Home > Security > Advisories

Advisories

Mandriva Advisories

Package name kernel
Date June 30th, 2005
Advisory ID MDKSA-2005:110
Affected versions 10.0, 10.1, CS3.0, MNF2.0, 10.2
Synopsis Updated 2.6 kernel packages fix multiple vulnerabilities

Problem Description

Multiple vulnerabilities in the Linux kernel have been discovered and
fixed in this update. The following CVE names have been fixed in the
LE2005 kernel:

Colin Percival discovered a vulnerability in Intel's Hyper-Threading
technology could allow a local user to use a malicious thread to create
covert channels, monitor the execution of other threads, and obtain
sensitive information such as cryptographic keys via a timing attack on
memory cache misses. This has been corrected by disabling HT support
in all kernels (CAN-2005-0109).

An information leak in the ext2 filesystem code in kernels prior to
2.6.11.6 was found where when a new directory is created, the ext2
block written to disk is not initialized (CAN-2005-0400).

A flaw when freeing a pointer in load_elf_library was found in kernels
prior to 2.6.11.6 that could be abused by a local user to potentially
crash the machine causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through
2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker
to gain root access or crash the machine (CAN-2005-0750).

Paul Starzetz found an integer overflow in the ELF binary format
loader's code dump function in kernels prior to and including 2.4.31-pre1
and 2.6.12-rc4. By creating and executing a specially
crafted ELF executable, a local attacker could exploit this to
execute arbitrary code with root and kernel privileges
(CAN-2005-1263).

The drivers for raw devices used the wrong function to pass arguments
to the underlying block device in 2.6.x kernels. This made the kernel
address space accessible to user-space applictions allowing any local
user with at least read access to a device in /dev/raw/* (usually only
root) to execute arbitrary code with kernel privileges (CAN-2005-1264).

The it87 and via686a hardware monitor drivers in kernels prior to
2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named
'alarms' with write permissions although they are not designed to be
writable. This allowed a local user to crash the kernel by attempting
to write to these files (CAN-2005-1369).

In addition to the above-noted CAN-2005-0109, CAN-2005-0400,
CAN-2005-0749, CAN-2005-0750, and CAN-2005-1369 fixes, the following
CVE names have been fixed in the 10.1 kernel:

The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to
and including 2.6.8.1 did not properly handle the credentials of a
process that is launched before the module is loaded, which could be
used by local attackers to gain elevated privileges (CAN-2004-1337).

A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on
systems allowing remote users to connect to a server via PPP, a remote
client could cause a crash, resulting in a Denial of Service
(CAN-2005-0384).

George Guninski discovered a buffer overflow in the ATM driver in
kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr()
function does not validate its arguments sufficiently which could allow
a local attacker to overwrite large portions of kernel memory by
supplying a negative length argument. This could potentially lead to
the execution of arbitrary code (CAN-2005-0531).

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c
before kernel 2.6.11, when running on 64-bit architectures, could allow
local users to trigger a buffer overflow as a result of casting
discrepancies between size_t and int data types. This could allow an
attacker to overwrite kernel memory, crash the machine, or potentially
obtain root access (CAN-2005-0532).

A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a
local user with DRI privileges to execute arbitrary code as root
(CAN-2005-0767).

Access was not restricted to the N_MOUSE discipline for a TTY in
kernels prior to 2.6.11. This could allow local attackers to obtain
elevated privileges by injecting mouse or keyboard events into other
user's sessions (CAN-2005-0839).

Some futex functions in futex.c in 2.6 kernels performed get_user calls
while holding the mmap_sem semaphore, which could allow a local
attacker to cause a deadlock condition in do_page_fault by triggering
get_user faults while another thread is executing mmap or other
functions (CAN-2005-0937).

