The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-0264 advisory.

    - [security] introduce missing kfree (Jiri Pirko ) [480597 480598] {CVE-2009-0031}
    - [net] sctp: overflow with bad stream ID in FWD-TSN chunk (Eugene Teo ) [478804 478805] {CVE-2009-0065}
    - [net] add preemption point in qdisc_run (Jiri Pirko ) [477746 471398] {CVE-2008-5713}
    - [fs] hfsplus: fix buffer overflow with a corrupted image (Anton Arapov ) [469637 469638] {CVE-2008-4933}
    - [fs] hfsplus: check read_mapping_page return value (Anton Arapov ) [469644 469645] {CVE-2008-4934}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2009:0014 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

This update addresses the following security issues :

  - a memory leak in keyctl handling. A local user could use     this flaw to deplete kernel memory, eventually leading     to a denial of service. (CVE-2009-0031, Important)

  - a buffer overflow in the Linux kernel Partial Reliable     Stream Control Transmission Protocol (PR-SCTP)     implementation. This could, potentially, lead to a     denial of service if a Forward-TSN chunk is received     with a large stream ID. (CVE-2009-0065, Important)

  - a flaw when handling heavy network traffic on an SMP     system with many cores. An attacker who could send a     large amount of network traffic could create a denial of     service. (CVE-2008-5713, Important)

  - the code for the HFS and HFS Plus (HFS+) file systems     failed to properly handle corrupted data structures.
    This could, potentially, lead to a local denial of     service. (CVE-2008-4933, CVE-2008-5025, Low)

  - a flaw was found in the HFS Plus (HFS+) file system     implementation. This could, potentially, lead to a local     denial of service when write operations are performed.
    (CVE-2008-4934, Low)

  - when fput() was called to close a socket, the
    __scm_destroy() function in the Linux kernel could make     indirect recursive calls to itself. This could,     potentially, lead to a denial of service issue.
    (CVE-2008-5029, Important)

  - a flaw was found in the Asynchronous Transfer Mode (ATM)     subsystem. A local, unprivileged user could use the flaw     to listen on the same socket more than once, possibly     causing a denial of service. (CVE-2008-5079, Important)

  - a race condition was found in the Linux kernel 'inotify'     watch removal and umount implementation. This could     allow a local, unprivileged user to cause a privilege     escalation or a denial of service. (CVE-2008-5182,     Important)

** Bug fixes and enhancements are provided for :

  - support for specific NICs, including products from the     following manufacturers: Broadcom Chelsio Cisco Intel     Marvell NetXen Realtek Sun

  - Fiber Channel support, including support for Qlogic     qla2xxx, qla4xxx, and qla84xx HBAs and the FCoE, FCP,     and zFCP protocols.

  - support for various CPUs, including: AMD Opteron     processors with 45 nm SOI ('Shanghai') AMD Turion Ultra     processors Cell processors Intel Core i7 processors

  - Xen support, including issues specific to the IA64     platform, systems using AMD processors, and Dell     Optiplex GX280 systems

  - ext3, ext4, GFS2, NFS, and SPUFS

  - Infiniband (including eHCA, eHEA, and IPoIB) support

  - common I/O (CIO), direct I/O (DIO), and queued direct     I/O (qdio) support

  - the kernel distributed lock manager (DLM)

  - hardware issues with: SCSI, IEEE 1394 (FireWire), RAID     (including issues specific to Adaptec controllers), SATA     (including NCQ), PCI, audio, serial connections,     tape-drives, and USB

  - ACPI, some of a general nature and some related to     specific hardware including: certain Lenovo Thinkpad     notebooks, HP DC7700 systems, and certain machines based     on Intel Centrino processor technology.

  - CIFS, including Kerberos support and a tech-preview of     DFS support

  - networking support, including IPv6, PPPoE, and IPSec

  - support for Intel chipsets, including: Intel Cantiga     chipsets Intel Eagle Lake chipsets Intel i915 chipsets     Intel i965 chipsets Intel Ibex Peak chipsets Intel     chipsets offering QuickPath Interconnects (QPI)

  - device mapping issues, including some in device mapper     itself

  - various issues specific to IA64 and PPC

  - CCISS, including support for Compaq SMART Array     controllers P711m and P712m and other new hardware

  - various issues affecting specific HP systems, including:
    DL785G5 XW4800 XW8600 XW8600 XW9400

