CVE-2007-6712: kernel: infinite loop in highres timers     (kernel hang)

  - CVE-2008-1615: kernel: ptrace: Unprivileged crash on     x86_64 %cs corruption

  - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with     zero value doesn't inherit properly across children

  - CVE-2008-2136: kernel: sit memory leak

  - CVE-2008-2812: kernel: NULL ptr dereference in multiple     network drivers due to missing checks in tty code

  - restore     linux-2.6-x86-clear-df-flag-for-signal-handlers.patch

  - restore linux-2.6-utrace.patch /     linux-2.6-xen-utrace.patch

  - Kernel security erratas for OVM 2.1.2 from bz#5932 :

  - CVE-2007-6063: isdn: fix possible isdn_net buffer     overflows

  - CVE-2007-3104 Null pointer to an inode in a dentry can     cause an oops in sysfs_readdir

  - CVE-2008-0598: write system call vulnerability

  - CVE-2008-1375: kernel: race condition in dnotify

  - CVE-2008-0001: kernel: filesystem corruption by     unprivileged user via directory truncation

  - CVE-2008-2358: dccp: sanity check feature length

  - CVE-2007-5938: NULL dereference in iwl driver

  - RHSA-2008:0508: kernel: [x86_64] The string instruction     version didn't zero the output on exception.

  - kernel: clear df flag for signal handlers

  - fs: missing dput in do_lookup error leaks dentries

  - sysfs: fix condition check in sysfs_drop_dentry

  - sysfs: fix race condition around sd->s_dentry

  - ieee80211: off-by-two integer underflow

From Red Hat Security Advisory 2008:0519 :

Updated kernel packages that fix various security issues and a bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues :

* A security flaw was found in the Linux kernel memory copy routines, when running on certain AMD64 systems. If an unsuccessful attempt to copy kernel memory from source to destination memory locations occurred, the copy routines did not zero the content at the destination memory location. This could allow a local unprivileged user to view potentially sensitive data. (CVE-2008-2729, Important)

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data.
(CVE-2008-0598, Important)

* Brandon Edwards discovered a missing length validation check in the Linux kernel DCCP module reconciliation feature. This could allow a local unprivileged user to cause a heap overflow, gaining privileges for arbitrary code execution. (CVE-2008-2358, Moderate)

As well, these updated packages fix the following bug :

* Due to a regression, 'gettimeofday' may have gone backwards on certain x86 hardware. This issue was quite dangerous for time-sensitive systems, such as those used for transaction systems and databases, and may have caused applications to produce incorrect results, or even crash.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

These updated packages fix the following security issues :

  - A security flaw was found in the Linux kernel memory     copy routines, when running on certain AMD64 systems. If     an unsuccessful attempt to copy kernel memory from     source to destination memory locations occurred, the     copy routines did not zero the content at the     destination memory location. This could allow a local     unprivileged user to view potentially sensitive data.
    (CVE-2008-2729, Important)

  - Tavis Ormandy discovered a deficiency in the Linux     kernel 32-bit and 64-bit emulation. This could allow a     local unprivileged user to prepare and run a specially     crafted binary, which would use this deficiency to leak     uninitialized and potentially sensitive data.
    (CVE-2008-0598, Important)

  - Brandon Edwards discovered a missing length validation     check in the Linux kernel DCCP module reconciliation     feature. This could allow a local unprivileged user to     cause a heap overflow, gaining privileges for arbitrary     code execution. (CVE-2008-2358, Moderate)

As well, these updated packages fix the following bug :

  - Due to a regression, 'gettimeofday' may have gone     backwards on certain x86 hardware. This issue was quite     dangerous for time-sensitive systems, such as those used     for transaction systems and databases, and may have     caused applications to produce incorrect results, or     even crash.

Updated kernel packages that fix various security issues and a bug are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

These updated packages fix the following security issues :

* A security flaw was found in the Linux kernel memory copy routines, when running on certain AMD64 systems. If an unsuccessful attempt to copy kernel memory from source to destination memory locations occurred, the copy routines did not zero the content at the destination memory location. This could allow a local unprivileged user to view potentially sensitive data. (CVE-2008-2729, Important)

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data.
(CVE-2008-0598, Important)

* Brandon Edwards discovered a missing length validation check in the Linux kernel DCCP module reconciliation feature. This could allow a local unprivileged user to cause a heap overflow, gaining privileges for arbitrary code execution. (CVE-2008-2358, Moderate)

As well, these updated packages fix the following bug :

* Due to a regression, 'gettimeofday' may have gone backwards on certain x86 hardware. This issue was quite dangerous for time-sensitive systems, such as those used for transaction systems and databases, and may have caused applications to produce incorrect results, or even crash.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and probably other versions, does not properly check feature lengths, which might allow remote attackers to execute arbitrary code, related to an unspecified overflow. (CVE-2008-2358)

VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. (CVE-2008-0001)

Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset.
(CVE-2008-0007)

