Linux kernel vulnerabilities

Releases

• Ubuntu 5.04
• Ubuntu 4.10

Details

Oleg Nesterov discovered a local Denial of Service vulnerability in
the timer handling. When a non group-leader thread called exec() to
execute a different program while an itimer was pending, the timer
expiry would signal the old group leader task, which did not exist any
more. This caused a kernel panic. This vulnerability only affects
Ubuntu 5.04. (CAN-2005-1913)

Al Viro discovered that the sendmsg() function did not sufficiently
validate its input data. By calling sendmsg() and at the same time
modifying the passed message in another thread, he could exploit this
to execute arbitrary commands with kernel privileges. This only
affects the amd64 bit platform. (CAN-2005-2490)

Al Viro discovered a vulnerability in the raw_sendmsg() function. By
calling this function with specially crafted arguments, a local
attacker could either read kernel memory contents (leading to
information disclosure) or manipulate the hardware state by reading
certain IO ports. This vulnerability only affects Ubuntu 5.04.
(CAN-2005-2492)

Jan Blunck discovered a Denial of Service vulnerability in the procfs
interface of the SCSI driver. By repeatedly reading
/proc/scsi/sg/devices, a local attacker could eventually exhaust
kernel memory. (CAN-2005-2800)

A flaw was discovered in the handling of extended attributes on ext2
and ext3 file systems. Under certain condidions, this could prevent
the enforcement of Access Control Lists, which eventually could lead
to information disclosure, unauthorized program execution, or
unauthorized data modification. This does not affect the standard Unix
permissions. (CAN-2005-2801)

Chad Walstrom discovered a Denial of Service in the ipt_recent module,
which can be used in netfilter (Firewall configuration). A remote
attacker could exploit this to crash the kernel by sending certain
packets (such as an SSH brute force attack) to a host which uses the
“recent” module. (CAN-2005-2802)