Package name: kernel
Date: 2005-06-30
Advisory ID: MDKSA-2005:110
Affected versions: MNF2.0 i586, 10.2 x86_64, 10.0 amd64, 10.2 i586, 10.1 i586, 10.0 i586, CS3.0 x86_64, CS3.0 i586, 10.1 x86_64

Problem description

Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update.

The following CVE names have been fixed in the LE2005 kernel:

Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology that could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CAN-2005-0109).

An information leak was found in the ext2 filesystem code in kernels prior to 2.6.11.6: when a new directory is created, the ext2 block written to disk is not initialized (CAN-2005-0400).

A flaw when freeing a pointer in load_elf_library was found in kernels prior to 2.6.11.6 that could be abused by a local user to potentially crash the machine, causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CAN-2005-0750).

Paul Starzetz found an integer overflow in the ELF binary format loader's core dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CAN-2005-1263).

The drivers for raw devices used the wrong function to pass arguments to the underlying block device in 2.6.x kernels. This made the kernel address space accessible to user-space applications, allowing any local user with at least read access to a device in /dev/raw/* (usually only root) to execute arbitrary code with kernel privileges (CAN-2005-1264).

The it87 and via686a hardware monitor drivers in kernels prior to 2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named 'alarms' with write permissions, although they are not designed to be writable. This allowed a local user to crash the kernel by attempting to write to these files (CAN-2005-1369).

In addition to the above-noted CAN-2005-0109, CAN-2005-0400, CAN-2005-0749, CAN-2005-0750, and CAN-2005-1369 fixes, the following CVE names have been fixed in the 10.1 kernel:

The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to and including 2.6.8.1 did not properly handle the credentials of a process that is launched before the module is loaded, which could be used by local attackers to gain elevated privileges (CAN-2004-1337).

A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where, on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CAN-2005-0384).

George Guninski discovered a buffer overflow in the ATM driver in kernels 2.6.10 and 2.6.11 before 2.6.11-rc4, where the atm_get_addr() function does not validate its arguments sufficiently. This could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument, and could potentially lead to the execution of arbitrary code (CAN-2005-0531).

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c before kernel 2.6.11, when running on 64-bit architectures, could allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. This could allow an attacker to overwrite kernel memory, crash the machine, or potentially obtain root access (CAN-2005-0532).

A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a local user with DRI privileges to execute arbitrary code as root (CAN-2005-0767).

Access was not restricted to the N_MOUSE discipline for a TTY in kernels prior to 2.6.11. This could allow local attackers to obtain elevated privileges by injecting mouse or keyboard events into other users' sessions (CAN-2005-0839).

Some futex functions in futex.c in 2.6 kernels performed get_user calls while holding the mmap_sem semaphore, which could allow a local attacker to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions (CAN-2005-0937).

In addition to the above-noted CAN-2004-1337, CAN-2005-0109, CAN-2005-0384, CAN-2005-0400, CAN-2005-0531, CAN-2005-0532, CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0839, CAN-2005-0937, CAN-2005-1263, CAN-2005-1264, and CAN-2005-1369 fixes, the following CVE names have been fixed in the 10.0/Corporate 3.0 kernels:

A race condition in the setsid function in kernels before 2.6.8.1 could allow a local attacker to cause a Denial of Service and possibly access portions of kernel memory related to TTY changes, locking, and semaphores (CAN-2005-0178).

When forwarding fragmented packets in kernel 2.6.8.1, a hardware-assisted checksum could only be used once, which could lead to a Denial of Service attack or crash by remote users (CAN-2005-0209).

A signedness error in the copy_from_read_buf function in n_tty.c before kernel 2.6.11 allows local users to read kernel memory via a negative argument (CAN-2005-0530).

A vulnerability in the fib_seq_start() function allowed a local user to crash the system by reading /proc/net/route in a certain way, causing a Denial of Service (CAN-2005-1041).

The Direct Rendering Manager (DRM) driver in the 2.6 kernel does not properly check the DMA lock, which could allow remote attackers or local users to cause a Denial of Service (X Server crash) and possibly modify the video output (CAN-2004-1056).
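
Several of the issues above (CAN-2005-0530, CAN-2005-0531, CAN-2005-0532) come down to a length that is checked as one integer type and used as another. The following is an added illustration of that bug class beside a hardened check; it is not kernel code and not part of the advisory, and every name in it (struct region, BUF_SIZE, the function names) is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed capacity, not a kernel constant */

struct region { unsigned char data[BUF_SIZE]; };

/* Flawed pattern 1 (signedness): only the upper bound is checked on a
 * signed length, so a negative value passes and converts to a huge
 * unsigned count. Returns the count a copy would receive; 0 = rejected.
 * No copy is performed here. */
size_t flawed_signed_len(int len)
{
    if (len > BUF_SIZE)
        return 0;
    return (size_t)len;            /* -1 becomes SIZE_MAX */
}

/* Flawed pattern 2 (64-bit narrowing): a 64-bit count is stored in an
 * int before the bound check, so the high bits are lost (wraps on
 * common compilers). Returns 1 if the flawed check accepts the count. */
int flawed_narrow_accepts(uint64_t count)
{
    int n = (int)count;
    return n <= BUF_SIZE;
}

/* Hardened form: validate the untrusted length in its full width,
 * reject negatives explicitly, then convert once for the copy. */
int checked_copy(struct region *dst, const void *src, int64_t len)
{
    if (len < 0 || (uint64_t)len > sizeof dst->data)
        return -1;
    memcpy(dst->data, src, (size_t)len);
    return 0;
}

int main(void)
{
    struct region r;
    printf("flawed signed, len=-1:     %zu\n", flawed_signed_len(-1));
    printf("flawed narrow, 2^32+8:     %d\n", flawed_narrow_accepts(0x100000008ULL));
    printf("checked, len=-1:           %d\n", checked_copy(&r, "AAAAAAAA", -1));
    printf("checked, len=2^32+8:       %d\n", checked_copy(&r, "AAAAAAAA", 0x100000008LL));
    printf("checked, len=8:            %d\n", checked_copy(&r, "AAAAAAAA", 8));
    return 0;
}
```
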

Updated packages

MNF2.0 i586


10.2 x86_64


10.0 amd64


10.2 i586


10.1 i586


10.0 i586


CS3.0 x86_64


CS3.0 i586


10.1 x86_64


References