USN-110-1: Linux kernel vulnerabilities

11 April 2005

linux-source-2.6.8.1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 4.10

Software Description

Details

Alexander Nyberg discovered an integer overflow in the sysfs_write_file() function. A local attacker could exploit this to crash the kernel or possibly even execute arbitrary code with root privileges by writing to an user-writable file in /sys under certain low-memory conditions. However, there are very few cases where a user-writeable sysfs file actually exists. (CAN-2005-0867)

Olof Johansson discovered a Denial of Service vulnerability in the futex functions, which provide semaphores for exclusive locking of resources. A local attacker could possibly exploit this to cause a kernel deadlock. (CAN-2005-0937)

In addition this update fixes two race conditions in the ext3 and jfs file system drivers, which could lead to a kernel crash under certain (unusual) conditions. However, these cannot easily be triggered by users, thus they are not security sensitive. (http://linux.bkbits.net:8080/linux-2.5/gnupatch@4248d87aETPJX79hVXl4owAUwu2SmQ, http://linux.bkbits.net:8080/linux-2.6/cset@1.2181.46.242)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-686-smp
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-k7-smp
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-powerpc-smp
linux-patch-debian-2.6.8.1
linux-source-2.6.8.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References