  - IOMMU support, including specific issues with AMD and     IBM Calgary hardware

  - the audit subsystem

  - DASD support

  - iSCSI support, including issues specific to Chelsio T3     adapters

  - LVM issues

  - SCTP management information base (MIB) support

  - issues with: autofs, kdump, kobject_add, libata, lpar,     ptrace, and utrace

  - platforms using Intel Enhanced Error Handling (EEH)

  - EDAC issues for AMD K8 and Intel i5000

  - ALSA, including support for new hardware

  - futex support

  - hugepage support

  - Intelligent Platform Management Interface (IPMI) support

  - issues affecting NEC/Stratus servers

  - OFED support

  - SELinux

  - various Virtio issues

  - when using the nfsd daemon in a clustered setup, kernel     panics appeared seemingly at random. These panics were     caused by a race condition in the device-mapper mirror     target.

  - the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall     returned a smaller timespec value than the result of     previous clock_gettime() function execution, which     resulted in a negative, and nonsensical, elapsed time     value.

  - nfs_create_rpc_client was called with a 'flavor'     parameter which was usually ignored and ended up     unconditionally creating the RPC client with an     AUTH_UNIX flavor. This caused problems on AUTH_GSS     mounts when the credentials needed to be refreshed. The     credops did not match the authorization type, which     resulted in the credops dereferencing an incorrect part     of the AUTH_UNIX rpc_auth struct.

  - when copy_user_c terminated prematurely due to reading     beyond the end of the user buffer and the kernel jumped     to the exception table entry, the rsi register was not     cleared. This resulted in exiting back to user code with     garbage in the rsi register.

  - the hexdump data in s390dbf traces was incomplete. The     length of the data traced was incorrect and the SAN     payload was read from a different place then it was     written to.

  - when using connected mode (CM) in IPoIB on ehca2     hardware, it was not possible to transmit any data.

  - when an application called fork() and pthread_create()     many times and, at some point, a thread forked a child     and then attempted to call the setpgid() function, then     this function failed and returned and ESRCH error value.

This update addresses the following security issues :

  - the sendmsg() function in the Linux kernel did not block     during UNIX socket garbage collection. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5300, Important)

  - when fput() was called to close a socket, the
    __scm_destroy() function in the Linux kernel could make     indirect recursive calls to itself. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5029, Important)

  - a deficiency was found in the Linux kernel virtual file     system (VFS) implementation. This could allow a local,     unprivileged user to make a series of file creations     within deleted directories, possibly causing a denial of     service. (CVE-2008-3275, Moderate)

  - a buffer underflow flaw was found in the Linux kernel     IB700 SBC watchdog timer driver. This deficiency could     lead to a possible information leak. By default, the     '/dev/watchdog' device is accessible only to the root     user. (CVE-2008-5702, Low)

  - the hfs and hfsplus file systems code failed to properly     handle corrupted data structures. This could,     potentially, lead to a local denial of service.
    (CVE-2008-4933, CVE-2008-5025, Low)

  - a flaw was found in the hfsplus file system     implementation. This could, potentially, lead to a local     denial of service when write operations were performed.
    (CVE-2008-4934, Low)

This update also fixes the following bugs :

  - when running Red Hat Enterprise Linux 4.6 and 4.7 on     some systems running Intel&reg; CPUs, the cpuspeed     daemon did not run, preventing the CPU speed from being     changed, such as not being reduced to an idle state when     not in use.

  - mmap() could be used to gain access to beyond the first     megabyte of RAM, due to insufficient checks in the Linux     kernel code. Checks have been added to prevent this.

  - attempting to turn keyboard LEDs on and off rapidly on     keyboards with slow keyboard controllers, may have     caused key presses to fail.

  - after migrating a hypervisor guest, the MAC address     table was not updated, causing packet loss and     preventing network connections to the guest. Now, a     gratuitous ARP request is sent after migration. This     refreshes the ARP caches, minimizing network downtime.

  - writing crash dumps with diskdump may have caused a     kernel panic on Non-Uniform Memory Access (NUMA) systems     with certain memory configurations.

  - on big-endian systems, such as PowerPC, the getsockopt()     function incorrectly returned 0 depending on the     parameters passed to it when the time to live (TTL)     value equaled 255, possibly causing memory corruption     and application crashes.

  - a problem in the kernel packages provided by the     RHSA-2008:0508 advisory caused the Linux kernel's     built-in memory copy procedure to return the wrong error     code after recovering from a page fault on AMD64 and     Intel 64 systems. This may have caused other Linux     kernel functions to return wrong error codes.

  - a divide-by-zero bug in the Linux kernel process     scheduler, which may have caused kernel panics on     certain systems, has been resolved.

