USN-852-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-852-1

21st October, 2009

linux, linux-source-2.6.15 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • linux
  • linux-source-2.6.15

Details

Solar Designer discovered that the z90crypt driver did not correctly
check capabilities. A local attacker could exploit this to shut down
the device, leading to a denial of service. Only affected Ubuntu 6.06.
(CVE-2009-1883)

Michael Buesch discovered that the SGI GRU driver did not correctly check
the length when setting options. A local attacker could exploit this
to write to the kernel stack, leading to root privilege escalation or
a denial of service. Only affected Ubuntu 8.10 and 9.04. (CVE-2009-2584)

It was discovered that SELinux did not fully implement the mmap_min_addr
restrictions. A local attacker could exploit this to allocate the
NULL memory page which could lead to further attacks against kernel
NULL-dereference vulnerabilities. Ubuntu 6.06 was not affected.
(CVE-2009-2695)

Cagri Coltekin discovered that the UDP stack did not correctly handle
certain flags. A local user could send specially crafted commands and
traffic to gain root privileges or crash the system, leading to a denial
of service. Only affected Ubuntu 6.06. (CVE-2009-2698)

Hiroshi Shimamoto discovered that monotonic timers did not correctly
validate parameters. A local user could make a specially crafted timer
request to gain root privileges or crash the system, leading to a denial
of service. Only affected Ubuntu 9.04. (CVE-2009-2767)

Michael Buesch discovered that the HPPA ISA EEPROM driver did not
correctly validate positions. A local user could make a specially crafted
request to gain root privileges or crash the system, leading to a denial
of service. (CVE-2009-2846)

Ulrich Drepper discovered that kernel signal stacks were not being
correctly padded on 64-bit systems. A local attacker could send specially
crafted calls to expose 4 bytes of kernel stack memory, leading to a
loss of privacy. (CVE-2009-2847)

Jens Rosenboom discovered that the clone method did not correctly clear
certain fields. A local attacker could exploit this to gain privileges
or crash the system, leading to a denial of service. (CVE-2009-2848)

It was discovered that the MD driver did not check certain sysfs files.
A local attacker with write access to /sys could exploit this to cause
a system crash, leading to a denial of service. Ubuntu 6.06 was not
affected. (CVE-2009-2849)

Mark Smith discovered that the AppleTalk stack did not correctly
manage memory. A remote attacker could send specially crafted traffic
to cause the system to consume all available memory, leading to a denial
of service. (CVE-2009-2903)

Loïc Minier discovered that eCryptfs did not correctly handle writing
to certain deleted files. A local attacker could exploit this to gain
root privileges or crash the system, leading to a denial of service.
Ubuntu 6.06 was not affected. (CVE-2009-2908)

It was discovered that the LLC, AppleTalk, IR, EConet, Netrom, and
ROSE network stacks did not correctly initialize their data structures.
A local attacker could make specially crafted calls to read kernel memory,
leading to a loss of privacy. (CVE-2009-3001, CVE-2009-3002)

It was discovered that the randomization used for Address Space Layout
Randomization was predictable within a small window of time. A local
attacker could exploit this to leverage further attacks that require
knowledge of userspace memory layouts. (CVE-2009-3238)

Eric Paris discovered that NFSv4 did not correctly handle file creation
failures. An attacker with write access to an NFSv4 share could exploit
this to create files with arbitrary mode bits, leading to privilege
escalation or a loss of privacy. (CVE-2009-3286)

Bob Tracy discovered that the SCSI generic driver did not use the
correct index for array access. A local attacker with write access
to a CDR could exploit this to crash the system, leading to a denial
of service. Only Ubuntu 9.04 was affected. (CVE-2009-3288)

Jan Kiszka discovered that KVM did not correctly validate certain
hypercalls. A local unprivileged attacker in a virtual guest could exploit
this to crash the guest kernel, leading to a denial of service. Ubuntu
6.06 was not affected. (CVE-2009-3290)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04:
linux-image-2.6.28-16-virtual 2.6.28-16.55
linux-image-2.6.28-16-server 2.6.28-16.55
linux-image-2.6.28-16-ixp4xx 2.6.28-16.55
linux-image-2.6.28-16-lpia 2.6.28-16.55
linux-image-2.6.28-16-versatile 2.6.28-16.55
linux-image-2.6.28-16-iop32x 2.6.28-16.55
linux-image-2.6.28-16-generic 2.6.28-16.55
linux-image-2.6.28-16-imx51 2.6.28-16.55
Ubuntu 8.10:
linux-image-2.6.27-15-generic 2.6.27-15.43
linux-image-2.6.27-15-virtual 2.6.27-15.43
linux-image-2.6.27-15-server 2.6.27-15.43
Ubuntu 8.04 LTS:
linux-image-2.6.24-25-powerpc64-smp 2.6.24-25.63
linux-image-2.6.24-25-mckinley 2.6.24-25.63
linux-image-2.6.24-25-virtual 2.6.24-25.63
linux-image-2.6.24-25-hppa64 2.6.24-25.63
linux-image-2.6.24-25-sparc64-smp 2.6.24-25.63
linux-image-2.6.24-25-generic 2.6.24-25.63
linux-image-2.6.24-25-lpia 2.6.24-25.63
linux-image-2.6.24-25-powerpc-smp 2.6.24-25.63
linux-image-2.6.24-25-xen 2.6.24-25.63
linux-image-2.6.24-25-hppa32 2.6.24-25.63
linux-image-2.6.24-25-rt 2.6.24-25.63
linux-image-2.6.24-25-386 2.6.24-25.63
linux-image-2.6.24-25-powerpc 2.6.24-25.63
linux-image-2.6.24-25-openvz 2.6.24-25.63
linux-image-2.6.24-25-lpiacompat 2.6.24-25.63
linux-image-2.6.24-25-itanium 2.6.24-25.63
linux-image-2.6.24-25-sparc64 2.6.24-25.63
linux-image-2.6.24-25-server 2.6.24-25.63
Ubuntu 6.06 LTS:
linux-image-2.6.15-55-hppa64 2.6.15-55.80
linux-image-2.6.15-55-mckinley 2.6.15-55.80
linux-image-2.6.15-55-powerpc-smp 2.6.15-55.80
linux-image-2.6.15-55-hppa32-smp 2.6.15-55.80
linux-image-2.6.15-55-686 2.6.15-55.80
linux-image-2.6.15-55-amd64-k8 2.6.15-55.80
linux-image-2.6.15-55-amd64-server 2.6.15-55.80
linux-image-2.6.15-55-386 2.6.15-55.80
linux-image-2.6.15-55-sparc64-smp 2.6.15-55.80
linux-image-2.6.15-55-k7 2.6.15-55.80
linux-image-2.6.15-55-sparc64 2.6.15-55.80
linux-image-2.6.15-55-server 2.6.15-55.80
linux-image-2.6.15-55-powerpc64-smp 2.6.15-55.80
linux-image-2.6.15-55-hppa32 2.6.15-55.80
linux-image-2.6.15-55-mckinley-smp 2.6.15-55.80
linux-image-2.6.15-55-server-bigiron 2.6.15-55.80
linux-image-2.6.15-55-itanium-smp 2.6.15-55.80
linux-image-2.6.15-55-amd64-xeon 2.6.15-55.80
linux-image-2.6.15-55-powerpc 2.6.15-55.80
linux-image-2.6.15-55-amd64-generic 2.6.15-55.80
linux-image-2.6.15-55-hppa64-smp 2.6.15-55.80
linux-image-2.6.15-55-itanium 2.6.15-55.80

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
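As an added check that is not part of the notice: a small Python script that compares the kernel packages a dpkg query reports against the fixed versions listed above, and flags the pending-reboot case the ATTENTION note describes (fixed package installed, older ABI still running). The version ordering is a simplified dpkg comparison (no epochs, no '~'), and the sample package list is constructed.

```python
import re

# Fixed kernel ABI and package version for each affected release (from USN-852-1).
FIXED = {
    "9.04": ("2.6.28-16", "2.6.28-16.55"),
    "8.10": ("2.6.27-15", "2.6.27-15.43"),
    "8.04": ("2.6.24-25", "2.6.24-25.63"),
    "6.06": ("2.6.15-55", "2.6.15-55.80"),
}


def deb_version_cmp(a, b):
    """Simplified dpkg ordering (no epochs, no '~'): split each version into
    upstream and Debian revision at the last '-', then compare digit runs
    numerically and other runs lexically. Returns -1, 0 or 1."""
    def parts(v):
        upstream, _, revision = v.rpartition("-")
        return [re.findall(r"\d+|\D+", x) for x in (upstream, revision)]
    for ta, tb in zip(parts(a), parts(b)):
        for x, y in zip(ta, tb):
            if x.isdigit() and y.isdigit():
                x, y = int(x), int(y)
            if x != y:
                return -1 if x < y else 1
        if len(ta) != len(tb):
            return -1 if len(ta) < len(tb) else 1
    return 0


def assess(release, installed, running):
    """installed: {package: version} as `dpkg-query -W 'linux-image-*'` prints;
    running: the `uname -r` string. Returns (state, detail)."""
    abi, fixed = FIXED[release]
    fixed_pkgs = [p for p, v in installed.items()
                  if p.startswith("linux-image-%s-" % abi)
                  and deb_version_cmp(v, fixed) >= 0]
    if not fixed_pkgs:
        return ("vulnerable", "no linux-image-%s-* at %s or later installed" % (abi, fixed))
    # Fix installed but the old ABI still running: the vulnerable kernel is in use until reboot.
    if not running.startswith(abi + "-"):
        return ("reboot-required", "running %s, fixed ABI is %s" % (running, abi))
    return ("fixed", "running %s from %s" % (running, sorted(fixed_pkgs)[0]))


if __name__ == "__main__":
    # Constructed sample (versions not from the notice): Ubuntu 9.04 with the
    # fixed package installed next to the previous ABI, not yet rebooted.
    sample = {"linux-image-2.6.28-15-generic": "2.6.28-15.52",
              "linux-image-2.6.28-16-generic": "2.6.28-16.55"}
    print(assess("9.04", sample, "2.6.28-15-generic"))
```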

References

CVE-2009-1883, CVE-2009-2584, CVE-2009-2695, CVE-2009-2698, CVE-2009-2767, CVE-2009-2846, CVE-2009-2847, CVE-2009-2848, CVE-2009-2849, CVE-2009-2903, CVE-2009-2908, CVE-2009-3001, CVE-2009-3002, CVE-2009-3238, CVE-2009-3286, CVE-2009-3288, CVE-2009-3290