USN-199-1: Linux kernel vulnerabilities

11 October 2005

linux-source-2.6.10, linux-source-2.6.8.1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

A Denial of Service vulnerability was discovered in the sys_set_mempolicy() function. By calling the function with a negative first argument, a local attacker could cause a kernel crash. (CAN-2005-3053)

A race condition was discovered in the handling of shared memory mappings with CLONE_VM. A local attacker could exploit this to cause a deadlock (Denial of Service) by triggering a core dump while waiting for a thread which had just performed an exec() system call. (CAN-2005-3106)

A race condition was found in the handling of traced processes. When one thread was tracing another thread that shared the same memory map, a local attacker could trigger a deadlock (Denial of Service) by forcing a core dump when the traced thread was in the TASK_TRACED state. (CAN-2005-3107)

A vulnerability has been found in the “ioremap” module. By performing certain IO mapping operations, a local attacker could either read memory pages he has not normally access to (information leak) or cause a kernel crash (Denial of Service). This only affects the amd64 platform. (CAN-2005-3108)

The HFS and HFS+ file system drivers did not properly verify that the file system that was attempted to be mounted really was HFS/HFS+. On machines which allow users to mount arbitrary removable devices as HFS or HFS+ with an /etc/fstab entry, this could be exploited to trigger a kernel crash. (CAN-2005-3109)

Steve Herrel discovered a race condition in the “ebtables” netfilter module. A remote attacker could exploit this by sending specially crafted packets that caused a value to be modified after it had been read but before it had been locked. This eventually lead to a kernel crash. This only affects multiprocessor machines (SMP). (CAN-2005-3110)

Robert Derr discovered a memory leak in the system call auditing code. On a kernel which has the CONFIG_AUDITSYSCALL option enabled, this leads to memory exhaustion and eventually a Denial of Service. A local attacker could also speed this up by excessively calling system calls. This only affects customized kernels built from the kernel source packages. The standard Ubuntu kernel does not have the CONFIG_AUDITSYSCALL option enabled, and is therefore not affected by this. (http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=829841146878e082613a49581ae252c071057c23)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04
linux-image-2.6.10-5-386
linux-image-2.6.10-5-686
linux-image-2.6.10-5-686-smp
linux-image-2.6.10-5-amd64-generic
linux-image-2.6.10-5-amd64-k8
linux-image-2.6.10-5-amd64-k8-smp
linux-image-2.6.10-5-amd64-xeon
linux-image-2.6.10-5-itanium
linux-image-2.6.10-5-itanium-smp
linux-image-2.6.10-5-k7
linux-image-2.6.10-5-k7-smp
linux-image-2.6.10-5-mckinley
linux-image-2.6.10-5-mckinley-smp
linux-image-2.6.10-5-power3
linux-image-2.6.10-5-power3-smp
linux-image-2.6.10-5-power4
linux-image-2.6.10-5-power4-smp
linux-image-2.6.10-5-powerpc
linux-image-2.6.10-5-powerpc-smp
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-686-smp
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-k7-smp
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-powerpc-smp
linux-patch-debian-2.6.8.1
linux-patch-ubuntu-2.6.10
Ubuntu 4.10
linux-image-2.6.10-5-386
linux-image-2.6.10-5-686
linux-image-2.6.10-5-686-smp
linux-image-2.6.10-5-amd64-generic
linux-image-2.6.10-5-amd64-k8
linux-image-2.6.10-5-amd64-k8-smp
linux-image-2.6.10-5-amd64-xeon
linux-image-2.6.10-5-itanium
linux-image-2.6.10-5-itanium-smp
linux-image-2.6.10-5-k7
linux-image-2.6.10-5-k7-smp
linux-image-2.6.10-5-mckinley
linux-image-2.6.10-5-mckinley-smp
linux-image-2.6.10-5-power3
linux-image-2.6.10-5-power3-smp
linux-image-2.6.10-5-power4
linux-image-2.6.10-5-power4-smp
linux-image-2.6.10-5-powerpc
linux-image-2.6.10-5-powerpc-smp
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-686-smp
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-k7-smp
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-powerpc-smp
linux-patch-debian-2.6.8.1
linux-patch-ubuntu-2.6.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References