PACKAGE : kernel
SUMMARY : Fixes for kernel vulnerabilities
DATE : 2004-07-28 12:39:00
ID : CLA-2004:852
RELEVANT RELEASES : 10
DESCRIPTION
The Linux kernel is responsible for handling the basic functions of
the GNU/Linux operating system.
This announcement fixes the following vulnerabilities:
1. Integer overflow in netfilter's tcp_find_option function
(CAN-2004-0626[1])
Adam Osuchowski and Tomasz Dubinski noticed[2] that when using
iptables and TCP options rules, the tcp_find_option function of the
netfilter subsystem in Linux kernel 2.6 allows remote attackers to
cause a denial of service via a large option length that produces a
negative integer after a casting operation to the char type. They
also provided the correction for this bug.
2. Missing DAC checks in the inode_change_ok function
(CAN-2004-0497[3])
Missing Discretionary Access Control (DAC) checks in the chown
system call allowed a local user to change the group ownership of
arbitrary files to a group that he or she belongs to, leading to a
privilege escalation vulnerability.
3. Integer overflow in the ip_setsockopt function
(CAN-2004-0424[4])
iSEC Security Research published[5] an integer overflow
vulnerability[4] in the ip_setsockopt function on Linux kernel
2.6.1 through 2.6.3 which allows local users to cause a denial of
service condition or execute arbitrary code via the MCAST_MSFILTER
socket option.
4. Incorrect usage of the fb_copy_cmap function in framebuffer
(CAN-2004-0229[6])
The framebuffer driver in Linux kernel 2.6.x did not properly
use the fb_copy_cmap function, possibly allowing privilege
escalation for local attackers.
5. Integer overflow in the cpufreq proc handler
(CAN-2004-0228[7])
Brad Spender found an integer overflow bug in the Linux kernel
cpufreq code that allowed a local attacker to read arbitrary kernel
memory.
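The signed-char problem described in item 1 (CAN-2004-0626), shown as
a user-space model added here; it is not the kernel's or Conectiva's
code. The function names, the MAX_STEPS guard and the option bytes are
constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_STEPS 64 /* demo guard: stop a walk that is not terminating */

/* Constructed samples: MSS, NOP, window scale; then NOP plus an option
 * whose length byte is 0xFF. */
static const uint8_t good_opts[] = {0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x07};
static const uint8_t bad_opts[] = {0x01, 0x08, 0xff};

/* Model of the flaw: bytes are read as signed char, so 0xFF becomes -1.
 * Returns 1 found, 0 absent, -2 step budget exhausted (no progress). */
int find_option_signed(const uint8_t *raw, size_t optlen, uint8_t wanted)
{
    const signed char *opt = (const signed char *)raw;
    long i = 0;
    for (int steps = 0; i >= 0 && (size_t)i < optlen; steps++) {
        if (steps >= MAX_STEPS) return -2;
        if ((uint8_t)opt[i] == wanted)
            return 1;
        if (opt[i] < 2) /* EOL and NOP are single-byte options */
            i++;
        else /* a negative length moves the index backwards */
            i += ((size_t)i + 1 < optlen && opt[i + 1]) ? opt[i + 1] : 1;
    }
    return 0;
}

/* Checked walk: unsigned bytes; a length below 2 or running past the
 * buffer is rejected (-1) instead of being followed. */
int find_option_checked(const uint8_t *opt, size_t optlen, uint8_t wanted)
{
    for (size_t i = 0; i < optlen; ) {
        if (opt[i] == wanted)
            return 1;
        if (opt[i] < 2) { i++; continue; }
        if (i + 1 >= optlen || opt[i + 1] < 2 || (size_t)opt[i + 1] > optlen - i)
            return -1;
        i += opt[i + 1];
    }
    return 0;
}

int main(void)
{
    printf("signed=%d checked=%d\n", find_option_signed(bad_opts, sizeof bad_opts, 2),
           find_option_checked(bad_opts, sizeof bad_opts, 2));
    return 0;
}
```

Both walks agree on well-formed options; only the malformed length
byte separates them.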
SOLUTION
It is recommended that all Conectiva Linux users upgrade the kernel
package.
IMPORTANT: exercise caution and preparation when upgrading the
kernel, since it will require a reboot after the new packages are
installed. In particular, Conectiva Linux 10 will most likely
require an initrd file (which is automatically created in the /boot
directory after the new packages are installed) and by default a
new grub entry will be added, not touching the old default option.
Generic kernel update instructions can be obtained in the manuals
and in our frequently asked questions page[8].