In addition to the above-noted CAN-2004-1337, CAN-2005-0109,
CAN-2005-0384, CAN-2005-0400, CAN-2005-0531, CAN-2005-0532,
CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0839,
CAN-2005-0937, CAN-2005-1263, CAN-2005-1264, and CAN-2005-1369
fixes, the following CVE names have been fixed in the 10.0/
Corporate 3.0 kernels:

A race condition in the setsid function in kernels before 2.6.8.1 could
allow a local attacker to cause a Denial of Service and possibly access
portions of kernel memory related to TTY changes, locking, and
semaphores (CAN-2005-0178).

When forwarding fragmented packets in kernel 2.6.8.1, a hardware
assisted checksum could only be used once which could lead to a Denial
of Service attack or crash by remote users (CAN-2005-0209).

A signedness error in the copy_from_read_buf function in n_tty.c
before kernel 2.6.11 allows local users to read kernel memory via a
negative argument (CAN-2005-0530).

A vulnerability in the fib_seq_start() function allowed a local user
to crash the system by readiung /proc/net/route in a certain way,
causing a Denial of Service (CAN-2005-1041).

A vulnerability in the Direct Rendering Manager (DRM) driver in the
2.6 kernel does not properly check the DMA lock, which could allow
remote attackers or local users to cause a Denial of Service (X Server
crash) and possibly modify the video output (CAN-2004-1056).

Updated Packages

Mandrakelinux 10.0

 fde15b50eb6b25c01363906ac9311a99  10.0/RPMS/kernel-2.6.3.27mdk-1-1mdk.i586.rpm
4bac2ba6182cfc7a0b096643e5cf4864  10.0/RPMS/kernel-enterprise-2.6.3.27mdk-1-1mdk.i586.rpm
11f460372ed0f9bcbdf4d1d2ef172021  10.0/RPMS/kernel-i686-up-4GB-2.6.3.27mdk-1-1mdk.i586.rpm
c5c7869f7ba96fa2d323678aa64bbbff  10.0/RPMS/kernel-p3-smp-64GB-2.6.3.27mdk-1-1mdk.i586.rpm
c191f0627aaf8c4ec4882114241bd990  10.0/RPMS/kernel-secure-2.6.3.27mdk-1-1mdk.i586.rpm
e545c57e7ecd4cf7391c002f810488d2  10.0/RPMS/kernel-smp-2.6.3.27mdk-1-1mdk.i586.rpm
a6ab3a8dfb0da9376a2ef75953ee4eca  10.0/RPMS/kernel-source-2.6.3-27mdk.i586.rpm
81549411e82297db4fadf45db8d91147  10.0/RPMS/kernel-source-stripped-2.6.3-27mdk.i586.rpm
0161e0b7c6783f7484e2b13e80565a9a  10.0/SRPMS/kernel-2.6.3.27mdk-1-1mdk.src.rpm

Mandrakelinux 10.0/AMD64

 e776c1c98e4030da8c836e4291257dda  amd64/10.0/RPMS/kernel-2.6.3.27mdk-1-1mdk.amd64.rpm
bf5c1a5412f35167ef3ac32257a80d5b  amd64/10.0/RPMS/kernel-secure-2.6.3.27mdk-1-1mdk.amd64.rpm
fd97913601dca600a22c4c6afcd92999  amd64/10.0/RPMS/kernel-smp-2.6.3.27mdk-1-1mdk.amd64.rpm
0c95a5bf2565e80cdbb236c730d563c7  amd64/10.0/RPMS/kernel-source-2.6.3-27mdk.amd64.rpm
a2feebf592ad2041cfa7ec7e2758206c  amd64/10.0/RPMS/kernel-source-stripped-2.6.3-27mdk.amd64.rpm
0161e0b7c6783f7484e2b13e80565a9a  amd64/10.0/SRPMS/kernel-2.6.3.27mdk-1-1mdk.src.rpm

