Nom du paquet
kernel
Date
2006-08-25
Advisory ID
MDKSA-2006:150
Affected versions
CS3.0 i586 , MNF2.0 i586 , CS3.0 x86_64

Problem description

A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Prior to 2.6.15.5, the kerenl allowed local users to obtain sensitive
information via a crafted XFS ftruncate call (CVE-2006-0554).

Prior to 2.6.15.5, the kernel did not properly handle uncanonical
return addresses on Intel EM64T CPUs causing the kernel exception
handler to run on the user stack with the wrong GS (CVE-2006-0744).

ip_conntrack_core.c in the 2.6 kernel, and possibly
nf_conntrack_l3proto_ipv4.c did not clear sockaddr_in.sin_zero before
returning IPv4 socket names from the getsockopt function with
SO_ORIGINAL_DST, which could allow local users to obtain portions of
potentially sensitive memory (CVE-2006-1343).

Prior to 2.6.16.17, the a buffer overflow in SCTP in the kernel allowed
remote attackers to cause a Denial of Service (crash) and possibly
execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857).

Prior to 2.6.16.17, SCTP in the kernel allowed remote attackers to
cause a DoS (crash) and possibly execute arbitrary code via a chunk
length that is inconsistent with the actual length of provided
parameters (CVE-2006-1858).

Prior to 2.6.16, a directory traversal vulnerability in CIFS could
allow a local user to escape chroot restrictions for an SMB-mounted
filesystem via "..\\" sequences (CVE-2006-1863).

Prior to 2.6.16, a directory traversal vulnerability in smbfs could
allow a local user to escape chroot restrictions for an SMB-mounted
filesystem via "..\\" sequences (CVE-2006-1864).

Prior to 2.6.17, Linux SCTP allowed a remote attacker to cause a DoS
(infinite recursion and crash) via a packet that contains two or more
DATA fragments, which caused an skb pointer to refer back to itself
when the full message is reassembled, leading to an infinite recursion
in the sctp_skb_pull function (CVE-2006-2274).

The dvd_read_bca function in the DVD handling code assigns the wrong
value to a length variable, which could allow local users to execute
arbitrary code via a crafted USB storage device that triggers a buffer
overflow (CVE-2006-2935).

Prior to 2.6.17, the ftdi_sio driver could allow local users to cause
a DoS (memory consumption) by writing more data to the serial port than
the hardware can handle, causing the data to be queued (CVE-2006-2936).

The 2.6 kernel, when using both NFS and EXT3, allowed remote attackers
to cause a DoS (file system panic) via a crafted UDP packet with a V2
lookup procedure that specifies a bad file handle (inode number),
triggering an error and causing an exported directory to be remounted
read-only (CVE-2006-3468).

The 2.6 kernel's SCTP was found to cause system crashes and allow for
the possibility of local privilege escalation due to a bug in the
get_user_iov_size() function that doesn't properly handle overflow when
calculating the length of iovec (CVE-2006-3745).

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels immediately
and reboot to effect the fixes.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate

Updated packages

CS3.0 i586

 9d14c43145beafb4e63fe8cae758d0f6  corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm
 e7331f51ed5cf4edee33efcb01f49243  corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.i586.rpm
 dcb027450192d7d73f407f30d3e3e852  corporate/3.0/RPMS/kernel-enterprise-2.6.3.35mdk-1-1mdk.i586.rpm
 59f29ace5cc862c84cace5d046d6302e  corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm
 6b062c5059587a927f31fea04fb91a3a  corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm
 744287198a20913bd38b1c1d37a68bd2  corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm
 17780ad90f4989615baab5f115074f8a  corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm
 4555bac09b7ce50d83b97c47af0b2724  corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.i586.rpm
 7165754462cdfcd92c894f56623bc8b0  corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.i586.rpm
 e59db387f0642f5293dc60283832557b  corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm

MNF2.0 i586

 5cab4be7c19a67689f33f01de208879e  mnf/2.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.i586.rpm
 ee1db88c9010b3a1af0f5ea93ce86505  mnf/2.0/RPMS/kernel-i686-up-4GB-2.6.3.35mdk-1-1mdk.i586.rpm
 0e3618eec1dcb5bca817ecec7e912836  mnf/2.0/RPMS/kernel-p3-smp-64GB-2.6.3.35mdk-1-1mdk.i586.rpm
 ded09245567203340c86b3ddacf21b3a  mnf/2.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.i586.rpm
 7efdc84f2748f1c2237a72ef94d90b31  mnf/2.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.i586.rpm
 d12744fdab6bf6606ed13fae69b51f50  mnf/2.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm

CS3.0 x86_64

 918a70fe836d900b217f442b5208c779  x86_64/corporate/3.0/RPMS/kernel-2.6.3.35mdk-1-1mdk.x86_64.rpm
 dd1ea77b15bd07c75f5ab7caf00dbde0  x86_64/corporate/3.0/RPMS/kernel-BOOT-2.6.3.35mdk-1-1mdk.x86_64.rpm
 c8964849f4142c2c51c3ddd298513753  x86_64/corporate/3.0/RPMS/kernel-secure-2.6.3.35mdk-1-1mdk.x86_64.rpm
 7a98664c4ba5f0d50a500c1158a8fb08  x86_64/corporate/3.0/RPMS/kernel-smp-2.6.3.35mdk-1-1mdk.x86_64.rpm
 3c4d5ca4f7a1a91d99fc182e499c9e76  x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-35mdk.x86_64.rpm
 a25c6705ba2b70c85c1c86e68cb0d3cd  x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-35mdk.x86_64.rpm
 e59db387f0642f5293dc60283832557b  x86_64/corporate/3.0/SRPMS/kernel-2.6.3.35mdk-1-1mdk.src.rpm

References