Debian Project

Debian testing security team - Advisory

DTSA-16-1

Date Reported: September 15, 2005
Affected Package: linux-2.6
Vulnerability: several holes
Problem-Scope: remote
Debian-specific: No
CVE: CVE-2005-2098 CVE-2005-2099 CVE-2005-2456 CVE-2005-2617 CVE-2005-1913 CVE-2005-1761 CVE-2005-2457 CVE-2005-2458 CVE-2005-2459 CVE-2005-2548 CVE-2004-2302 CVE-2005-1765 CVE-2005-1762 CVE-2005-2555

More information:
Several security-related problems have been found in version 2.6 of the 
Linux kernel. The Common Vulnerabilities and Exposures project identifies 
the following problems: 
 
CVE-2004-2302 
 
Race condition in the sysfs_read_file and sysfs_write_file functions in 
Linux kernel before 2.6.10 allows local users to read kernel memory and 
cause a denial of service (crash) via large offsets in sysfs files. 
 
CVE-2005-1761 
 
Vulnerability in the Linux kernel allows local users to cause a 
denial of service (kernel crash) via ptrace. 
 
CVE-2005-1762 
 
The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 
platform allows local users to cause a denial of service (kernel crash) via 
a "non-canonical" address. 
 
CVE-2005-1765 
 
syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when 
running in 32-bit compatibility mode, allows local users to cause a denial 
of service (kernel hang) via crafted arguments. 
 
CVE-2005-1913 
 
When a non group-leader thread called exec() to execute a different program 
while an itimer was pending, the timer expiry would signal the old group 
leader task, which did not exist any more. This caused a kernel panic. 
 
CVE-2005-2098  
 
The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 
2.6.12.5 contains an error path that does not properly release the session 
management semaphore, which allows local users or remote attackers to cause 
a denial of service (semaphore hang) via a new session keyring (1) with an 
empty name string, (2) with a long name string, (3) with the key quota 
reached, or (4) ENOMEM. 
 
CVE-2005-2099 
 
The Linux kernel before 2.6.12.5 does not properly destroy a keyring that 
is not instantiated properly, which allows local users or remote attackers 
to cause a denial of service (kernel oops) via a keyring with a payload 
that is not empty, which causes the creation to fail, leading to a null 
dereference in the keyring destructor. 
 
CVE-2005-2456 
 
Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c 
in Linux kernel 2.6 allows local users to cause a denial of service (oops 
or deadlock) and possibly execute arbitrary code via a p->dir value that is 
larger than XFRM_POLICY_OUT, which is used as an index in the 
sock->sk_policy array. 
 
CVE-2005-2457 
 
The driver for compressed ISO file systems (zisofs) in the Linux kernel 
before 2.6.12.5 allows local users and remote attackers to cause a denial 
of service (kernel crash) via a crafted compressed ISO file system. 
 
CVE-2005-2458 
 
inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows 
remote attackers to cause a denial of service (kernel crash) via a 
compressed file with "improper tables". 
 
CVE-2005-2459 
 
The huft_build function in inflate.c in the zlib routines in the Linux 
kernel before 2.6.12.5 returns the wrong value, which allows remote 
attackers to cause a denial of service (kernel crash) via a certain 
compressed file that leads to a null pointer dereference, a different 
vulnerability than CVE-2005-2458. 
 
CVE-2005-2548 
 
vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a denial 
of service (kernel oops from null dereference) via certain UDP packets that 
lead to a function call with the wrong argument, as demonstrated using 
snmpwalk on snmpd. 
 
CVE-2005-2555 
 
Linux kernel 2.6.x does not properly restrict socket policy access to users 
with the CAP_NET_ADMIN capability, which could allow local users to conduct 
unauthorized activities via (1) ipv4/ip_sockglue.c and (2) 
ipv6/ipv6_sockglue.c. 
 
CVE-2005-2617 
 
The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12 
and later, on the amd64 architecture, does not check the return value of 
the insert_vm_struct function, which allows local users to trigger a memory 
leak via a 32-bit application with crafted ELF headers. 
 
In addition, this update fixes some security issues that have not been 
assigned CVE IDs: 
 
- Fix DST leak in icmp_push_reply(). Possible remote DoS? 
 
- NPTL signal delivery deadlock fix; possible local DoS. 
 
- Fix a memory leak in devices seq_file implementation; local DoS. 
 
- Fix SKB leak in ip6_input_finish(); local DoS. 

For the testing distribution (etch) this is fixed in version 2.6.12-6.
For the unstable distribution (sid) this is fixed in version 2.6.12-6.

The Debian testing security team does not track security issues for the stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.

Your system does not need to be configured to use the Debian testing security archive to install this update. The fixed kernel packages are available in the regular Debian testing archive.

To install the update, first run this command as root:

apt-get update

Next, install an appropriate kernel package for your architecture and machine. The following kernel will work for all i386 machines:

apt-get install linux-image-2.6-386

However, you may prefer to install an optimised kernel for your machine:

apt-get install linux-image-2.6-686
apt-get install linux-image-2.6-686-smp
apt-get install linux-image-2.6-k7
apt-get install linux-image-2.6-k7-smp

For the amd64 architecture, choose one of these kernels:

apt-get install linux-image-2.6-amd64-generic
apt-get install linux-image-2.6-amd64-k8
apt-get install linux-image-2.6-amd64-k8-smp

For the powerpc architecture, choose one of these kernels:

apt-get install linux-image-2.6-powerpc
apt-get install linux-image-2.6-powerpc-smp
apt-get install linux-image-2.6-powerpc64

For the sparc architecture, choose one of these kernels:

apt-get install linux-image-2.6-sparc64
apt-get install linux-image-2.6-sparc64-smp

(Note that users of 32-bit sparc systems are no longer supported by the 2.6 kernel.)

For the alpha architecture, choose one of these kernels:

apt-get install linux-image-2.6-alpha-generic
apt-get install linux-image-2.6-alpha-smp

For the ia64 architecture, choose one of these kernels:

apt-get install linux-image-2.6-itanium
apt-get install linux-image-2.6-itanium-smp
apt-get install linux-image-2.6-mckinley
apt-get install linux-image-2.6-mckinley-smp

For the hppa architecture, choose one of these kernels:

apt-get install linux-image-2.6-parisc
apt-get install linux-image-2.6-parisc-smp
apt-get install linux-image-2.6-parisc64
apt-get install linux-image-2.6-parisc64-smp

For the s390 architecture, choose one of these kernels:

apt-get install linux-image-2.6-s390
apt-get install linux-image-2.6-s390x

For the arm architecture, choose one of these kernels:

apt-get install linux-image-2.6-footbridge
apt-get install linux-image-2.6-ixp4xx
apt-get install linux-image-2.6-rpc
apt-get install linux-image-2.6-s3c2410

For the m68k architecture, choose one of these kernels:

apt-get install linux-image-2.6-amiga
apt-get install linux-image-2.6-atari
apt-get install linux-image-2.6-bvme6000
apt-get install linux-image-2.6-hp
apt-get install linux-image-2.6-mac
apt-get install linux-image-2.6-mvme147
apt-get install linux-image-2.6-mvme16x
apt-get install linux-image-2.6-q40
apt-get install linux-image-2.6-sun3

Updated kernels are not yet available for the mips and mipsel architectures.

Note that you may also need to upgrade third-party modules that are not included in the kernel package.

Finally, reboot the system, taking care to boot the new 2.6.12 kernel with your bootloader.

