Several vulnerabilities have been discovered in the Linux kernel that may lead
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:
- CVE-2010-2963
Kees Cook discovered an issue in the v4l 32-bit compatibility layer for
64-bit systems that allows local users with /dev/video write permission to
overwrite arbitrary kernel memory, potentially leading to a privilege
escalation. On Debian systems, access to /dev/video devices is restricted to
members of the ‘video’ group by default.
- CVE-2010-3067
Tavis Ormandy discovered an issue in the io_submit system call. Local users
can cause an integer overflow resulting in a denial of service.
- CVE-2010-3296
Dan Rosenberg discovered an issue in the cxgb network driver that allows
unprivileged users to obtain the contents of sensitive kernel memory.
- CVE-2010-3297
Dan Rosenberg discovered an issue in the eql network driver that allows
local users to obtain the contents of sensitive kernel memory.
- CVE-2010-3310
Dan Rosenberg discovered an issue in the ROSE socket implementation. On
systems with a rose device, local users can cause a denial of service
(kernel memory corruption).
- CVE-2010-3432
Thomas Dreibholz discovered an issue in the SCTP protocol that permits a
remote user to cause a denial of service (kernel panic).
- CVE-2010-3437
Dan Rosenberg discovered an issue in the pktcdvd driver. Local users with
permission to open /dev/pktcdvd/control can obtain the contents of sensitive
kernel memory or cause a denial of service. By default on Debian systems,
this access is restricted to members of the group ‘cdrom’.
- CVE-2010-3442
Dan Rosenberg discovered an issue in the ALSA sound system. Local users with
permission to open /dev/snd/controlC0 can create an integer overflow
condition that causes a denial of service. By default on Debian systems,
this access is restricted to members of the group ‘audio’.
- CVE-2010-3448
Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain
Thinkpad systems, local users can cause a denial of service (X.org crash) by
reading /proc/acpi/ibm/video.
- CVE-2010-3477
Jeff Mahoney discovered an issue in the Traffic Policing (act_police) module
that allows local users to obtain the contents of sensitive kernel memory.
- CVE-2010-3705
Dan Rosenberg reported an issue in the HMAC processing code in the SCTP
protocol that allows remote users to create a denial of service (memory
corruption).
- CVE-2010-3848
Nelson Elhage discovered an issue in the Econet protocol. Local users can
cause a stack overflow condition with large msg->msgiovlen values that can
result in a denial of service or privilege escalation.
- CVE-2010-3849
Nelson Elhage discovered an issue in the Econet protocol. Local users can
cause a denial of service (oops) if a NULL remote addr value is passed as a
parameter to sendmsg().
- CVE-2010-3850
Nelson Elhage discovered an issue in the Econet protocol. Local users can
assign econet addresses to arbitrary interfaces due to a missing
capabilities check.
- CVE-2010-3858
Brad Spengler reported an issue in the setup_arg_pages() function. Due to a
bounds-checking failure, local users can create a denial of service (kernel
oops).
- CVE-2010-3859
Dan Rosenberg reported an issue in the TIPC protocol. When the tipc module
is loaded, local users can gain elevated privileges via the sendmsg() system
call.
- CVE-2010-3873
Dan Rosenberg reported an issue in the X.25 network protocol. Local users
can cause heap corruption, resulting in a denial of service (kernel panic).
- CVE-2010-3874
Dan Rosenberg discovered an issue in the Control Area Network (CAN)
subsystem on 64-bit systems. Local users may be able to cause a denial of
service (heap corruption).
- CVE-2010-3875
Vasiliy Kulikov discovered an issue in the AX.25 protocol. Local users can
obtain the contents of sensitive kernel memory.
- CVE-2010-3876
Vasiliy Kulikov discovered an issue in the Packet protocol. Local users can
obtain the contents of sensitive kernel memory.
- CVE-2010-3877
Vasiliy Kulikov discovered an issue in the TIPC protocol. Local users can
obtain the contents of sensitive kernel memory.
- CVE-2010-3880
Nelson Elhage discovered an issue in the INET_DIAG subsystem. Local users
can cause the kernel to execute unaudited INET_DIAG bytecode, resulting in a
denial of service.
- CVE-2010-4072
Kees Cook discovered an issue in the System V shared memory subsystem.
Local users can obtain the contents of sensitive kernel memory.
- CVE-2010-4073
Dan Rosenberg discovered an issue in the System V shared memory subsystem.
Local users on 64-bit system can obtain the contents of sensitive kernel
memory via the 32-bit compatible semctl() system call.
- CVE-2010-4074
Dan Rosenberg reported issues in the mos7720 and mos7840 drivers for USB
serial converter devices. Local users with access to these devices can
obtain the contents of sensitive kernel memory.
- CVE-2010-4078
Dan Rosenberg reported an issue in the framebuffer driver for SiS graphics
chipsets (sisfb). Local users with access to the framebuffer device can
obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
- CVE-2010-4079
Dan Rosenberg reported an issue in the ivtvfb driver used for the Hauppauge
PVR-350 card. Local users with access to the framebuffer device can obtain
the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
- CVE-2010-4080
Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
audio devices. Local users with access to the audio device can obtain the
contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
ioctl.
- CVE-2010-4081
Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
MADI audio devices. Local users with access to the audio device can obtain
the contents of sensitive kernel memory via the
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.
- CVE-2010-4083
Dan Rosenberg discovered an issue in the semctl system call. Local users can
obtain the contents of sensitive kernel memory through usage of the semid_ds
structure.
- CVE-2010-4164
Dan Rosenberg discovered an issue in the X.25 network protocol. Remote users
can achieve a denial of service (infinite loop) by taking advantage of an
integer underflow in the facility parsing code.
For the stable distribution (lenny), this problem has been fixed in version
2.6.26-26lenny1.
We recommend that you upgrade your linux-2.6 and user-mode-linux packages.
The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:
|
Debian 5.0 (lenny) |
user-mode-linux |
2.6.26-1um-2+26lenny1 |