[USN-30-1] Linux kernel vulnerabilities

To: ubuntu-security-announce@xxxxxxxxxxxxxxxx
Subject: [USN-30-1] Linux kernel vulnerabilities
From: Martin Pitt <martin.pitt@xxxxxxxxxxxxx>
Date: Fri, 19 Nov 2004 00:12:05 +0100
Cc: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: Martin Pitt <martin@xxxxxxxxx>
User-agent: Mutt/1.5.6+20040722i
===========================================================
Ubuntu Security Notice USN-30-1           November 18, 2004
linux-source-2.6.8.1 vulnerabilities
CAN-2004-0883, CAN-2004-0949, and others
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

linux-image-2.6.8.1-3-386
linux-image-2.6.8.1-3-686
linux-image-2.6.8.1-3-686-smp
linux-image-2.6.8.1-3-amd64-generic
linux-image-2.6.8.1-3-amd64-k8
linux-image-2.6.8.1-3-amd64-k8-smp
linux-image-2.6.8.1-3-amd64-xeon
linux-image-2.6.8.1-3-k7
linux-image-2.6.8.1-3-k7-smp
linux-image-2.6.8.1-3-power3
linux-image-2.6.8.1-3-power3-smp
linux-image-2.6.8.1-3-power4
linux-image-2.6.8.1-3-power4-smp
linux-image-2.6.8.1-3-powerpc
linux-image-2.6.8.1-3-powerpc-smp

The problem can be corrected by upgrading the affected package to
version 2.6.8.1-16.1.  You need to reboot the computer after doing a
standard system upgrade to effect the necessary changes.

Details follow:

CAN-2004-0883, CAN-2004-0949:

  During an audit of the smb file system implementation within Linux,
  several vulnerabilities were discovered ranging from out of bounds
  read accesses to kernel level buffer overflows.
  
  To exploit any of these vulnerabilities, an attacker needs control
  over the answers of the connected Samba server. This could be
  achieved by man-in-the-middle attacks or by taking over the Samba
  server with e. g. the recently disclosed vulnerability in Samba 3.x
  (see CAN-2004-0882).
  
  While any of these vulnerabilities can be easily used as remote denial
  of service exploits against Linux systems, it is unclear if it is
  possible for a skilled local or remote attacker to use any of the
  possible buffer overflows for arbitrary code execution in kernel
  space. So these bugs may theoretically lead to privilege escalation
  and total compromise of the whole system.

http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt:

  Several flaws have been found in the Linux ELF binary loader's
  handling of setuid binaries. Nowadays ELF is the standard format for
  Linux executables and libraries. setuid binaries are programs that
  have the "setuid" file permission bit set; they allow to execute a
  program under a user id different from the calling user and are
  mostly used to allow executing a program with root privileges to
  normal users.

  The vulnerabilities that were fixed in these updated kernel packages
  could lead Denial of Service attacks. They also might lead to
  execution of arbitrary code and privilege escalation on some
  platforms if an attacker is able to run setuid programs under some
  special system conditions (like very little remaining memory).

  Another flaw could allow an attacker to read supposedly unreadable,
  but executable suid binaries. The attacker can then use this to seek
  faults within the executable.

http://marc.theaimsgroup.com/?l=linux-kernel&m=109776571411003&w=2:

  Bernard Gagnon discovered a memory leak in the mmap raw packet
  socket implementation. When a client application (in ELF format)
  core dumps, a region of memory stays allocated as a ring buffer.
  This could be exploited by a malicious user who repeatedly crashes
  certain types of applications until the memory is exhausted, thus
  causing a Denial of Service.

Reverted 486 emulation patch:

  Ubuntu kernels for the i386 platforms are compiled using the i486
  instruction set for performance reasons. Former Ubuntu kernels
  contained code which emulated the missing instructions on real 386
  processors. However, several actual and potential security flaws
  have been discovered in the code, and it was found to be
  unsupportable. It might be possible to exploit these vulnerabilities
  also on i486 and higher processors.

  Therefore support for real i386 processors has ceased. This updated
  kernel will only run on i486 and newer processors.

  Other architectures supported by Ubuntu (amd64, powerpc) are not
  affected.


  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.1.diff.gz
      Size/MD5:  3083854 6c6205802319f9774bacae96e0215e9b
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.1.dsc
      Size/MD5:     2119 bd3ecefdb8236a927ca0af02b575dc2d
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1.orig.tar.gz
      Size/MD5: 44728688 79730a3ad4773ba65fab65515369df84

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-doc-2.6.8.1_2.6.8.1-16.1_all.deb
      Size/MD5:  6158782 88fdd5612e0c91ea71e97640a0fb7b9a
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-patch-debian-2.6.8.1_2.6.8.1-16.1_all.deb
      Size/MD5:  1438690 7a1c68e4b85dd8b00faaf559a343d925
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-source-2.6.8.1_2.6.8.1-16.1_all.deb
      Size/MD5: 36716930 7b97d784e561b7cde26191882b6764b6
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-tree-2.6.8.1_2.6.8.1-16.1_all.deb
      Size/MD5:   305728 74735830ea74efa3d062eb48d945a629

