===================================================================== CERT-Renater Note d'Information No. 2005/VULN428 _____________________________________________________________________ DATE : 01/07/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Linux. ====================================================================== _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: kernel-2.4 Advisory ID: MDKSA-2005:111 Date: June 30th, 2005 Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1, Multi Network Firewall 8.2 ______________________________________________________________________ Problem Description: Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels: Colin Percival discovered a vulnerability in Intel's Hyper-Threading technology could allow a local user to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys via a timing attack on memory cache misses. This has been corrected by disabling HT support in all kernels (CAN-2005-0109). When forwarding fragmented packets, a hardware assisted checksum could only be used once which could lead to a Denial of Service attack or crash by remote users (CAN-2005-0209). A flaw in the Linux PPP driver was found where on systems allowing remote users to connect to a server via PPP, a remote client could cause a crash, resulting in a Denial of Service (CAN-2005-0384). An information leak in the ext2 filesystem code was found where when a new directory is created, the ext2 block written to disk is not initialized (CAN-2005-0400). A signedness error in the copy_from_read_buf function in n_tty.c allows local users to read kernel memory via a negative argument (CAN-2005-0530). George Guninski discovered a buffer overflow in the ATM driver where the atm_get_addr() function does not validate its arguments sufficiently which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could potentially lead to the execution of arbitrary code (CAN-2005-0531). A flaw when freeing a pointer in load_elf_library was found that could be abused by a local user to potentially crash the machine causing a Denial of Service (CAN-2005-0749). A problem with the Bluetooth kernel stack in kernels 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker to gain root access or crash the machine (CAN-2005-0750). A race condition in the Radeon DRI driver allows a local user with DRI privileges to execute arbitrary code as root (CAN-2005-0767). Paul Starzetz found an integer overflow in the ELF binary format loader's code dump function in kernels prior to and including 2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially crafted ELF executable, a local attacker could exploit this to execute arbitrary code with root and kernel privileges (CAN-2005-1263). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 6e064c284eee32e9b8aa444d5c8b1f51 10.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.i586.rpm 34b6b9caac88e1ff34788bc9a99eb023 10.0/RPMS/kernel-enterprise-2.4.25.14mdk-1-1mdk.i586.rpm 6464002754031a7fcd663d6df76c0871 10.0/RPMS/kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk.i586.rpm 5d9c42cd422d34521514becb2b99f5ee 10.0/RPMS/kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk.i586.rpm da21d692d1c1b4ac76930491cb977355 10.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.i586.rpm e1680f042ca01793cd3526ca890a6359 10.0/RPMS/kernel-source-2.4.25-14mdk.i586.rpm 49ca54a42f3df341c89deea3cc60752b 10.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm Mandrakelinux 10.0/AMD64: b25d2470f809eb14d8ba4c27ffc720b0 amd64/10.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.amd64.rpm 6073c44537913b11d9ce81a506d4f698 amd64/10.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.amd64.rpm a2fe6dfa98e85ca097aea0c3cd01cac4 amd64/10.0/RPMS/kernel-source-2.4.25-14mdk.amd64.rpm 49ca54a42f3df341c89deea3cc60752b amd64/10.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm Mandrakelinux 10.1: 2bb1a55a701e1f9bf8d9c004873fbec3 10.1/RPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm e7dc646e68cde7f58de3379ab581c436 10.1/RPMS/kernel-enterprise-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm aa252943a193bb218ff6c7b80d40d575 10.1/RPMS/kernel-i586-up-1GB-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm f953475453e85586b8878024496708d6 10.1/RPMS/kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm 9472f72434bcd3152c440d886b8b8d0a 10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.6mdk.i586.rpm da09cdd87f8658578a134b35afc3634e 10.1/SRPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.src.rpm Mandrakelinux 10.1/X86_64: 45b22f87c2aca0cd3cb660aee55b309c x86_64/10.1/RPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.x86_64.rpm de98bf86d25660a7d1209391718941cd x86_64/10.1/RPMS/kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk.x86_64.rpm 8037b0d02ff5958009c1ce06fc80ecb7 x86_64/10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.6mdk.x86_64.rpm da09cdd87f8658578a134b35afc3634e x86_64/10.1/SRPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.src.rpm Corporate Server 2.1: 3d62f084903092436aa7074a57b8f50a corporate/2.1/RPMS/kernel-2.4.19.49mdk-1-1mdk.i586.rpm 057c35e5704d2cb40db72d6731798c45 corporate/2.1/RPMS/kernel-enterprise-2.4.19.49mdk-1-1mdk.i586.rpm 5c8e475f0f0d3dd14f79e2a3d875596d corporate/2.1/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.i586.rpm 0bdd8e582fa2c8996853c583581c5a1c corporate/2.1/RPMS/kernel-smp-2.4.19.49mdk-1-1mdk.i586.rpm cc34893f190d9a2b914b2b133687d483 corporate/2.1/RPMS/kernel-source-2.4.19-49mdk.i586.rpm 9b8252d59a1f75bf80d134ff394e631f corporate/2.1/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm Corporate Server 2.1/X86_64: 2bf8630a1b3439a62cd226675afac5fa x86_64/corporate/2.1/RPMS/kernel-2.4.19.49mdk-1-1mdk.x86_64.rpm 81f5f76607480270437d4e176cbc052c x86_64/corporate/2.1/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.x86_64.rpm 68e934d793f23b77f0072e1d9dfffff8 x86_64/corporate/2.1/RPMS/kernel-smp-2.4.19.49mdk-1-1mdk.x86_64.rpm 76e6aed1997bd297034978fd177e9c6c x86_64/corporate/2.1/RPMS/kernel-source-2.4.19-49mdk.x86_64.rpm 9b8252d59a1f75bf80d134ff394e631f x86_64/corporate/2.1/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm Corporate 3.0: 6e064c284eee32e9b8aa444d5c8b1f51 corporate/3.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.i586.rpm 34b6b9caac88e1ff34788bc9a99eb023 corporate/3.0/RPMS/kernel-enterprise-2.4.25.14mdk-1-1mdk.i586.rpm 6464002754031a7fcd663d6df76c0871 corporate/3.0/RPMS/kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk.i586.rpm 5d9c42cd422d34521514becb2b99f5ee corporate/3.0/RPMS/kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk.i586.rpm da21d692d1c1b4ac76930491cb977355 corporate/3.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.i586.rpm e1680f042ca01793cd3526ca890a6359 corporate/3.0/RPMS/kernel-source-2.4.25-14mdk.i586.rpm 49ca54a42f3df341c89deea3cc60752b corporate/3.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm Corporate 3.0/X86_64: 9f9a2331e209bc05e1f673f6ba4496c3 x86_64/corporate/3.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.x86_64.rpm cba23e8d414c01245b7bfd9d40fb976d x86_64/corporate/3.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.x86_64.rpm e1891c175b7544470017aa7979ae2fb9 x86_64/corporate/3.0/RPMS/kernel-source-2.4.25-14mdk.x86_64.rpm 49ca54a42f3df341c89deea3cc60752b x86_64/corporate/3.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm Multi Network Firewall 8.2: 5c8e475f0f0d3dd14f79e2a3d875596d mnf8.2/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.i586.rpm 9b8252d59a1f75bf80d134ff394e631f mnf8.2/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================