USN-1212-1: Linux kernel (OMAP4) vulnerabilities

21 September 2011

Multiple kernel flaws have been fixed.

Details

Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly
clear memory when writing certain file holes. A local attacker could
exploit this to read uninitialized data from the disk, leading to a loss of
privacy. (CVE-2011-0463)

Timo Warns discovered that the LDM disk partition handling code did not
correctly handle certain values. By inserting a specially crafted disk
device, a local attacker could exploit this to gain root privileges.
(CVE-2011-1017)

It was discovered that the /proc filesystem did not correctly handle
permission changes when programs executed. A local attacker could hold open
files to examine details about programs running with higher privileges,
potentially increasing the chances of exploiting additional
vulnerabilities. (CVE-2011-1020)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear
memory. A local attacker could exploit this to read kernel stack memory,
leading to a loss of privacy. (CVE-2011-1078)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check
that device name strings were NULL terminated. A local attacker could
exploit this to crash the system, leading to a denial of service, or leak
contents of kernel stack memory, leading to a loss of privacy.
(CVE-2011-1079)

Vasiliy Kulikov discovered that bridge network filtering did not check that
name fields were NULL terminated. A local attacker could exploit this to
leak contents of kernel stack memory, leading to a loss of privacy.
(CVE-2011-1080)

Peter Huewe discovered that the TPM device did not correctly initialize
memory. A local attacker could exploit this to read kernel heap memory
contents, leading to a loss of privacy. (CVE-2011-1160)

Vasiliy Kulikov discovered that the netfilter code did not check certain
strings copied from userspace. A local attacker with netfilter access could
exploit this to read kernel memory or crash the system, leading to a denial
of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)

Vasiliy Kulikov discovered that the Acorn Universal Networking driver did
not correctly initialize memory. A remote attacker could send specially
crafted traffic to read kernel stack memory, leading to a loss of privacy.
(CVE-2011-1173)

Dan Rosenberg discovered that the IRDA subsystem did not correctly check
certain field sizes. If a system was using IRDA, a remote attacker could
send specially crafted traffic to crash the system or gain root privileges.
(CVE-2011-1180)

Julien Tinnes discovered that the kernel did not correctly validate the
signal structure from tkill(). A local attacker could exploit this to send
signals to arbitrary threads, possibly bypassing expected restrictions.
(CVE-2011-1182)

Dan Rosenberg reported errors in the OSS (Open Sound System) MIDI
interface. A local attacker on non-x86 systems might be able to cause a
denial of service. (CVE-2011-1476)

Dan Rosenberg reported errors in the kernel's OSS (Open Sound System)
driver for Yamaha FM synthesizer chips. A local user can exploit this to
cause memory corruption, causing a denial of service or privilege
escalation. (CVE-2011-1477)

It was discovered that the security fix for CVE-2010-4250 introduced a
regression. A remote attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2011-1479)

Dan Rosenberg discovered that the X.25 Rose network stack did not correctly
handle certain fields. If a system was running with Rose enabled, a remote
attacker could send specially crafted traffic to gain root privileges.
(CVE-2011-1493)

Dan Rosenberg discovered that MPT devices did not correctly validate
certain values in ioctl calls. If these drivers were loaded, a local
attacker could exploit this to read arbitrary kernel memory, leading to a
loss of privacy. (CVE-2011-1494, CVE-2011-1495)

Timo Warns discovered that the GUID partition parsing routines did not
correctly validate certain structures. A local attacker with physical
access could plug in a specially crafted block device to crash the system,
leading to a denial of service. (CVE-2011-1577)

Phil Oester discovered that the network bonding system did not correctly
handle large queues. On some systems, a remote attacker could send
specially crafted traffic to crash the system, leading to a denial of
service. (CVE-2011-1581)

Tavis Ormandy discovered that the pidmap function did not correctly handle
large requests. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2011-1593)

Oliver Hartkopp and Dave Jones discovered that the CAN network driver did
not correctly validate certain socket structures. If this driver was
loaded, a local attacker could crash the system, leading to a denial of
service. (CVE-2011-1598, CVE-2011-1748)

Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl
values. A local attacker with access to the video subsystem could exploit
this to crash the system, leading to a denial of service, or possibly gain
root privileges. (CVE-2011-1745, CVE-2011-2022)

Vasiliy Kulikov discovered that the AGP driver did not check the size of
certain memory allocations. A local attacker with access to the video
subsystem could exploit this to run the system out of memory, leading to a
denial of service. (CVE-2011-1746)

