
[SECURITY] [DTSA-16-1] New linux-2.6 packages fix several holes



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-16-1              September 15, 2005
secure-testing-team@lists.alioth.debian.org                      Joey Hess
http://secure-testing-master.debian.net/
- --------------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : several holes
Problem-Scope  : remote
Debian-specific: No
CVE ID         : CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2617 CAN-2005-1913 CAN-2005-1761 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2004-2302 CAN-2005-1765 CAN-2005-1762 CAN-2005-1761 CAN-2005-2555 

Several security-related problems have been found in version 2.6 of the
Linux kernel. The Common Vulnerabilities and Exposures project identifies
the following problems:

CAN-2004-2302

  Race condition in the sysfs_read_file and sysfs_write_file functions in
  Linux kernel before 2.6.10 allows local users to read kernel memory and
  cause a denial of service (crash) via large offsets in sysfs files.

CAN-2005-1761

  Vulnerability in the Linux kernel allows local users to cause a
  denial of service (kernel crash) via ptrace.

CAN-2005-1762

  The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
  platform allows local users to cause a denial of service (kernel crash) via
  a "non-canonical" address.

CAN-2005-1765

  syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when
  running in 32-bit compatibility mode, allows local users to cause a denial
  of service (kernel hang) via crafted arguments.

CAN-2005-1913

  When a non group-leader thread called exec() to execute a different program
  while an itimer was pending, the timer expiry would signal the old group
  leader task, which did not exist any more. This caused a kernel panic.

CAN-2005-2098 

  The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
  2.6.12.5 contains an error path that does not properly release the session
  management semaphore, which allows local users or remote attackers to cause
  a denial of service (semaphore hang) via a new session keyring (1) with an
  empty name string, (2) with a long name string, (3) with the key quota
  reached, or (4) ENOMEM.

CAN-2005-2099

  The Linux kernel before 2.6.12.5 does not properly destroy a keyring that
  is not instantiated properly, which allows local users or remote attackers
  to cause a denial of service (kernel oops) via a keyring with a payload
  that is not empty, which causes the creation to fail, leading to a null
  dereference in the keyring destructor.

CAN-2005-2456

  Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c
  in Linux kernel 2.6 allows local users to cause a denial of service (oops
  or deadlock) and possibly execute arbitrary code via a p->dir value that is
  larger than XFRM_POLICY_OUT, which is used as an index in the
  sock->sk_policy array.

CAN-2005-2457

  The driver for compressed ISO file systems (zisofs) in the Linux kernel
  before 2.6.12.5 allows local users and remote attackers to cause a denial
  of service (kernel crash) via a crafted compressed ISO file system.

CAN-2005-2458

  inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows
  remote attackers to cause a denial of service (kernel crash) via a
  compressed file with "improper tables".

CAN-2005-2459

  The huft_build function in inflate.c in the zlib routines in the Linux
  kernel before 2.6.12.5 returns the wrong value, which allows remote
  attackers to cause a denial of service (kernel crash) via a certain
  compressed file that leads to a null pointer dereference, a different
  vulnerability than CAN-2005-2458.

CAN-2005-2548

  vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a denial
  of service (kernel oops from null dereference) via certain UDP packets that
  lead to a function call with the wrong argument, as demonstrated using
  snmpwalk on snmpd.

CAN-2005-2555

  Linux kernel 2.6.x does not properly restrict socket policy access to users
  with the CAP_NET_ADMIN capability, which could allow local users to conduct
  unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
  ipv6/ipv6_sockglue.c.

CAN-2005-2617

  The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12
  and later, on the amd64 architecture, does not check the return value of
  the insert_vm_struct function, which allows local users to trigger a memory
  leak via a 32-bit application with crafted ELF headers.

In addition, this update fixes some security issues that have not been
assigned CVE IDs:

  - Fix DST leak in icmp_push_reply().  Possible remote DoS?

  - NPTL signal delivery deadlock fix; possible local DoS.
  
  - fix a memory leak in devices seq_file implementation; local DoS.

  - Fix SKB leak in ip6_input_finish(); local DoS.

For the testing distribution (etch) this is fixed in version
2.6.12-6.

For the unstable distribution (sid) this is fixed in version
2.6.12-6.

This upgrade is recommended for users of version 2.6 of the Linux kernel.
Users of version 2.4 of the Linux kernel can also upgrade if desired, but
be warned that a major kernel upgrade is a complex process that is beyond
the scope of this advisory.

The Debian testing security team does not track security issues for the
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.

Upgrade Instructions
- --------------------

Your system does not need to be configured to use the Debian testing security
archive to install this update. The fixed kernel packages are available
in the regular Debian testing archive.

To install the update, first run this command as root:

  apt-get update

Next, install an appropriate kernel package for your architecture and
machine. The following kernel will work for all i386 machines:

  apt-get install linux-image-2.6-386

However, you may prefer to install an optimised kernel for your machine:

  apt-get install linux-image-2.6-686
  apt-get install linux-image-2.6-686-smp
  apt-get install linux-image-2.6-k7
  apt-get install linux-image-2.6-k7-smp

For the amd64 architecture, choose one of these kernels:

  apt-get install linux-image-2.6-amd64-generic
  apt-get install linux-image-2.6-amd64-k8
  apt-get install linux-image-2.6-amd64-k8-smp

For the powerpc architecture, choose one of these kernels:

  apt-get install linux-image-2.6-powerpc
  apt-get install linux-image-2.6-powerpc-smp
  apt-get install linux-image-2.6-powerpc64

For the sparc architecture, choose one of these kernels:

  apt-get install linux-image-2.6-sparc64
  apt-get install linux-image-2.6-sparc64-smp

  (Note that users of 32 bit sparc systems are no longer supported by the
  2.6 kernel.)

For the alpha architecture, choose one of these kernels:

  apt-get install linux-image-2.6-alpha-generic
  apt-get install linux-image-2.6-alpha-smp

For the ia64 architecture, choose one of these kernels:

  apt-get install linux-image-2.6-itanium
  apt-get install linux-image-2.6-itanium-smp
  apt-get install linux-image-2.6-mckinley
  apt-get install linux-image-2.6-mckinley-smp

For the hppa architecture, choose one of these kernels:

  apt-get install linux-image-2.6-parisc
  apt-get install linux-image-2.6-parisc-smp
  apt-get install linux-image-2.6-parisc64
  apt-get install linux-image-2.6-parisc64-smp

For the s390 architecture, choose one of these kernels:

  apt-get install linux-image-2.6-s390
  apt-get install linux-image-2.6-s390x

For the arm architecture, choose one of these kernels:

  apt-get install linux-image-2.6-footbridge
  apt-get install linux-image-2.6-ixp4xx
  apt-get install linux-image-2.6-rpc
  apt-get install linux-image-2.6-s3c2410

For the m68k architecture, choose one of these kernels:

  apt-get install linux-image-2.6-amiga
  apt-get install linux-image-2.6-atari
  apt-get install linux-image-2.6-bvme6000
  apt-get install linux-image-2.6-hp
  apt-get install linux-image-2.6-mac
  apt-get install linux-image-2.6-mvme147
  apt-get install linux-image-2.6-mvme16x
  apt-get install linux-image-2.6-q40
  apt-get install linux-image-2.6-sun3

Updated kernels are not yet available for the mips and mipsel
architectures.

Note that you may also need to upgrade third-party modules that are not
included in the kernel package.

Finally, reboot the system, taking care to boot the new 2.6.12 kernel with
your bootloader.

For further information about the Debian testing security team, please refer
to http://secure-testing-master.debian.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDKZt72tp5zXiKP0wRAr+UAJ0SvHLSEBWH7uUOu8u53ZMroqWIegCeJjae
u0d3/TG0l7Q9escyUecSrr4=
=g+ZX
-----END PGP SIGNATURE-----
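
Added example, not part of the advisory and not kernel code: a user-space model of the bug class described under CAN-2005-2456, where a caller-supplied direction value indexes the two-slot sk_policy array. The struct layout, the function names and the signed int type of dir are assumptions made for illustration; only XFRM_POLICY_OUT and sk_policy are names taken from the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only: the struct layout and function names are assumed. */
enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1 };

struct policy { int id; };

struct sock_model {
    struct policy *sk_policy[2]; /* one slot per direction: IN and OUT */
    void *guard;                 /* stands in for the field after the array */
};

/* "Before" pattern: a caller-supplied dir is used as the index unchecked.
 * Any dir outside 0..XFRM_POLICY_OUT addresses memory beyond sk_policy. */
int policy_insert_unchecked(struct sock_model *sk, int dir, struct policy *p)
{
    sk->sk_policy[dir] = p;
    return 0;
}

/* "After" pattern: reject out-of-range directions before indexing.
 * dir is a signed int in this model, so the lower bound is checked too. */
int policy_insert_checked(struct sock_model *sk, int dir, struct policy *p)
{
    if (dir < XFRM_POLICY_IN || dir > XFRM_POLICY_OUT)
        return -EINVAL;
    sk->sk_policy[dir] = p;
    return 0;
}

int main(void)
{
    struct sock_model sk = { { NULL, NULL }, NULL };
    struct policy pol = { 7 };           /* constructed sample policy */
    int dirs[] = { 0, 1, 2, -1, 255 };   /* constructed sample inputs */

    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("dir=%d -> %d\n", dirs[i],
               policy_insert_checked(&sk, dirs[i], &pol));
    printf("guard intact: %s\n", sk.guard == NULL ? "yes" : "no");
    return 0;
}
```

The unchecked variant is shown for contrast only and is never called; the checked variant leaves both the array and the adjacent field untouched when it rejects a value.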