Mandrakelinux 10.1

 f9bc117f5575bb120fdae314f65ad1f9  10.1/RPMS/kernel-2.6.8.1.25mdk-1-1mdk.i586.rpm
b321c503f18429f4b3883c16230e158f  10.1/RPMS/kernel-enterprise-2.6.8.1.25mdk-1-1mdk.i586.rpm
08d2a5d4447588818f78f8ad4e9db138  10.1/RPMS/kernel-i586-up-1GB-2.6.8.1.25mdk-1-1mdk.i586.rpm
7f677908eb0fb03ff5db2a3eefc381d9  10.1/RPMS/kernel-i686-up-64GB-2.6.8.1.25mdk-1-1mdk.i586.rpm
7a1319d8c53d56582f0434f0f7898d2d  10.1/RPMS/kernel-secure-2.6.8.1.25mdk-1-1mdk.i586.rpm
352a4af3300e60399f78bca4e77945d0  10.1/RPMS/kernel-smp-2.6.8.1.25mdk-1-1mdk.i586.rpm
224358bcd6d086bf7fafa727a9322902  10.1/RPMS/kernel-source-2.6-2.6.8.1-25mdk.i586.rpm
725a2ff7ee8dee45cdf1d296c4af899c  10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-25mdk.i586.rpm
2b3bd96a8746eed953c950e13d257d5d  10.1/SRPMS/kernel-2.6.8.1.25mdk-1-1mdk.src.rpm

Mandrakelinux 10.1/X86_64

 deba2195393307cfbc3eda4da5ba9b55  x86_64/10.1/RPMS/kernel-2.6.8.1.25mdk-1-1mdk.x86_64.rpm
2dd4ba5eb8f59af931ea08e13895953c  x86_64/10.1/RPMS/kernel-secure-2.6.8.1.25mdk-1-1mdk.x86_64.rpm
29b46c7761117fa78b6ac84b78c2c95f  x86_64/10.1/RPMS/kernel-smp-2.6.8.1.25mdk-1-1mdk.x86_64.rpm
a5894bf0dedc2b92507c0a3aaf72b070  x86_64/10.1/RPMS/kernel-source-2.6-2.6.8.1-25mdk.x86_64.rpm
d9fc9585545fe50959ae48075bdb8611  x86_64/10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-25mdk.x86_64.rpm
2b3bd96a8746eed953c950e13d257d5d  x86_64/10.1/SRPMS/kernel-2.6.8.1.25mdk-1-1mdk.src.rpm

Corporate Server 3.0

 fde15b50eb6b25c01363906ac9311a99  corporate/3.0/RPMS/kernel-2.6.3.27mdk-1-1mdk.i586.rpm
4bac2ba6182cfc7a0b096643e5cf4864  corporate/3.0/RPMS/kernel-enterprise-2.6.3.27mdk-1-1mdk.i586.rpm
11f460372ed0f9bcbdf4d1d2ef172021  corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.27mdk-1-1mdk.i586.rpm
c5c7869f7ba96fa2d323678aa64bbbff  corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.27mdk-1-1mdk.i586.rpm
c191f0627aaf8c4ec4882114241bd990  corporate/3.0/RPMS/kernel-secure-2.6.3.27mdk-1-1mdk.i586.rpm
e545c57e7ecd4cf7391c002f810488d2  corporate/3.0/RPMS/kernel-smp-2.6.3.27mdk-1-1mdk.i586.rpm
a6ab3a8dfb0da9376a2ef75953ee4eca  corporate/3.0/RPMS/kernel-source-2.6.3-27mdk.i586.rpm
81549411e82297db4fadf45db8d91147  corporate/3.0/RPMS/kernel-source-stripped-2.6.3-27mdk.i586.rpm
0161e0b7c6783f7484e2b13e80565a9a  corporate/3.0/SRPMS/kernel-2.6.3.27mdk-1-1mdk.src.rpm

