Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel before 2.6.28-rc1 might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

From Red Hat Security Advisory 2009:0014 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

This update addresses the following security issues :

  - the sendmsg() function in the Linux kernel did not block     during UNIX socket garbage collection. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5300, Important)

  - when fput() was called to close a socket, the
    __scm_destroy() function in the Linux kernel could make     indirect recursive calls to itself. This could,     potentially, lead to a local denial of service.
    (CVE-2008-5029, Important)

  - a deficiency was found in the Linux kernel virtual file     system (VFS) implementation. This could allow a local,     unprivileged user to make a series of file creations     within deleted directories, possibly causing a denial of     service. (CVE-2008-3275, Moderate)

  - a buffer underflow flaw was found in the Linux kernel     IB700 SBC watchdog timer driver. This deficiency could     lead to a possible information leak. By default, the     '/dev/watchdog' device is accessible only to the root     user. (CVE-2008-5702, Low)

  - the hfs and hfsplus file systems code failed to properly     handle corrupted data structures. This could,     potentially, lead to a local denial of service.
    (CVE-2008-4933, CVE-2008-5025, Low)

  - a flaw was found in the hfsplus file system     implementation. This could, potentially, lead to a local     denial of service when write operations were performed.
    (CVE-2008-4934, Low)

This update also fixes the following bugs :

  - when running Red Hat Enterprise Linux 4.6 and 4.7 on     some systems running Intel&reg; CPUs, the cpuspeed     daemon did not run, preventing the CPU speed from being     changed, such as not being reduced to an idle state when     not in use.

  - mmap() could be used to gain access to beyond the first     megabyte of RAM, due to insufficient checks in the Linux     kernel code. Checks have been added to prevent this.

  - attempting to turn keyboard LEDs on and off rapidly on     keyboards with slow keyboard controllers, may have     caused key presses to fail.

  - after migrating a hypervisor guest, the MAC address     table was not updated, causing packet loss and     preventing network connections to the guest. Now, a     gratuitous ARP request is sent after migration. This     refreshes the ARP caches, minimizing network downtime.

  - writing crash dumps with diskdump may have caused a     kernel panic on Non-Uniform Memory Access (NUMA) systems     with certain memory configurations.

  - on big-endian systems, such as PowerPC, the getsockopt()     function incorrectly returned 0 depending on the     parameters passed to it when the time to live (TTL)     value equaled 255, possibly causing memory corruption     and application crashes.

  - a problem in the kernel packages provided by the     RHSA-2008:0508 advisory caused the Linux kernel's     built-in memory copy procedure to return the wrong error     code after recovering from a page fault on AMD64 and     Intel 64 systems. This may have caused other Linux     kernel functions to return wrong error codes.

  - a divide-by-zero bug in the Linux kernel process     scheduler, which may have caused kernel panics on     certain systems, has been resolved.

  - the netconsole kernel module caused the Linux kernel to     hang when slave interfaces of bonded network interfaces     were started, resulting in a system hang or kernel panic     when restarting the network.

  - the '/proc/xen/' directory existed even if systems were     not running Red Hat Virtualization. This may have caused     problems for third-party software that checks     virtualization-ability based on the existence of     '/proc/xen/'. Note: this update will remove the     '/proc/xen/' directory on systems not running Red Hat     Virtualization.

This updated kernel-utils package adds an enhancement in the way of proper support for user-space frequency-scaling on multi-core systems.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update addresses the following security issues :

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service.
(CVE-2008-5029, Important)

* a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low)

* the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low)

* a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low)

This update also fixes the following bugs :

* when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use.

* mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this.

* attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail.

* after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime.

* writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations.

* on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes.

* a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes.

* a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved.

* the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network.

* the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization.

All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.

This update fixes various security issues and several bugs in the openSUSE 11.0 kernel. It was also updated to the stable version 2.6.25.20.

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-5700: libata did not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program.

CVE-2008-5079: net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.

CVE-2008-5300: Linux kernel 2.6.28 allows local users to cause a denial of service ('soft lockup' and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.

CVE-2008-5029: The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.

CVE-2008-4933: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.

CVE-2008-5025: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.

CVE-2008-5182: The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.

