Articles / Ubuntu: New Linux kernel pa…

Ubuntu: New Linux kernel packages fix security vulnerabilities

Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. Alexander Duyck discovered that the Intel Gigabit Ethernet driver did not correctly handle certain configurations. If such a device was configured without VLANs, a remote attacker could crash the system, leading to a denial of service. Nelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service.

Dan Rosenberg discovered that IRDA did not correctly check the size of buffers. On non-x86 systems, a local attacker could exploit this to read kernel heap memory, leading to a loss of privacy. Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit. Kees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges.

Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. Dan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. Jens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service.

Rafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges.

Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges. Marek Olk discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory.

Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service. Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would consume large amounts of CPU, leading to a denial of service.

Julien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. Updated packages are available from security.ubuntu.com.

==========================================================================
Ubuntu Security Notice USN-1141-1
May 31, 2011

linux, linux-ec2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Multiple kernel vulnerabilities have been fixed.

Software Description:
- linux: Linux kernel
- linux-ec2: Linux kernel for EC2

Details:

Brad Spengler discovered that the kernel did not correctly account for
userspace memory allocations during exec() calls. A local attacker could
exploit this to consume all system memory, leading to a denial of service.
(CVE-2010-4243)

Alexander Duyck discovered that the Intel Gigabit Ethernet driver did not
correctly handle certain configurations. If such a device was configured
without VLANs, a remote attacker could crash the system, leading to a
denial of service. (CVE-2010-4263)

Nelson Elhage discovered that Econet did not correctly handle AUN packets
over UDP. A local attacker could send specially crafted traffic to crash
the system, leading to a denial of service. (CVE-2010-4342)

Dan Rosenberg discovered that IRDA did not correctly check the size of
buffers. On non-x86 systems, a local attacker could exploit this to read
kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)

Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses
into the /proc filesystem. A local attacker could use this to increase
the chances of a successful memory corruption exploit. (CVE-2010-4565)

Kees Cook discovered that the IOWarrior USB device driver did not
correctly check certain size fields. A local attacker with physical
access could plug in a specially crafted USB device to crash the system
or potentially gain root privileges. (CVE-2010-4656)

Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly
clear memory when writing certain file holes. A local attacker could
exploit this to read uninitialized data from the disk, leading to a loss
of privacy. (CVE-2011-0463)

Dan Carpenter discovered that the TTPCI DVB driver did not check certain
values during an ioctl. If the dvb-ttpci module was loaded, a local
attacker could exploit this to crash the system, leading to a denial of
service, or possibly gain root privileges. (CVE-2011-0521)

Jens Kuehnel discovered that the InfiniBand driver contained a race
condition. On systems using InfiniBand, a local attacker could send
specially crafted requests to crash the system, leading to a denial of
service. (CVE-2011-0695)

Rafael Dominguez Vega discovered that the caiaq Native Instruments USB
driver did not correctly validate string lengths. A local attacker with
physical access could plug in a specially crafted USB device to crash
the system or potentially gain root privileges. (CVE-2011-0712)

Kees Cook reported that /proc/pid/stat did not correctly filter certain
memory locations. A local attacker could determine the memory layout of
processes in an attempt to increase the chances of a successful memory
corruption exploit. (CVE-2011-0726)

Timo Warns discovered that MAC partition parsing routines did not
correctly calculate block counts. A local attacker with physical access
could plug in a specially crafted block device to crash the system or
potentially gain root privileges. (CVE-2011-1010)

Timo Warns discovered that LDM partition parsing routines did not
correctly calculate block counts. A local attacker with physical access
could plug in a specially crafted block device to crash the system, leading
to a denial of service. (CVE-2011-1012)

Matthiew Herrb discovered that the drm modeset interface did not correctly
handle a signed comparison. A local attacker could exploit this to crash
the system or possibly gain root privileges. (CVE-2011-1013)

Marek Olk discovered that the Radeon GPU drivers did not correctly
validate certain registers. On systems with specific hardware,
a local attacker could exploit this to write to arbitrary video
memory. (CVE-2011-1016)

Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not
needed to load kernel modules. A local attacker with the CAP_NET_ADMIN
capability could load existing kernel modules, possibly increasing the
attack surface available on the system. (CVE-2011-1019)

Nelson Elhage discovered that the epoll subsystem did not correctly handle
certain structures. A local attacker could create malicious requests that
would hang the system, leading to a denial of service. (CVE-2011-1082)

Nelson Elhage discovered that the epoll subsystem did not correctly handle
certain structures. A local attacker could create malicious requests that
would consume large amounts of CPU, leading to a denial of service.
(CVE-2011-1083)

Julien Tinnes discovered that the kernel did not correctly validate
the signal structure from tkill(). A local attacker could exploit
this to send signals to arbitrary threads, possibly bypassing expected
restrictions. (CVE-2011-1182)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
 linux-image-2.6.32-316-ec2      2.6.32-316.31
 linux-image-2.6.32-32-386       2.6.32-32.62
 linux-image-2.6.32-32-generic   2.6.32-32.62
 linux-image-2.6.32-32-generic-pae  2.6.32-32.62
 linux-image-2.6.32-32-ia64      2.6.32-32.62
 linux-image-2.6.32-32-lpia      2.6.32-32.62
 linux-image-2.6.32-32-powerpc   2.6.32-32.62
 linux-image-2.6.32-32-powerpc-smp  2.6.32-32.62
 linux-image-2.6.32-32-powerpc64-smp  2.6.32-32.62
 linux-image-2.6.32-32-preempt   2.6.32-32.62
 linux-image-2.6.32-32-server    2.6.32-32.62
 linux-image-2.6.32-32-sparc64   2.6.32-32.62
 linux-image-2.6.32-32-sparc64-smp  2.6.32-32.62
 linux-image-2.6.32-32-versatile  2.6.32-32.62
 linux-image-2.6.32-32-virtual   2.6.32-32.62

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
 CVE-2010-4243, CVE-2010-4263, CVE-2010-4342, CVE-2010-4529,
 CVE-2010-4565, CVE-2010-4656, CVE-2011-0463, CVE-2011-0521,
 CVE-2011-0695, CVE-2011-0712, CVE-2011-0726, CVE-2011-1010,
 CVE-2011-1012, CVE-2011-1013, CVE-2011-1016, CVE-2011-1019,
 CVE-2011-1082, CVE-2011-1083, CVE-2011-1182

Package Information:
 https://launchpad.net/ubuntu/+source/linux/2.6.32-32.62
 https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-316.31
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.