Ubuntu USN-231-1
Dec 23, 2005 - 12:00 a.m.

Linux kernel vulnerabilities

Source: ubuntu.com

AI Score: 6.7 Medium (Confidence: High)

CVSS2: 7.8 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: COMPLETE
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.055 Low (Percentile: 93.1%)

Releases

  • Ubuntu 5.10
  • Ubuntu 5.04
  • Ubuntu 4.10

Details

Rudolf Polzer reported an abuse of the ‘loadkeys’ command. By
redefining one or more keys and tricking another user (like root) into
logging in on a text console and typing something that involves the
redefined keys, a local user could cause execution of arbitrary
commands with the privileges of the target user. The updated kernel
restricts the usage of ‘loadkeys’ to root. (CVE-2005-3257)

The ptrace() system call did not correctly check whether a process
tried to attach to itself. A local attacker could exploit this to
cause a kernel crash. (CVE-2005-3783)

A Denial of Service vulnerability was found in the handler that
automatically cleans up and terminates child processes that are not
correctly handled by their parent process (“auto-reaper”). The check
did not correctly handle processes which were currently traced by
another process. A local attacker could exploit this to cause a kernel
crash. (CVE-2005-3784)

A locking problem was discovered in the POSIX timer cleanup handling
on process exit. A local attacker could exploit this to cause the
machine to hang (Denial of Service). This flaw only affects
multiprocessor (SMP) systems. (CVE-2005-3805)

A Denial of Service vulnerability was discovered in the IPv6 flowlabel
handling code. By invoking setsockopt(IPV6_FLOWLABEL_MGR) in a special
way, a local attacker could cause memory corruption which eventually
led to a kernel crash. (CVE-2005-3806)

A memory leak was discovered in the VFS lease handling. These
operations are commonly executed by the Samba server, which led to
steady memory exhaustion. By repeatedly triggering the affected
operations in quick succession, a local attacker could exploit this to
drain all memory, which leads to a Denial of Service. (CVE-2005-3807)

An integer overflow was discovered in the
invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls
on a 32-bit system, a local user could exploit this to crash the
machine, thereby causing Denial of Service. This flaw does not affect
the amd64 platform, and affects only Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function.
By sending a large number of specially crafted packets, a remote
attacker could exploit this to drain all memory, which eventually
leads to a Denial of Service. (CVE-2005-3848)

Chris Wright found a Denial of Service vulnerability in the
time_out_leases() function. By allocating a large number of VFS file
lock leases and having them time out at the same time, a large number
of ‘printk’ debugging statements were generated at the same time, which
could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish()
function. A remote attacker could exploit this by sending specially
crafted IPv6 packets, which would eventually drain all available
kernel memory, thus causing a Denial of Service. (CVE-2005-3858)
