Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerabilities (USN-574-1)
High Nessus Plugin ID 30183
SynopsisThe remote Ubuntu host is missing one or more security-related patches.
DescriptionThe minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058)
The signal handling on PowerPC systems using HTX allowed local users to cause a denial of service via floating point corruption. This was only vulnerable in Ubuntu 6.10 and 7.04. (CVE-2007-3107)
The Linux kernel did not properly validate the hop-by-hop IPv6 extended header. Remote attackers could send a crafted IPv6 packet and cause a denial of service via kernel panic. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567)
The JFFS2 filesystem with ACL support enabled did not properly store permissions during inode creation and ACL setting. Local users could possibly access restricted files after a remount. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4849)
Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4997)
Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. This was only vulnerable in Ubuntu 7.04.
Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop.
This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-5500)
It was discovered that the Linux kernel could dereference a NULL pointer when processing certain IPv4 TCP packets. A remote attacker could send a crafted TCP ACK response and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.10. (CVE-2007-5501)
Warren Togami discovered that the hrtimer subsystem did not properly check for large relative timeouts. A local user could exploit this and cause a denial of service via soft lockup. (CVE-2007-5966)
Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063)
It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151)
Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file's ownership. Local users could exploit this to gain access to sensitive information. (CVE-2007-6206)
Hugh Dickins discovered the when using the tmpfs filesystem, under rare circumstances, a kernel page may be improperly cleared. A local user may be able to exploit this and read sensitive kernel data or cause a denial of service via crash. (CVE-2007-6417)
Bill Roman discovered that the VFS subsystem did not properly check access modes. A local user may be able to gain removal privileges on directories. (CVE-2008-0001).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected packages.