Ubuntu USN-131-1
History: May 23, 2005 - 12:00 a.m.

Linux kernel vulnerabilities

2005-05-23 00:00:00
ubuntu.com

5.6 Medium (CVSS3)
  Attack Vector: LOCAL
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

6.5 Medium (AI Score, Confidence: High)

7.2 High (CVSS2)
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low (EPSS, Percentile: 41.6%)

Releases

  • Ubuntu 5.04
  • Ubuntu 4.10

Details

Colin Percival discovered an information disclosure in the “Hyper
Threading Technology” architecture in processors which are capable of
simultaneous multithreading (in particular Intel Pentium 4, Intel
Mobile Pentium 4, and Intel Xeon processors). Because sibling threads
share the core's caches, a malicious thread can monitor the execution
of another thread on the same physical CPU by timing its own memory
accesses. This could be exploited to steal cryptographic keys,
passwords, or other arbitrary data from unrelated processes. Since it
is not possible to provide a safe patch in a short time, HyperThreading
has been disabled in the updated kernel packages for now. You can
manually enable HyperThreading again by passing the kernel parameter
“ht=on” at boot, which restores the exposure. (CAN-2005-0109)

A Denial of Service vulnerability was discovered in the
fib_seq_start() function. This allowed a local user to crash the
system by reading /proc/net/route in a certain way. (CAN-2005-1041)

Paul Starzetz found an integer overflow in the ELF binary format
loader’s core dump function. By creating and executing a specially
crafted ELF executable, a local attacker could exploit this to execute
arbitrary code with root and kernel privileges. However, it is
believed that this flaw is not actually exploitable on 2.6.x kernels
(as shipped by Ubuntu). (CAN-2005-1263)

Alexander Nyberg discovered a flaw in the keyring kernel module. This
allowed a local attacker to cause a kernel crash on SMP machines by
calling key_user_lookup() in a particular way. This vulnerability does
not affect the kernel of Ubuntu 4.10. (CAN-2005-1368)

The it87 and via686a hardware monitoring drivers created a sysfs file
named “alarms” with write permissions, but the attribute was not
designed to be writable. This allowed a local user to crash the kernel
by attempting to write to these files. (CAN-2005-1369)

It was discovered that the drivers for raw devices (CAN-2005-1264) and
pktcdvd devices (CAN-2005-1589) used the wrong function to pass ioctl
arguments to the underlying block device. This made the kernel address
space accessible to userspace applications. This allowed any local
user with at least read access to a device in /dev/pktcdvd/* (usually
members of the “cdrom” group) or /dev/raw/* (usually only root) to
execute arbitrary code with kernel privileges. Ubuntu 4.10’s kernel is
not affected by the pktcdvd flaw since it does not yet support packet
CD writing.
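The advisory leaves three things for the administrator to verify locally: whether HyperThreading is still active (or was re-enabled with ht=on), who can read the raw and pktcdvd device nodes, and whether the it87/via686a “alarms” attribute is writable. The script below is an added example, not part of USN-131-1 or of Ubuntu's packaging; every check takes its input path as an argument so it can be run against a live system with --live or against constructed sample files. It assumes the 2.6-era /proc/cpuinfo layout where “siblings” counts logical CPUs per package and “cpu cores” counts physical cores (older kernels omit “cpu cores”, which the script treats as 1).

```shell
#!/bin/sh
# Added example (not from USN-131-1): local exposure checks for the
# conditions the advisory describes. Paths are parameters so the
# functions can be exercised on constructed sample files.

# HyperThreading (CAN-2005-0109): the patched kernels boot with HT off
# unless "ht=on" is given. In /proc/cpuinfo, "siblings" > "cpu cores"
# means a second logical thread shares each core's caches. The "ht"
# CPU flag only says the CPU supports it, so it is deliberately not used.
cpuinfo_field() {
    awk -F: -v key="$2" '$1 ~ "^" key "[ \t]*$" { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

ht_active() {
    siblings=$(cpuinfo_field "$1" siblings)
    cores=$(cpuinfo_field "$1" "cpu cores")
    [ -n "$cores" ] || cores=1   # assumption: kernels without "cpu cores" report one core
    [ -n "$siblings" ] && [ "$siblings" -gt "$cores" ]
}

# Was HT re-enabled explicitly on the kernel command line?
ht_forced_on() {
    tr ' ' '\n' < "$1" | grep -qx 'ht=on'
}

# raw (CAN-2005-1264) and pktcdvd (CAN-2005-1589): read access to a node
# is enough to reach the flawed ioctl path, so list every entry under the
# directory that is readable by group or others.
readable_device_nodes() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 \( -perm -g+r -o -perm -o+r \) -print | sort
}

# it87/via686a "alarms" attribute (CAN-2005-1369): a writable sysfs file
# that should be read-only. Any write bit on an "alarms" file is reported.
writable_alarms() {
    [ -d "$1" ] || return 0
    find "$1" -name alarms -type f \
        \( -perm -u+w -o -perm -g+w -o -perm -o+w \) -print | sort
}

# Report for a system rooted at $1 ("" for the live system).
scan_system() {
    root="${1:-}"
    if [ -r "$root/proc/cpuinfo" ] && ht_active "$root/proc/cpuinfo"; then
        echo "HyperThreading active: sibling threads share caches (CAN-2005-0109)"
        if [ -r "$root/proc/cmdline" ] && ht_forced_on "$root/proc/cmdline"; then
            echo "  ht=on is present on the kernel command line"
        fi
    else
        echo "HyperThreading not active (or not reported by /proc/cpuinfo)"
    fi
    for d in "$root/dev/pktcdvd" "$root/dev/raw"; do
        readable_device_nodes "$d" | while read -r node; do
            echo "group/other-readable node: $node (raw/pktcdvd ioctl path)"
        done
    done
    writable_alarms "$root/sys" | while read -r f; do
        echo "writable hwmon alarms attribute: $f (CAN-2005-1369)"
    done
}

if [ "${1:-}" = "--live" ]; then
    scan_system ""
fi
```

Run it as `sh check-usn-131.sh --live` on the host; an empty raw/pktcdvd section is the expected result on a default install, since /dev/raw/* is root-only and the pktcdvd nodes only exist when packet writing is configured.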