Dan Rosenberg discovered that the DCCP stack did not correctly handle
certain packet structures. A remote attacker could exploit this to crash
the system, leading to a denial of service. (CVE-2011-1770)

Ben Greear discovered that CIFS did not correctly handle direct I/O. A
local attacker with access to a CIFS partition could exploit this to crash
the system, leading to a denial of service. (CVE-2011-1771)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not
correctly check the origin of mount points. A local attacker could exploit
this to trick the system into unmounting arbitrary mount points, leading to
a denial of service. (CVE-2011-1833)

Vasiliy Kulikov discovered that taskstats listeners were not correctly
handled. A local attacker could exploit this to exhaust memory and CPU
resources, leading to a denial of service. (CVE-2011-2484)

It was discovered that Bluetooth l2cap and rfcomm did not correctly
initialize structures. A local attacker could exploit this to read portions
of the kernel stack, leading to a loss of privacy. (CVE-2011-2492)

Sami Liedes discovered that ext4 did not correctly handle missing root
inodes. A local attacker could trigger the mount of a specially crafted
filesystem to cause the system to crash, leading to a denial of service.
(CVE-2011-2493)

It was discovered that GFS2 did not correctly check block sizes. A local
attacker could exploit this to crash the system, leading to a denial of
service. (CVE-2011-2689)

Fernando Gont discovered that the IPv6 stack used predictable fragment
identification numbers. A remote attacker could exploit this to exhaust
network resources, leading to a denial of service. (CVE-2011-2699)

The performance counter subsystem did not correctly handle certain
counters. A local attacker could exploit this to crash the system, leading
to a denial of service. (CVE-2011-2918)

A flaw was found in the b43 driver in the Linux kernel. An attacker could
use this flaw to cause a denial of service if the system has an active
wireless interface using the b43 driver. (CVE-2011-3359)

A flaw was found in the Linux kernel's /proc//map* interface. A local,
unprivileged user could exploit this flaw to cause a denial of service.
(CVE-2011-3637)

It was discovered that some important kernel threads can be blocked by a
user-level process. An unprivileged local user could exploit this flaw to cause
a denial of service. (CVE-2011-4621)

Dan Rosenberg discovered flaws in the Linux Rose (X.25 PLP) layer used by
amateur radio. A local user or a remote user on an X.25 network could
exploit these flaws to execute arbitrary code as root. (CVE-2011-4913)

Ben Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer.
A local user or a remote user on an X.25 network could exploit these flaws
to execute arbitrary code as root. (CVE-2011-4914)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.04

After a standard system update you need to reboot your computer to make
all the necessary changes.

