USN-95-1: Linux kernel vulnerabilities
Posted on: 03/15/2005 09:48 AM

A Linux kernel security update is available for Ubuntu Linux

==========================================================
Ubuntu Security Notice USN-95-1 March 15, 2005
linux-source-2.6.8.1 vulnerabilities
CAN-2005-0209, CAN-2005-0210, CAN-2005-0384, CAN-2005-0529,
CAN-2005-0530, CAN-2005-0531, CAN-2005-0532, CAN-2005-0736
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

linux-image-2.6.8.1-5-386
linux-image-2.6.8.1-5-686
linux-image-2.6.8.1-5-686-smp
linux-image-2.6.8.1-5-amd64-generic
linux-image-2.6.8.1-5-amd64-k8
linux-image-2.6.8.1-5-amd64-k8-smp
linux-image-2.6.8.1-5-amd64-xeon
linux-image-2.6.8.1-5-k7
linux-image-2.6.8.1-5-k7-smp
linux-image-2.6.8.1-5-power3
linux-image-2.6.8.1-5-power3-smp
linux-image-2.6.8.1-5-power4
linux-image-2.6.8.1-5-power4-smp
linux-image-2.6.8.1-5-powerpc
linux-image-2.6.8.1-5-powerpc-smp
linux-patch-debian-2.6.8.1

The problem can be corrected by upgrading the affected package to version 2.6.8.1-16.12. You need to reboot the computer after doing a standard system upgrade to effect the necessary changes.

Details follow:

A remote Denial of Service vulnerability was discovered in the Netfilter IP packet handler. This allowed a remote attacker to crash the machine by sending specially crafted IP packet fragments. (CAN-2005-0209)

The Netfilter code also contained a memory leak. Certain locally generated packet fragments are reassembled twice, which caused a double allocation of a data structure. This could be locally exploited to crash the machine due to kernel memory exhaustion. (CAN-2005-0210)

Ben Martel and Stephen Blackheath found a remote Denial of Service vulnerability in the PPP driver. This allowed a malicious pppd client to crash the server machine. (CAN-2005-0384)

Georgi Guninski discovered a buffer overflow in the ATM driver. The atm_get_addr() function does not validate its arguments sufficiently, which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could eventually lead to arbitrary code execution. (CAN-2005-0531)

Georgi Guninski also discovered three other integer comparison problems in the TTY layer, in the /proc interface and the ReiserFS driver. However, the previous Ubuntu security update (kernel version 2.6.8.1-16.11) already contained a patch which checks the arguments to these functions at a higher level and thus prevents these flaws from being exploited. (CAN-2005-0529, CAN-2005-0530, CAN-2005-0532)

Georgi Guninski discovered an integer overflow in the sys_epoll_wait() function which allowed local users to overwrite the first few kB of physical memory. However, very few applications actually use this space (dosemu is a notable exception), but potentially this could lead to privilege escalation. (CAN-2005-0736)

Eric Anholt discovered a race condition in the Radeon DRI driver. In some cases this allowed a local user with DRI privileges on a Radeon card to execute arbitrary code with root privileges.

Finally this update fixes a regression in the NFS server driver which was introduced in the previous security update (kernel version 2.6.8.1-16.11). We apologize for the inconvenience. (https://bugzilla.ubuntulinux.org/show_bug.cgi?id=6749)

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.12.diff.gz
Size/MD5: 3138173 562c678c1db3839022a46fe6707b17a2
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.12.dsc
Size/MD5: 2121 ca9878e5a4300fb3d3ae973528826752
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1.orig.tar.gz
Size/MD5: 44728688 79730a3ad4773ba65fab65515369df84

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-doc-2.6.8.1_2.6.8.1-16.12_all.deb
Size/MD5: 6156398 8c909af9ca59a3ca9332e9b104550345
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-patch-debian-2.6.8.1_2.6.8.1-16.12_all.deb
Size/MD5: 1494402 7a0837f2bf959a81c654c739adbd46e9
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.12_all.deb
Size/MD5: 36720352 05befe6c04d9327f92b49f8141220449
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-tree-2.6.8.1_2.6.8.1-16.12_all.deb
Size/MD5: 308034 147891a0041bcf9d210915a71914d6c0