  - the netconsole kernel module caused the Linux kernel to     hang when slave interfaces of bonded network interfaces     were started, resulting in a system hang or kernel panic     when restarting the network.

  - the '/proc/xen/' directory existed even if systems were     not running Red Hat Virtualization. This may have caused     problems for third-party software that checks     virtualization-ability based on the existence of     '/proc/xen/'. Note: this update will remove the     '/proc/xen/' directory on systems not running Red Hat     Virtualization.

This updated kernel-utils package adds an enhancement in the way of proper support for user-space frequency-scaling on multi-core systems.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.
(CVE-2008-4933)

The hfsplus_block_allocate function in fs/hfsplus/bitmap.c in the Linux kernel before 2.6.28-rc1 does not check a certain return value from the read_mapping_page function before calling kmap, which allows attackers to cause a denial of service (system crash) via a crafted hfsplus filesystem image. (CVE-2008-4934)

The __scm_destroy function in net/core/scm.c in the Linux kernel 2.6.27.4, 2.6.26, and earlier makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029)

Additionaly, support for a broadcom bluetooth dongle was added to btusb driver, an eeepc shutdown hang caused by snd-hda-intel was fixed, a Realtek auto-mute bug was fixed, the pcspkr driver was reenabled, an acpi brightness setting issue on some laptops was fixed, sata_nv (NVidia) driver bugs were fixed, horizontal mousewheel scrolling with Logitech V150 mouse was fixed, and more. Check the changelog and related bugs for more details.

This kernel also fixes the driver for Intel G45/GM45 video chipsets, in a way requiring also an updated Xorg driver, which is also being provided in this update.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

It was discovered that the Xen hypervisor block driver did not correctly validate requests. A user with root privileges in a guest OS could make a malicious IO request with a large number of blocks that would crash the host OS, leading to a denial of service. This only affected Ubuntu 7.10. (CVE-2007-5498)

It was discovered the the i915 video driver did not correctly validate memory addresses. A local attacker could exploit this to remap memory that could cause a system crash, leading to a denial of service. This issue did not affect Ubuntu 6.06 and was previous fixed for Ubuntu 7.10 and 8.04 in USN-659-1. Ubuntu 8.10 has now been corrected as well. (CVE-2008-3831)

David Watson discovered that the kernel did not correctly strip permissions when creating files in setgid directories. A local user could exploit this to gain additional group privileges. This issue only affected Ubuntu 6.06. (CVE-2008-4210)

Olaf Kirch and Miklos Szeredi discovered that the Linux kernel did not correctly reject the 'append' flag when handling file splice requests.
A local attacker could bypass append mode and make changes to arbitrary locations in a file. This issue only affected Ubuntu 7.10 and 8.04. (CVE-2008-4554)

It was discovered that the SCTP stack did not correctly handle INIT-ACK. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10.
(CVE-2008-4576)

It was discovered that the SCTP stack did not correctly handle bad packet lengths. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10.
(CVE-2008-4618)

Eric Sesterhenn discovered multiple flaws in the HFS+ filesystem. If a local user or automated system were tricked into mounting a malicious HFS+ filesystem, the system could crash, leading to a denial of service. (CVE-2008-4933, CVE-2008-4934, CVE-2008-5025)

It was discovered that the Unix Socket handler did not correctly process the SCM_RIGHTS message. A local attacker could make a malicious socket request that would crash the system, leading to a denial of service. (CVE-2008-5029)

It was discovered that the driver for simple i2c audio interfaces did not correctly validate certain function pointers. A local user could exploit this to gain root privileges or crash the system, leading to a denial of service. (CVE-2008-5033).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service.
(CVE-2009-0031, Important)

* a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important)

* a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important)

* the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the HFS Plus (HFS+) file system implementation.
This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low)

In addition, these updated packages fix the following bugs :

* when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target.

* the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value.

* nfs_create_rpc_client was called with a 'flavor' parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct.

* when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register.

* the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to.

* when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data.

* when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3527     Tavis Ormandy reported a local DoS and potential     privilege escalation in the Virtual Dynamic Shared     Objects (vDSO) implementation.

  - CVE-2008-3528     Eugene Teo reported a local DoS issue in the ext2 and     ext3 filesystems. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a corrupted filesystem that causes the kernel     to output error messages in an infinite loop.

  - CVE-2008-4554     Milos Szeredi reported that the usage of splice() on     files opened with O_APPEND allows users to write to the     file at arbitrary offsets, enabling a bypass of possible     assumed semantics of the O_APPEND flag.

