[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1301083317.17263.3.camel@localhost>
Date: Fri, 25 Mar 2011 15:01:57 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-1093-1] Linux Kernel vulnerabilities (Marvell Dove)
===========================================================
Ubuntu Security Notice USN-1093-1 March 25, 2011
linux-mvl-dove vulnerabilities
CVE-2010-2478, CVE-2010-2942, CVE-2010-2943, CVE-2010-2954,
CVE-2010-2955, CVE-2010-2960, CVE-2010-2962, CVE-2010-2963,
CVE-2010-3067, CVE-2010-3078, CVE-2010-3079, CVE-2010-3080,
CVE-2010-3084, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298,
CVE-2010-3310, CVE-2010-3432, CVE-2010-3437, CVE-2010-3442,
CVE-2010-3477, CVE-2010-3705, CVE-2010-3848, CVE-2010-3849,
CVE-2010-3850, CVE-2010-3858, CVE-2010-3859, CVE-2010-3861,
CVE-2010-3865, CVE-2010-3873, CVE-2010-3874, CVE-2010-3875,
CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904,
CVE-2010-4072, CVE-2010-4075, CVE-2010-4076, CVE-2010-4077,
CVE-2010-4158, CVE-2010-4163, CVE-2010-4165, CVE-2010-4169,
CVE-2010-4175, CVE-2010-4248, CVE-2010-4249, CVE-2010-4343,
CVE-2010-4346, CVE-2010-4526, CVE-2010-4527, CVE-2010-4649,
CVE-2011-1044
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-216-dove 2.6.32-216.33
Ubuntu 10.10:
linux-image-2.6.32-416-dove 2.6.32-416.33
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
Details follow:
Joel Becker discovered that OCFS2 did not correctly validate on-disk
symlink structures. If an attacker were able to trick a user or automated
system into mounting a specially crafted filesystem, it could crash the
system or exposde kernel memory, leading to a loss of privacy.
Ben Hutchings discovered that the ethtool interface did not correctly
check certain sizes. A local attacker could perform malicious ioctl calls
that could crash the system, leading to a denial of service. (Only Ubuntu
10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084)
Eric Dumazet discovered that many network functions could leak kernel
stack contents. A local attacker could exploit this to read portions
of kernel memory, leading to a loss of privacy. (Ubuntu 10.10 was not
affected.) (CVE-2010-2942, CVE-2010-3477)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this to
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
down. A local attacker could exploit this to cause the system to crash
or possibly gain root privileges. (Ubuntu 10.10 was not affected.)
(CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
validate certain request sizes. A local attacker could exploit this
to read portions of kernel memory, leading to a loss of privacy. (Only
Ubuntu 10.04 LTS was affected.) (CVE-2010-2955)
Tavis Ormandy discovered that the session keyring did not correctly
check for its parent. On systems without a default session keyring,
a local attacker could exploit this to crash the system, leading to a
denial of service. (Only Ubuntu 10.04 LTS was affected.) (CVE-2010-2960)
Kees Cook discovered that the Intel i915 graphics driver did not correctly
validate memory regions. A local attacker with access to the video card
could read and write arbitrary kernel memory to gain root privileges.
(CVE-2010-2962)
Kees Cook discovered that the V4L1 32bit compat interface did not correctly
validate certain parameters. A local attacker on a 64bit system with access
to a video device could exploit this to gain root privileges.
(CVE-2010-2963)
Tavis Ormandy discovered that the AIO subsystem did not correctly
validate certain parameters. A local attacker could exploit this to
crash the system or possibly gain root privileges. (Ubuntu 10.10 was
not affected.) (CVE-2010-3067)
Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack
contents. A local attacker could exploit this to read portions of kernel
memory, leading to a loss of privacy. (10.10 was not affected.)
