Package name kernel
Date October 15th, 2007
Advisory ID MDKSA-2007:196
Affected versions CS4.0
Synopsis Updated kernel packages fix multiple vulnerabilities and bugs

Problem Description

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The compat_sys_mount function in fs/compat.c allowed local users
to cause a denial of service (NULL pointer dereference and oops)
by mounting a smbfs file system in compatibility mode (CVE-2006-7203).

The nf_conntrack function in netfilter did not set nfctinfo during
reassembly of fragmented packets, which left the default value as
IP_CT_ESTABLISHED and could allow remote attackers to bypass certain
rulesets using IPv6 fragments (CVE-2007-1497).

A typo in the Linux kernel caused RTA_MAX to be used as an array size
instead of RTN_MAX, which lead to an out of bounds access by certain
functions (CVE-2007-2172).

The IPv6 protocol allowed remote attackers to cause a denial of
service via crafted IPv6 type 0 route headers that create network
amplification between two routers (CVE-2007-2242).

The random number feature did not properly seed pools when there was
no entropy, or used an incorrect cast when extracting entropy, which
could cause the random number generator to provide the same values
after reboots on systems without an entropy source (CVE-2007-2453).

A memory leak in the PPPoE socket implementation allowed local users
to cause a denial of service (memory consumption) by creating a
socket using connect, and releasing it before the PPPIOCGCHAN ioctl
is initialized (CVE-2007-2525).

An integer underflow in the cpuset_tasks_read function, when the cpuset
filesystem is mounted, allowed local users to obtain kernel memory
contents by using a large offset when reading the /dev/cpuset/tasks
file (CVE-2007-2875).

The sctp_new function in netfilter allowed remote attackers to cause
a denial of service by causing certain invalid states that triggered
a NULL pointer dereference (CVE-2007-2876).

A stack-based buffer overflow in the random number generator could
allow local root users to cause a denial of service or gain privileges
by setting the default wakeup threshold to a value greater than the
output pool size (CVE-2007-3105).

The lcd_write function did not limit the amount of memory used by
a caller, which allows local users to cause a denial of service
(memory consumption) (CVE-2007-3513).

The Linux kernel allowed local users to send arbitrary signals
to a child process that is running at higher privileges by
causing a setuid-root parent process to die which delivered an
attacker-controlled parent process death signal (PR_SET_PDEATHSIG)

The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer
ioctl patch in aacraid did not check permissions for ioctls, which
might allow local users to cause a denial of service or gain privileges

The IA32 system call emulation functionality, when running on the
x86_64 architecture, did not zero extend the eax register after the
32bit entry path to ptrace is used, which could allow local users to
gain privileges by triggering an out-of-bounds access to the system
call table using the %RAX register (CVE-2007-4573).

In addition to these security fixes, other fixes have been included
such as:

- The 3w-9xxx module was updated to version, adding support
for 9650SE
- Fixed the build of e1000-ng
- Added NIC support for MCP55
- Added LSI Logic MegaRAID SAS 8300XLP support

To update your kernel, please follow the directions located at:

Updated Packages

Corporate Server 4.0

 3657c208eeb3c079d9ff0a4ca55a9b03  corporate/4.0/i586/kernel-
 0cd8fd1c504f3365fe503c4fd627b6ea  corporate/4.0/i586/kernel-BOOT-
 fbabe3497810452a0052bc67a5fb4f29  corporate/4.0/i586/kernel-doc-
 02edfc1bbb2bd826c4a9152d670cc2cc  corporate/4.0/i586/kernel-i586-up-1GB-
 88b0876de92beff866bb91ba57be0a70  corporate/4.0/i586/kernel-i686-up-4GB-
 e813926dc184e911deb62a1e34cff8ed  corporate/4.0/i586/kernel-smp-
 a8011ebbe529551463f87cc22f3da22f  corporate/4.0/i586/kernel-source-
 813ba955a1e9b5ff9834aeebbe477a93  corporate/4.0/i586/kernel-source-stripped-
 be08ad30fbc3988f654c1532e73fc330  corporate/4.0/i586/kernel-xbox-
 5894ac0216cf38203d2002a19db70c15  corporate/4.0/i586/kernel-xen0-
 62d5b93083df571edbf8785bc754dd6e  corporate/4.0/i586/kernel-xenU- 
 423fe3296a56ff845fd643890663cdee  corporate/4.0/SRPMS/kernel-

Corporate Server 4.0/X86_64

 a51bd78ce00e65f7521625c8c67605f0  corporate/4.0/x86_64/kernel-
 8d407ed81be714537c2c957918cedfed  corporate/4.0/x86_64/kernel-BOOT-
 730c0bae9b443e5f9d8cb3c8a3486488  corporate/4.0/x86_64/kernel-doc-
 06391bd475945e8a8b76dcb33989fc83  corporate/4.0/x86_64/kernel-smp-
 bc9c9a881f18b5c2f892684aaeee84cf  corporate/4.0/x86_64/kernel-source-
 b0240b751985babe1aabda9c9e231a92  corporate/4.0/x86_64/kernel-source-stripped-
 b1b4750de7daf9cb12ed0057a8851f32  corporate/4.0/x86_64/kernel-xen0-
 915a8eb87a9fc0c0deab5e696f27c59b  corporate/4.0/x86_64/kernel-xenU- 
 423fe3296a56ff845fd643890663cdee  corporate/4.0/SRPMS/kernel-



To upgrade your kernel, view the kernel update instructions. Kernels cannot be upgraded via MandrivaUpdate.


Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.