CVE-2008-3831: The i915 driver in drivers/char/drm/i915_dma.c does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration.

CVE-2008-4554: The do_splice_from function in fs/splice.c did not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

This kernel update for openSUSE 10.3 fixes some bugs and several security problems.

The following security issues are fixed: A local denial of service problem in the splice(2) system call.

CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

CVE-2009-1072: nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0835 The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

CVE-2009-1439: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

CVE-2009-1337: The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-0859: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE is enabling CONFIG_SHMEM, so is by default not affected, the fix is just for completeness).

CVE-2009-1265: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent.

CVE-2009-0028: The clone system call in the Linux kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

CVE-2009-0322: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.

CVE-2009-0269: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

CVE-2009-0065: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-4554: The do_splice_from function in fs/splice.c in the Linux kernel does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

Some other non-security bugs were fixed, please see the RPM changelog.

Several vulnerabilities have been discovered in the Linux kernel that may lead to denial of service, privilege escalation, or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-4307     Bryn M. Reeves reported a denial of service in the NFS     filesystem. Local users can trigger a kernel BUG() due     to a race condition in the do_setlk function.

  - CVE-2008-5395     Helge Deller discovered a denial of service condition     that allows local users on PA-RISC to crash the system     by attempting to unwind a stack containing userspace     addresses.

  - CVE-2008-5701     Vlad Malov reported an issue on 64-bit MIPS where a     local user could cause a system crash by crafting a     malicious binary which makes o32 syscalls with a number     less than 4000.

  - CVE-2008-5702     Zvonimir Rakamaric reported an off-by-one error in the     ib700wdt watchdog driver which allows local users to     cause a buffer underflow by making a specially crafted     WDIOC_SETTIMEOUT ioctl call.

  - CVE-2008-5713     Flavio Leitner discovered that a local user can cause a     denial of service by generating large amounts of traffic     on a large SMP system, resulting in soft lockups.

  - CVE-2009-0028     Chris Evans discovered a situation in which a child     process can send an arbitrary signal to its parent.

  - CVE-2009-0029     Christian Borntraeger discovered an issue effecting the     alpha, mips, powerpc, s390 and sparc64 architectures     that allows local users to cause a denial of service or     potentially gain elevated privileges.

  - CVE-2009-0031     Vegard Nossum discovered a memory leak in the keyctl     subsystem that allows local users to cause a denial of     service by consuming all available kernel memory.

  - CVE-2009-0065     Wei Yongjun discovered a memory overflow in the SCTP     implementation that can be triggered by remote users,     permitting remote code execution.

  - CVE-2009-0322     Pavel Roskin provided a fix for an issue in the dell_rbu     driver that allows a local user to cause a denial of     service (oops) by reading 0 bytes from a sysfs entry.

  - CVE-2009-0675     Roel Kluin discovered inverted logic in the skfddi     driver that permits local, unprivileged users to reset     the driver statistics.

  - CVE-2009-0676     Clement LECIGNE discovered a bug in the sock_getsockopt     function that may result in leaking sensitive kernel     memory.

  - CVE-2009-0834     Roland McGrath discovered an issue on amd64 kernels that     allows local users to circumvent system call audit     configurations which filter based on the syscall numbers     or argument details.

  - CVE-2009-0859     Jiri Olsa discovered that a local user can cause a     denial of service (system hang) using a SHM_INFO shmctl     call on kernels compiled with CONFIG_SHMEM disabled.
    This issue does not affect prebuilt Debian kernels.

  - CVE-2009-1192     Shaohua Li reported an issue in the AGP subsystem that     may allow local users to read sensitive kernel memory     due to a leak of uninitialized memory.

  - CVE-2009-1265     Thomas Pollet reported an overflow in the af_rose     implementation that allows remote attackers to retrieve     uninitialized kernel memory that may contain sensitive     data.

  - CVE-2009-1336     Trond Myklebust reported an issue in the encode_lookup()     function in the nfs server subsystem that allows local     users to cause a denial of service (oops in     encode_lookup()) by use of a long filename.

  - CVE-2009-1337     Oleg Nesterov discovered an issue in the exit_notify     function that allows local users to send an arbitrary     signal to a process by running a program that modifies     the exit_signal field and then uses an exec system call     to launch a setuid application.

