USN-95-1: Linux kernel vulnerabilities
Posted on: 03/15/2005 10:48 AM

A Linux kernel security update is available for Ubuntu Linux

Ubuntu Security Notice USN-95-1 March 15, 2005
linux-source- vulnerabilities
CAN-2005-0209, CAN-2005-0210, CAN-2005-0384, CAN-2005-0529,
CAN-2005-0530, CAN-2005-0531, CAN-2005-0532, CAN-2005-0736

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:


The problem can be corrected by upgrading the affected package to version You need to reboot the computer after doing a standard system upgrade to effect the necessary changes.

Details follow:

A remote Denial of Service vulnerability was discovered in the Netfilter IP packet handler. This allowed a remote attacker to crash the machine by sending specially crafted IP packet fragments. (CAN-2005-0209)

The Netfilter code also contained a memory leak. Certain locally generated packet fragments are reassembled twice, which caused a double allocation of a data structure. This could be locally exploited to crash the machine due to kernel memory exhaustion. (CAN-2005-0210)

Ben Martel and Stephen Blackheath found a remote Denial of Service vulnerability in the PPP driver. This allowed a malicious pppd client to crash the server machine. (CAN-2005-0384)

Georgi Guninski discovered a buffer overflow in the ATM driver. The atm_get_addr() function does not validate its arguments sufficiently, which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could eventually lead to arbitrary code execution. (CAN-2005-0531)

Georgi Guninski also discovered three other integer comparison problems in the TTY layer, in the /proc interface and the ReiserFS driver. However, the previous Ubuntu security update (kernel version already contained a patch which checks the arguments to these functions at a higher level and thus prevents these flaws from being exploited. (CAN-2005-0529, CAN-2005-0530, CAN-2005-0532)

Georgi Guninski discovered an integer overflow in the sys_epoll_wait() function which allowed local users to overwrite the first few kB of physical memory. However, very few applications actually use this space (dosemu is a notable exception), but potentially this could lead to privilege escalation. (CAN-2005-0736)

Eric Anholt discovered a race condition in the Radeon DRI driver. In some cases this allowed a local user with DRI privileges on a Radeon card to execute arbitrary code with root privileges.

Finally this update fixes a regression in the NFS server driver which was introduced in the previous security update (kernel version We apologize for the inconvenience. (

Source archives:
Size/MD5: 3138173 562c678c1db3839022a46fe6707b17a2
Size/MD5: 2121 ca9878e5a4300fb3d3ae973528826752
Size/MD5: 44728688 79730a3ad4773ba65fab65515369df84

Architecture independent packages:
Size/MD5: 6156398 8c909af9ca59a3ca9332e9b104550345
Size/MD5: 1494402 7a0837f2bf959a81c654c739adbd46e9
Size/MD5: 36720352 05befe6c04d9327f92b49f8141220449
Size/MD5: 308034 147891a0041bcf9d210915a71914d6c0

amd64 architecture (Athlon64, Opteron, EM64T Xeon)
Size/MD5: 247896 7dd57b2064006690e2cdcad73ee68d45
Size/MD5: 243798 af368e29fd8253726f4d98fc61ae8e63
Size/MD5: 246918 2f15a30e62829856a793e1750d1627ec
Size/MD5: 242064 095a0823406b09537441e3e57bc2ab6c
Size/MD5: 3178994 b3837998e2015412d6a23a1767ab1f11
Size/MD5: 14352688 c5be7b5e81a224bbe32c96f8abb4612e
Size/MD5: 14828788 eb195f0cf157bfe5da0dc5b77b156c27
Size/MD5: 14861436 b43ddb164a0a2cc8808d1262b8d5750d
Size/MD5: 14684670 3420b9272177aece4bde1a566e894cf2

i386 architecture (x86 compatible Intel/AMD)
Size/MD5: 276950 3d9f318befd4cabacf059a85c06324c0
Size/MD5: 271656 09e1b2b404a079852f81b4d7b6eae7bb
Size/MD5: 274682 9f5ae2ee5d09e85f799eaf4ea3770615
Size/MD5: 272144 67499c9bafe38440ee8f3f2b09b667e8
Size/MD5: 274840 754e3a4030ee75d3362466832849acbd
Size/MD5: 3219706 508896938223113ea1699aa4151b8766
Size/MD5: 15495248 38b990d93eaba078db891bd7404c01e7
Size/MD5: 16344242 89cb33e659438f4e34b68ba3c32106cd
Size/MD5: 16512992 4147111c66724fa8691e4b16c356ce86
Size/MD5: 16447442 663241c045b232b8b46ff9c5d5b2f973
Size/MD5: 16572538 8b8891f4526497e43eab0c173f179615

powerpc architecture (Apple Macintosh G3/G4/G5)
Size/MD5: 212792 cb39e28e0814976f2831528e20bf8deb
Size/MD5: 213482 5b469307ceb0839a5ca73e170bd4b5a9
Size/MD5: 212514 eec8a75e60edee4eb0784cc44b4c5991
Size/MD5: 213232 7dc2c5a6884dc3bb9e12cb15c2d86475
Size/MD5: 213112 71c2be933fe1cae5cf04a834af834b97
Size/MD5: 214548 72904d0d50787c36b097c11f480329ba
Size/MD5: 3297040 15f7b67ca420635504ba90d020cd5990
Size/MD5: 16366562 437904d293401104d04e879394be098e
Size/MD5: 15942190 1b71783b31ec56e29d09dfa8de844caa
Size/MD5: 16353764 8aefa48d5f7461db9ede5fd05da3c57a
Size/MD5: 15924916 14f880d34cd8f1e232ec52a559f046af
Size/MD5: 16289024 1878256aaff9b8bbb003554590d359b3
Size/MD5: 15975818 8ba319a47d693a063cfae316aaf965e8

Printed from Linux Compatible (