Ubuntu 4.10 / 5.04 / 5.10 : linux-source-18.104.22.168/-2.6.10/-2.6.12 vulnerabilities (USN-231-1)
High Nessus Plugin ID 20775
SynopsisThe remote Ubuntu host is missing one or more security-related patches.
DescriptionRudolf Polzer reported an abuse of the 'loadkeys' command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the usage of 'loadkeys' to root. (CVE-2005-3257)
The ptrace() system call did not correctly check whether a process tried to attach to itself. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3783)
A Denial of Service vulnerability was found in the handler that automatically cleans up and terminates child processes that are not correctly handled by their parent process ('auto-reaper'). The check did not correctly handle processes which were currently traced by another process. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3784)
A locking problem was discovered in the POSIX timer cleanup handling on process exit. A local attacker could exploit this to cause the machine to hang (Denial of Service). This flaw only affects multiprocessor (SMP) systems. (CVE-2005-3805)
A Denial of Service vulnerability was discovered in the IPv6 flowlabel handling code. By invoking setsockopt(IPV6_FLOWLABEL_MGR) in a special way, a local attacker could cause memory corruption which eventually led to a kernel crash. (CVE-2005-3806)
A memory leak was discovered in the VFS lease handling. These operations are commonly executed by the Samba server, which led to steady memory exhaustion. By repeatedly triggering the affected operations in quick succession, a local attacker could exploit this to drain all memory, which leads to a Denial of Service. (CVE-2005-3807)
An integer overflow was discovered in the invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls on a 32 bit system, a local user could exploit this to crash the machine, thereby causing Denial of Service. This flaw does not affect the amd64 platform, and does only affect Ubuntu 5.10. (CVE-2005-3808)
Ollie Wild discovered a memory leak in the icmp_push_reply() function.
By sending a large amount of specially crafted packets, a remote attacker could exploit this to drain all memory, which eventually leads to a Denial of Service. (CVE-2005-3848)
Chris Wrigth found a Denial of Service vulnerability in the time_out_leases() function. By allocating a large number of VFS file lock leases and having them timeout at the same time, a large number of 'printk' debugging statements was generated at the same time, which could exhaust kernel memory. (CVE-2005-3857)
Patrick McHardy discovered a memory leak in the ip6_input_finish() function. A remote attacker could exploit this by sending specially crafted IPv6 packets, which would eventually drain all available kernel memory, thus causing a Denial of Service. (CVE-2005-3858).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected packages.