  - CVE-2009-1439     Pavan Naregundi reported an issue in the CIFS filesystem     code that allows remote users to overwrite memory via a     long nativeFileSystem field in a Tree Connect response     during mount.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-4307     Bryn M. Reeves reported a denial of service in the NFS     filesystem. Local users can trigger a kernel BUG() due     to a race condition in the do_setlk function.

  - CVE-2008-5079     Hugo Dias reported a DoS condition in the ATM subsystem     that can be triggered by a local user by calling the     svc_listen function twice on the same socket and reading     /proc/net/atm/*vc.

  - CVE-2008-5395     Helge Deller discovered a denial of service condition     that allows local users on PA-RISC systems to crash a     system by attempting to unwind a stack containing     userspace addresses.

  - CVE-2008-5700     Alan Cox discovered a lack of minimum timeouts on SG_IO     requests, which allows local users of systems using ATA     to cause a denial of service by forcing drives into PIO     mode.

  - CVE-2008-5701     Vlad Malov reported an issue on 64-bit MIPS systems     where a local user could cause a system crash by crafing     a malicious binary which makes o32 syscalls with a     number less than 4000.

  - CVE-2008-5702     Zvonimir Rakamaric reported an off-by-one error in the     ib700wdt watchdog driver which allows local users to     cause a buffer underflow by making a specially crafted     WDIOC_SETTIMEOUT ioctl call.

  - CVE-2009-0028     Chris Evans discovered a situation in which a child     process can send an arbitrary signal to its parent.

  - CVE-2009-0029     Christian Borntraeger discovered an issue effecting the     alpha, mips, powerpc, s390 and sparc64 architectures     that allows local users to cause a denial of service or     potentially gain elevated privileges.

  - CVE-2009-0031     Vegard Nossum discovered a memory leak in the keyctl     subsystem that allows local users to cause a denial of     service by consuming all of kernel memory.

  - CVE-2009-0065     Wei Yongjun discovered a memory overflow in the SCTP     implementation that can be triggered by remote users,     permitting remote code execution.

  - CVE-2009-0269     Duane Griffin provided a fix for an issue in the     eCryptfs subsystem which allows local users to cause a     denial of service (fault or memory corruption).

  - CVE-2009-0322     Pavel Roskin provided a fix for an issue in the dell_rbu     driver that allows a local user to cause a denial of     service (oops) by reading 0 bytes from a sysfs entry.

  - CVE-2009-0675     Roel Kluin discovered inverted logic in the skfddi     driver that permits local, unprivileged users to reset     the driver statistics.

  - CVE-2009-0676     Clement LECIGNE discovered a bug in the sock_getsockopt     function that may result in leaking sensitive kernel     memory.

  - CVE-2009-0745     Peter Kerwien discovered an issue in the ext4 filesystem     that allows local users to cause a denial of service     (kernel oops) during a resize operation.

  - CVE-2009-0834     Roland McGrath discovered an issue on amd64 kernels that     allows local users to circumvent system call audit     configurations which filter based on the syscall numbers     or argument details.

  - CVE-2009-0859     Jiri Olsa discovered that a local user can cause a     denial of service (system hang) using a SHM_INFO shmctl     call on kernels compiled with CONFIG_SHMEM disabled.
    This issue does not affect prebuilt Debian kernels.

  - CVE-2009-1046     Mikulas Patocka reported an issue in the console     subsystem that allows a local user to cause memory     corruption by selecting a small number of 3-byte UTF-8     characters.

  - CVE-2009-1192     Shaohua Li reported an issue in the AGP subsystem that     may allow local users to read sensitive kernel memory     due to a leak of uninitialized memory.

  - CVE-2009-1242     Benjamin Gilbert reported a local denial of service     vulnerability in the KVM VMX implementation that allows     local users to trigger an oops.

  - CVE-2009-1265     Thomas Pollet reported an overflow in the af_rose     implementation that allows remote attackers to retrieve     uninitialized kernel memory that may contain sensitive     data.

  - CVE-2009-1337     Oleg Nesterov discovered an issue in the exit_notify     function that allows local users to send an arbitrary     signal to a process by running a program that modifies     the exit_signal field and then uses an exec system call     to launch a setuid application.

