
Debian: Security update for linux-2.6

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The full advisory, DSA-2240-1, follows. Updated packages are available from security.debian.org.

----------------------------------------------------------------------
Debian Security Advisory DSA-2240-1                security@debian.org
http://www.debian.org/security/                           dann frazier
May 24, 2011                        http://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : linux-2.6
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2010-3875 CVE-2011-0695 CVE-2011-0711 CVE-2011-0726
                CVE-2011-1016 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080
                CVE-2011-1090 CVE-2011-1160 CVE-2011-1163 CVE-2011-1170
                CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180
                CVE-2011-1182 CVE-2011-1476 CVE-2011-1477 CVE-2011-1478
                CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1585
                CVE-2011-1593 CVE-2011-1598 CVE-2011-1745 CVE-2011-1746
                CVE-2011-1748 CVE-2011-1759 CVE-2011-1767 CVE-2011-1770
                CVE-2011-1776 CVE-2011-2022
Debian Bug(s)  : 

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a denial of service or privilege escalation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2010-3875

   Vasiliy Kulikov discovered an issue in the Linux implementation of the
   Amateur Radio AX.25 Level 2 protocol. Local users may obtain access to
   sensitive kernel memory.

CVE-2011-0695

   Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can
   exploit a race condition to cause a denial of service (kernel panic).

CVE-2011-0711

   Dan Rosenberg reported an issue in the XFS filesystem. Local users may
   obtain access to sensitive kernel memory.

CVE-2011-0726

   Kees Cook reported an issue in the /proc/pid/stat implementation. Local
   users could learn the text location of a process, defeating protections
   provided by address space layout randomization (ASLR).

CVE-2011-1016

   Marek Olšák discovered an issue in the driver for ATI/AMD Radeon video
   chips. Local users could pass arbitrary values to video memory and the
   graphics translation table, resulting in denial of service or escalated
   privileges. On default Debian installations, this is exploitable only by
   members of the 'video' group.

CVE-2011-1078

   Vasiliy Kulikov discovered an issue in the Bluetooth subsystem. Local users
   can obtain access to sensitive kernel memory.

CVE-2011-1079

   Vasiliy Kulikov discovered an issue in the Bluetooth subsystem. Local users
   with the CAP_NET_ADMIN capability can cause a denial of service (kernel
   Oops).

CVE-2011-1080

   Vasiliy Kulikov discovered an issue in the Netfilter subsystem. Local users
   can obtain access to sensitive kernel memory.

CVE-2011-1090

   Neil Horman discovered a memory leak in the setacl() call on NFSv4
   filesystems. Local users can exploit this to cause a denial of service
   (Oops).

CVE-2011-1160

   Peter Huewe reported an issue in the Linux kernel's support for TPM security
   chips. Local users with permission to open the device can gain access to
   sensitive kernel memory.

CVE-2011-1163

   Timo Warns reported an issue in the kernel support for Alpha OSF format disk
   partitions. Users with physical access can gain access to sensitive kernel
   memory by adding a storage device with a specially crafted OSF partition.

CVE-2011-1170

   Vasiliy Kulikov reported an issue in the Netfilter arp table
   implementation. Local users with the CAP_NET_ADMIN capability can gain
   access to sensitive kernel memory.

CVE-2011-1171

   Vasiliy Kulikov reported an issue in the Netfilter IP table
   implementation. Local users with the CAP_NET_ADMIN capability can gain
   access to sensitive kernel memory.

CVE-2011-1172

   Vasiliy Kulikov reported an issue in the Netfilter IP6 table
   implementation. Local users with the CAP_NET_ADMIN capability can gain
   access to sensitive kernel memory.

CVE-2011-1173

   Vasiliy Kulikov reported an issue in the Acorn Econet protocol
   implementation. Local users can obtain access to sensitive kernel memory on
   systems that use this rare hardware.

CVE-2011-1180

   Dan Rosenberg reported a buffer overflow in the Information Access Service
   of the IrDA protocol, used for Infrared devices. Remote attackers within IR
   device range can cause a denial of service or possibly gain elevated
   privileges.

CVE-2011-1182

   Julien Tinnes reported an issue in the rt_sigqueueinfo interface. Local
   users can generate signals with falsified source pid and uid information.

CVE-2011-1476

   Dan Rosenberg reported issues in the Open Sound System MIDI interface that
   allow local users to cause a denial of service. This issue does not affect
   official Debian Linux image packages as they no longer provide support for
   OSS.  However, custom kernels built from Debian's linux-source-2.6.32 may
   have enabled this configuration and would therefore be vulnerable.

