Articles / Debian: Security update for…

Debian: Security update for Linux

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. Kees Cook discovered an issue in the /proc filesystem that allows local users to gain access to sensitive process information after execution of a setuid binary. Ryan Sweat discovered an issue in the VLAN implementation. Local users may be able to cause a kernel memory leak, resulting in a denial of service. Vasiliy Kulikov of Openwall discovered that the number of exit handlers that a process can register is not capped, resulting in local denial of service through resource exhaustion (cpu time and memory).

Vasily Averin discovered an issue with the NFS locking implementation. A malicious NFS server can cause a client to hang indefinitely in an unlock call. Marek Kroemeke and Filip Palian discovered that uninitialized struct elements in the Bluetooth subsystem could lead to a leak of sensitive kernel memory through leaked stack memory. Vasiliy Kulikov of Openwall discovered that the io file of a process’ proc directory was world-readable, resulting in local information disclosure of information such as password lengths.

Robert Swiecki discovered that mremap() could be abused for local denial of service by triggering a BUG_ON assert. Dan Rosenberg discovered an integer underflow in the Bluetooth subsystem, which could lead to denial of service or privilege escalation. It was discovered that the netlink-based wireless configuration interface performed insufficient length validation when parsing SSIDs, resulting in buffer overflows. Local users with the CAP_NET_ADMIN capability can cause a denial of service.

Ben Pfaff reported an issue in the network scheduling code. A local user could cause a denial of service (NULL pointer dereference) by sending a specially crafted netlink message. Mauro Carvalho Chehab of Red Hat reported a buffer overflow issue in the driver for the Si4713 FM Radio Transmitter driver used by N900 devices. Local users could exploit this issue to cause a denial of service or potentially gain elevated privileges. Brent Meshier reported an issue in the GRO (generic receive offload) implementation. This can be exploited by remote users to create a denial of service (system crash) in certain network device configurations.

Christian Ohm discovered that the ‘perf’ analysis tool searches for its config files in the current working directory. This could lead to denial of service or potential privilege escalation if a user with elevated privileges is tricked into running ‘perf’ in a directory under the control of the attacker. Vasiliy Kulikov of Openwall discovered that a programming error in the Comedi driver could lead to the information disclosure through leaked stack memory. Vince Weaver discovered that incorrect handling of software event overflows in the ‘perf’ analysis tool could lead to local denial of service.

Timo Warns discovered that insufficient validation of Be filesystem images could lead to local denial of service if a malformed filesystem image is mounted. Dan Kaminsky reported a weakness of the sequence number generation in the TCP protocol implementation. This can be used by remote attackers to inject packets into an active session. Darren Lavender reported an issue in the Common Internet File System (CIFS). A malicious file server could cause memory corruption leading to a denial of service.

Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------
Debian Security Advisory DSA-2303-1                security@debian.org
http://www.debian.org/security/       Moritz Muehlenhoff, Dann Frazier
September 8, 2011                   http://www.debian.org/security/faq
- ----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2011-1020 CVE-2011-1576 CVE-2011-2484 CVE-2011-2491
                CVE-2011-2492 CVE-2011-2495 CVE-2011-2496 CVE-2011-2497
                CVE-2011-2517 CVE-2011-2525 CVE-2011-2700 CVE-2011-2723
                CVE-2011-2905 CVE-2011-2909 CVE-2011-2918 CVE-2011-2928
                CVE-2011-3188 CVE-2011-3191

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2011-1020 

   Kees Cook discovered an issue in the /proc filesystem that allows local
   users to gain access to sensitive process information after execution of a
   setuid binary.

CVE-2011-1576 

   Ryan Sweat discovered an issue in the VLAN implementation. Local users may
   be able to cause a kernel memory leak, resulting in a denial of service.

CVE-2011-2484 

   Vasiliy Kulikov of Openwall discovered that the number of exit handlers that
   a process can register is not capped, resulting in local denial of service
   through resource exhaustion (cpu time and memory).

CVE-2011-2491

   Vasily Averin discovered an issue with the NFS locking implementation.  A
   malicious NFS server can cause a client to hang indefinitely in an unlock
   call.

CVE-2011-2492 

   Marek Kroemeke and Filip Palian discovered that uninitialized struct
   elements in the Bluetooth subsystem could lead to a leak of sensitive kernel
   memory through leaked stack memory.

CVE-2011-2495 

   Vasiliy Kulikov of Openwall discovered that the io file of a process' proc
   directory was world-readable, resulting in local information disclosure of
   information such as password lengths.