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-amd64-generic_2.6.8.1-16.1_amd64.deb
      Size/MD5:   246130 a3b83c36daa55bd5da928aa9f0eeaa73
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-amd64-k8-smp_2.6.8.1-16.1_amd64.deb
      Size/MD5:   241556 c52eb545c7d02dfb3daed6963d63de23
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-amd64-k8_2.6.8.1-16.1_amd64.deb
      Size/MD5:   245240 dcaee9f4c01adc03b6412a1572ee0bbd
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-amd64-xeon_2.6.8.1-16.1_amd64.deb
      Size/MD5:   239834 cd9d74ff5e7f7f788c6a61776392c6e7
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3_2.6.8.1-16.1_amd64.deb
      Size/MD5:  3176044 b5ccdb3732f81d90e4514ec88272b655
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-amd64-generic_2.6.8.1-16.1_amd64.deb
      Size/MD5: 14349546 a2ca8332e99848a722832debbc54656f
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-amd64-k8-smp_2.6.8.1-16.1_amd64.deb
      Size/MD5: 14824052 194df314c04b0dff5533447ee3e60813
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-amd64-k8_2.6.8.1-16.1_amd64.deb
      Size/MD5: 14858776 77f4c1b4c34097b54b2fcee760ea0060
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-amd64-xeon_2.6.8.1-16.1_amd64.deb
      Size/MD5: 14677266 55505fd066b07f357d635bb1afc3d782

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-386_2.6.8.1-16.1_i386.deb
      Size/MD5:   274702 f41d70a42ee38c74d49ef24f5c1d46cc
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-686-smp_2.6.8.1-16.1_i386.deb
      Size/MD5:   269116 fcf51ea7fa6358593a95ce16c0e6b566
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-686_2.6.8.1-16.1_i386.deb
      Size/MD5:   272350 8e3d25985b2f7578bcd0f792681a6d59
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-k7-smp_2.6.8.1-16.1_i386.deb
      Size/MD5:   269372 f590ae7dd326f071c7ea478c8ea942bb
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-k7_2.6.8.1-16.1_i386.deb
      Size/MD5:   272512 b0127d780e15371c4ad80c43f3aaaa74
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3_2.6.8.1-16.1_i386.deb
      Size/MD5:  3216814 4eaa3e0d0a82754264b5f38b5f4b1647
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-386_2.6.8.1-16.1_i386.deb
      Size/MD5: 15495148 2ac9ddfda9c306b52edd9f96769ee043
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-686-smp_2.6.8.1-16.1_i386.deb
      Size/MD5: 16341528 f71d56afae0ced2a45eb7625cf022077
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-686_2.6.8.1-16.1_i386.deb
      Size/MD5: 16504398 5a7638e3f39fb22de05a2fd1a7ccbf4b
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-k7-smp_2.6.8.1-16.1_i386.deb
      Size/MD5: 16444912 3bd7f0ce55842a1b8f4f3edf69bbc697
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-k7_2.6.8.1-16.1_i386.deb
      Size/MD5: 16573874 2219c9c8ca315eaba1b03bb578c14076

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-power3-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   210954 ac4d9d11672d6a2e0552d652f1269ff4
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-power3_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   211752 e016ad7c0e83124384a8c9147fa88e80
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-power4-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   210808 a1d0ad910a32770e4966c4b7e7dc2a74
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-power4_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   211446 05ce6bd870c4fb39c5d679b0ba8ba2d7
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-powerpc-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   211396 f927cb7855cea529445b8f2708ca2ac0
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3-powerpc_2.6.8.1-16.1_powerpc.deb
      Size/MD5:   213070 0a0a0612917b8a47521f80ccfb8b3b24
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-headers-2.6.8.1-3_2.6.8.1-16.1_powerpc.deb
      Size/MD5:  3294420 034e87b6d1147de130a0a57e18f86461
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-power3-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 16362792 3fad8b328bf30241e429c0d144818747
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-power3_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 15938436 150a04e8bbc4a6d17a18153748f090dc
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-power4-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 16344302 07c06af308187dc284ba32aa76962d46
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-power4_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 15917192 702c4de81e48ff65c5c434379d2eb770
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-powerpc-smp_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 16284782 242eced9657e4929022631395d122025
    
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-image-2.6.8.1-3-powerpc_2.6.8.1-16.1_powerpc.deb
      Size/MD5: 15966616 b412f10fcdcb6e6ade95d7a7203bf7ba
Attachment: signature.asc
Description: Digital signature
Prev by Date: [ GLSA 200411-27 ] Fcron: Multiple vulnerabilities
Next by Date: RE: EXEC exploit in phpBB - fix
Previous by thread: [ GLSA 200411-27 ] Fcron: Multiple vulnerabilities
Next by thread: [CLA-2004:890] Conectiva Security Announcement - libxml2
Index(es):
- Date
- Thread