USN-95-1: Linux kernel vulnerabilities

15 March 2005

Linux kernel vulnerabilities

Releases

Details

A remote Denial of Service vulnerability was discovered in the
Netfilter IP packet handler. This allowed a remote attacker to crash
the machine by sending specially crafted IP packet fragments.
(CAN-2005-0209)

The Netfilter code also contained a memory leak. Certain locally
generated packet fragments are reassembled twice, which caused a
double allocation of a data structure. This could be locally exploited
to crash the machine due to kernel memory exhaustion. (CAN-2005-0210)

Ben Martel and Stephen Blackheath found a remote Denial of Service
vulnerability in the PPP driver. This allowed a malicious pppd client
to crash the server machine. (CAN-2005-0384)

Georgi Guninski discovered a buffer overflow in the ATM driver. The
atm_get_addr() function does not validate its arguments sufficiently,
which could allow a local attacker to overwrite large portions of
kernel memory by supplying a negative length argument. This could
eventually lead to arbitrary code execution. (CAN-2005-0531)

Georgi Guninski also discovered three other integer comparison
problems in the TTY layer, in the /proc interface and the ReiserFS
driver. However, the previous Ubuntu security update (kernel version
2.6.8.1-16.11) already contained a patch which checks the arguments to
these functions at a higher level and thus prevents these flaws from
being exploited. (CAN-2005-0529, CAN-2005-0530, CAN-2005-0532)

Georgi Guninski discovered an integer overflow in the sys_epoll_wait()
function which allowed local users to overwrite the first few kB of
physical memory. However, very few applications actually use this
space (dosemu is a notable exception), but potentially this could lead
to privilege escalation. (CAN-2005-0736)

Eric Anholt discovered a race condition in the Radeon DRI driver. In
some cases this allowed a local user with DRI privileges on a Radeon
card to execute arbitrary code with root privileges.

Finally this update fixes a regression in the NFS server driver
which was introduced in the previous security update (kernel version
2.6.8.1-16.11). We apologize for the inconvenience.
(https://bugzilla.ubuntulinux.org/show_bug.cgi?id=6749)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
  • linux-image-2.6.8.1-5-amd64-k8-smp -
  • linux-image-2.6.8.1-5-686 -
  • linux-image-2.6.8.1-5-amd64-generic -
  • linux-image-2.6.8.1-5-powerpc-smp -
  • linux-image-2.6.8.1-5-k7-smp -
  • linux-patch-debian-2.6.8.1 -
  • linux-image-2.6.8.1-5-power4-smp -
  • linux-image-2.6.8.1-5-power3-smp -
  • linux-image-2.6.8.1-5-amd64-xeon -
  • linux-image-2.6.8.1-5-k7 -
  • linux-image-2.6.8.1-5-power3 -
  • linux-image-2.6.8.1-5-power4 -
  • linux-image-2.6.8.1-5-686-smp -
  • linux-image-2.6.8.1-5-powerpc -
  • linux-image-2.6.8.1-5-amd64-k8 -
  • linux-image-2.6.8.1-5-386 -

In general, a standard system update will make all the necessary changes.