kernel-source-2.4.27 - several vulnerabilities

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:

• CVE-2006-0038
  “Solar Designer” discovered that arithmetic computations in netfilter’s
  do_replace() function can lead to a buffer overflow and the execution of
  arbitrary code. However, the operation requires CAP_NET_ADMIN privileges,
  which is only an issue in virtualization systems or fine grained access
  control systems.
• CVE-2006-0039
  “Solar Designer” discovered a race condition in netfilter’s
  do_add_counters() function, which allows information disclosure of
  kernel memory by exploiting a race condition. Like CVE-2006-0038,
  it requires CAP_NET_ADMIN privileges.
• CVE-2006-0741
  Intel EM64T systems were discovered to be susceptible to a local
  DoS due to an endless recursive fault related to a bad ELF entry
  address.
• CVE-2006-0742
  Incorrectly declared die_if_kernel() function as “does never
  return” which could be exploited by a local attacker resulting in
  a kernel crash.
• CVE-2006-1056
  AMD64 machines (and other 7th and 8th generation AuthenticAMD
  processors) were found to be vulnerable to sensitive information
  leakage, due to how they handle saving and restoring the FOP, FIP,
  and FDP x87 registers in FXSAVE/FXRSTOR when an exception is
  pending. This allows a process to determine portions of the state
  of floating point instructions of other processes.
• CVE-2006-1242
  Marco Ivaldi discovered that there was an unintended information
  disclosure allowing remote attackers to bypass protections against
  Idle Scans (nmap -sI) by abusing the ID field of IP packets and
  bypassing the zero IP ID in DF packet countermeasure. This was a
  result of the ip_push_pending_frames function improperly
  incremented the IP ID field when sending a RST after receiving
  unsolicited TCP SYN-ACK packets.
• CVE-2006-1343
  Pavel Kankovsky reported the existence of a potential information leak
  resulting from the failure to initialize sin.sin_zero in the IPv4 socket
  code.
• CVE-2006-1368
  Shaun Tancheff discovered a buffer overflow (boundary condition
  error) in the USB Gadget RNDIS implementation allowing remote
  attackers to cause a DoS. While creating a reply message, the
  driver allocated memory for the reply data, but not for the reply
  structure. The kernel fails to properly bounds-check user-supplied
  data before copying it to an insufficiently sized memory
  buffer. Attackers could crash the system, or possibly execute
  arbitrary machine code.
• CVE-2006-1524
  Hugh Dickins discovered an issue in the madvise_remove() function wherein
  file and mmap restrictions are not followed, allowing local users to
  bypass IPC permissions and replace portions of readonly tmpfs files with
  zeroes.
• CVE-2006-1525
  Alexandra Kossovsky reported a NULL pointer dereference condition in
  ip_route_input() that can be triggered by a local user by requesting
  a route for a multicast IP address, resulting in a denial of service
  (panic).
• CVE-2006-1857
  Vlad Yasevich reported a data validation issue in the SCTP subsystem
  that may allow a remote user to overflow a buffer using a badly formatted
  HB-ACK chunk, resulting in a denial of service.
• CVE-2006-1858
  Vlad Yasevich reported a bug in the bounds checking code in the SCTP
  subsystem that may allow a remote attacker to trigger a denial of service
  attack when rounded parameter lengths are used to calculate parameter
  lengths instead of the actual values.
• CVE-2006-1864
  Mark Mosely discovered that chroots residing on an SMB share can be
  escaped with specially crafted “cd” sequences.
• CVE-2006-2271
  The “Mu security team” discovered that carefully crafted ECNE chunks can
  cause a kernel crash by accessing incorrect state stable entries in the
  SCTP networking subsystem, which allows denial of service.
• CVE-2006-2272
  The “Mu security team” discovered that fragmented SCTP control
  chunks can trigger kernel panics, which allows for denial of
  service attacks.
• CVE-2006-2274
  It was discovered that SCTP packets with two initial bundled data
  packets can lead to infinite recursion, which allows for denial of
  service attacks.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.