Related notices

  • USN-1188-1: ecryptfs-utils
  • USN-1111-1: linux-image-2.6.15-57-mckinley, linux-source-2.6.15, linux-image-2.6.15-57-server, linux-image-2.6.15-57-mckinley-smp, linux-image-2.6.15-57-powerpc, linux-image-2.6.15-57-powerpc-smp, linux-image-2.6.15-57-amd64-server, linux-image-2.6.15-57-386, linux-image-2.6.15-57-sparc64, linux-image-2.6.15-57-686, linux-image-2.6.15-57-hppa32, linux-image-2.6.15-57-server-bigiron, linux-image-2.6.15-57-powerpc64-smp, linux-image-2.6.15-57-k7, linux-image-2.6.15-57-amd64-k8, linux-image-2.6.15-57-sparc64-smp, linux-image-2.6.15-57-hppa64, linux-image-2.6.15-57-amd64-xeon, linux-image-2.6.15-57-itanium, linux-image-2.6.15-57-hppa32-smp, linux-image-2.6.15-57-itanium-smp, linux-image-2.6.15-57-hppa64-smp, linux-image-2.6.15-57-amd64-generic
  • USN-1081-1: linux-image-2.6.35-27-virtual, linux, linux-image-2.6.35-27-powerpc-smp, linux-image-2.6.35-27-powerpc, linux-image-2.6.35-27-generic, linux-image-2.6.35-27-server, linux-image-2.6.35-27-versatile, linux-image-2.6.35-27-generic-pae, linux-image-2.6.35-27-powerpc64-smp, linux-image-2.6.35-27-omap
  • USN-1225-1: linux-image-2.6.24-29-openvz, linux-image-2.6.24-29-itanium, linux-image-2.6.24-29-sparc64-smp, linux-image-2.6.24-29-powerpc, linux-image-2.6.24-29-generic, linux-image-2.6.24-29-lpiacompat, linux, linux-image-2.6.24-29-rt, linux-image-2.6.24-29-hppa32, linux-image-2.6.24-29-386, linux-image-2.6.24-29-lpia, linux-image-2.6.24-29-powerpc-smp, linux-image-2.6.24-29-sparc64, linux-image-2.6.24-29-powerpc64-smp, linux-image-2.6.24-29-xen, linux-image-2.6.24-29-hppa64, linux-image-2.6.24-29-mckinley, linux-image-2.6.24-29-virtual, linux-image-2.6.24-29-server
  • USN-1168-1: linux, linux-image-2.6.32-33-sparc64, linux-image-2.6.32-33-generic, linux-image-2.6.32-33-versatile, linux-image-2.6.32-33-lpia, linux-image-2.6.32-33-powerpc-smp, linux-image-2.6.32-33-preempt, linux-image-2.6.32-33-powerpc64-smp, linux-image-2.6.32-33-virtual, linux-image-2.6.32-33-powerpc, linux-image-2.6.32-33-server, linux-image-2.6.32-33-sparc64-smp, linux-image-2.6.32-33-386, linux-image-2.6.32-33-generic-pae, linux-image-2.6.32-33-ia64
  • USN-1240-1: linux-mvl-dove, linux-image-2.6.32-219-dove
  • USN-1193-1: linux, linux-image-2.6.38-11-omap, linux-image-2.6.38-11-versatile, linux-image-2.6.38-11-generic-pae, linux-image-2.6.38-11-server, linux-image-2.6.38-11-powerpc-smp, linux-image-2.6.38-11-powerpc64-smp, linux-image-2.6.38-11-generic, linux-image-2.6.38-11-virtual, linux-image-2.6.38-11-powerpc
  • USN-1216-1: linux-image-2.6.32-318-ec2, linux-ec2
  • USN-1325-1: linux-ti-omap4, linux-image-2.6.35-903-omap4
  • USN-1141-1: linux-image-2.6.32-32-versatile, linux, linux-image-2.6.32-32-lpia, linux-image-2.6.32-32-sparc64-smp, linux-image-2.6.32-32-preempt, linux-image-2.6.32-32-powerpc-smp, linux-image-2.6.32-32-sparc64, linux-image-2.6.32-316-ec2, linux-image-2.6.32-32-ia64, linux-image-2.6.32-32-powerpc, linux-image-2.6.32-32-virtual, linux-ec2, linux-image-2.6.32-32-generic, linux-image-2.6.32-32-server, linux-image-2.6.32-32-generic-pae, linux-image-2.6.32-32-powerpc64-smp, linux-image-2.6.32-32-386
  • USN-1242-1: linux-image-2.6.35-30-generic-pae, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-server, linux-lts-backport-maverick, linux-image-2.6.35-30-virtual
  • USN-1187-1: linux-image-2.6.35-30-generic-pae, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-server, linux-lts-backport-maverick, linux-image-2.6.35-30-virtual