Corporate Server 3.0/X86_64

 96fdece51d557ea9dc86b77d80ef6537  x86_64/corporate/3.0/RPMS/kernel-2.6.3.27mdk-1-1mdk.x86_64.rpm
e89fd0dcef1c123fb5730179e9930529  x86_64/corporate/3.0/RPMS/kernel-secure-2.6.3.27mdk-1-1mdk.x86_64.rpm
3bac8cfb55ed2843d192e556dbafd62c  x86_64/corporate/3.0/RPMS/kernel-smp-2.6.3.27mdk-1-1mdk.x86_64.rpm
a77c835b23e270bb23944630e4677b1b  x86_64/corporate/3.0/RPMS/kernel-source-2.6.3-27mdk.x86_64.rpm
93ba3be628ae43ab9a2f2b2656c06f7f  x86_64/corporate/3.0/RPMS/kernel-source-stripped-2.6.3-27mdk.x86_64.rpm
0161e0b7c6783f7484e2b13e80565a9a  x86_64/corporate/3.0/SRPMS/kernel-2.6.3.27mdk-1-1mdk.src.rpm

Multi Network Firewall 2.0

 fde15b50eb6b25c01363906ac9311a99  mnf/2.0/RPMS/kernel-2.6.3.27mdk-1-1mdk.i586.rpm
11f460372ed0f9bcbdf4d1d2ef172021  mnf/2.0/RPMS/kernel-i686-up-4GB-2.6.3.27mdk-1-1mdk.i586.rpm
c5c7869f7ba96fa2d323678aa64bbbff  mnf/2.0/RPMS/kernel-p3-smp-64GB-2.6.3.27mdk-1-1mdk.i586.rpm
c191f0627aaf8c4ec4882114241bd990  mnf/2.0/RPMS/kernel-secure-2.6.3.27mdk-1-1mdk.i586.rpm
e545c57e7ecd4cf7391c002f810488d2  mnf/2.0/RPMS/kernel-smp-2.6.3.27mdk-1-1mdk.i586.rpm
0161e0b7c6783f7484e2b13e80565a9a  mnf/2.0/SRPMS/kernel-2.6.3.27mdk-1-1mdk.src.rpm

Mandriva Linux LE2005

 f8da585477aff19802764a73a832cb1c  10.2/RPMS/kernel-2.6.11.12mdk-1-1mdk.i586.rpm
07b27b601ebe941fbfa0f9ce61e4fc1f  10.2/RPMS/kernel-i586-up-1GB-2.6.11.12mdk-1-1mdk.i586.rpm
bc40a826454080bb9444f6572508d4d6  10.2/RPMS/kernel-i686-up-4GB-2.6.11.12mdk-1-1mdk.i586.rpm
1a7393ef7ad8a776d33577d06b666944  10.2/RPMS/kernel-smp-2.6.11.12mdk-1-1mdk.i586.rpm
81615112f862f81a0479715c590e7e06  10.2/RPMS/kernel-source-2.6-2.6.11-12mdk.i586.rpm
28fe68ece81b564741b1a679b23afe8c  10.2/RPMS/kernel-source-stripped-2.6-2.6.11-12mdk.i586.rpm
94c55fab597d0c982d092efe204f20bb  10.2/RPMS/kernel-xbox-2.6.11.12mdk-1-1mdk.i586.rpm
eccc248c8d65d091a93ac01cec3f1110  10.2/SRPMS/kernel-2.6.11.12mdk-1-1mdk.src.rpm

Mandriva Linux LE2005/X86_64

 6aa43ead23e6297fd1ca024a91b00129  x86_64/10.2/RPMS/kernel-2.6.11.12mdk-1-1mdk.x86_64.rpm
6a04e09e487c04ac9a60506fc5e37773  x86_64/10.2/RPMS/kernel-smp-2.6.11.12mdk-1-1mdk.x86_64.rpm
a3c12e575259175a5433c4aa6b282b9e  x86_64/10.2/RPMS/kernel-source-2.6-2.6.11-12mdk.x86_64.rpm
e4a470f6f4ebba211dd9dca0eb5ac246  x86_64/10.2/RPMS/kernel-source-stripped-2.6-2.6.11-12mdk.x86_64.rpm
eccc248c8d65d091a93ac01cec3f1110  x86_64/10.2/SRPMS/kernel-2.6.11.12mdk-1-1mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1056

Upgrade

To upgrade your kernel, view the kernel update instructions. Kernels cannot be upgraded via MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.