USN-199-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-199-1

10th October, 2005

linux-source-2.6.10, linux-source-2.6.8.1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04
  • Ubuntu 4.10

Details

A Denial of Service vulnerability was discovered in the
sys_set_mempolicy() function. By calling the function with a negative
first argument, a local attacker could cause a kernel crash.
(CAN-2005-3053)

A race condition was discovered in the handling of shared memory
mappings with CLONE_VM. A local attacker could exploit this to cause a
deadlock (Denial of Service) by triggering a core dump while waiting
for a thread which had just performed an exec() system call.
(CAN-2005-3106)

A race condition was found in the handling of traced processes. When
one thread was tracing another thread that shared the same memory map,
a local attacker could trigger a deadlock (Denial of Service) by
forcing a core dump when the traced thread was in the TASK_TRACED
state. (CAN-2005-3107)

A vulnerability has been found in the "ioremap" module. By performing
certain IO mapping operations, a local attacker could either read
memory pages he has not normally access to (information leak) or cause
a kernel crash (Denial of Service). This only affects the amd64
platform. (CAN-2005-3108)

The HFS and HFS+ file system drivers did not properly verify that the
file system that was attempted to be mounted really was HFS/HFS+. On
machines which allow users to mount arbitrary removable devices as HFS
or HFS+ with an /etc/fstab entry, this could be exploited to trigger a
kernel crash. (CAN-2005-3109)

Steve Herrel discovered a race condition in the "ebtables" netfilter
module. A remote attacker could exploit this by sending specially
crafted packets that caused a value to be modified after it had
been read but before it had been locked. This eventually lead to a
kernel crash. This only affects multiprocessor machines (SMP).
(CAN-2005-3110)

Robert Derr discovered a memory leak in the system call auditing code.
On a kernel which has the CONFIG_AUDITSYSCALL option enabled, this
leads to memory exhaustion and eventually a Denial of Service. A local
attacker could also speed this up by excessively calling system calls.
This only affects customized kernels built from the kernel source
packages. The standard Ubuntu kernel does not have the
CONFIG_AUDITSYSCALL option enabled, and is therefore not affected by
this.
(http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=829841146878e082613a49581ae252c071057c23)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 5.04:
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-powerpc-smp
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-k7-smp
linux-patch-debian-2.6.8.1
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-686-smp
linux-patch-ubuntu-2.6.10
linux-image-2.6.10-5-386
linux-image-2.6.10-5-itanium-smp
linux-image-2.6.10-5-power4
linux-image-2.6.10-5-amd64-k8
linux-image-2.6.10-5-mckinley-smp
linux-image-2.6.10-5-power4-smp
linux-image-2.6.10-5-amd64-k8-smp
linux-image-2.6.10-5-powerpc-smp
linux-image-2.6.10-5-mckinley
linux-image-2.6.10-5-itanium
linux-image-2.6.10-5-power3-smp
linux-image-2.6.10-5-686-smp
linux-image-2.6.10-5-power3
linux-image-2.6.10-5-powerpc
linux-image-2.6.10-5-amd64-xeon
linux-image-2.6.10-5-k7-smp
linux-image-2.6.10-5-amd64-generic
linux-image-2.6.10-5-k7
linux-image-2.6.10-5-686
Ubuntu 4.10:
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-powerpc-smp
linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-k7-smp
linux-patch-debian-2.6.8.1
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-686-smp
linux-patch-ubuntu-2.6.10
linux-image-2.6.10-5-386
linux-image-2.6.10-5-itanium-smp
linux-image-2.6.10-5-power4
linux-image-2.6.10-5-amd64-k8
linux-image-2.6.10-5-mckinley-smp
linux-image-2.6.10-5-power4-smp
linux-image-2.6.10-5-amd64-k8-smp
linux-image-2.6.10-5-powerpc-smp
linux-image-2.6.10-5-mckinley
linux-image-2.6.10-5-itanium
linux-image-2.6.10-5-power3-smp
linux-image-2.6.10-5-686-smp
linux-image-2.6.10-5-power3
linux-image-2.6.10-5-powerpc
linux-image-2.6.10-5-amd64-xeon
linux-image-2.6.10-5-k7-smp
linux-image-2.6.10-5-amd64-generic
linux-image-2.6.10-5-k7
linux-image-2.6.10-5-686

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

None

References

CVE-2005-3053, CVE-2005-3106, CVE-2005-3107, CVE-2005-3108, CVE-2005-3109, CVE-2005-3110