Integer overflow in the hrtimer_start function in kernel/hrtimer.c in the Linux kernel before 2.6.23.10 allows local users to execute arbitrary code or cause a denial of service (panic) via a large relative timeout value. NOTE: some of these details are obtained from third-party information. (CVE-2007-5966)

The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does not properly clear allocated memory in some rare circumstances related to tmpfs, which might allow local users to read sensitive kernel data or cause a denial of service (crash).
(CVE-2007-6417)

The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows local users to cause a denial of service via a crafted ioctl struct in which iocts is not null terminated, which triggers a buffer overflow.
(CVE-2007-6151)

The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information. (CVE-2007-6206)

Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel 2.6.23 allows local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063)

The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third-party information. (CVE-2007-5500)

The minix filesystem code in Linux kernel 2.6.x before 2.6.24, including 2.6.18, allows local users to cause a denial of service (hang) via a malformed minix file stream that triggers an infinite loop in the minix_bmap function. NOTE: this issue might be due to an integer overflow or signedness error. (CVE-2006-6058)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count.
(CVE-2008-2136)

The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. (CVE-2008-2148)

Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow. (CVE-2008-2358)

The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable.
(CVE-2008-2750)

Linux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls. (CVE-2008-1615)

Integer overflow in the sctp_getsockopt_local_addrs_old function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) functionality in the Linux kernel before 2.6.25.9 allows local users to cause a denial of service (resource consumption and system outage) via vectors involving a large addr_num field in an sctp_getaddrs_old data structure. (CVE-2008-2826)

Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375)

The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory. (CVE-2008-1675)

Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669)

Additionaly, a number of fixes has been included for the rtc driver, Arima W651DI audio chipset, unionfs, as well as Tomoyolinux has been updated to 1.6.3, UDF 2.50 support was added, and a few things more.
Check the package changelog for more details.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Dirk Nehring discovered that the IPsec protocol stack did not correctly handle fragmented ESP packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2007-6282)

Johannes Bauer discovered that the 64bit kernel did not correctly handle hrtimer updates. A local attacker could request a large expiration value and cause the system to hang, leading to a denial of service. (CVE-2007-6712)

Tavis Ormandy discovered that the ia32 emulation under 64bit kernels did not fully clear uninitialized data. A local attacker could read private kernel memory, leading to a loss of privacy. (CVE-2008-0598)

Jan Kratochvil discovered that PTRACE did not correctly handle certain calls when running under 64bit kernels. A local attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2008-1615)

Wei Wang discovered that the ASN.1 decoding routines in CIFS and SNMP NAT did not correctly handle certain length values. Remote attackers could exploit this to execute arbitrary code or crash the system.
(CVE-2008-1673)

Paul Marks discovered that the SIT interfaces did not correctly manage allocated memory. A remote attacker could exploit this to fill all available memory, leading to a denial of service. (CVE-2008-2136)

David Miller and Jan Lieskovsky discovered that the Sparc kernel did not correctly range-check memory regions allocated with mmap. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-2137)

The sys_utimensat system call did not correctly check file permissions in certain situations. A local attacker could exploit this to modify the file times of arbitrary files which could lead to a denial of service. (CVE-2008-2148)

Brandon Edwards discovered that the DCCP system in the kernel did not correctly check feature lengths. A remote attacker could exploit this to execute arbitrary code. (CVE-2008-2358)

A race condition was discovered between ptrace and utrace in the kernel. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-2365)

The copy_to_user routine in the kernel did not correctly clear memory destination addresses when running on 64bit kernels. A local attacker could exploit this to gain access to sensitive kernel memory, leading to a loss of privacy. (CVE-2008-2729)

The PPP over L2TP routines in the kernel did not correctly handle certain messages. A remote attacker could send a specially crafted packet that could crash the system or execute arbitrary code.
(CVE-2008-2750)

Gabriel Campana discovered that SCTP routines did not correctly check for large addresses. A local user could exploit this to allocate all available memory, leading to a denial of service. (CVE-2008-2826).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update kernel from version 2.6.25.6 to 2.6.25.9:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.7 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.9 Security updates: CVE-2008-2750: The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable. CVE-2008-2358: The Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and probably other versions, does not properly check feature lengths, which might allow remote attackers to execute arbitrary code, related to an unspecified 'overflow.' Wireless driver updates: - Upstream wireless fixes from 2008-06-27 (http://marc.info/?l=linux-wireless&m=121459423021061&w=2) - Upstream wireless fixes from 2008-06-25 (http://marc.info/?l=linux- wireless&m=121440912502527&w=2) - Upstream wireless updates from 2008-06-14 (http://marc.info/?l=linux-netdev&m=121346686508160&w=2) - Upstream wireless fixes from 2008-06-09 (http://marc.info/?l=linux- kernel&m=121304710726632&w=2) - Upstream wireless updates from 2008-06-09 (http://marc.info/?l=linux-netdev&m=121304710526613&w=2) Bugs: 444694 - ALi Corporation M5253 P1394 OHCI 1.1 Controller driver causing problems in kernels newer than 2.6.24.3-50 452595 - Problem with SATA/IDE on Abit AN52 449080 - Rsync cannot copy to a vfat partition on kernel 2.6.25 with -p or -a options 449909 - User Mode Linux (UML) broken on Fedora 9 452111 - CVE-2008-2750 kernel: l2tp:
Fix potential memory corruption in pppol2tp-recvmsg() (Heap corruption DoS) [F9] 449872 - [Patch] Bluetooth keyboard not reconnecting after powersave

