Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:
- CVE-2006-0038
“Solar Designer” discovered that arithmetic computations in netfilter’s
do_replace() function can lead to a buffer overflow and the execution of
arbitrary code. However, the operation requires CAP_NET_ADMIN privileges,
which is only an issue in virtualization systems or fine grained access
control systems.
- CVE-2006-0039
“Solar Designer” discovered a race condition in netfilter’s
do_add_counters() function, which allows information disclosure of
kernel memory by exploiting a race condition. Like CVE-2006-0038,
it requires CAP_NET_ADMIN privileges.
- CVE-2006-0741
Intel EM64T systems were discovered to be susceptible to a local
DoS due to an endless recursive fault related to a bad ELF entry
address.
- CVE-2006-0742
Incorrectly declared die_if_kernel() function as “does never
return” which could be exploited by a local attacker resulting in
a kernel crash.
- CVE-2006-1056
AMD64 machines (and other 7th and 8th generation AuthenticAMD
processors) were found to be vulnerable to sensitive information
leakage, due to how they handle saving and restoring the FOP, FIP,
and FDP x87 registers in FXSAVE/FXRSTOR when an exception is
pending. This allows a process to determine portions of the state
of floating point instructions of other processes.
- CVE-2006-1242
Marco Ivaldi discovered that there was an unintended information
disclosure allowing remote attackers to bypass protections against
Idle Scans (nmap -sI) by abusing the ID field of IP packets and
bypassing the zero IP ID in DF packet countermeasure. This was a
result of the ip_push_pending_frames function improperly
incremented the IP ID field when sending a RST after receiving
unsolicited TCP SYN-ACK packets.
- CVE-2006-1343
Pavel Kankovsky reported the existence of a potential information leak
resulting from the failure to initialize sin.sin_zero in the IPv4 socket
code.
- CVE-2006-1368
Shaun Tancheff discovered a buffer overflow (boundary condition
error) in the USB Gadget RNDIS implementation allowing remote
attackers to cause a DoS. While creating a reply message, the
driver allocated memory for the reply data, but not for the reply
structure. The kernel fails to properly bounds-check user-supplied
data before copying it to an insufficiently sized memory
buffer. Attackers could crash the system, or possibly execute
arbitrary machine code.
- CVE-2006-1524
Hugh Dickins discovered an issue in the madvise_remove() function wherein
file and mmap restrictions are not followed, allowing local users to
bypass IPC permissions and replace portions of readonly tmpfs files with
zeroes.
- CVE-2006-1525
Alexandra Kossovsky reported a NULL pointer dereference condition in
ip_route_input() that can be triggered by a local user by requesting
a route for a multicast IP address, resulting in a denial of service
(panic).
- CVE-2006-1857
Vlad Yasevich reported a data validation issue in the SCTP subsystem
that may allow a remote user to overflow a buffer using a badly formatted
HB-ACK chunk, resulting in a denial of service.
- CVE-2006-1858
Vlad Yasevich reported a bug in the bounds checking code in the SCTP
subsystem that may allow a remote attacker to trigger a denial of service
attack when rounded parameter lengths are used to calculate parameter
lengths instead of the actual values.
- CVE-2006-1864
Mark Mosely discovered that chroots residing on an SMB share can be
escaped with specially crafted “cd” sequences.
- CVE-2006-2271
The “Mu security team” discovered that carefully crafted ECNE chunks can
cause a kernel crash by accessing incorrect state stable entries in the
SCTP networking subsystem, which allows denial of service.
- CVE-2006-2272
The “Mu security team” discovered that fragmented SCTP control
chunks can trigger kernel panics, which allows for denial of
service attacks.
- CVE-2006-2274
It was discovered that SCTP packets with two initial bundled data
packets can lead to infinite recursion, which allows for denial of
service attacks.
The following matrix explains which kernel version for which architecture
fix the problems mentioned above:
|
Debian 3.1 (sarge) |
Source |
2.4.27-10sarge3 |
Alpha architecture |
2.4.27-10sarge3 |
ARM architecture |
2.4.27-2sarge3 |
Intel IA-32 architecture |
2.4.27-10sarge3 |
Intel IA-64 architecture |
2.4.27-10sarge3 |
Motorola 680x0 architecture |
2.4.27-3sarge3 |
Big endian MIPS |
2.4.27-10.sarge3.040815-1 |
Little endian MIPS |
2.4.27-10.sarge3.040815-1 |
PowerPC architecture |
2.4.27-10sarge3 |
IBM S/390 architecture |
2.4.27-2sarge3 |
Sun Sparc architecture |
2.4.27-9sarge3 |
The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:
|
Debian 3.1 (sarge) |
fai-kernels |
1.9.1sarge2 |
kernel-image-2.4.27-speakup |
2.4.27-1.1sarge2 |
mindi-kernel |
2.4.27-2sarge2 |
systemimager |
3.2.3-6sarge2 |
We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.