[Trisquel-security] [USN-1164-1] Linux kernel vulnerabilities (i.MX51)

Rubén Rodríguez ruben at trisquel.info
Fri Jul 8 01:49:06 CEST 2011


Note to Trisquel users: you can ignore this advisory as Trisquel does
not distribute this package. This notice came automatically from the
ubuntu-security mailing list, which we don't filter.

> ==========================================================================
> Ubuntu Security Notice USN-1164-1
> July 06, 2011
> 
> linux-fsl-imx51 vulnerabilities
> ==========================================================================
> 
> A security issue affects these releases of Ubuntu and its derivatives:
> 
> - Ubuntu 10.04 LTS
> 
> Summary:
> 
> Multiple kernel flaws have been fixed.
> 
> Software Description:
> - linux-fsl-imx51: Linux kernel for IMX51
> 
> Details:
> 
> Thomas Pollet discovered that the RDS network protocol did not check
> certain iovec buffers. A local attacker could exploit this to crash
> the system or possibly execute arbitrary code as the root user.
> (CVE-2010-3865)
> 
> Dan Rosenberg discovered that the CAN protocol on 64bit systems did
> not correctly calculate the size of certain buffers. A local attacker
> could exploit this to crash the system or possibly execute arbitrary
> code as the root user. (CVE-2010-3874)
> 
> Vasiliy Kulikov discovered that the Linux kernel X.25 implementation
> did not correctly clear kernel memory. A local attacker could exploit
> this to read kernel stack memory, leading to a loss of privacy.
> (CVE-2010-3875)
> 
> Vasiliy Kulikov discovered that the Linux kernel sockets
> implementation did not properly initialize certain structures. A
> local attacker could exploit this to read kernel stack memory,
> leading to a loss of privacy. (CVE-2010-3876)
> 
> Vasiliy Kulikov discovered that the TIPC interface did not correctly
> initialize certain structures. A local attacker could exploit this to
> read kernel stack memory, leading to a loss of privacy.
> (CVE-2010-3877)
> 
> Nelson Elhage discovered that the Linux kernel IPv4 implementation
> did not properly audit certain bytecodes in netlink messages. A local
> attacker could exploit this to cause the kernel to hang, leading to a
> denial of service. (CVE-2010-3880)
> 
> Dan Rosenberg discovered that the RME Hammerfall DSP audio interface
> driver did not correctly clear kernel memory. A local attacker could
> exploit this to read kernel stack memory, leading to a loss of
> privacy. (CVE-2010-4080, CVE-2010-4081)
> 
> Dan Rosenberg discovered that the VIA video driver did not correctly
> clear kernel memory. A local attacker could exploit this to read
> kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)
> 
> Dan Rosenberg discovered that the semctl syscall did not correctly
> clear kernel memory. A local attacker could exploit this to read
> kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)
> 
> James Bottomley discovered that the ICP vortex storage array
> controller driver did not validate certain sizes. A local attacker on
> a 64bit system could exploit this to crash the kernel, leading to a
> denial of service. (CVE-2010-4157)
> 
> Dan Rosenberg discovered multiple flaws in the X.25 facilities
> parsing. If a system was using X.25, a remote attacker could exploit
> this to crash the system, leading to a denial of service.
> (CVE-2010-4164)
> 
> It was discovered that multithreaded exec did not handle CPU timers
> correctly. A local attacker could exploit this to crash the system,
> leading to a denial of service. (CVE-2010-4248)
> 
> Nelson Elhage discovered that the kernel did not correctly handle
> process cleanup after triggering a recoverable kernel bug. If a local
> attacker were able to trigger certain kinds of kernel bugs, they
> could create a specially crafted process to gain root privileges.
> (CVE-2010-4258)
> 
> Nelson Elhage discovered that Econet did not correctly handle AUN
> packets over UDP. A local attacker could send specially crafted
> traffic to crash the system, leading to a denial of service.
> (CVE-2010-4342)
> 
> Tavis Ormandy discovered that the install_special_mapping function
> could bypass the mmap_min_addr restriction. A local attacker could
> exploit this to mmap 4096 bytes below the mmap_min_addr area,
> possibly improving the chances of performing NULL pointer dereference
> attacks. (CVE-2010-4346)
> 
> Dan Rosenberg discovered that the OSS subsystem did not handle name
> termination correctly. A local attacker could exploit this crash the
> system or gain root privileges. (CVE-2010-4527)
> 
> Dan Rosenberg discovered that IRDA did not correctly check the size of
> buffers. On non-x86 systems, a local attacker could exploit this to
> read kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)
> 
> Dan Rosenburg discovered that the CAN subsystem leaked kernel
> addresses into the /proc filesystem. A local attacker could use this
> to increase the chances of a successful memory corruption exploit.
> (CVE-2010-4565)
> 
> Kees Cook discovered that some ethtool functions did not correctly
> clear heap memory. A local attacker with CAP_NET_ADMIN privileges