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This kernel update fixes the following security problems :

CVE-2008-1615: On x86_64 a denial of service attack could be used by local attackers to immediately panic / crash the machine.

CVE-2008-2358: A security problem in DCCP was fixed, which could be used by remote attackers to crash the machine.

CVE-2007-6206: An information leakage during coredumping of root processes was fixed.

CVE-2007-6712: A integer overflow in the hrtimer_forward function (hrtimer.c) in Linux kernel, when running on 64-bit systems, allows local users to cause a denial of service (infinite loop) via a timer with a large expiry value, which causes the timer to always be expired.

CVE-2008-2136: A problem in SIT IPv6 tunnel handling could be used by remote attackers to immediately crash the machine.

CVE-2008-1669: Fixed a SMP ordering problem in fcntl_setlk could potentially allow local attackers to execute code by timing file locking.

CVE-2008-1367: Clear the 'direction' flag before calling signal handlers. For specific not yet identified programs under specific timing conditions this could potentially have caused memory corruption or code execution.

CVE-2008-1375: Fixed a dnotify race condition, which could be used by local attackers to potentially execute code.

CVE-2007-6282: A remote attacker could crash the IPSec/IPv6 stack by sending a bad ESP packet. This requires the host to be able to receive such packets (default filtered by the firewall).

CVE-2007-5500: A ptrace bug could be used by local attackers to hang their own processes indefinitely.

CVE-2007-5904: A remote buffer overflow in CIFS was fixed which could be used by remote attackers to crash the machine or potentially execute code.

And the following bugs (numbers are https://bugzilla.novell.com/ references) :

  - patches.arch/x86-nosmp-implies-noapic.patch: When     booting with nosmp or maxcpus=0 on i386 or x86-64, we     must disable the I/O APIC, otherwise the system won't     boot in most cases (bnc#308540).

  - patches.arch/i386-at-sysinfo-ehdr: i386: make     AT_SYSINFO_EHDR consistent with AT_SYSINFO (bnc#289641).

  - patches.suse/bonding-workqueue: Update to fix a hang     when closing a bonding device (342994).

  - patches.fixes/mptspi-dv-renegotiate-oops: mptlinux     crashes on kernel 2.6.22 (bnc#271749).

Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-1673     Wei Wang from McAfee reported a potential heap overflow     in the ASN.1 decode code that is used by the SNMP NAT     and CIFS subsystem. Exploitation of this issue may lead     to arbitrary code execution. This issue is not believed     to be exploitable with the pre-built kernel images     provided by Debian, but it might be an issue for custom     images built from the Debian-provided source package.

  - CVE-2008-2358     Brandon Edwards of McAfee Avert labs discovered an issue     in the DCCP subsystem. Due to missing feature length     checks it is possible to cause an overflow that may     result in remote arbitrary code execution.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0519.

ID	Name	Product	Family	Severity
79447	OracleVM 2.1 : kernel (OVMSA-2008-2005)	Nessus	OracleVM Local Security Checks	high
67706	Oracle Linux 5 : kernel (ELSA-2008-0519)	Nessus	Oracle Linux Local Security Checks	high
60430	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43692	CentOS 5 : kernel (CESA-2008:0519)	Nessus	CentOS Local Security Checks	high
36852	Mandriva Linux Security Advisory : kernel (MDVSA-2008:112)	Nessus	Mandriva Local Security Checks	high
36653	Mandriva Linux Security Advisory : kernel (MDVSA-2008:167)	Nessus	Mandriva Local Security Checks	high
33531	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : linux, linux-source-2.6.15/20/22 vulnerabilities (USN-625-1)	Nessus	Ubuntu Local Security Checks	critical
33404	Fedora 9 : kernel-2.6.25.9-76.fc9 (2008-5893)	Nessus	Fedora Local Security Checks	high
33377	RHEL 5 : kernel (RHSA-2008:0519)	Nessus	Red Hat Local Security Checks	high
33252	openSUSE 10 Security Update : kernel (kernel-5336)	Nessus	SuSE Local Security Checks	high
33173	Debian DSA-1592-1 : linux-2.6 - heap overflow	Nessus	Debian Local Security Checks	critical
801454	CentOS RHSA-2008-0519 Security Check	Log Correlation Engine	Generic	high

CVE-2008-2358

HIGH

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

critical

high

high

high

critical

high