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-amd64-generic_2.6.8.1-16.12_amd64.deb
Size/MD5: 247896 7dd57b2064006690e2cdcad73ee68d45
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-amd64-k8-smp_2.6.8.1-16.12_amd64.deb
Size/MD5: 243798 af368e29fd8253726f4d98fc61ae8e63
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-amd64-k8_2.6.8.1-16.12_amd64.deb
Size/MD5: 246918 2f15a30e62829856a793e1750d1627ec
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-amd64-xeon_2.6.8.1-16.12_amd64.deb
Size/MD5: 242064 095a0823406b09537441e3e57bc2ab6c
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5_2.6.8.1-16.12_amd64.deb
Size/MD5: 3178994 b3837998e2015412d6a23a1767ab1f11
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-amd64-generic_2.6.8.1-16.12_amd64.deb
Size/MD5: 14352688 c5be7b5e81a224bbe32c96f8abb4612e
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-amd64-k8-smp_2.6.8.1-16.12_amd64.deb
Size/MD5: 14828788 eb195f0cf157bfe5da0dc5b77b156c27
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-amd64-k8_2.6.8.1-16.12_amd64.deb
Size/MD5: 14861436 b43ddb164a0a2cc8808d1262b8d5750d
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-amd64-xeon_2.6.8.1-16.12_amd64.deb
Size/MD5: 14684670 3420b9272177aece4bde1a566e894cf2

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-386_2.6.8.1-16.12_i386.deb
Size/MD5: 276950 3d9f318befd4cabacf059a85c06324c0
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-686-smp_2.6.8.1-16.12_i386.deb
Size/MD5: 271656 09e1b2b404a079852f81b4d7b6eae7bb
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-686_2.6.8.1-16.12_i386.deb
Size/MD5: 274682 9f5ae2ee5d09e85f799eaf4ea3770615
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-k7-smp_2.6.8.1-16.12_i386.deb
Size/MD5: 272144 67499c9bafe38440ee8f3f2b09b667e8
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-k7_2.6.8.1-16.12_i386.deb
Size/MD5: 274840 754e3a4030ee75d3362466832849acbd
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5_2.6.8.1-16.12_i386.deb
Size/MD5: 3219706 508896938223113ea1699aa4151b8766
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-386_2.6.8.1-16.12_i386.deb
Size/MD5: 15495248 38b990d93eaba078db891bd7404c01e7
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-686-smp_2.6.8.1-16.12_i386.deb
Size/MD5: 16344242 89cb33e659438f4e34b68ba3c32106cd
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-686_2.6.8.1-16.12_i386.deb
Size/MD5: 16512992 4147111c66724fa8691e4b16c356ce86
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-k7-smp_2.6.8.1-16.12_i386.deb
Size/MD5: 16447442 663241c045b232b8b46ff9c5d5b2f973
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-k7_2.6.8.1-16.12_i386.deb
Size/MD5: 16572538 8b8891f4526497e43eab0c173f179615

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-power3-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 212792 cb39e28e0814976f2831528e20bf8deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-power3_2.6.8.1-16.12_powerpc.deb
Size/MD5: 213482 5b469307ceb0839a5ca73e170bd4b5a9
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-power4-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 212514 eec8a75e60edee4eb0784cc44b4c5991
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-power4_2.6.8.1-16.12_powerpc.deb
Size/MD5: 213232 7dc2c5a6884dc3bb9e12cb15c2d86475
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-powerpc-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 213112 71c2be933fe1cae5cf04a834af834b97
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5-powerpc_2.6.8.1-16.12_powerpc.deb
Size/MD5: 214548 72904d0d50787c36b097c11f480329ba
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-5_2.6.8.1-16.12_powerpc.deb
Size/MD5: 3297040 15f7b67ca420635504ba90d020cd5990
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-power3-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 16366562 437904d293401104d04e879394be098e
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-power3_2.6.8.1-16.12_powerpc.deb
Size/MD5: 15942190 1b71783b31ec56e29d09dfa8de844caa
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-power4-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 16353764 8aefa48d5f7461db9ede5fd05da3c57a
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-power4_2.6.8.1-16.12_powerpc.deb
Size/MD5: 15924916 14f880d34cd8f1e232ec52a559f046af
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-powerpc-smp_2.6.8.1-16.12_powerpc.deb
Size/MD5: 16289024 1878256aaff9b8bbb003554590d359b3
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-5-powerpc_2.6.8.1-16.12_powerpc.deb
Size/MD5: 15975818 8ba319a47d693a063cfae316aaf965e8


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_95_1_linux_kernel_vulnerabilities.html)