CVE-2011-2496 

   Robert Swiecki discovered that mremap() could be abused for local denial of
   service by triggering a BUG_ON assert.

CVE-2011-2497

   Dan Rosenberg discovered an integer underflow in the Bluetooth subsystem,
   which could lead to denial of service or privilege escalation.

CVE-2011-2517 

   It was discovered that the netlink-based wireless configuration interface
   performed insufficient length validation when parsing SSIDs, resulting in
   buffer overflows. Local users with the CAP_NET_ADMIN capability can cause a
   denial of service.

CVE-2011-2525 

   Ben Pfaff reported an issue in the network scheduling code. A local user
   could cause a denial of service (NULL pointer dereference) by sending a
   specially crafted netlink message.

CVE-2011-2700 

   Mauro Carvalho Chehab of Red Hat reported a buffer overflow issue in the
   driver for the Si4713 FM Radio Transmitter driver used by N900 devices.
   Local users could exploit this issue to cause a denial of service or
   potentially gain elevated privileges.

CVE-2011-2723

   Brent Meshier reported an issue in the GRO (generic receive offload)
   implementation. This can be exploited by remote users to create a denial of
   service (system crash) in certain network device configurations.

CVE-2011-2905 

   Christian Ohm discovered that the 'perf' analysis tool searches for its
   config files in the current working directory. This could lead to denial of
   service or potential privilege escalation if a user with elevated privileges
   is tricked into running 'perf' in a directory under the control of the
   attacker.

CVE-2011-2909 

   Vasiliy Kulikov of Openwall discovered that a programming error in
   the Comedi driver could lead to the information disclosure through 
   leaked stack memory.

CVE-2011-2918 

   Vince Weaver discovered that incorrect handling of software event overflows
   in the 'perf' analysis tool could lead to local denial of service.

CVE-2011-2928

   Timo Warns discovered that insufficient validation of Be filesystem images
   could lead to local denial of service if a malformed filesystem image is
   mounted.

CVE-2011-3188 

   Dan Kaminsky reported a weakness of the sequence number generation in the
   TCP protocol implementation. This can be used by remote attackers to inject
   packets into an active session.

CVE-2011-3191

   Darren Lavender reported an issue in the Common Internet File System (CIFS).
   A malicious file server could cause memory corruption leading to a denial of
   service.

This update also includes a fix for a regression introduced with the previous
security fix for CVE-2011-1768 (Debian: #633738)

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-35squeeze1. Updates for issues impacting the oldstable distribution
(lenny) will be available soon.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                            Debian 6.0 (squeeze)
    user-mode-linux                         2.6.32-1um-4+35squeeze1

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJOaRShAAoJEBv4PF5U/IZA+84P/2CeacZYaJCVG1b0+zIXZvSX
Bo8QCAEtSrHajq05+4VNbUK2Rppc4TXix4Ml/pz2+olqfFbKyciYa0suY3n3pMoR
n21fwZp1G0e0L4lbaWit/l3S6nrqJyN0oB9s9fQtulYKXThbtGt642SW5qzYcRAC
5p91pWZGPLqh3wcEeQu4gj2Ezxsf0rinKStg4N37TISAwQ8NwQu5+dQWPyrNVps1
ivAxzc+ib6qqBmFemieCnmooDymrFXEZt7g1q/XiLtK60cIFCqCByjcBSy1IwOar
CzUStuvf5pZqBZzMM20AuEC2Ew1Ns1U2rh/PzroCBmfP5dI/WyWNYrow1UOXuCUV
5suQhn9evRZrWqo+PvKfLGozkIKkXV3EFZVr/KAo0/yqrStpXKAStBf08j9x2Dvj
5UYQmKD2xtAQpagGxzEI/nvifBVSgrGF7xHmjRXBlaIL7B5S9LrnTtRIpSBiL1P5
3E44c1lianQUEOmn+ZLY9XuViRlBL1C4xnHykEOrDbZwuwMJwnNjmB6R+PC0ihyz
+uPMmCriCZUlHIZQJrizQZfXjxFQPSMFIEeRselTpqT7CBdpYl1+lZYyAqXVwtpr
KYY+PhX9P/OZk9ItfHn+da34qd6sDziVIeOXyT7rT6J/zRrUgcBhPYIjw9tf6LWk
WQCOU7R36SGlbbGwod3b
=XlCl
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.