MDVSA-2008:008
- Package name
- kernel
- Date
- 2008-01-11
- Advisory ID
- MDVSA-2008:008
- Affected versions
- CS4.0 x86_64 , CS4.0 i586
Problem description
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:
The CIFS filesystem, when Unix extension support is enabled, does
not honor the umask of a process, which allows local users to gain
privileges. (CVE-2007-3740)
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors. (CVE-2007-4133)
The IA32 system call emulation functionality in Linux kernel 2.4.x
and 2.6.x before 2.6.22.7, when running on the x86_64 architecture,
does not zero extend the eax register after the 32bit entry path to
ptrace is used, which might allow local users to gain privileges by
triggering an out-of-bounds access to the system call table using the
%RAX register. This issue was already fixed in the regular kernel,
it is now being fixed also in the Xen kernel. (CVE-2007-4573)
Integer underflow in the ieee80211_rx function in
net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before
2.6.23 allows remote attackers to cause a denial of service (crash)
via a crafted SKB length value in a runt IEEE 802.11 frame when
the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two
error. (CVE-2007-4997)
The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device. (CVE-2007-5093)
The wait_task_stopped function in the Linux kernel before 2.6.23.8
checks a TASK_TRACED bit instead of an exit_state value, which
allows local users to cause a denial of service (machine crash) via
unspecified vectors. NOTE: some of these details are obtained from
third party information. (CVE-2007-5500)
The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and
possibly other versions, allows local users to cause a denial of
service (hang) via a malformed minix file stream that triggers an
infinite loop in the minix_bmap function. NOTE: this issue might be
due to an integer overflow or signedness error. (CVE-2006-6058)
Buffer overflow in the isdn_net_setcfg function in isdn_net.c in
Linux kernel 2.6.23 allows local users to have an unknown impact via
a crafted argument to the isdn_ioctl function. (CVE-2007-6063)
Additionaly, support for Promise 4350 controller was added (stex
module).
To update your kernel, please follow the directions located at:
http://www.mandriva.com/en/security/kernelupdate
Updated packages
CS4.0 x86_64
d2e4070842e4a6ea4d9e029a5977d929 corporate/4.0/x86_64/kernel-2.6.12.33mdk-1-1mdk.x86_64.rpm bf3014e8afe93ab0a8877e1d80d921e4 corporate/4.0/x86_64/kernel-BOOT-2.6.12.33mdk-1-1mdk.x86_64.rpm ac4c529077ff74e82362c1b7d4404233 corporate/4.0/x86_64/kernel-doc-2.6.12.33mdk-1-1mdk.x86_64.rpm fe2963758a2fbef0ed561dd41741f1f0 corporate/4.0/x86_64/kernel-smp-2.6.12.33mdk-1-1mdk.x86_64.rpm f8ea4d85518c1e2e6a8b163febbb39f8 corporate/4.0/x86_64/kernel-source-2.6.12.33mdk-1-1mdk.x86_64.rpm 773dd4eb7e4ebbe76c49817399bdfb23 corporate/4.0/x86_64/kernel-source-stripped-2.6.12.33mdk-1-1mdk.x86_64.rpm 83c8eb396798958d3a0581f7610973e8 corporate/4.0/x86_64/kernel-xen0-2.6.12.33mdk-1-1mdk.x86_64.rpm e3a4fc8ac6984d283aebcbf8c733942f corporate/4.0/x86_64/kernel-xenU-2.6.12.33mdk-1-1mdk.x86_64.rpm 877a5d94905829128211ecc1dd538138 corporate/4.0/SRPMS/kernel-2.6.12.33mdk-1-1mdk.src.rpm
CS4.0 i586
07fa3648c4fcad266094de58ee5f7976 corporate/4.0/i586/kernel-2.6.12.33mdk-1-1mdk.i586.rpm e252e134fca461feeee210bc85fe0b66 corporate/4.0/i586/kernel-BOOT-2.6.12.33mdk-1-1mdk.i586.rpm 2364ec022ffd41f61ef19aa4da196584 corporate/4.0/i586/kernel-doc-2.6.12.33mdk-1-1mdk.i586.rpm 56b9c725e2370594ea37bff83bec8adf corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.33mdk-1-1mdk.i586.rpm ac5b435ab4b230da799b12b06054e3e5 corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.33mdk-1-1mdk.i586.rpm 4bd260613b29981fd3b0a742707c6785 corporate/4.0/i586/kernel-smp-2.6.12.33mdk-1-1mdk.i586.rpm 4111453b8da035fa44428f7d79b77c64 corporate/4.0/i586/kernel-source-2.6.12.33mdk-1-1mdk.i586.rpm c31d879b0becf2c84569ad18615fbe7c corporate/4.0/i586/kernel-source-stripped-2.6.12.33mdk-1-1mdk.i586.rpm 9e8f1b4d991c1b144b5e999b647bbce6 corporate/4.0/i586/kernel-xbox-2.6.12.33mdk-1-1mdk.i586.rpm 895efcf862e5e8428ceec714f29666da corporate/4.0/i586/kernel-xen0-2.6.12.33mdk-1-1mdk.i586.rpm bab9c0071d482b0e3c03c181b8cca71a corporate/4.0/i586/kernel-xenU-2.6.12.33mdk-1-1mdk.i586.rpm 877a5d94905829128211ecc1dd538138 corporate/4.0/SRPMS/kernel-2.6.12.33mdk-1-1mdk.src.rpm
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6063
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5500
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5093
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4997
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4573
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4133
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3740