USN-1162-1: Linux kernel vulnerabilities (Marvell Dove)

29 June 2011

Multiple kernel flaws have been fixed.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

Brad Spengler discovered that the kernel did not correctly account for
userspace memory allocations during exec() calls. A local attacker could
exploit this to consume all system memory, leading to a denial of service.
(CVE-2010-4243)

Alexander Duyck discovered that the Intel Gigabit Ethernet driver did not
correctly handle certain configurations. If such a device was configured
without VLANs, a remote attacker could crash the system, leading to a
denial of service. (CVE-2010-4263)

Nelson Elhage discovered that Econet did not correctly handle AUN packets
over UDP. A local attacker could send specially crafted traffic to crash
the system, leading to a denial of service. (CVE-2010-4342)

Dan Rosenberg discovered that IRDA did not correctly check the size of
buffers. On non-x86 systems, a local attacker could exploit this to read
kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)

Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses
into the /proc filesystem. A local attacker could use this to increase the
chances of a successful memory corruption exploit. (CVE-2010-4565)

Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly
clear memory when writing certain file holes. A local attacker could
exploit this to read uninitialized data from the disk, leading to a loss of
privacy. (CVE-2011-0463)

Jens Kuehnel discovered that the InfiniBand driver contained a race
condition. On systems using InfiniBand, a local attacker could send
specially crafted requests to crash the system, leading to a denial of
service. (CVE-2011-0695)

Dan Rosenberg discovered that XFS did not correctly initialize memory. A
local attacker could make crafted ioctl calls to leak portions of kernel
stack memory, leading to a loss of privacy. (CVE-2011-0711)

Kees Cook reported that /proc/pid/stat did not correctly filter certain
memory locations. A local attacker could determine the memory layout of
processes in an attempt to increase the chances of a successful memory
corruption exploit. (CVE-2011-0726)

Matthiew Herrb discovered that the drm modeset interface did not correctly
handle a signed comparison. A local attacker could exploit this to crash
the system or possibly gain root privileges. (CVE-2011-1013)

Marek Olšák discovered that the Radeon GPU drivers did not correctly
validate certain registers. On systems with specific hardware, a local
attacker could exploit this to write to arbitrary video memory.
(CVE-2011-1016)

Timo Warns discovered that the LDM disk partition handling code did not
correctly handle certain values. By inserting a specially crafted disk
device, a local attacker could exploit this to gain root privileges.
(CVE-2011-1017)

Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not
needed to load kernel modules. A local attacker with the CAP_NET_ADMIN
capability could load existing kernel modules, possibly increasing the
attack surface available on the system. (CVE-2011-1019)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear
memory. A local attacker could exploit this to read kernel stack memory,
leading to a loss of privacy. (CVE-2011-1078)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check
that device name strings were NULL terminated. A local attacker could
exploit this to crash the system, leading to a denial of service, or leak
contents of kernel stack memory, leading to a loss of privacy.
(CVE-2011-1079)

Vasiliy Kulikov discovered that bridge network filtering did not check that
name fields were NULL terminated. A local attacker could exploit this to
leak contents of kernel stack memory, leading to a loss of privacy.
(CVE-2011-1080)

Neil Horman discovered that NFSv4 did not correctly handle certain orders
of operation with ACL data. A remote attacker with access to an NFSv4 mount
could exploit this to crash the system, leading to a denial of service.
(CVE-2011-1090)

Peter Huewe discovered that the TPM device did not correctly initialize
memory. A local attacker could exploit this to read kernel heap memory
contents, leading to a loss of privacy. (CVE-2011-1160)

Timo Warns discovered that OSF partition parsing routines did not correctly
clear memory. A local attacker with physical access could plug in a
specially crafted block device to read kernel memory, leading to a loss of
privacy. (CVE-2011-1163)

Vasiliy Kulikov discovered that the netfilter code did not check certain
strings copied from userspace. A local attacker with netfilter access could
exploit this to read kernel memory or crash the system, leading to a denial
of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)

