USN-864-1: Linux kernel vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04
• Ubuntu 6.06

Packages

• linux -
• linux-source-2.6.15 -

Details

It was discovered that the AX.25 network subsystem did not correctly
check integer signedness in certain setsockopt calls. A local attacker
could exploit this to crash the system, leading to a denial of service.
Ubuntu 9.10 was not affected. (CVE-2009-2909)

Jan Beulich discovered that the kernel could leak register contents to
32-bit processes that were switched to 64-bit mode. A local attacker
could run a specially crafted binary to read register values from an
earlier process, leading to a loss of privacy. (CVE-2009-2910)

Dave Jones discovered that the gdth SCSI driver did not correctly validate
array indexes in certain ioctl calls. A local attacker could exploit
this to crash the system or gain elevated privileges. (CVE-2009-3080)

Eric Dumazet and Jiri Pirko discovered that the TC and CLS subsystems
would leak kernel memory via uninitialized structure members. A local
attacker could exploit this to read several bytes of kernel memory,
leading to a loss of privacy. (CVE-2009-3228, CVE-2009-3612)

Earl Chew discovered race conditions in pipe handling. A local attacker
could exploit anonymous pipes via /proc/*/fd/ and crash the system or
gain root privileges. (CVE-2009-3547)

Dave Jones and Francois Romieu discovered that the r8169 network driver
could be made to leak kernel memory. A remote attacker could send a large
number of jumbo frames until the system memory was exhausted, leading
to a denial of service. Ubuntu 9.10 was not affected. (CVE-2009-3613).

Ben Hutchings discovered that the ATI Rage 128 video driver did not
correctly validate initialization states. A local attacker could
make specially crafted ioctl calls to crash the system or gain root
privileges. (CVE-2009-3620)

Tomoki Sekiyama discovered that Unix sockets did not correctly verify
namespaces. A local attacker could exploit this to cause a system hang,
leading to a denial of service. (CVE-2009-3621)

J. Bruce Fields discovered that NFSv4 did not correctly use the credential
cache. A local attacker using a mount with AUTH_NULL authentication
could exploit this to crash the system or gain root privileges. Only
Ubuntu 9.10 was affected. (CVE-2009-3623)

Alexander Zangerl discovered that the kernel keyring did not correctly
reference count. A local attacker could issue a series of specially
crafted keyring calls to crash the system or gain root privileges.
Only Ubuntu 9.10 was affected. (CVE-2009-3624)

David Wagner discovered that KVM did not correctly bounds-check CPUID
entries. A local attacker could exploit this to crash the system
or possibly gain elevated privileges. Ubuntu 6.06 and 9.10 were not
affected. (CVE-2009-3638)

Avi Kivity discovered that KVM did not correctly check privileges when
accessing debug registers. A local attacker could exploit this to
crash a host system from within a guest system, leading to a denial of
service. Ubuntu 6.06 and 9.10 were not affected. (CVE-2009-3722)

Philip Reisner discovered that the connector layer for uvesafb, pohmelfs,
dst, and dm did not correctly check capabilties. A local attacker could
exploit this to crash the system or gain elevated privileges. Ubuntu
6.06 was not affected. (CVE-2009-3725)

Trond Myklebust discovered that NFSv4 clients did not robustly
verify attributes. A malicious remote NFSv4 server could exploit
this to crash a client or gain root privileges. Ubuntu 9.10 was not
affected. (CVE-2009-3726)

Robin Getz discovered that NOMMU systems did not correctly validate
NULL pointers in do_mmap_pgoff calls. A local attacker could attempt to
allocate large amounts of memory to crash the system, leading to a denial
of service. Only Ubuntu 6.06 and 9.10 were affected. (CVE-2009-3888)

Joseph Malicki discovered that the MegaRAID SAS driver had
world-writable option files. A local attacker could exploit these
to disrupt the behavior of the controller, leading to a denial of
service. (CVE-2009-3889, CVE-2009-3939)

Roel Kluin discovered that the Hisax ISDN driver did not correctly
check the size of packets. A remote attacker could send specially
crafted packets to cause a system crash, leading to a denial of
service. (CVE-2009-4005)

Lennert Buytenhek discovered that certain 802.11 states were not handled
correctly. A physically-proximate remote attacker could send specially
crafted wireless traffic that would crash the system, leading to a denial
of service. Only Ubuntu 9.10 was affected. (CVE-2009-4026, CVE-2009-4027)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• linux-image-2.6.31-16-powerpc-smp - 2.6.31-16.52
• linux-image-2.6.31-16-server - 2.6.31-16.52
• linux-image-2.6.31-16-powerpc64-smp - 2.6.31-16.52
• linux-image-2.6.31-16-lpia - 2.6.31-16.52
• linux-image-2.6.31-16-386 - 2.6.31-16.52
• linux-image-2.6.31-16-generic-pae - 2.6.31-16.52
• linux-image-2.6.31-16-sparc64-smp - 2.6.31-16.52
• linux-image-2.6.31-16-virtual - 2.6.31-16.52
• linux-image-2.6.31-16-sparc64 - 2.6.31-16.52
• linux-image-2.6.31-16-ia64 - 2.6.31-16.52
• linux-image-2.6.31-16-generic - 2.6.31-16.52
• linux-image-2.6.31-16-powerpc - 2.6.31-16.52