(CVE-2010-3078)
Robert Swiecki discovered that ftrace did not correctly handle mutexes. A
local attacker could exploit this to crash the kernel, leading to a denial
of service. (CVE-2010-3079)
Tavis Ormandy discovered that the OSS sequencer device did not
correctly shut down. A local attacker could exploit this to crash
the system or possibly gain root privileges. (Ubuntu 10.10 was not
affected.) (CVE-2010-3080)
Dan Rosenberg discovered that several network ioctls did not clear kernel
memory correctly. A local user could exploit this to read kernel stack
memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297,
CVE-2010-3298)
Dan Rosenberg discovered that the ROSE driver did not correctly check
parameters. A local attacker with access to a ROSE network device could
exploit this to crash the system or possibly gain root privileges. (Ubuntu
10.10 was not affected.) (CVE-2010-3310)
Thomas Dreibholz discovered that SCTP did not correctly handle appending
packet chunks. A remote attacker could send specially crafted traffic
to crash the system, leading to a denial of service. (Ubuntu 10.10 was
not affected.) (CVE-2010-3432)
Dan Rosenberg discovered that the CD driver did not correctly check
parameters. A local attacker could exploit this to read arbitrary kernel
memory, leading to a loss of privacy. (CVE-2010-3437)
Dan Rosenberg discovered that the Sound subsystem did not correctly
validate parameters. A local attacker could exploit this to crash
the system, leading to a denial of service. (Ubuntu 10.10 was not
affected.) (CVE-2010-3442)
Dan Rosenberg discovered that SCTP did not correctly handle HMAC
calculations. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
(CVE-2010-3705)
Nelson Elhage discovered several problems with the Acorn Econet protocol
driver. A local user could cause a denial of service via a NULL pointer
dereference, escalate privileges by overflowing the kernel stack, and
assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
CVE-2010-3849, CVE-2010-3850)
Brad Spengler discovered that stack memory for new a process was not
correctly calculated. A local attacker could exploit this to crash the
system, leading to a denial of service. (CVE-2010-3858)
Dan Rosenberg discovered that the Linux kernel TIPC implementation
contained multiple integer signedness errors. A local attacker could
exploit this to gain root privileges. (CVE-2010-3859)
Kees Cook discovered that the ethtool interface did not correctly clear
kernel memory. A local attacker could read kernel heap memory, leading to a
loss of privacy. (CVE-2010-3861)
Thomas Pollet discovered that the RDS network protocol did not check
certain iovec buffers. A local attacker could exploit this to crash the
system or possibly execute arbitrary code as the root user. (CVE-2010-3865)
Dan Rosenberg discovered that the Linux kernel X.25 implementation
incorrectly parsed facilities. A remote attacker could exploit this to
crash the kernel, leading to a denial of service. (CVE-2010-3873)
Dan Rosenberg discovered that the CAN protocol on 64bit systems did not
correctly calculate the size of certain buffers. A local attacker could
exploit this to crash the system or possibly execute arbitrary code as the
root user. (CVE-2010-3874)
Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
not correctly clear kernel memory. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
not properly initialize certain structures. A local attacker could exploit
this to read kernel stack memory, leading to a loss of privacy.
(CVE-2010-3876)
Vasiliy Kulikov discovered that the TIPC interface did not correctly
initialize certain structures. A local attacker could exploit this to read
kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)
Nelson Elhage discovered that the Linux kernel IPv4 implementation did not
properly audit certain bytecodes in netlink messages. A local attacker
could exploit this to cause the kernel to hang, leading to a denial of
service. (CVE-2010-3880)
Dan Rosenberg discovered that the RDS network protocol did not
correctly check certain parameters. A local attacker could exploit
this gain root privileges. (CVE-2010-3904)
Kees Cook and Vasiliy Kulikov discovered that the shm interface did not
clear kernel memory correctly. A local attacker could exploit this to read
kernel stack memory, leading to a loss of privacy. (CVE-2010-4072)
Dan Rosenberg discovered that multiple terminal ioctls did not correctly
initialize structure memory. A local attacker could exploit this to read
portions of kernel stack memory, leading to a loss of privacy.
(CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)
Dan Rosenberg discovered that the socket filters did not correctly
initialize structure memory. A local attacker could create malicious
filters to read portions of kernel stack memory, leading to a loss of
privacy. (CVE-2010-4158)
Dan Rosenberg discovered that the SCSI subsystem did not correctly validate
iov segments. A local attacker with access to a SCSI device could send
specially crafted requests to crash the system, leading to a denial of
service. (CVE-2010-4163)
Steve Chen discovered that setsockopt did not correctly check MSS values. A
local attacker could make a specially crafted socket call to crash the
system, leading to a denial of service. (CVE-2010-4165)
Dave Jones discovered that the mprotect system call did not correctly
handle merged VMAs. A local attacker could exploit this to crash the
system, leading to a denial of service. (CVE-2010-4169)
Dan Rosenberg discovered that the RDS protocol did not correctly check
ioctl arguments. A local attacker could exploit this to crash the system,
leading to a denial of service. (CVE-2010-4175)
Vegard Nossum discovered that memory garbage collection was not handled
correctly for active sockets. A local attacker could exploit this to
allocate all available kernel memory, leading to a denial of service.
