USN-169-1: Linux kernel vulnerabilities

Releases

• Ubuntu 5.04
• Ubuntu 4.10

Details

David Howells discovered a local Denial of Service vulnerability in
the key session joining function. Under certain user-triggerable
conditions, a semaphore was not released properly, which caused
processes which also attempted to join a key session to hang forever.
This only affects Ubuntu 5.04 (Hoary Hedgehog). (CAN-2005-2098)

David Howells discovered a local Denial of Service vulnerability in
the keyring allocator. A local attacker could exploit this to crash
the kernel by attempting to add a specially crafted invalid keyring.
This only affects Ubuntu 5.04 (Hoary Hedgehog). (CAN-2005-2099)

Balazs Scheidler discovered a local Denial of Service vulnerability in
the xfrm_compile_policy() function. By calling setsockopt() with an
invalid xfrm_user policy message, a local attacker could cause the
kernel to write to an array beyond its boundaries, thus causing a
kernel crash. (CAN-2005-2456)

Tim Yamin discovered that the driver for compressed ISO file systems
did not sufficiently validate the iput data. By tricking an user into
mounting a malicious CD-ROM with a specially crafted compressed ISO
file system, he could cause a kernel crash. (CAN-2005-2457)

It was discovered that the kernel's embedded zlib compression library
was still vulnerable to two old vulnerabilities of the standalone zlib
library. This library is used by various drivers and can also be used
by third party modules, so the impact varies. (CAN-2005-2458,
CAN-2005-2459)

Peter Sandstrom discovered a remote Denial of Service vulnerability in
the SNMP handler. Certain UDP packages lead to a function call with
the wrong argument, which resulted in a crash of the network stack.
This only affects Ubuntu 4.10 (Warty Warthog). (CAN-2005-2548)

Herbert Xu discovered that the setsockopt() function was not
restricted to privileged users. This allowed a local attacker to
bypass intended IPSec policies, set invalid policies to exploit flaws
like CAN-2005-2456, or cause a Denial of Service by adding policies
until kernel memory is exhausted. Now the call is restricted to
processes with the CAP_NET_ADMIN capability. (CAN-2005-2555)

The Ubuntu 5.04 kernel update also fixes a memory leak in the "md"
(Software RAID) driver which eventually lead to kernel memory
exhaustion. Ubuntu 4.10 is not affected by this.
(http://bugs.debian.org/317787)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04

• linux-patch-ubuntu-2.6.10 -
• linux-image-2.6.8.1-5-powerpc-smp -
• linux-image-2.6.8.1-5-power4-smp -
• linux-image-2.6.10-5-386 -
• linux-image-2.6.10-5-itanium-smp -
• linux-image-2.6.10-5-power4 -
• linux-image-2.6.10-5-amd64-k8 -
• linux-image-2.6.10-5-amd64-xeon -
• linux-image-2.6.10-5-mckinley-smp -
• linux-image-2.6.10-5-power4-smp -
• linux-image-2.6.8.1-5-amd64-generic -
• linux-image-2.6.10-5-amd64-k8-smp -
• linux-image-2.6.8.1-5-k7-smp -
• linux-image-2.6.8.1-5-power3-smp -
• linux-image-2.6.8.1-5-amd64-xeon -
• linux-image-2.6.10-5-powerpc-smp -
• linux-image-2.6.8.1-5-power3 -
• linux-image-2.6.8.1-5-power4 -
• linux-image-2.6.8.1-5-powerpc -
• linux-image-2.6.10-5-mckinley -
• linux-image-2.6.10-5-itanium -
• linux-image-2.6.10-5-power3-smp -
• linux-image-2.6.10-5-k7 -
• linux-image-2.6.10-5-power3 -
• linux-image-2.6.8.1-5-amd64-k8-smp -
• linux-image-2.6.8.1-5-686 -
• linux-image-2.6.8.1-5-686-smp -
• linux-patch-debian-2.6.8.1 -
• linux-image-2.6.10-5-powerpc -
• linux-image-2.6.8.1-5-k7 -
• linux-image-2.6.10-5-k7-smp -
• linux-image-2.6.10-5-amd64-generic -
• linux-image-2.6.10-5-686-smp -
• linux-image-2.6.8.1-5-386 -
• linux-image-2.6.10-5-686 -
• linux-image-2.6.8.1-5-amd64-k8 -

Ubuntu 4.10

• linux-patch-ubuntu-2.6.10 -
• linux-image-2.6.8.1-5-powerpc-smp -
• linux-image-2.6.8.1-5-power4-smp -
• linux-image-2.6.10-5-386 -
• linux-image-2.6.10-5-itanium-smp -
• linux-image-2.6.10-5-power4 -
• linux-image-2.6.10-5-amd64-k8 -
• linux-image-2.6.10-5-amd64-xeon -
• linux-image-2.6.10-5-mckinley-smp -
• linux-image-2.6.10-5-power4-smp -
• linux-image-2.6.8.1-5-amd64-generic -
• linux-image-2.6.10-5-amd64-k8-smp -
• linux-image-2.6.8.1-5-k7-smp -
• linux-image-2.6.8.1-5-power3-smp -
• linux-image-2.6.8.1-5-amd64-xeon -
• linux-image-2.6.10-5-powerpc-smp -
• linux-image-2.6.8.1-5-power3 -
• linux-image-2.6.8.1-5-power4 -
• linux-image-2.6.8.1-5-powerpc -
• linux-image-2.6.10-5-mckinley -
• linux-image-2.6.10-5-itanium -
• linux-image-2.6.10-5-power3-smp -
• linux-image-2.6.10-5-k7 -
• linux-image-2.6.10-5-power3 -
• linux-image-2.6.8.1-5-amd64-k8-smp -
• linux-image-2.6.8.1-5-686 -
• linux-image-2.6.8.1-5-686-smp -
• linux-patch-debian-2.6.8.1 -
• linux-image-2.6.10-5-powerpc -
• linux-image-2.6.8.1-5-k7 -
• linux-image-2.6.10-5-k7-smp -
• linux-image-2.6.10-5-amd64-generic -
• linux-image-2.6.10-5-686-smp -
• linux-image-2.6.8.1-5-386 -
• linux-image-2.6.10-5-686 -
• linux-image-2.6.8.1-5-amd64-k8 -

In general, a standard system update will make all the necessary changes.

References

• CVE-2005-2548
• CVE-2005-2555
• CVE-2005-2457
• CVE-2005-2459
• CVE-2005-2458
• CVE-2005-2098
• CVE-2005-2456