Vasiliy Kulikov discovered that the Acorn Universal Networking driver did
not correctly initialize memory. A remote attacker could send specially
crafted traffic to read kernel stack memory, leading to a loss of privacy.
(CVE-2011-1173)

Dan Rosenberg discovered that the IRDA subsystem did not correctly check
certain field sizes. If a system was using IRDA, a remote attacker could
send specially crafted traffic to crash the system or gain root privileges.
(CVE-2011-1180)

Julien Tinnes discovered that the kernel did not correctly validate the
signal structure from tkill(). A local attacker could exploit this to send
signals to arbitrary threads, possibly bypassing expected restrictions.
(CVE-2011-1182)

Dan Rosenberg reported errors in the OSS (Open Sound System) MIDI
interface. A local attacker on non-x86 systems might be able to cause a
denial of service. (CVE-2011-1476)

Dan Rosenberg reported errors in the kernel's OSS (Open Sound System)
driver for Yamaha FM synthesizer chips. A local user can exploit this to
cause memory corruption, causing a denial of service or privilege
escalation. (CVE-2011-1477)

Ryan Sweat discovered that the GRO code did not correctly validate memory.
In some configurations on systems using VLANs, a remote attacker could send
specially crafted traffic to crash the system, leading to a denial of
service. (CVE-2011-1478)

Dan Rosenberg discovered that MPT devices did not correctly validate
certain values in ioctl calls. If these drivers were loaded, a local
attacker could exploit this to read arbitrary kernel memory, leading to a
loss of privacy. (CVE-2011-1494, CVE-2011-1495)

It was discovered that the Stream Control Transmission Protocol (SCTP)
implementation incorrectly calculated lengths. If the net.sctp.addip_enable
variable was turned on, a remote attacker could send specially crafted
traffic to crash the system. (CVE-2011-1573)

Tavis Ormandy discovered that the pidmap function did not correctly handle
large requests. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2011-1593)

Oliver Hartkopp and Dave Jones discovered that the CAN network driver did
not correctly validate certain socket structures. If this driver was
loaded, a local attacker could crash the system, leading to a denial of
service. (CVE-2011-1598, CVE-2011-1748)

Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl
values. A local attacker with access to the video subsystem could exploit
this to crash the system, leading to a denial of service, or possibly gain
root privileges. (CVE-2011-1745, CVE-2011-2022)

Vasiliy Kulikov discovered that the AGP driver did not check the size of
certain memory allocations. A local attacker with access to the video
subsystem could exploit this to run the system out of memory, leading to a
denial of service. (CVE-2011-1746)

Dan Rosenberg reported an error in the old ABI compatibility layer of ARM
kernels. A local attacker could exploit this flaw to cause a denial of
service or gain root privileges. (CVE-2011-1759)

Dan Rosenberg discovered that the DCCP stack did not correctly handle
certain packet structures. A remote attacker could exploit this to crash
the system, leading to a denial of service. (CVE-2011-1770)

Timo Warns discovered that the EFI GUID partition table was not correctly
parsed. A physically local attacker that could insert mountable devices
could exploit this to crash the system or possibly gain root privileges.
(CVE-2011-1776)

A flaw was found in the b43 driver in the Linux kernel. An attacker could
use this flaw to cause a denial of service if the system has an active
wireless interface using the b43 driver. (CVE-2011-3359)

Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had
no prefixpaths. A local attacker with access to a CIFS partition could
exploit this to crash the system, leading to a denial of service.
(CVE-2011-3363)

Maynard Johnson discovered that on POWER7, certain speculative events may
raise a performance monitor exception. A local attacker could exploit this
to crash the system, leading to a denial of service. (CVE-2011-4611)

Dan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by
amateur radio. A local user or a remote user on an X.25 network could
exploit these flaws to execute arbitrary code as root. (CVE-2011-4913)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.04

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.