Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)
High Nessus Plugin ID 18599
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels :
Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CVE-2005-0109).
When forwarding fragmented packets, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CVE-2005-0209).
A flaw in the Linux PPP driver was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CVE-2005-0384).
An information leak in the ext2 filesystem code was found where when a new directory is created, the ext2 block written to disk is not initialized (CVE-2005-0400).
A signedness error in the copy_from_read_buf function in n_tty.c allows local users to read kernel memory via a negative argument (CVE-2005-0530).
George Guninski discovered a buffer overflow in the ATM driver where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument.
This could potentially lead to the execution of arbitrary code (CVE-2005-0531).
A flaw when freeing a pointer in load_elf_library was found that could be abused by a local user to potentially crash the machine causing a Denial of Service (CVE-2005-0749).
A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 220.127.116.11 could be used by a local attacker to gain root access or crash the machine (CVE-2005-0750).
A race condition in the Radeon DRI driver allows a local user with DRI privileges to execute arbitrary code as root (CVE-2005-0767).
Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CVE-2005-1263).
SolutionUpdate the affected packages.