USN-281-1: Linux kernel vulnerabilities

4 May 2006

linux-source-2.6.10, linux-source-2.6.12 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04

Software Description

Details

The sys_mbind() function did not properly verify the validity of the ‘maxnod’ argument. A local user could exploit this to trigger a buffer overflow, which caused a kernel crash. (CVE-2006-0557)

The SELinux module did not correctly handle the tracer SID when a process was already being traced. A local attacker could exploit this to cause a kernel crash. (CVE-2006-1052)

Al Viro discovered a local Denial of Service in the sysfs write buffer handling. By writing a block with a length exactly equal to the processor’s page size to any writable file in /sys, a local attacker could cause a kernel crash. (CVE-2006-1055)

John Blackwood discovered a race condition with single-step debugging multiple processes at the same time. A local attacker could exploit this to crash the system. This only affects the amd64 platform. (CVE-2006-1066)

Marco Ivaldi discovered a flaw in the handling of the ID number of IP packets. This number was incremented after receiving unsolicited TCP SYN-ACK packets. A remote attacker could exploit this to conduct port scans with the ‘Idle scan’ method (nmap -sI), which bypassed intended port scan protections. (CVE-2006-1242)

Pavel Kankovsky discovered that the getsockopt() function, when called with an SO_ORIGINAL_DST argument, does not properly clear the returned structure, so that a random piece of kernel memory is exposed to the user. This could potentially reveal sensitive data like passwords or encryption keys. (CVE-2006-1343)

A buffer overflow was discovered in the USB Gadget RNDIS implementation. While creating a reply message, the driver did not allocate enough memory for the reply structure. A remote attacker could exploit this to cause a kernel crash. (CVE-2006-1368)

Alexandra Kossovsky discovered an invalid memory access in the ip_route_input() function. By using the ‘ip’ command in a particular way to retrieve multicast routes, a local attacker could exploit this to crash the kernel. (CVE-2006-1525)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
linux-image-2.6.10-6-386
linux-image-2.6.10-6-686
linux-image-2.6.10-6-686-smp
linux-image-2.6.10-6-amd64-generic
linux-image-2.6.10-6-amd64-k8
linux-image-2.6.10-6-amd64-k8-smp
linux-image-2.6.10-6-amd64-xeon
linux-image-2.6.10-6-itanium
linux-image-2.6.10-6-itanium-smp
linux-image-2.6.10-6-k7
linux-image-2.6.10-6-k7-smp
linux-image-2.6.10-6-mckinley
linux-image-2.6.10-6-mckinley-smp
linux-image-2.6.10-6-power3
linux-image-2.6.10-6-power3-smp
linux-image-2.6.10-6-power4
linux-image-2.6.10-6-power4-smp
linux-image-2.6.10-6-powerpc
linux-image-2.6.10-6-powerpc-smp
linux-image-2.6.12-10-386
linux-image-2.6.12-10-686
linux-image-2.6.12-10-686-smp
linux-image-2.6.12-10-amd64-generic
linux-image-2.6.12-10-amd64-k8
linux-image-2.6.12-10-amd64-k8-smp
linux-image-2.6.12-10-amd64-xeon
linux-image-2.6.12-10-hppa32
linux-image-2.6.12-10-hppa32-smp
linux-image-2.6.12-10-hppa64
linux-image-2.6.12-10-hppa64-smp
linux-image-2.6.12-10-iseries-smp
linux-image-2.6.12-10-itanium
linux-image-2.6.12-10-itanium-smp
linux-image-2.6.12-10-k7
linux-image-2.6.12-10-k7-smp
linux-image-2.6.12-10-mckinley
linux-image-2.6.12-10-mckinley-smp
linux-image-2.6.12-10-powerpc
linux-image-2.6.12-10-powerpc-smp
linux-image-2.6.12-10-powerpc64-smp
linux-patch-ubuntu-2.6.10
linux-patch-ubuntu-2.6.12
Ubuntu 5.04
linux-image-2.6.10-6-386
linux-image-2.6.10-6-686
linux-image-2.6.10-6-686-smp
linux-image-2.6.10-6-amd64-generic
linux-image-2.6.10-6-amd64-k8
linux-image-2.6.10-6-amd64-k8-smp
linux-image-2.6.10-6-amd64-xeon
linux-image-2.6.10-6-itanium
linux-image-2.6.10-6-itanium-smp
linux-image-2.6.10-6-k7
linux-image-2.6.10-6-k7-smp
linux-image-2.6.10-6-mckinley
linux-image-2.6.10-6-mckinley-smp
linux-image-2.6.10-6-power3
linux-image-2.6.10-6-power3-smp
linux-image-2.6.10-6-power4
linux-image-2.6.10-6-power4-smp
linux-image-2.6.10-6-powerpc
linux-image-2.6.10-6-powerpc-smp
linux-image-2.6.12-10-386
linux-image-2.6.12-10-686
linux-image-2.6.12-10-686-smp
linux-image-2.6.12-10-amd64-generic
linux-image-2.6.12-10-amd64-k8
linux-image-2.6.12-10-amd64-k8-smp
linux-image-2.6.12-10-amd64-xeon
linux-image-2.6.12-10-hppa32
linux-image-2.6.12-10-hppa32-smp
linux-image-2.6.12-10-hppa64
linux-image-2.6.12-10-hppa64-smp
linux-image-2.6.12-10-iseries-smp
linux-image-2.6.12-10-itanium
linux-image-2.6.12-10-itanium-smp
linux-image-2.6.12-10-k7
linux-image-2.6.12-10-k7-smp
linux-image-2.6.12-10-mckinley
linux-image-2.6.12-10-mckinley-smp
linux-image-2.6.12-10-powerpc
linux-image-2.6.12-10-powerpc-smp
linux-image-2.6.12-10-powerpc64-smp
linux-patch-ubuntu-2.6.10
linux-patch-ubuntu-2.6.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References