[USN-574-1] Linux kernel vulnerabilities

Ubuntu Security Notice USN-574-1          February 04, 2008
linux-source-2.6.17/20/22 vulnerabilities
CVE-2006-6058, CVE-2007-3107, CVE-2007-4567, CVE-2007-4849,
CVE-2007-4997, CVE-2007-5093, CVE-2007-5500, CVE-2007-5501,
CVE-2007-5966, CVE-2007-6063, CVE-2007-6151, CVE-2007-6206,
CVE-2007-6417, CVE-2008-0001

Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

Ubuntu 6.10

linux-image-2.6.17-12-386 2.6.17.1-12.43
linux-image-2.6.17-12-generic 2.6.17.1-12.43
linux-image-2.6.17-12-hppa32 2.6.17.1-12.43
linux-image-2.6.17-12-hppa64 2.6.17.1-12.43
linux-image-2.6.17-12-itanium 2.6.17.1-12.43
linux-image-2.6.17-12-mckinley 2.6.17.1-12.43
linux-image-2.6.17-12-powerpc 2.6.17.1-12.43
linux-image-2.6.17-12-powerpc-smp 2.6.17.1-12.43
linux-image-2.6.17-12-powerpc64-smp 2.6.17.1-12.43
linux-image-2.6.17-12-server 2.6.17.1-12.43
linux-image-2.6.17-12-server-bigiron 2.6.17.1-12.43
linux-image-2.6.17-12-sparc64 2.6.17.1-12.43
linux-image-2.6.17-12-sparc64-smp 2.6.17.1-12.43

Ubuntu 7.10

linux-image-2.6.22-14-386 2.6.22-14.51
linux-image-2.6.22-14-cell 2.6.22-14.51
linux-image-2.6.22-14-generic 2.6.22-14.51
linux-image-2.6.22-14-hppa32 2.6.22-14.51
linux-image-2.6.22-14-hppa64 2.6.22-14.51
linux-image-2.6.22-14-itanium 2.6.22-14.51
linux-image-2.6.22-14-lpia 2.6.22-14.51
linux-image-2.6.22-14-lpiacompat 2.6.22-14.51
linux-image-2.6.22-14-mckinley 2.6.22-14.51
linux-image-2.6.22-14-powerpc 2.6.22-14.51
linux-image-2.6.22-14-powerpc-smp 2.6.22-14.51
linux-image-2.6.22-14-powerpc64-smp 2.6.22-14.51
linux-image-2.6.22-14-rt 2.6.22-14.51
linux-image-2.6.22-14-server 2.6.22-14.51
linux-image-2.6.22-14-sparc64 2.6.22-14.51
linux-image-2.6.22-14-sparc64-smp 2.6.22-14.51
linux-image-2.6.22-14-ume 2.6.22-14.51
linux-image-2.6.22-14-virtual 2.6.22-14.51
linux-image-2.6.22-14-xen 2.6.22-14.51

Ubuntu 7.04

linux-image-2.6.20-16-386 2.6.20-16.34
linux-image-2.6.20-16-generic 2.6.20-16.34
linux-image-2.6.20-16-hppa32 2.6.20-16.34
linux-image-2.6.20-16-hppa64 2.6.20-16.34
linux-image-2.6.20-16-itanium 2.6.20-16.34
linux-image-2.6.20-16-lowlatency 2.6.20-16.34
linux-image-2.6.20-16-mckinley 2.6.20-16.34
linux-image-2.6.20-16-powerpc 2.6.20-16.34
linux-image-2.6.20-16-powerpc-smp 2.6.20-16.34
linux-image-2.6.20-16-powerpc64-smp 2.6.20-16.34
linux-image-2.6.20-16-server 2.6.20-16.34
linux-image-2.6.20-16-server-bigiron 2.6.20-16.34
linux-image-2.6.20-16-sparc64 2.6.20-16.34
linux-image-2.6.20-16-sparc64-smp 2.6.20-16.34

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058) The signal handling on PowerPC systems using HTX allowed local users to cause a denial of service via floating point corruption. This was only vulnerable in Ubuntu 6.10 and 7.04. (CVE-2007-3107) The Linux kernel did not properly validate the hop-by-hop IPv6 extended header. Remote attackers could send a crafted IPv6 packet and cause a denial of service via kernel panic. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567) The JFFS2 filesystem with ACL support enabled did not properly store permissions during inode creation and ACL setting. Local users could possibly access restricted files after a remount. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4849) Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-4997) Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. This was only vulnerable in Ubuntu 7.04. (CVE-2007-5093) Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop. This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-5500) It was discovered that the Linux kernel could dereference a NULL pointer when processing certain IPv4 TCP packets. A remote attacker could send a crafted TCP ACK response and cause a denial of service via crash. This was only vulnerable in Ubuntu 7.10. (CVE-2007-5501) Warren Togami discovered that the hrtimer subsystem did not properly check for large relative timeouts. A local user could exploit this and cause a denial of service via soft lockup. (CVE-2007-5966) Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063) It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151) Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file's ownership. Local users could exploit this to gain access to sensitive information. (CVE-2007-6206) Hugh Dickins discovered the when using the tmpfs filesystem, under rare circumstances, a kernel page may be improperly cleared. A local user may be able to exploit this and read sensitive kernel data or cause a denial of service via crash. (CVE-2007-6417) Bill Roman discovered that the VFS subsystem did not properly check access modes. A local user may be able to gain removal privileges on directories. (CVE-2008-0001)