(CVE-2010-4249)
It was discovered that multithreaded exec did not handle CPU timers
correctly. A local attacker could exploit this to crash the system, leading
to a denial of service. (CVE-2010-4248)
Krishna Gudipati discovered that the bfa adapter driver did not correctly
initialize certain structures. A local attacker could read files in /sys to
crash the system, leading to a denial of service. (CVE-2010-4343)
Tavis Ormandy discovered that the install_special_mapping function could
bypass the mmap_min_addr restriction. A local attacker could exploit this
to mmap 4096 bytes below the mmap_min_addr area, possibly improving the
chances of performing NULL pointer dereference attacks. (CVE-2010-4346)
It was discovered that the ICMP stack did not correctly handle certain
unreachable messages. If a remote attacker were able to acquire a socket
lock, they could send specially crafted traffic that would crash the
system, leading to a denial of service. (CVE-2010-4526)
Dan Rosenberg discovered that the OSS subsystem did not handle name
termination correctly. A local attacker could exploit this crash the system
or gain root privileges. (CVE-2010-4527)
Dan Carpenter discovered that the Infiniband driver did not correctly
handle certain requests. A local user could exploit this to crash the
system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-216.33.diff.gz
Size/MD5: 7629785 10a442d5149f374d91647eee1131a244
http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-216.33.dsc
Size/MD5: 1426 1c1ae71e7d8d0ac580d070190099317b
http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32.orig.tar.gz
Size/MD5: 81900940 4b1f6f6fac43a23e783079db589fc7e2
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/block-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 219790 adbd9025fff4823c6e76ed1a83732dde
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/crypto-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 60836 8a2347762bfd88d6cd11762559b31bc9
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fat-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 4858 da7caaa9a954230134eeb6ca2e1ae5d6
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/firewire-core-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 86606 1101c2d85dc874b002fec02dc91b4e9a
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-core-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 555128 739fa40e465de910fef6dc127e888684
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-secondary-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 138590 b4a297fc18ad3a04a3f210e70361dec8
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/input-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 51674 3909e00438c4a4745069bac12a1c2cb0
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/kernel-image-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 3697714 1ed6334e24e8f39b5297697be9d43c32
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-216-dove_2.6.32-216.33_armel.deb
Size/MD5: 764044 4a1fb599c05440c49d59c4a835ee69ae
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-216_2.6.32-216.33_armel.deb
Size/MD5: 10242462 5f90b0186995ce359a6ae35b89f8a584
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-image-2.6.32-216-dove_2.6.32-216.33_armel.deb
Size/MD5: 16056640 fdbe14522676dc8671f7a2668a3d964d
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/md-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 217320 b1badf13ddb4078b3ef19e2ce9cd15e0
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/mouse-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 36128 7f3c64a240fe1f20e8b0b7bbd08ba2c9
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nfs-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 308630 7e39cd12ff338e9c52f6d5409593cf3a
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 687538 82c67cce03b161ebdf6e5cb7a5290e96
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-shared-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 215926 56c448eafed5bc97db9a650143222a97
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-usb-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 111636 523c1722daeec8b9d5c812dc654ed3b6
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/parport-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 33788 fe6ca570f566bbc2a0524b0538c4a01d
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/plip-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 8502 26a885c1ad255a588b0f19a462dc0258
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/ppp-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 57290 86b9e09bef4600656c7bfa126b1424b7
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/scsi-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 14260 9322109be33a219aa08c26888f7d53bd
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/usb-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb
Size/MD5: 76060 f6cc06fd55a4cd2008a945fb96ee69fe
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-416.33.dsc
Size/MD5: 1155 973108dba3858a860043a5a2a6b5fa99
http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-416.33.tar.gz
Size/MD5: 90276205 53779b30af86ffb7c4c9330ce0892653
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/block-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 267512 f8b909552cab1c2dbcb42b7a69280145
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/crypto-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 69288 2c88af96a9d69ad25daf9cbd6403a559
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fat-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 4908 b954f16b25e5d873d1d79298e8627db4
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/firewire-core-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 96660 dd89814e86c8b0e84cfa30ee6c22fedd
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-core-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 616670 b09e0fd87b4e810afa20322464a7ac63
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-secondary-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 157288 4cf5eaf4a491518bce5d3ba828892e18
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/input-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 56470 11343afa90d062d35e8ee4d04392315a
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/kernel-image-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 3998446 d96bb8ed4d5256f3b9e1d82147e34742
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-416-dove_2.6.32-416.33_armel.deb
Size/MD5: 782358 f9ddf5a5f778e29e4412d44b6ed3e0ed
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-416_2.6.32-416.33_armel.deb
Size/MD5: 10237228 6771914efc0b995d1feb09db65e65f17
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-image-2.6.32-416-dove_2.6.32-416.33_armel.deb
Size/MD5: 17981618 e364479d3e93001888eaa914a3f554cb
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/md-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 236554 6979d5a5cd2967d5e1fac6be7d53eb28
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/mouse-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 39184 7c9900898bcc1bb28beeb5917750b417
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nfs-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 338846 e7f8f841b7b1bbebcf39112cfd7b4968
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 796006 39aee60cb92774dc50af3c6ae3c4d09b
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-shared-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 238426 348c9bdf966a5a3dde67d687f116e31a
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-usb-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 122258 ad995a31be5f5ff1e614ca5ebb0a8264
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/parport-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 38132 03a36ae8ff4501fc00f1e08f32f2ff2f
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/plip-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 10376 5d40952502a33ed0ab9dba1e30c9dbcf
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/ppp-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 64696 8b4af44f42fc454ff118a12938c9d85b
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/scsi-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 15182 70d5b20f4f42754994c542c9beb051e1
http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/usb-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb
Size/MD5: 86228 13c13e73665ca947df1d0516effac435
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists