Debian DLA-155-1 : linux-2.6 security update
Critical Nessus Plugin ID 82138
SynopsisThe remote Debian host is missing a security update.
DescriptionThis update fixes the CVEs described below.
A further issue, CVE-2014-9419, was considered, but appears to require extensive changes with a consequent high risk of regression. It is now unlikely to be fixed in squeeze-lts.
It was discovered that under specific circumstances, a combination of write operations to write-combined memory and locked CPU instructions may cause a core hang on AMD 16h 00h through 0Fh processors. A local user can use this flaw to mount a denial of service (system hang) via a crafted application.
For more information please refer to the AMD CPU erratum 793 in http://support.amd.com/TechDocs/51810_16h_00h-0Fh_Rev_Guide.
It was found that the splice() system call did not validate the given file offset and length. A local unprivileged user can use this flaw to cause filesystem corruption on ext4 filesystems, or possibly other effects.
It was found that the espfix functionality can be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks for) and using it for stack. A local unprivileged user could potentially use this flaw to leak kernel stack addresses.
It was found that the espfix functionality is wrongly disabled in a 32-bit KVM guest. A local unprivileged user could potentially use this flaw to leak kernel stack addresses.
It was found that a netfilter (iptables or ip6tables) rule accepting packets to a specific SCTP, DCCP, GRE or UDPlite port/endpoint could result in incorrect connection tracking state. If only the generic connection tracking module (nf_conntrack) was loaded, and not the protocol-specific connection tracking module, this would allow access to any port/endpoint of the specified protocol.
It was found that the ISO-9660 filesystem implementation (isofs) follows arbitrarily long chains, including loops, of Continuation Entries (CEs). This allows local users to mount a denial of service via a crafted disc image.
It was found that the ISO-9660 filesystem implementation (isofs) does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted disc image.
It was discovered that address randomisation for the vDSO in 64-bit processes is extremely biassed. A local unprivileged user could potentially use this flaw to bypass the ASLR protection mechanism.
It was found that the SCTP implementation could free authentication state while it was still in use, resulting in heap corruption. This could allow remote users to cause a denial of service or privilege escalation.
It was found that address randomisation for the initial stack in 64-bit processes was limited to 20 rather than 22 bits of entropy. A local unprivileged user could potentially use this flaw to bypass the ASLR protection mechanism.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpgrade the affected packages.