USN-864-1: Linux kernel vulnerabilities

5 December 2009

linux, linux-source-2.6.15 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • linux
  • linux-source-2.6.15

Details

It was discovered that the AX.25 network subsystem did not correctly check integer signedness in certain setsockopt calls. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-2909)

Jan Beulich discovered that the kernel could leak register contents to 32-bit processes that were switched to 64-bit mode. A local attacker could run a specially crafted binary to read register values from an earlier process, leading to a loss of privacy. (CVE-2009-2910)

Dave Jones discovered that the gdth SCSI driver did not correctly validate array indexes in certain ioctl calls. A local attacker could exploit this to crash the system or gain elevated privileges. (CVE-2009-3080)

Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems would leak kernel memory via uninitialized structure members. A local attacker could exploit this to read several bytes of kernel memory, leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612)

Earl Chew discovered race conditions in pipe handling. A local attacker could exploit anonymous pipes via /proc/*/fd/ and crash the system or gain root privileges. (CVE-2009-3547)

Dave Jones and Francois Romieu discovered that the r8169 network driver could be made to leak kernel memory. A remote attacker could send a large number of jumbo frames until the system memory was exhausted, leading to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613).

Ben Hutchings discovered that the ATI Rage 128 video driver did not correctly validate initialization states. A local attacker could make specially crafted ioctl calls to crash the system or gain root privileges. (CVE-2009-3620)

Tomoki Sekiyama discovered that Unix sockets did not correctly verify namespaces. A local attacker could exploit this to cause a system hang, leading to a denial of service. (CVE-2009-3621)

J. Bruce Fields discovered that NFSv4 did not correctly use the credential cache. A local attacker using a mount with AUTH_NULL authentication could exploit this to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3623)

Alexander Zangerl discovered that the kernel keyring did not correctly reference count. A local attacker could issue a series of specially crafted keyring calls to crash the system or gain root privileges. Only Ubuntu 9.10 was affected. (CVE-2009-3624)

David Wagner discovered that KVM did not correctly bounds-check CPUID entries. A local attacker could exploit this to crash the system or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3638)

Avi Kivity discovered that KVM did not correctly check privileges when accessing debug registers. A local attacker could exploit this to crash a host system from within a guest system, leading to a denial of service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722)

Philip Reisner discovered that the connector layer for uvesafb, pohmelfs, dst, and dm did not correctly check capabilties. A local attacker could exploit this to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-3725)

Trond Myklebust discovered that NFSv4 clients did not robustly verify attributes. A malicious remote NFSv4 server could exploit this to crash a client or gain root privileges. Ubuntu 9.10 was not affected. (CVE-2009-3726)

Robin Getz discovered that NOMMU systems did not correctly validate NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to allocate large amounts of memory to crash the system, leading to a denial of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888)

Joseph Malicki discovered that the MegaRAID SAS driver had world-writable option files. A local attacker could exploit these to disrupt the behavior of the controller, leading to a denial of service. (CVE-2009-3889, CVE-2009-3939)

Roel Kluin discovered that the Hisax ISDN driver did not correctly check the size of packets. A remote attacker could send specially crafted packets to cause a system crash, leading to a denial of service. (CVE-2009-4005)

