USN-864-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-864-1

4th December, 2009

linux, linux-source-2.6.15 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • linux
  • linux-source-2.6.15

Details

It was discovered that the AX.25 network subsystem did not correctly
check integer signedness in certain setsockopt calls. A local attacker
could exploit this to crash the system, leading to a denial of service.
Ubuntu 9.10 was not affected. (CVE-2009-2909)

Jan Beulich discovered that the kernel could leak register contents to
32-bit processes that were switched to 64-bit mode. A local attacker
could run a specially crafted binary to read register values from an
earlier process, leading to a loss of privacy. (CVE-2009-2910)

Dave Jones discovered that the gdth SCSI driver did not correctly validate
array indexes in certain ioctl calls. A local attacker could exploit
this to crash the system or gain elevated privileges. (CVE-2009-3080)

Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems
would leak kernel memory via uninitialized structure members. A local
attacker could exploit this to read several bytes of kernel memory,
leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612)

Earl Chew discovered race conditions in pipe handling. A local attacker
could exploit anonymous pipes via /proc/*/fd/ and crash the system or
gain root privileges. (CVE-2009-3547)

Dave Jones and Francois Romieu discovered that the r8169 network driver
could be made to leak kernel memory. A remote attacker could send a large
number of jumbo frames until the system memory was exhausted, leading
to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613).

Ben Hutchings discovered that the ATI Rage 128 video driver did not
correctly validate initialization states. A local attacker could
make specially crafted ioctl calls to crash the system or gain root
privileges. (CVE-2009-3620)

Tomoki Sekiyama discovered that Unix sockets did not correctly verify
namespaces. A local attacker could exploit this to cause a system hang,
leading to a denial of service. (CVE-2009-3621)

J. Bruce Fields discovered that NFSv4 did not correctly use the credential
cache. A local attacker using a mount with AUTH_NULL authentication
could exploit this to crash the system or gain root privileges. Only
Ubuntu 9.10 was affected. (CVE-2009-3623)

Alexander Zangerl discovered that the kernel keyring did not correctly
reference count. A local attacker could issue a series of specially
crafted keyring calls to crash the system or gain root privileges.
Only Ubuntu 9.10 was affected. (CVE-2009-3624)

David Wagner discovered that KVM did not correctly bounds-check CPUID
entries. A local attacker could exploit this to crash the system
or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not
affected. (CVE-2009-3638)

Avi Kivity discovered that KVM did not correctly check privileges when
accessing debug registers. A local attacker could exploit this to
crash a host system from within a guest system, leading to a denial of
service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722)

Philip Reisner discovered that the connector layer for uvesafb, pohmelfs,
dst, and dm did not correctly check capabilties. A local attacker could
exploit this to crash the system or gain elevated privileges. Ubuntu
6.06 was not affected. (CVE-2009-3725)

Trond Myklebust discovered that NFSv4 clients did not robustly
verify attributes. A malicious remote NFSv4 server could exploit
this to crash a client or gain root privileges. Ubuntu 9.10 was not
affected. (CVE-2009-3726)

Robin Getz discovered that NOMMU systems did not correctly validate
NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to
allocate large amounts of memory to crash the system, leading to a denial
of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888)

Joseph Malicki discovered that the MegaRAID SAS driver had
world-writable option files. A local attacker could exploit these
to disrupt the behavior of the controller, leading to a denial of
service. (CVE-2009-3889, CVE-2009-3939)

Roel Kluin discovered that the Hisax ISDN driver did not correctly
check the size of packets. A remote attacker could send specially
crafted packets to cause a system crash, leading to a denial of
service. (CVE-2009-4005)

