kernel-source-2.6.8 - several

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:

• CVE-2004-1017
  Multiple overflows exist in the io_edgeport driver which might be usable
  as a denial of service attack vector.
• CVE-2005-0124
  Bryan Fulton reported a bounds checking bug in the coda_pioctl function
  which may allow local users to execute arbitrary code or trigger a denial
  of service attack.
• CVE-2005-0449
  An error in the skb_checksum_help() function from the netfilter framework
  has been discovered that allows the bypass of packet filter rules or
  a denial of service attack.
• CVE-2005-2457
  Tim Yamin discovered that insufficient input validation in the zisofs driver
  for compressed ISO file systems allows a denial of service attack through
  maliciously crafted ISO images.
• CVE-2005-2490
  A buffer overflow in the sendmsg() function allows local users to execute
  arbitrary code.
• CVE-2005-2555
  Herbert Xu discovered that the setsockopt() function was not restricted to
  users/processes with the CAP_NET_ADMIN capability. This allows attackers to
  manipulate IPSEC policies or initiate a denial of service attack.
• CVE-2005-2709
  Al Viro discovered a race condition in the /proc handling of network devices.
  A (local) attacker could exploit the stale reference after interface shutdown
  to cause a denial of service or possibly execute code in kernel mode.
• CVE-2005-2800
  Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices
  leak memory, which allows a denial of service attack.
• CVE-2005-2973
  Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code
  can be forced into an endless loop, which allows a denial of service attack.
• CVE-2005-3044
  Vasiliy Averin discovered that the reference counters from sockfd_put() and
  fput() can be forced into overlapping, which allows a denial of service attack
  through a null pointer dereference.
• CVE-2005-3053
  Eric Dumazet discovered that the set_mempolicy() system call accepts a negative
  value for its first argument, which triggers a BUG() assert. This allows a
  denial of service attack.
• CVE-2005-3055
  Harald Welte discovered that if a process issues a USB Request Block (URB)
  to a device and terminates before the URB completes, a stale pointer
  would be dereferenced. This could be used to trigger a denial of service
  attack.
• CVE-2005-3180
  Pavel Roskin discovered that the driver for Orinoco wireless cards clears
  its buffers insufficiently. This could leak sensitive information into
  user space.
• CVE-2005-3181
  Robert Derr discovered that the audit subsystem uses an incorrect function to
  free memory, which allows a denial of service attack.
• CVE-2005-3257
  Rudolf Polzer discovered that the kernel improperly restricts access to the
  KDSKBSENT ioctl, which can possibly lead to privilege escalation.
• CVE-2005-3356
  Doug Chapman discovered that the mq_open syscall can be tricked into
  decrementing an internal counter twice, which allows a denial of service attack
  through a kernel panic.
• CVE-2005-3358
  Doug Chapman discovered that passing a zero bitmask to the set_mempolicy()
  system call leads to a kernel panic, which allows a denial of service attack.
• CVE-2005-3783
  The ptrace code using CLONE_THREAD didn’t use the thread group ID to
  determine whether the caller is attaching to itself, which allows a denial
  of service attack.
• CVE-2005-3784
  The auto-reaping of child processes functionality included ptraced-attached
  processes, which allows denial of service through dangling references.
• CVE-2005-3806
  Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable,
  which could lead to memory corruption and denial of service.
• CVE-2005-3847
  It was discovered that a threaded real-time process, which is currently dumping
  core can be forced into a dead-lock situation by sending it a SIGKILL signal,
  which allows a denial of service attack.
• CVE-2005-3848
  Ollie Wild discovered a memory leak in the icmp_push_reply() function, which
  allows denial of service through memory consumption.
• CVE-2005-3857
  Chris Wright discovered that excessive allocation of broken file lock leases
  in the VFS layer can exhaust memory and fill up the system logging, which allows
  denial of service.
• CVE-2005-3858
  Patrick McHardy discovered a memory leak in the ip6_input_finish() function from
  the IPv6 code, which allows denial of service.
• CVE-2005-4605
  Karl Janmar discovered that a signedness error in the procfs code can be exploited
  to read kernel memory, which may disclose sensitive information.
• CVE-2005-4618
  Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which
  allows a denial of service attack.
• CVE-2006-0095
  Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing
  it, which might disclose sensitive information.
• CVE-2006-0096
  It was discovered that the SDLA driver’s capability checks were too lax
  for firmware upgrades.
• CVE-2006-0482
  Ludovic Courtes discovered that get_compat_timespec() performs insufficient input
  sanitizing, which allows a local denial of service attack.
• CVE-2006-1066
  It was discovered that ptrace() on the ia64 architecture allows a local denial of
  service attack, when preemption is enabled.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.

This update introduces a change in the kernel’s binary interface, the affected
kernel packages inside Debian have been rebuilt, if you’re running local addons
you’ll need to rebuild these as well. Due to the change in the package
name you need to use apt-get dist-upgrade to update your system.