Lennert Buytenhek discovered that certain 802.11 states were not handled correctly. A physically-proximate remote attacker could send specially crafted wireless traffic that would crash the system, leading to a denial of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
linux-image-2.6.31-16-386 - 2.6.31-16.52
linux-image-2.6.31-16-generic - 2.6.31-16.52
linux-image-2.6.31-16-generic-pae - 2.6.31-16.52
linux-image-2.6.31-16-ia64 - 2.6.31-16.52
linux-image-2.6.31-16-lpia - 2.6.31-16.52
linux-image-2.6.31-16-powerpc - 2.6.31-16.52
linux-image-2.6.31-16-powerpc-smp - 2.6.31-16.52
linux-image-2.6.31-16-powerpc64-smp - 2.6.31-16.52
linux-image-2.6.31-16-server - 2.6.31-16.52
linux-image-2.6.31-16-sparc64 - 2.6.31-16.52
linux-image-2.6.31-16-sparc64-smp - 2.6.31-16.52
linux-image-2.6.31-16-virtual - 2.6.31-16.52
Ubuntu 9.04
linux-image-2.6.28-17-generic - 2.6.28-17.58
linux-image-2.6.28-17-imx51 - 2.6.28-17.58
linux-image-2.6.28-17-iop32x - 2.6.28-17.58
linux-image-2.6.28-17-ixp4xx - 2.6.28-17.58
linux-image-2.6.28-17-lpia - 2.6.28-17.58
linux-image-2.6.28-17-server - 2.6.28-17.58
linux-image-2.6.28-17-versatile - 2.6.28-17.58
linux-image-2.6.28-17-virtual - 2.6.28-17.58
Ubuntu 8.10
linux-image-2.6.27-16-generic - 2.6.27-16.44
linux-image-2.6.27-16-server - 2.6.27-16.44
linux-image-2.6.27-16-virtual - 2.6.27-16.44
Ubuntu 8.04 LTS
linux-image-2.6.24-26-386 - 2.6.24-26.64
linux-image-2.6.24-26-generic - 2.6.24-26.64
linux-image-2.6.24-26-hppa32 - 2.6.24-26.64
linux-image-2.6.24-26-hppa64 - 2.6.24-26.64
linux-image-2.6.24-26-itanium - 2.6.24-26.64
linux-image-2.6.24-26-lpia - 2.6.24-26.64
linux-image-2.6.24-26-lpiacompat - 2.6.24-26.64
linux-image-2.6.24-26-mckinley - 2.6.24-26.64
linux-image-2.6.24-26-openvz - 2.6.24-26.64
linux-image-2.6.24-26-powerpc - 2.6.24-26.64
linux-image-2.6.24-26-powerpc-smp - 2.6.24-26.64
linux-image-2.6.24-26-powerpc64-smp - 2.6.24-26.64
linux-image-2.6.24-26-rt - 2.6.24-26.64
linux-image-2.6.24-26-server - 2.6.24-26.64
linux-image-2.6.24-26-sparc64 - 2.6.24-26.64
linux-image-2.6.24-26-sparc64-smp - 2.6.24-26.64
linux-image-2.6.24-26-virtual - 2.6.24-26.64
linux-image-2.6.24-26-xen - 2.6.24-26.64
usb-modules-2.6.24-26-sparc64-di - 2.6.24-26.64
Ubuntu 6.06 LTS
linux-image-2.6.15-55-386 - 2.6.15-55.81
linux-image-2.6.15-55-686 - 2.6.15-55.81
linux-image-2.6.15-55-amd64-generic - 2.6.15-55.81
linux-image-2.6.15-55-amd64-k8 - 2.6.15-55.81
linux-image-2.6.15-55-amd64-server - 2.6.15-55.81
linux-image-2.6.15-55-amd64-xeon - 2.6.15-55.81
linux-image-2.6.15-55-hppa32 - 2.6.15-55.81
linux-image-2.6.15-55-hppa32-smp - 2.6.15-55.81
linux-image-2.6.15-55-hppa64 - 2.6.15-55.81
linux-image-2.6.15-55-hppa64-smp - 2.6.15-55.81
linux-image-2.6.15-55-itanium - 2.6.15-55.81
linux-image-2.6.15-55-itanium-smp - 2.6.15-55.81
linux-image-2.6.15-55-k7 - 2.6.15-55.81
linux-image-2.6.15-55-mckinley - 2.6.15-55.81
linux-image-2.6.15-55-mckinley-smp - 2.6.15-55.81
linux-image-2.6.15-55-powerpc - 2.6.15-55.81
linux-image-2.6.15-55-powerpc-smp - 2.6.15-55.81
linux-image-2.6.15-55-powerpc64-smp - 2.6.15-55.81
linux-image-2.6.15-55-server - 2.6.15-55.81
linux-image-2.6.15-55-server-bigiron - 2.6.15-55.81
linux-image-2.6.15-55-sparc64 - 2.6.15-55.81
linux-image-2.6.15-55-sparc64-smp - 2.6.15-55.81

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06) the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.

References