  - CVE-2008-4576     Vlad Yasevich reported an issue in the SCTP subsystem     that may allow remote users to cause a local DoS by     triggering a kernel oops.

  - CVE-2008-4933     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that causes the     kernel to overrun a buffer, resulting in a system oops     or memory corruption.

  - CVE-2008-4934     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that results in a     kernel oops due to an unchecked return value.

  - CVE-2008-5025     Eric Sesterhenn reported a local DoS issue in the hfs     filesystem. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a filesystem with a corrupted catalog name     length, resulting in a system oops or memory corruption.

  - CVE-2008-5029     Andrea Bittau reported a DoS issue in the unix socket     subsystem that allows a local user to cause memory     corruption, resulting in a kernel panic.

  - CVE-2008-5079     Hugo Dias reported a DoS condition in the ATM subsystem     that can be triggered by a local user by calling the     svc_listen function twice on the same socket and reading     /proc/net/atm/*vc.

  - CVE-2008-5182     Al Viro reported race conditions in the inotify     subsystem that may allow local users to acquire elevated     privileges.

  - CVE-2008-5300     Dann Frazier reported a DoS condition that allows local     users to cause the out of memory handler to kill off     privileged processes or trigger soft lockups due to a     starvation issue in the unix socket subsystem.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3528     Eugene Teo reported a local DoS issue in the ext2 and     ext3 filesystems. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a corrupted filesystem that causes the kernel     to output error messages in an infinite loop.

  - CVE-2008-4554     Milos Szeredi reported that the usage of splice() on     files opened with O_APPEND allows users to write to the     file at arbitrary offsets, enabling a bypass of possible     assumed semantics of the O_APPEND flag.

  - CVE-2008-4576     Vlad Yasevich reported an issue in the SCTP subsystem     that may allow remote users to cause a local DoS by     triggering a kernel oops.

  - CVE-2008-4618     Wei Yongjun reported an issue in the SCTP subsystem that     may allow remote users to cause a local DoS by     triggering a kernel panic.

  - CVE-2008-4933     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that causes the     kernel to overrun a buffer, resulting in a system oops     or memory corruption.

  - CVE-2008-4934     Eric Sesterhenn reported a local DoS issue in the     hfsplus filesystem. Local users who have been granted     the privileges necessary to mount a filesystem would be     able to craft a corrupted filesystem that results in a     kernel oops due to an unchecked return value.

  - CVE-2008-5025     Eric Sesterhenn reported a local DoS issue in the hfs     filesystem. Local users who have been granted the     privileges necessary to mount a filesystem would be able     to craft a filesystem with a corrupted catalog name     length, resulting in a system oops or memory corruption.

  - CVE-2008-5029     Andrea Bittau reported a DoS issue in the unix socket     subsystem that allows a local user to cause memory     corruption, resulting in a kernel panic.

  - CVE-2008-5134     Johannes Berg reported a remote DoS issue in the     libertas wireless driver, which can be triggered by a     specially crafted beacon/probe response.

  - CVE-2008-5182     Al Viro reported race conditions in the inotify     subsystem that may allow local users to acquire elevated     privileges.

  - CVE-2008-5300     Dann Frazier reported a DoS condition that allows local     users to cause the out of memory handler to kill off     privileged processes or trigger soft lockups due to a     starvation issue in the unix socket subsystem.

ID	Name	Product	Family	Severity
67800	Oracle Linux 5 : kernel (ELSA-2009-0264)	Nessus	Oracle Linux Local Security Checks	medium
67790	Oracle Linux 4 : kernel (ELSA-2009-0014)	Nessus	Oracle Linux Local Security Checks	high
60532	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
60520	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43727	CentOS 4 : kernel (CESA-2009:0014)	Nessus	CentOS Local Security Checks	high
38027	Mandriva Linux Security Advisory : kernel (MDVSA-2008:234)	Nessus	Mandriva Local Security Checks	high
37683	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : linux, linux-source-2.6.15/22 vulnerabilities (USN-679-1)	Nessus	Ubuntu Local Security Checks	high
35645	RHEL 5 : kernel (RHSA-2009:0264)	Nessus	Red Hat Local Security Checks	critical
35381	RHEL 4 : kernel (RHSA-2009:0014)	Nessus	Red Hat Local Security Checks	high
35174	Debian DSA-1687-1 : linux-2.6 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	high
35036	Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2008-4934

medium

Tenable Plugins

medium

high

critical

high

high

high

high

critical

high

high

critical