Advisories MDKSA-2007:196: Updated kernel packages fix multiple vulnerabilities and bugs


paul

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel:

The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203).

The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497).

A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which led to an out-of-bounds access by certain functions (CVE-2007-2172).

The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242).
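The type 0 routing header (RH0) issue above is the one item in this list that a network defender can detect on the wire: an RH0 whose address list names the same two routers repeatedly, with segments still left to process, is the ping-pong pattern that produces the amplification (RFC 5095 later deprecated RH0 altogether). The following is an added example, not part of the Mandriva advisory or the kernel code, that walks an IPv6 extension-header chain, extracts any RH0, and flags that pattern; the packet builder only constructs test input.

```python
import struct
import ipaddress

IPV6_ROUTING = 43
# Extension headers that share the generic next-header / hdr-ext-len layout:
# hop-by-hop options (0), routing (43), destination options (60)
EXT_HEADERS = {0, 43, 60}

def find_rh0(packet: bytes):
    """Walk the IPv6 extension-header chain; return the segments-left count
    and hop list of a type 0 routing header (RH0), or None if there is none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_hdr, offset = packet[6], 40
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            return None  # truncated extension header
        nh, ext_len = packet[offset], packet[offset + 1]
        hdr_len = (ext_len + 1) * 8  # ext_len counts 8-octet units after the first
        if next_hdr == IPV6_ROUTING and packet[offset + 2] == 0:
            addrs = packet[offset + 8:offset + hdr_len]
            hops = [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                    for i in range(0, len(addrs) // 16 * 16, 16)]
            return {"segments_left": packet[offset + 3], "hops": hops}
        next_hdr, offset = nh, offset + hdr_len
    return None

def looks_like_ping_pong(info):
    """True when an RH0 still has segments to process and lists the same
    address more than once: the packet would bounce between those routers."""
    return info["segments_left"] > 0 and len(set(info["hops"])) < len(info["hops"])

def build_rh0_packet(src, dst, hops, segments_left):
    """Construct a minimal IPv6 packet carrying an RH0 (constructed test input)."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # RH0: next header 59 (none), ext len = 2 per address, type 0, segments left,
    # four reserved bytes, then the address list
    rh0 = struct.pack("!BBBB", 59, len(hops) * 2, 0, segments_left) + b"\x00" * 4 + addrs
    hdr = struct.pack("!IHBB", 6 << 28, len(rh0), IPV6_ROUTING, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + rh0

if __name__ == "__main__":
    pkt = build_rh0_packet("2001:db8::1", "2001:db8::2", ["2001:db8::a", "2001:db8::b"] * 4, 8)
    info = find_rh0(pkt)
    print(info, looks_like_ping_pong(info))
```

The same walk can be run over a pcap feed to alert on any RH0 at all, which is the simpler policy most sites adopted after this fix.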

The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453).

A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525).

An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875).

The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876).

A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105).

The lcd_write function did not limit the amount of memory used by a caller, which allowed local users to cause a denial of service (memory consumption) (CVE-2007-3513).

The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848).

The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308).

The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero-extend the eax register after the 32-bit entry path to ptrace is used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573).

In addition to these security fixes, other fixes have been included, such as:

- The 3w-9xxx module was updated to version 9.4.1.2, adding support for 9650SE
- Fixed the build of e1000-ng
- Added NIC support for MCP55
- Added LSI Logic MegaRAID SAS 8300XLP support

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate
