[SECURITY] [DSA 1184-2] New Linux 2.6.8 packages fix several vulnerabilities

[joey@infodrom.org (Martin Schulze)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1184-2                    security@debian.org
http://www.debian.org/security/                               Dann Frazier
September 26th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.6.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2004-2660 CVE-2005-4798 CVE-2006-1052 CVE-2006-1343
                 CVE-2006-1528 CVE-2006-1855 CVE-2006-1856 CVE-2006-2444
                 CVE-2006-2446 CVE-2006-2935 CVE-2006-2936 CVE-2006-3468
                 CVE-2006-3745 CVE-2006-4093 CVE-2006-4145 CVE-2006-4535
CERT advisory  : VU#681569
BugTraq IDs    : 17203 17830 18081 18099 18101 18105 18847 19033 19396
                 19562 19615 19666 20087

This advisory covers the S/390 components of the recent security
update for the Linux 2.6.8 kernel that was missing due to technical
problems.  For reference below please see the original advisory text.

Several security related problems have been discovered in the Linux
kernel which may lead to a denial of service or even the execution of
arbitrary code.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2004-2660

    Toshihiro Iwamoto discovered a memory leak in the handling of
    direct I/O writes that allows local users to cause a denial of
    service.

CVE-2005-4798

    A buffer overflow in NFS readlink handling allows a malicious
    remote server to cause a denial of service.

CVE-2006-1052

    Stephen Smalley discovered a bug in the SELinux ptrace handling
    that allows local users with ptrace permissions to change the
    tracer SID to the SID of another process.

CVE-2006-1343

    Pavel Kankovsky discovered an information leak in the getsockopt
    system call which can be exploited by a local program to leak
    potentially sensitive memory to userspace.

CVE-2006-1528

    Douglas Gilbert reported a bug in the sg driver that allows local
    users to cause a denial of service by performing direct I/O
    transfers from the sg driver to memory mapped I/O space.

CVE-2006-1855

    Mattia Belletti noticed that certain debugging code left in the
    process management code could be exploited by a local attacker to
    cause a denial of service.

CVE-2006-1856

    Kostik Belousov discovered a missing LSM file_permission check in
    the readv and writev functions which might allow attackers to
    bypass intended access restrictions.

CVE-2006-2444

    Patrick McHardy discovered a bug in the SNMP NAT helper that
    allows remote attackers to cause a denial of service.

CVE-2006-2446

    A race condition in the socket buffer handling allows remote
    attackers to cause a denial of service.

CVE-2006-2935

    Diego Calleja Garcia discovered a buffer overflow in the DVD
    handling code that could be exploited by a specially crafted DVD
    or USB storage device to execute arbitrary code.

CVE-2006-2936

    A bug in the serial USB driver has been discovered that could be
    exploited by a custom made USB serial adapter to consume arbitrary
    amounts of memory.

CVE-2006-3468

    James McKenzie discovered a denial of service vulnerability in the
    NFS driver.  When exporting an ext3 file system over NFS, a remote
    attacker could exploit this to trigger a file system panic by
    sending a specially crafted UDP packet.

CVE-2006-3745

    Wei Wang discovered a bug in the SCTP implementation that allows
    local users to cause a denial of service and possibly gain root
    privileges.

CVE-2006-4093

    Olof Johansson discovered that the kernel did not disable the HID0
    bit on PowerPC 970 processors which could be exploited by a local
    attacker to cause a denial of service.

CVE-2006-4145

    A bug in the Universal Disk Format (UDF) filesystem driver could
    be exploited by a local user to cause a denial of service.

CVE-2006-4535

    David Miller reported a problem with the fix for CVE-2006-3745
    that allows local users to crash the system using via an SCTP
    socket with a certain SO_LINGER value.


The following matrix explains which kernel version for which
architecture fixes the problem mentioned above:

                                     stable (sarge)
    Source                           2.6.8-16sarge5
    Alpha architecture               2.6.8-16sarge5
    AMD64 architecture               2.6.8-16sarge5
    HP Precision architecture        2.6.8-6sarge5
    Intel IA-32 architecture         2.6.8-16sarge5
    Intel IA-64 architecture         2.6.8-14sarge5
    Motorola 680x0 architecture      2.6.8-4sarge5
    PowerPC architecture             2.6.8-12sarge5
    IBM S/390                        2.6.8-5sarge5
    Sun Sparc architecture           2.6.8-15sarge5
    FAI                              1.9.1sarge4

Due to some internal problems kernel packages for the S/390 are
missing and will be provided later.

For the unstable distribution (sid) these problems have been fixed in
version 2.6.18-1.

We recommend that you upgrade your kernel package and reboot the
machine.  If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.dsc
      Size/MD5 checksum:      846 1bcc93834f3d4ae2a83731ba2dab444c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-s390_2.6.8-5sarge5.tar.gz
      Size/MD5 checksum:    13994 feb0f938746f52cf80597ef8ff5691fc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-patch-2.6.8-s390_2.6.8-5sarge5_all.deb
      Size/MD5 checksum:    12084 ab2e51bb8bbbbfcc392b725f955f96c0

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-headers-2.6.8-3_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  5087410 92c4b60e889e92f05f30214020b50955
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  2981914 f71d20cba548768ee4e44ffe28be947d
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390-tape_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  1144574 7e3ae52a9d115cdca1c79d3946cd4e6c
    http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-s390/kernel-image-2.6.8-3-s390x_2.6.8-5sarge5_s390.deb
      Size/MD5 checksum:  3189746 f1bd52a536ae5a13427c8b935bd81434


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFGMhrW5ql+IAeqTIRAhDtAJ48eEm9y5aou9FITfBIYY48Yd2bFQCfVmlO
f+oJiE+2K55wuG4SdHJf0yI=
=vH4C
-----END PGP SIGNATURE-----