Debian DSA-1436-1 : linux-2.6 - several vulnerabilities

Severity: High | Nessus Plugin ID: 29756

VPR Score: 5.9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2006-6058: LMH reported an issue in the minix filesystem that allows local users with mount privileges to cause a DoS (printk flood) by mounting a specially crafted corrupt filesystem.

- CVE-2007-5966: Warren Togami discovered an issue in the hrtimer subsystem that allows a local user to cause a DoS (soft lockup) by requesting a timer sleep for a long period of time, leading to an integer overflow.

- CVE-2007-6063: Venustech AD-LAB discovered a buffer overflow in the isdn ioctl handling, exploitable by a local user.

- CVE-2007-6206: Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information.

- CVE-2007-6417: Hugh Dickins discovered an issue in the tmpfs filesystem where, under a rare circumstance, a kernel page may be improperly cleared, leaking sensitive kernel memory to userspace or resulting in a DoS (crash).

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch6.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:

Debian 4.0 (etch):

- fai-kernels: 1.17+etch.13etch6
- user-mode-linux: 2.6.18-1um-2etch.13etch6

Solution

Upgrade the kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

See Also

https://security-tracker.debian.org/tracker/CVE-2006-6058

https://security-tracker.debian.org/tracker/CVE-2007-5966

https://security-tracker.debian.org/tracker/CVE-2007-6063

https://security-tracker.debian.org/tracker/CVE-2007-6206

https://security-tracker.debian.org/tracker/CVE-2007-6417

https://www.debian.org/security/2007/dsa-1436

Plugin Details

Severity: High

ID: 29756

File Name: debian_DSA-1436.nasl

Version: 1.20

Type: local

Agent: unix

Published: 2007/12/24

Updated: 2019/08/02

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux-2.6, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2007/12/20

Reference Information

CVE: CVE-2006-6058, CVE-2007-5966, CVE-2007-6063, CVE-2007-6206, CVE-2007-6417

DSA: 1436

CWE: 16, 119, 189, 200, 399