  - CVE-2009-1338     Daniel Hokka Zakrisson discovered that a kill(-1) is     permitted to reach processes outside of the current     process namespace.

  - CVE-2009-1439     Pavan Naregundi reported an issue in the CIFS filesystem     code that allows remote users to overwrite memory via a     long nativeFileSystem field in a Tree Connect response     during mount.

Hugo Dias discovered that the ATM subsystem did not correctly manage socket counts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5079)

It was discovered that the libertas wireless driver did not correctly handle beacon and probe responses. A physically near-by attacker could generate specially crafted wireless network traffic and cause a denial of service. Ubuntu 6.06 was not affected. (CVE-2008-5134)

It was discovered that the inotify subsystem contained watch removal race conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-5182)

Dann Frazier discovered that in certain situations sendmsg did not correctly release allocated memory. A local attacker could exploit this to force the system to run out of free memory, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2008-5300)

It was discovered that the ATA subsystem did not correctly set timeouts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5700)

It was discovered that the ib700 watchdog timer did not correctly check buffer sizes. A local attacker could send a specially crafted ioctl to the device to cause a system crash, leading to a denial of service. (CVE-2008-5702)

It was discovered that in certain situations the network scheduler did not correctly handle very large levels of traffic. A local attacker could produce a high volume of UDP traffic resulting in a system hang, leading to a denial of service. Ubuntu 8.04 was not affected.
(CVE-2008-5713).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hugo Dias discovered that the ATM subsystem did not correctly manage socket counts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5079)

It was discovered that the inotify subsystem contained watch removal race conditions. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2008-5182)

Dann Frazier discovered that in certain situations sendmsg did not correctly release allocated memory. A local attacker could exploit this to force the system to run out of free memory, leading to a denial of service. (CVE-2008-5300)

Helge Deller discovered that PA-RISC stack unwinding was not handled correctly. A local attacker could exploit this to crash the system, leading do a denial of service. This did not affect official Ubuntu kernels, but was fixed in the source for anyone performing HPPA kernel builds. (CVE-2008-5395)

It was discovered that the ATA subsystem did not correctly set timeouts. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2008-5700)

It was discovered that the ib700 watchdog timer did not correctly check buffer sizes. A local attacker could send a specially crafted ioctl to the device to cause a system crash, leading to a denial of service. (CVE-2008-5702).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 10.3 kernel was updated to fix various security problems and bugs. Following security bugs were fixed :

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-5079: net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table.

CVE-2008-5029: The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors.

CVE-2008-5134: Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem allowed remote attackers to have an unknown impact via an 'invalid beacon/probe response.'

CVE-2008-4933: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function.

CVE-2008-5025: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.

CVE-2008-5182: The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-0014.

ID	Name	Product	Family	Severity
67790	Oracle Linux 4 : kernel (ELSA-2009-0014)	Nessus	Oracle Linux Local Security Checks	high
60520	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43727	CentOS 4 : kernel (CESA-2009:0014)	Nessus	CentOS Local Security Checks	high
40011	openSUSE Security Update : kernel (kernel-423)	Nessus	SuSE Local Security Checks	high
39335	openSUSE 10 Security Update : kernel (kernel-6274)	Nessus	SuSE Local Security Checks	critical
38722	Debian DSA-1794-1 : linux-2.6 - denial of service/privilege escalation/information leak	Nessus	Debian Local Security Checks	critical
38668	Debian DSA-1787-1 : linux-2.6.24 - denial of service/privilege escalation/information leak	Nessus	Debian Local Security Checks	critical
36454	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS : linux-source-2.6.15/22, linux vulnerabilities (USN-714-1)	Nessus	Ubuntu Local Security Checks	critical
36279	Ubuntu 8.10 : linux vulnerabilities (USN-715-1)	Nessus	Ubuntu Local Security Checks	high
35446	openSUSE 10 Security Update : kernel (kernel-5920)	Nessus	SuSE Local Security Checks	critical
35381	RHEL 4 : kernel (RHSA-2009:0014)	Nessus	Red Hat Local Security Checks	high
801465	CentOS RHSA-2009-0014 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2008-5702

high

Tenable Plugins

high

high

high

high

critical

critical

critical

critical

high

critical

high

high