Ubuntu 4.10 / 5.04 : linux-source-2.6.10, linux-source-18.104.22.168 vulnerabilities (USN-199-1)
Low Nessus Plugin ID 20613
SynopsisThe remote Ubuntu host is missing one or more security-related patches.
DescriptionA Denial of Service vulnerability was discovered in the sys_set_mempolicy() function. By calling the function with a negative first argument, a local attacker could cause a kernel crash.
A race condition was discovered in the handling of shared memory mappings with CLONE_VM. A local attacker could exploit this to cause a deadlock (Denial of Service) by triggering a core dump while waiting for a thread which had just performed an exec() system call.
A race condition was found in the handling of traced processes. When one thread was tracing another thread that shared the same memory map, a local attacker could trigger a deadlock (Denial of Service) by forcing a core dump when the traced thread was in the TASK_TRACED state. (CAN-2005-3107)
A vulnerability has been found in the 'ioremap' module. By performing certain IO mapping operations, a local attacker could either read memory pages he has not normally access to (information leak) or cause a kernel crash (Denial of Service). This only affects the amd64 platform. (CAN-2005-3108)
The HFS and HFS+ file system drivers did not properly verify that the file system that was attempted to be mounted really was HFS/HFS+. On machines which allow users to mount arbitrary removable devices as HFS or HFS+ with an /etc/fstab entry, this could be exploited to trigger a kernel crash. (CAN-2005-3109)
Steve Herrel discovered a race condition in the 'ebtables' netfilter module. A remote attacker could exploit this by sending specially crafted packets that caused a value to be modified after it had been read but before it had been locked. This eventually lead to a kernel crash. This only affects multiprocessor machines (SMP).
Robert Derr discovered a memory leak in the system call auditing code.
On a kernel which has the CONFIG_AUDITSYSCALL option enabled, this leads to memory exhaustion and eventually a Denial of Service. A local attacker could also speed this up by excessively calling system calls.
This only affects customized kernels built from the kernel source packages. The standard Ubuntu kernel does not have the CONFIG_AUDITSYSCALL option enabled, and is therefore not affected by this.
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected packages.