Debian DSA-2126-1 : linux-2.6 - privilege escalation/denial of service/information leak

high Nessus Plugin ID 50825

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2010-2963 Kees Cook discovered an issue in the v4l 32-bit compatibility layer for 64-bit systems that allows local users with /dev/video write permission to overwrite arbitrary kernel memory, potentially leading to a privilege escalation. On Debian systems, access to /dev/video devices is restricted to members of the 'video' group by default.

- CVE-2010-3067 Tavis Ormandy discovered an issue in the io_submit system call. Local users can cause an integer overflow resulting in a denial of service.

- CVE-2010-3296 Dan Rosenberg discovered an issue in the cxgb network driver that allows unprivileged users to obtain the contents of sensitive kernel memory.

- CVE-2010-3297 Dan Rosenberg discovered an issue in the eql network driver that allows local users to obtain the contents of sensitive kernel memory.

- CVE-2010-3310 Dan Rosenberg discovered an issue in the ROSE socket implementation. On systems with a rose device, local users can cause a denial of service (kernel memory corruption).

- CVE-2010-3432 Thomas Dreibholz discovered an issue in the SCTP protocol that permits a remote user to cause a denial of service (kernel panic).

- CVE-2010-3437 Dan Rosenberg discovered an issue in the pktcdvd driver.
Local users with permission to open /dev/pktcdvd/control can obtain the contents of sensitive kernel memory or cause a denial of service. By default on Debian systems, this access is restricted to members of the group 'cdrom'.

- CVE-2010-3442 Dan Rosenberg discovered an issue in the ALSA sound system. Local users with permission to open /dev/snd/controlC0 can create an integer overflow condition that causes a denial of service. By default on Debian systems, this access is restricted to members of the group 'audio'.

- CVE-2010-3448 Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain Thinkpad systems, local users can cause a denial of service (X.org crash) by reading /proc/acpi/ibm/video.

- CVE-2010-3477 Jeff Mahoney discovered an issue in the Traffic Policing (act_police) module that allows local users to obtain the contents of sensitive kernel memory.

- CVE-2010-3705 Dan Rosenberg reported an issue in the HMAC processing code in the SCTP protocol that allows remote users to create a denial of service (memory corruption).

- CVE-2010-3848 Nelson Elhage discovered an issue in the Econet protocol. Local users can cause a stack overflow condition with large msg->msgiovlen values that can result in a denial of service or privilege escalation.

- CVE-2010-3849 Nelson Elhage discovered an issue in the Econet protocol. Local users can cause a denial of service (oops) if a NULL remote addr value is passed as a parameter to sendmsg().

- CVE-2010-3850 Nelson Elhage discovered an issue in the Econet protocol. Local users can assign econet addresses to arbitrary interfaces due to a missing capabilities check.

- CVE-2010-3858 Brad Spengler reported an issue in the setup_arg_pages() function. Due to a bounds-checking failure, local users can create a denial of service (kernel oops).

- CVE-2010-3859 Dan Rosenberg reported an issue in the TIPC protocol.
When the tipc module is loaded, local users can gain elevated privileges via the sendmsg() system call.

- CVE-2010-3873 Dan Rosenberg reported an issue in the X.25 network protocol. Local users can cause heap corruption, resulting in a denial of service (kernel panic).

- CVE-2010-3874 Dan Rosenberg discovered an issue in the Control Area Network (CAN) subsystem on 64-bit systems. Local users may be able to cause a denial of service (heap corruption).

- CVE-2010-3875 Vasiliy Kulikov discovered an issue in the AX.25 protocol. Local users can obtain the contents of sensitive kernel memory.

- CVE-2010-3876 Vasiliy Kulikov discovered an issue in the Packet protocol. Local users can obtain the contents of sensitive kernel memory.

- CVE-2010-3877 Vasiliy Kulikov discovered an issue in the TIPC protocol. Local users can obtain the contents of sensitive kernel memory.

- CVE-2010-3880 Nelson Elhage discovered an issue in the INET_DIAG subsystem. Local users can cause the kernel to execute unaudited INET_DIAG bytecode, resulting in a denial of service.

- CVE-2010-4072 Kees Cook discovered an issue in the System V shared memory subsystem. Local users can obtain the contents of sensitive kernel memory.

- CVE-2010-4073 Dan Rosenberg discovered an issue in the System V shared memory subsystem. Local users on 64-bit system can obtain the contents of sensitive kernel memory via the 32-bit compatible semctl() system call.