> could exploit this to read portions of kernel heap memory, leading to
> a loss of privacy. (CVE-2010-4655)
> 
> Kees Cook discovered that the IOWarrior USB device driver did not
> correctly check certain size fields. A local attacker with physical
> access could plug in a specially crafted USB device to crash the
> system or potentially gain root privileges. (CVE-2010-4656)
> 
> Goldwyn Rodrigues discovered that the OCFS2 filesystem did not
> correctly clear memory when writing certain file holes. A local
> attacker could exploit this to read uninitialized data from the disk,
> leading to a loss of privacy. (CVE-2011-0463)
> 
> Dan Carpenter discovered that the TTPCI DVB driver did not check
> certain values during an ioctl. If the dvb-ttpci module was loaded, a
> local attacker could exploit this to crash the system, leading to a
> denial of service, or possibly gain root privileges. (CVE-2011-0521)
> 
> Jens Kuehnel discovered that the InfiniBand driver contained a race
> condition. On systems using InfiniBand, a local attacker could send
> specially crafted requests to crash the system, leading to a denial of
> service. (CVE-2011-0695)
> 
> Dan Rosenberg discovered that XFS did not correctly initialize
> memory. A local attacker could make crafted ioctl calls to leak
> portions of kernel stack memory, leading to a loss of privacy.
> (CVE-2011-0711)
> 
> Rafael Dominguez Vega discovered that the caiaq Native Instruments USB
> driver did not correctly validate string lengths. A local attacker
> with physical access could plug in a specially crafted USB device to
> crash the system or potentially gain root privileges. (CVE-2011-0712)
> 
> Timo Warns discovered that the LDM disk partition handling code did
> not correctly handle certain values. By inserting a specially crafted
> disk device, a local attacker could exploit this to gain root
> privileges. (CVE-2011-1017)
> 
> Julien Tinnes discovered that the kernel did not correctly validate
> the signal structure from tkill(). A local attacker could exploit
> this to send signals to arbitrary threads, possibly bypassing
> expected restrictions. (CVE-2011-1182)
> 
> Dan Rosenberg discovered that MPT devices did not correctly validate
> certain values in ioctl calls. If these drivers were loaded, a local
> attacker could exploit this to read arbitrary kernel memory, leading
> to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)
> 
> Tavis Ormandy discovered that the pidmap function did not correctly
> handle large requests. A local attacker could exploit this to crash
> the system, leading to a denial of service. (CVE-2011-1593)
> 
> Vasiliy Kulikov discovered that the AGP driver did not check certain
> ioctl values. A local attacker with access to the video subsystem
> could exploit this to crash the system, leading to a denial of
> service, or possibly gain root privileges. (CVE-2011-1745,
> CVE-2011-2022)
> 
> Vasiliy Kulikov discovered that the AGP driver did not check the size
> of certain memory allocations. A local attacker with access to the
> video subsystem could exploit this to run the system out of memory,
> leading to a denial of service. (CVE-2011-1746, CVE-2011-1747)
> 
> Oliver Hartkopp and Dave Jones discovered that the CAN network driver
> did not correctly validate certain socket structures. If this driver
> was loaded, a local attacker could crash the system, leading to a
> denial of service. (CVE-2011-1748)
> 
> Update instructions:
> 
> The problem can be corrected by updating your system to the following
> package versions:
> 
> Ubuntu 10.04 LTS:
>   linux-image-2.6.31-609-imx51    2.6.31-609.26
> 
> After a standard system update you need to reboot your computer to
> make all the necessary changes.
> 
> ATTENTION: Due to an unavoidable ABI change the kernel updates have
> been given a new version number, which requires you to recompile and
> reinstall all third party kernel modules you might have installed. If
> you use linux-restricted-modules, you have to update that package as
> well to get modules which work with the new kernel version. Unless you
> manually uninstalled the standard kernel metapackages (e.g.
> linux-generic, linux-server, linux-powerpc), a standard system
> upgrade will automatically perform this as well.
> 
> References:
>   http://www.ubuntu.com/usn/usn-1164-1
>   CVE-2010-3865, CVE-2010-3874, CVE-2010-3875, CVE-2010-3876,
>   CVE-2010-3877, CVE-2010-3880, CVE-2010-4080, CVE-2010-4081,
>   CVE-2010-4082, CVE-2010-4083, CVE-2010-4157, CVE-2010-4164,
>   CVE-2010-4248, CVE-2010-4258, CVE-2010-4342, CVE-2010-4346,
>   CVE-2010-4527, CVE-2010-4529, CVE-2010-4565, CVE-2010-4655,
>   CVE-2010-4656, CVE-2011-0463, CVE-2011-0521, CVE-2011-0695,
>   CVE-2011-0711, CVE-2011-0712, CVE-2011-1017, CVE-2011-1182,
>   CVE-2011-1494, CVE-2011-1495, CVE-2011-1593, CVE-2011-1745,
>   CVE-2011-1746, CVE-2011-1747, CVE-2011-1748, CVE-2011-2022
> 
> Package Information:
>   https://launchpad.net/ubuntu/+source/linux-fsl-imx51/2.6.31-609.26
> 
> 


More information about the Trisquel-security mailing list