  • USN-1189-1: linux-image-2.6.24-29-openvz, linux-image-2.6.24-29-itanium, linux-image-2.6.24-29-sparc64-smp, linux-image-2.6.24-29-powerpc, linux-image-2.6.24-29-generic, linux-image-2.6.24-29-lpiacompat, linux, linux-image-2.6.24-29-rt, linux-image-2.6.24-29-hppa32, linux-image-2.6.24-29-386, linux-image-2.6.24-29-lpia, linux-image-2.6.24-29-powerpc-smp, linux-image-2.6.24-29-sparc64, linux-image-2.6.24-29-powerpc64-smp, linux-image-2.6.24-29-xen, linux-image-2.6.24-29-hppa64, linux-image-2.6.24-29-mckinley, linux-image-2.6.24-29-virtual, linux-image-2.6.24-29-server
  • USN-1227-1: linux-image-2.6.35-30-versatile, linux-image-2.6.35-30-generic-pae, linux, linux-image-2.6.35-30-powerpc-smp, linux-image-2.6.35-30-powerpc, linux-image-2.6.35-30-omap, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-powerpc64-smp, linux-image-2.6.35-30-server, linux-image-2.6.35-30-virtual
  • USN-1323-1: linux-image-2.6.24-30-lpia, linux-image-2.6.24-30-openvz, linux-image-2.6.24-30-sparc64-smp, linux-image-2.6.24-30-rt, linux-image-2.6.24-30-xen, linux-image-2.6.24-30-sparc64, linux, linux-image-2.6.24-30-hppa32, linux-image-2.6.24-30-powerpc-smp, linux-image-2.6.24-30-powerpc, linux-image-2.6.24-30-generic, linux-image-2.6.24-30-server, linux-image-2.6.24-30-mckinley, linux-image-2.6.24-30-386, linux-image-2.6.24-30-powerpc64-smp, linux-image-2.6.24-30-virtual, linux-image-2.6.24-30-hppa64, linux-image-2.6.24-30-itanium, linux-image-2.6.24-30-lpiacompat
  • USN-1170-1: linux-image-2.6.24-29-openvz, linux-image-2.6.24-29-itanium, linux-image-2.6.24-29-sparc64-smp, linux-image-2.6.24-29-powerpc, linux-image-2.6.24-29-generic, linux-image-2.6.24-29-lpiacompat, linux, linux-image-2.6.24-29-rt, linux-image-2.6.24-29-hppa32, linux-image-2.6.24-29-386, linux-image-2.6.24-29-lpia, linux-image-2.6.24-29-powerpc-smp, linux-image-2.6.24-29-sparc64, linux-image-2.6.24-29-powerpc64-smp, linux-image-2.6.24-29-xen, linux-image-2.6.24-29-hppa64, linux-image-2.6.24-29-mckinley, linux-image-2.6.24-29-virtual, linux-image-2.6.24-29-server
  • USN-1202-1: linux-ti-omap4, linux-image-2.6.35-903-omap4
  • USN-1146-1: linux-image-2.6.24-29-openvz, linux-image-2.6.24-29-itanium, linux-image-2.6.24-29-sparc64-smp, linux-image-2.6.24-29-powerpc, linux-image-2.6.24-29-generic, linux-image-2.6.24-29-lpiacompat, linux, linux-image-2.6.24-29-rt, linux-image-2.6.24-29-hppa32, linux-image-2.6.24-29-386, linux-image-2.6.24-29-lpia, linux-image-2.6.24-29-powerpc-smp, linux-image-2.6.24-29-sparc64, linux-image-2.6.24-29-powerpc64-smp, linux-image-2.6.24-29-xen, linux-image-2.6.24-29-hppa64, linux-image-2.6.24-29-mckinley, linux-image-2.6.24-29-virtual, linux-image-2.6.24-29-server
  • USN-1164-1: linux-image-2.6.31-609-imx51, linux-fsl-imx51
  • USN-1243-1: linux-image-2.6.35-30-versatile, linux-image-2.6.35-30-generic-pae, linux, linux-image-2.6.35-30-powerpc-smp, linux-image-2.6.35-30-powerpc, linux-image-2.6.35-30-omap, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-powerpc64-smp, linux-image-2.6.35-30-server, linux-image-2.6.35-30-virtual
  • USN-1390-1: linux-image-2.6.24-31-lpia, linux-image-2.6.24-31-powerpc64-smp, linux-image-2.6.24-31-sparc64, linux-image-2.6.24-31-virtual, linux-image-2.6.24-31-itanium, linux-image-2.6.24-31-lpiacompat, linux, linux-image-2.6.24-31-openvz, linux-image-2.6.24-31-hppa64, linux-image-2.6.24-31-386, linux-image-2.6.24-31-powerpc, linux-image-2.6.24-31-hppa32, linux-image-2.6.24-31-powerpc-smp, linux-image-2.6.24-31-server, linux-image-2.6.24-31-mckinley, linux-image-2.6.24-31-generic, linux-image-2.6.24-31-xen, linux-image-2.6.24-31-sparc64-smp, linux-image-2.6.24-31-rt
  • USN-1394-1: linux-ti-omap4, linux-image-2.6.35-903-omap4
  • USN-1201-1: linux-image-2.6.35-30-versatile, linux-image-2.6.35-30-generic-pae, linux, linux-image-2.6.35-30-powerpc-smp, linux-image-2.6.35-30-powerpc, linux-image-2.6.35-30-omap, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-powerpc64-smp, linux-image-2.6.35-30-server, linux-image-2.6.35-30-virtual