- CVE-2010-4074 Dan Rosenberg reported issues in the mos7720 and mos7840 drivers for USB serial converter devices. Local users with access to these devices can obtain the contents of sensitive kernel memory.

- CVE-2010-4078 Dan Rosenberg reported an issue in the framebuffer driver for SiS graphics chipsets (sisfb). Local users with access to the framebuffer device can obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.

- CVE-2010-4079 Dan Rosenberg reported an issue in the ivtvfb driver used for the Hauppauge PVR-350 card. Local users with access to the framebuffer device can obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.

- CVE-2010-4080 Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP audio devices. Local users with access to the audio device can obtain the contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.

- CVE-2010-4081 Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP MADI audio devices. Local users with access to the audio device can obtain the contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.

- CVE-2010-4083 Dan Rosenberg discovered an issue in the semctl system call. Local users can obtain the contents of sensitive kernel memory through usage of the semid_ds structure.

- CVE-2010-4164 Dan Rosenberg discovered an issue in the X.25 network protocol. Remote users can achieve a denial of service (infinite loop) by taking advantage of an integer underflow in the facility parsing code.

Solution

Upgrade the linux-2.6 and user-mode-linux packages.

For the stable distribution (lenny), this problem has been fixed in version 2.6.26-26lenny1.

The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update :

Debian 5.0 (lenny) user-mode-linux 2.6.26-1um-2+26lenny1

See Also

https://security-tracker.debian.org/tracker/CVE-2010-2963

https://security-tracker.debian.org/tracker/CVE-2010-3067

https://security-tracker.debian.org/tracker/CVE-2010-3296

https://security-tracker.debian.org/tracker/CVE-2010-3297

https://security-tracker.debian.org/tracker/CVE-2010-3310

https://security-tracker.debian.org/tracker/CVE-2010-3432

https://security-tracker.debian.org/tracker/CVE-2010-3437

https://security-tracker.debian.org/tracker/CVE-2010-3442

https://security-tracker.debian.org/tracker/CVE-2010-3448

https://security-tracker.debian.org/tracker/CVE-2010-3477

https://security-tracker.debian.org/tracker/CVE-2010-3705

https://security-tracker.debian.org/tracker/CVE-2010-3848

https://security-tracker.debian.org/tracker/CVE-2010-3849

https://security-tracker.debian.org/tracker/CVE-2010-3850

https://security-tracker.debian.org/tracker/CVE-2010-3858

https://security-tracker.debian.org/tracker/CVE-2010-3859

https://security-tracker.debian.org/tracker/CVE-2010-3873

https://security-tracker.debian.org/tracker/CVE-2010-3874

https://security-tracker.debian.org/tracker/CVE-2010-3875

https://security-tracker.debian.org/tracker/CVE-2010-3876

https://security-tracker.debian.org/tracker/CVE-2010-3877

https://security-tracker.debian.org/tracker/CVE-2010-3880

https://security-tracker.debian.org/tracker/CVE-2010-4072

https://security-tracker.debian.org/tracker/CVE-2010-4073

https://security-tracker.debian.org/tracker/CVE-2010-4074

https://security-tracker.debian.org/tracker/CVE-2010-4078

https://security-tracker.debian.org/tracker/CVE-2010-4079

https://security-tracker.debian.org/tracker/CVE-2010-4080

https://security-tracker.debian.org/tracker/CVE-2010-4081

https://security-tracker.debian.org/tracker/CVE-2010-4083

https://security-tracker.debian.org/tracker/CVE-2010-4164

https://www.debian.org/security/2010/dsa-2126

Plugin Details

Severity: High

ID: 50825

File Name: debian_DSA-2126.nasl

Version: 1.16

Type: local

Agent: unix

Published: 11/29/2010

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.9

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux-2.6, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/26/2010

Vulnerability Publication Date: 9/21/2010

Reference Information

CVE: CVE-2010-2963, CVE-2010-3067, CVE-2010-3296, CVE-2010-3297, CVE-2010-3310, CVE-2010-3432, CVE-2010-3437, CVE-2010-3442, CVE-2010-3448, CVE-2010-3477, CVE-2010-3705, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, CVE-2010-3858, CVE-2010-3859, CVE-2010-3873, CVE-2010-3874, CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4078, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4083, CVE-2010-4164

BID: 38607, 42529, 43221, 43229, 43353, 43368, 43480, 43551, 43701, 43787, 43809, 43810, 44242, 44301, 44354, 44630, 44642, 44661, 44665, 45054, 45055, 45058, 45062, 45063

DSA: 2126