Lennert Buytenhek discovered that certain 802.11 states were not handled
correctly. A physically-proximate remote attacker could send specially
crafted wireless traffic that would crash the system, leading to a denial
of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 9.10:
linux-image-2.6.31-16-powerpc-smp 2.6.31-16.52
linux-image-2.6.31-16-server 2.6.31-16.52
linux-image-2.6.31-16-powerpc64-smp 2.6.31-16.52
linux-image-2.6.31-16-lpia 2.6.31-16.52
linux-image-2.6.31-16-386 2.6.31-16.52
linux-image-2.6.31-16-generic-pae 2.6.31-16.52
linux-image-2.6.31-16-sparc64-smp 2.6.31-16.52
linux-image-2.6.31-16-virtual 2.6.31-16.52
linux-image-2.6.31-16-sparc64 2.6.31-16.52
linux-image-2.6.31-16-ia64 2.6.31-16.52
linux-image-2.6.31-16-generic 2.6.31-16.52
linux-image-2.6.31-16-powerpc 2.6.31-16.52
Ubuntu 9.04:
linux-image-2.6.28-17-imx51 2.6.28-17.58
linux-image-2.6.28-17-virtual 2.6.28-17.58
linux-image-2.6.28-17-server 2.6.28-17.58
linux-image-2.6.28-17-versatile 2.6.28-17.58
linux-image-2.6.28-17-iop32x 2.6.28-17.58
linux-image-2.6.28-17-generic 2.6.28-17.58
linux-image-2.6.28-17-ixp4xx 2.6.28-17.58
linux-image-2.6.28-17-lpia 2.6.28-17.58
Ubuntu 8.10:
linux-image-2.6.27-16-virtual 2.6.27-16.44
linux-image-2.6.27-16-server 2.6.27-16.44
linux-image-2.6.27-16-generic 2.6.27-16.44
Ubuntu 8.04 LTS:
linux-image-2.6.24-26-mckinley 2.6.24-26.64
linux-image-2.6.24-26-generic 2.6.24-26.64
linux-image-2.6.24-26-hppa32 2.6.24-26.64
linux-image-2.6.24-26-386 2.6.24-26.64
linux-image-2.6.24-26-sparc64-smp 2.6.24-26.64
linux-image-2.6.24-26-openvz 2.6.24-26.64
linux-image-2.6.24-26-powerpc 2.6.24-26.64
linux-image-2.6.24-26-itanium 2.6.24-26.64
linux-image-2.6.24-26-lpiacompat 2.6.24-26.64
linux-image-2.6.24-26-xen 2.6.24-26.64
linux-image-2.6.24-26-lpia 2.6.24-26.64
usb-modules-2.6.24-26-sparc64-di 2.6.24-26.64
linux-image-2.6.24-26-powerpc-smp 2.6.24-26.64
linux-image-2.6.24-26-virtual 2.6.24-26.64
linux-image-2.6.24-26-rt 2.6.24-26.64
linux-image-2.6.24-26-server 2.6.24-26.64
linux-image-2.6.24-26-powerpc64-smp 2.6.24-26.64
linux-image-2.6.24-26-hppa64 2.6.24-26.64
linux-image-2.6.24-26-sparc64 2.6.24-26.64
Ubuntu 6.06 LTS:
linux-image-2.6.15-55-hppa64 2.6.15-55.81
linux-image-2.6.15-55-mckinley 2.6.15-55.81
linux-image-2.6.15-55-powerpc-smp 2.6.15-55.81
linux-image-2.6.15-55-hppa32-smp 2.6.15-55.81
linux-image-2.6.15-55-686 2.6.15-55.81
linux-image-2.6.15-55-amd64-k8 2.6.15-55.81
linux-image-2.6.15-55-amd64-server 2.6.15-55.81
linux-image-2.6.15-55-386 2.6.15-55.81
linux-image-2.6.15-55-sparc64-smp 2.6.15-55.81
linux-image-2.6.15-55-k7 2.6.15-55.81
linux-image-2.6.15-55-sparc64 2.6.15-55.81
linux-image-2.6.15-55-server 2.6.15-55.81
linux-image-2.6.15-55-powerpc64-smp 2.6.15-55.81
linux-image-2.6.15-55-hppa32 2.6.15-55.81
linux-image-2.6.15-55-mckinley-smp 2.6.15-55.81
linux-image-2.6.15-55-server-bigiron 2.6.15-55.81
linux-image-2.6.15-55-itanium-smp 2.6.15-55.81
linux-image-2.6.15-55-amd64-xeon 2.6.15-55.81
linux-image-2.6.15-55-powerpc 2.6.15-55.81
linux-image-2.6.15-55-amd64-generic 2.6.15-55.81
linux-image-2.6.15-55-hppa64-smp 2.6.15-55.81
linux-image-2.6.15-55-itanium 2.6.15-55.81

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06)
the kernel updates have been given a new version number, which requires
you to recompile and reinstall all third party kernel modules you
might have installed. If you use linux-restricted-modules, you have to
update that package as well to get modules which work with the new kernel
version. Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-server, linux-powerpc), a standard system
upgrade will automatically perform this as well.

References

CVE-2009-2909, CVE-2009-2910, CVE-2009-3080, CVE-2009-3228, CVE-2009-3547, CVE-2009-3612, CVE-2009-3613, CVE-2009-3620, CVE-2009-3621, CVE-2009-3623, CVE-2009-3624, CVE-2009-3638, CVE-2009-3722, CVE-2009-3725, CVE-2009-3726, CVE-2009-3888, CVE-2009-3889, CVE-2009-3939, CVE-2009-4005, CVE-2009-4026, CVE-2009-4027