  • USN-1205-1: linux-image-2.6.35-30-generic-pae, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-server, linux-lts-backport-maverick, linux-image-2.6.35-30-virtual
  • USN-1245-1: linux-mvl-dove, linux-image-2.6.32-419-dove
  • USN-1167-1: linux, linux-image-2.6.38-10-omap, linux-image-2.6.38-10-server, linux-image-2.6.38-10-versatile, linux-image-2.6.38-10-generic-pae, linux-image-2.6.38-10-powerpc-smp, linux-image-2.6.38-10-virtual, linux-image-2.6.38-10-generic, linux-image-2.6.38-10-powerpc, linux-image-2.6.38-10-powerpc64-smp
  • USN-1208-1: linux-mvl-dove, linux-image-2.6.32-418-dove
  • USN-1159-1: linux-image-2.6.32-417-dove, linux-mvl-dove
  • USN-1183-1: linux-image-2.6.35-30-versatile, linux-image-2.6.35-30-generic-pae, linux, linux-image-2.6.35-30-powerpc-smp, linux-image-2.6.35-30-powerpc, linux-image-2.6.35-30-omap, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-powerpc64-smp, linux-image-2.6.35-30-server, linux-image-2.6.35-30-virtual
  • USN-1218-1: linux-image-2.6.32-34-generic, linux, linux-image-2.6.32-34-preempt, linux-image-2.6.32-34-sparc64, linux-image-2.6.32-34-server, linux-image-2.6.32-34-powerpc-smp, linux-image-2.6.32-34-generic-pae, linux-image-2.6.32-34-powerpc64-smp, linux-image-2.6.32-34-virtual, linux-image-2.6.32-34-ia64, linux-image-2.6.32-34-386, linux-image-2.6.32-34-powerpc, linux-image-2.6.32-34-sparc64-smp, linux-image-2.6.32-34-lpia, linux-image-2.6.32-34-versatile
  • USN-1253-1: linux-image-2.6.32-35-preempt, linux-image-2.6.32-35-generic, linux-image-2.6.32-35-powerpc, linux, linux-image-2.6.32-35-sparc64, linux-image-2.6.32-35-virtual, linux-image-2.6.32-35-sparc64-smp, linux-image-2.6.32-35-server, linux-image-2.6.32-35-ia64, linux-image-2.6.32-35-versatile, linux-image-2.6.32-35-lpia, linux-image-2.6.32-35-powerpc64-smp, linux-image-2.6.32-35-powerpc-smp, linux-image-2.6.32-35-386, linux-image-2.6.32-35-generic-pae
  • USN-1256-1: linux-image-2.6.38-12-generic, linux-image-2.6.38-12-generic-pae, linux-image-2.6.38-12-virtual, linux-image-2.6.38-12-server, linux-lts-backport-natty
  • USN-1161-1: linux-image-2.6.32-317-ec2, linux-ec2
  • USN-1203-1: linux-mvl-dove, linux-image-2.6.32-218-dove
  • USN-1204-1: linux-image-2.6.31-610-imx51, linux-fsl-imx51
  • USN-1162-1: linux-mvl-dove, linux-image-2.6.32-217-dove
  • USN-1239-1: linux-ec2, linux-image-2.6.32-319-ec2
  • USN-1211-1: linux, linux-image-2.6.38-11-omap, linux-image-2.6.38-11-versatile, linux-image-2.6.38-11-generic-pae, linux-image-2.6.38-11-server, linux-image-2.6.38-11-powerpc-smp, linux-image-2.6.38-11-powerpc64-smp, linux-image-2.6.38-11-generic, linux-image-2.6.38-11-virtual, linux-image-2.6.38-11-powerpc
  • USN-1160-1: linux-image-2.6.35-30-versatile, linux-image-2.6.35-30-generic-pae, linux, linux-image-2.6.35-30-powerpc-smp, linux-image-2.6.35-30-powerpc, linux-image-2.6.35-30-omap, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-powerpc64-smp, linux-image-2.6.35-30-server, linux-image-2.6.35-30-virtual
  • USN-1219-1: linux-image-2.6.35-30-generic-pae, linux-image-2.6.35-30-generic, linux-image-2.6.35-30-server, linux-lts-backport-maverick, linux-image-2.6.35-30-virtual
  • USN-1186-1: linux-image-2.6.24-29-openvz, linux-image-2.6.24-29-itanium, linux-image-2.6.24-29-sparc64-smp, linux-image-2.6.24-29-powerpc, linux-image-2.6.24-29-generic, linux-image-2.6.24-29-lpiacompat, linux, linux-image-2.6.24-29-rt, linux-image-2.6.24-29-hppa32, linux-image-2.6.24-29-386, linux-image-2.6.24-29-lpia, linux-image-2.6.24-29-powerpc-smp, linux-image-2.6.24-29-sparc64, linux-image-2.6.24-29-powerpc64-smp, linux-image-2.6.24-29-xen, linux-image-2.6.24-29-hppa64, linux-image-2.6.24-29-mckinley, linux-image-2.6.24-29-virtual, linux-image-2.6.24-29-server