Ubuntu 9.04

• linux-image-2.6.28-17-imx51 - 2.6.28-17.58
• linux-image-2.6.28-17-virtual - 2.6.28-17.58
• linux-image-2.6.28-17-server - 2.6.28-17.58
• linux-image-2.6.28-17-versatile - 2.6.28-17.58
• linux-image-2.6.28-17-iop32x - 2.6.28-17.58
• linux-image-2.6.28-17-generic - 2.6.28-17.58
• linux-image-2.6.28-17-ixp4xx - 2.6.28-17.58
• linux-image-2.6.28-17-lpia - 2.6.28-17.58

Ubuntu 8.10

• linux-image-2.6.27-16-virtual - 2.6.27-16.44
• linux-image-2.6.27-16-server - 2.6.27-16.44
• linux-image-2.6.27-16-generic - 2.6.27-16.44

Ubuntu 8.04

• linux-image-2.6.24-26-mckinley - 2.6.24-26.64
• linux-image-2.6.24-26-generic - 2.6.24-26.64
• linux-image-2.6.24-26-hppa32 - 2.6.24-26.64
• linux-image-2.6.24-26-386 - 2.6.24-26.64
• linux-image-2.6.24-26-sparc64-smp - 2.6.24-26.64
• linux-image-2.6.24-26-openvz - 2.6.24-26.64
• linux-image-2.6.24-26-powerpc - 2.6.24-26.64
• linux-image-2.6.24-26-itanium - 2.6.24-26.64
• linux-image-2.6.24-26-lpiacompat - 2.6.24-26.64
• linux-image-2.6.24-26-xen - 2.6.24-26.64
• linux-image-2.6.24-26-lpia - 2.6.24-26.64
• usb-modules-2.6.24-26-sparc64-di - 2.6.24-26.64
• linux-image-2.6.24-26-powerpc-smp - 2.6.24-26.64
• linux-image-2.6.24-26-virtual - 2.6.24-26.64
• linux-image-2.6.24-26-rt - 2.6.24-26.64
• linux-image-2.6.24-26-server - 2.6.24-26.64
• linux-image-2.6.24-26-powerpc64-smp - 2.6.24-26.64
• linux-image-2.6.24-26-hppa64 - 2.6.24-26.64
• linux-image-2.6.24-26-sparc64 - 2.6.24-26.64

Ubuntu 6.06

• linux-image-2.6.15-55-hppa64 - 2.6.15-55.81
• linux-image-2.6.15-55-mckinley - 2.6.15-55.81
• linux-image-2.6.15-55-powerpc-smp - 2.6.15-55.81
• linux-image-2.6.15-55-hppa32-smp - 2.6.15-55.81
• linux-image-2.6.15-55-686 - 2.6.15-55.81
• linux-image-2.6.15-55-amd64-k8 - 2.6.15-55.81
• linux-image-2.6.15-55-amd64-server - 2.6.15-55.81
• linux-image-2.6.15-55-386 - 2.6.15-55.81
• linux-image-2.6.15-55-sparc64-smp - 2.6.15-55.81
• linux-image-2.6.15-55-k7 - 2.6.15-55.81
• linux-image-2.6.15-55-sparc64 - 2.6.15-55.81
• linux-image-2.6.15-55-server - 2.6.15-55.81
• linux-image-2.6.15-55-powerpc64-smp - 2.6.15-55.81
• linux-image-2.6.15-55-hppa32 - 2.6.15-55.81
• linux-image-2.6.15-55-mckinley-smp - 2.6.15-55.81
• linux-image-2.6.15-55-server-bigiron - 2.6.15-55.81
• linux-image-2.6.15-55-itanium-smp - 2.6.15-55.81
• linux-image-2.6.15-55-amd64-xeon - 2.6.15-55.81
• linux-image-2.6.15-55-powerpc - 2.6.15-55.81
• linux-image-2.6.15-55-amd64-generic - 2.6.15-55.81
• linux-image-2.6.15-55-hppa64-smp - 2.6.15-55.81
• linux-image-2.6.15-55-itanium - 2.6.15-55.81

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06)
the kernel updates have been given a new version number, which requires
you to recompile and reinstall all third party kernel modules you
might have installed. If you use linux-restricted-modules, you have to
update that package as well to get modules which work with the new kernel
version. Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-server, linux-powerpc), a standard system
upgrade will automatically perform this as well.

References

• CVE-2009-3726
• CVE-2009-4027
• CVE-2009-3624
• CVE-2009-3612
• CVE-2009-3547
• CVE-2009-3613
• CVE-2009-3725
• CVE-2009-3620
• CVE-2009-3623
• CVE-2009-3888
• CVE-2009-3889
• CVE-2009-3939
• CVE-2009-4005
• CVE-2009-3621
• CVE-2009-2910
• CVE-2009-4026
• CVE-2009-3228
• CVE-2009-3080
• CVE-2009-2909
• CVE-2009-3722
• CVE-2009-3638