CVE-2011-1477

   Dan Rosenberg reported issues in the Open Sound System driver for cards that
   include a Yamaha FM synthesizer chip. Local users can cause memory
   corruption resulting in a denial of service. This issue does not affect
   official Debian Linux image packages as they no longer provide support for
   OSS.  However, custom kernels built from Debian's linux-source-2.6.32 may
   have enabled this configuration and would therefore be vulnerable.

CVE-2011-1478

   Ryan Sweat reported an issue in the Generic Receive Offload (GRO) support in
   the Linux networking subsystem. If an interface has GRO enabled and is
   running in promiscuous mode, remote users can cause a denial of service
   (NULL pointer dereference) by sending packets on an unknown VLAN.

CVE-2011-1493

   Dan Rosenberg reported two issues in the Linux implementation of the Amateur
   Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of service
   by providing specially crafted facilities fields.

CVE-2011-1494

   Dan Rosenberg reported an issue in the /dev/mpt2ctl interface provided by
   the driver for LSI MPT Fusion SAS 2.0 controllers. Local users can obtain
   elevated privileges by specially crafted ioctl calls. On default Debian
   installations this is not exploitable as this interface is only accessible
   to root.

CVE-2011-1495

   Dan Rosenberg reported two additional issues in the /dev/mpt2ctl interface
   provided by the driver for LSI MPT Fusion SAS 2.0 controllers. Local users
   can obtain elevated privileges and read arbitrary kernel memory by using
   specially crafted ioctl calls. On default Debian installations this is not
   exploitable as this interface is only accessible to root.

CVE-2011-1585

   Jeff Layton reported an issue in the Common Internet File System (CIFS).
   Local users can bypass authentication requirements for shares that are
   already mounted by another user.

CVE-2011-1593

   Robert Swiecki reported a signedness issue in the next_pidmap() function,
   which can be exploited by local users to cause a denial of service.

CVE-2011-1598

   Dave Jones reported an issue in the Broadcast Manager Controller Area
   Network (CAN/BCM) protocol that may allow local users to cause a NULL
   pointer dereference, resulting in a denial of service.

CVE-2011-1745

   Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
   Local users can obtain elevated privileges or cause a denial of service due
   to missing bounds checking in the AGPIOC_BIND ioctl. On default Debian
   installations, this is exploitable only by users in the video group.

CVE-2011-1746

   Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
   Local users can obtain elevated privileges or cause a denial of service due
   to missing bounds checking in the agp_allocate_memory and
   agp_create_user_memory. On default Debian installations, this is exploitable
   only by users in the video group.

CVE-2011-1748

   Oliver Hartkopp reported an issue in the Controller Area Network (CAN) raw
   socket implementation which permits local users to cause a NULL pointer
   dereference, resulting in a denial of service.

CVE-2011-1759

   Dan Rosenberg reported an issue in the support for executing "old ABI"
   binaries on ARM processors. Local users can obtain elevated privileges due
   to insufficient bounds checking in the semtimedop system call.

CVE-2011-1767

   Alexey Dobriyan reported an issue in the GRE over IP implementation.
   Remote users can cause a denial of service by sending a packet during module
   initialization.

CVE-2011-1770

   Dan Rosenberg reported an issue in the Datagram Congestion Control Protocol
   (DCCP). Remote users can cause a denial of service or potentially obtain
   access to sensitive kernel memory.

CVE-2011-1776

   Timo Warns reported an issue in the Linux implementation for GUID
   partitions. Users with physical access can gain access to sensitive kernel
   memory by adding a storage device with a specially crafted, invalid
   partition table.

CVE-2011-2022

   Vasiliy Kulikov reported an issue in the Linux support for AGP devices.
   Local users can obtain elevated privileges or cause a denial of service due
   to missing bounds checking in the AGPIOC_UNBIND ioctl. On default Debian
   installations, this is exploitable only by users in the video group.

This update also includes changes queued for the next point release of
Debian 6.0, which also fix various non-security issues. These additional
changes are described in the package changelog which can be viewed at:

 http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-34/changelog

For the stable distribution (squeeze), this problem has been fixed in version
2.6.32-34squeeze1. Updates for issues impacting the oldstable distribution
(lenny) will be available soon.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

                                            Debian 6.0 (squeeze)
    user-mode-linux                         2.6.32-1um-4+34squeeze1

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org