CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : kernel
SUMMARY : Fixes for kernel vulnerabilities
DATE : 2004-07-28 12:39:00
ID : CLA-2004:852
RELEVANT RELEASES : 10
DESCRIPTION
The Linux kernel is responsible for handling the basic functions of
the GNU/Linux operating system.
This announcement fixes the following vulnerabilities:
1. Integer overflow in netfilter’s tcp_find_option function
(CAN-2004-0626[1])
Adam Osuchowski and Tomasz Dubinski noticed[2] that when using
iptables and TCP options rules, the tcp_find_option function of the
netfilter subsystem in Linux kernel 2.6 allows remote attackers to
cause a denial of service via a large option length that produces a
negative integer after a casting operation to the char type. They
also provided the correction for this bug.
2. Missing DAC checks in inode_change_ok function
(CAN-2004-0497[3])
Missing Discretionary Access Control (DAC) checks in the chown
system call allowed a local user to change the group ownership of
arbitrary files to a group that he or she belongs to, leading to a
privilege escalation vulnerability.
3. Integer overflow in ip_setsockopt function
(CAN-2004-0424[4])
iSEC Security Research published[5] an integer overflow
vulnerability[4] in the ip_setsockopt function on Linux kernel
2.6.1 through 2.6.3 which allows local users to cause a denial of
service condition or execute arbitrary code via the MCAST_MSFILTER
socket option.
4. Incorrect usage of the fb_copy_cmap function in framebuffer
(CAN-2004-0229[6])
The framebuffer driver in Linux kernel 2.6.x did not properly
use the fb_copy_cmap function, possibly allowing privilege
escalation for local attackers.
5. Integer overflow in the cpufreq proc handler
(CAN-2004-0228[7])
Brad Spender found an integer overflow bug in the Linux kernel
cpufreq code that allowed a local attacker to read arbitrary kernel
memory.
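Item 1 above describes an option length byte turning negative after a cast to the char type. The following C sketch is an added example, not the kernel's source or the reporters' patch: the names walk_signed and walk_checked, the result codes and the sample option bytes are constructed here to show why a signed read lets the index move backwards, and how an unsigned, bounds-checked walk rejects the same input.

```c
#include <stddef.h>
#include <stdio.h>

enum { WALK_NOT_FOUND = 0, WALK_FOUND = 1, WALK_LOOP = -1, WALK_MALFORMED = -2 };

/* Constructed sample option blocks (not captured traffic). */
static const unsigned char OPTS_OK[]  = { 2, 4, 0x05, 0xb4, 1, 3, 3, 7 };
static const unsigned char OPTS_BAD[] = { 1, 1, 8, 0xfe, 0, 0, 0, 0 };

/* Flawed model: bytes are read as signed char, so a length byte >= 0x80 is
 * negative and moves the index backwards. More than len steps inside a
 * len-byte buffer means an index repeated, i.e. the loop never ends. */
int walk_signed(const unsigned char *raw, size_t len, int want)
{
    const signed char *opt = (const signed char *)raw;
    long i = 0;
    size_t steps = 0;
    while (i >= 0 && (size_t)i < len) {
        if (++steps > len) return WALK_LOOP;
        if (opt[i] == want) return WALK_FOUND;
        if (opt[i] < 2 || (size_t)i + 1 >= len) i++;
        else i += opt[i + 1] ? opt[i + 1] : 1;
    }
    return WALK_NOT_FOUND;
}

/* Hardened walk: unsigned bytes, and every length must be >= 2 and fit in
 * the remaining buffer, so the index strictly increases. */
int walk_checked(const unsigned char *opt, size_t len, int want)
{
    size_t i = 0;
    while (i < len) {
        if (opt[i] == want) return WALK_FOUND;
        if (opt[i] == 0) break;               /* end of option list */
        if (opt[i] == 1) { i++; continue; }   /* NOP padding */
        if (i + 1 >= len || opt[i + 1] < 2 || (size_t)opt[i + 1] > len - i)
            return WALK_MALFORMED;
        i += opt[i + 1];
    }
    return WALK_NOT_FOUND;
}

int main(void)
{
    printf("ok : signed=%d checked=%d\n", walk_signed(OPTS_OK, 8, 3), walk_checked(OPTS_OK, 8, 3));
    printf("bad: signed=%d checked=%d\n", walk_signed(OPTS_BAD, 8, 2), walk_checked(OPTS_BAD, 8, 2));
    return 0;
}
```

Plain char is signed on some ABIs and unsigned on others, so code of this shape can behave differently per architecture; declaring packet bytes as unsigned removes that dependency.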
SOLUTION
It is recommended that all Conectiva Linux users upgrade the kernel
package.
IMPORTANT: exercise caution and preparation when upgrading the
kernel, since it will require a reboot after the new packages are
installed. In particular, Conectiva Linux 10 will most likely
require an initrd file (which is automatically created in the /boot
directory after the new packages are installed) and by default a
new grub entry will be added, not touching the old default option.
Generic kernel update instructions can be obtained in the manuals
and in our frequently asked questions page[8].
REFERENCES:
1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0626
2. http://www.securityfocus.com/archive/1/367615/2004-06-27/2004-07-03/0
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0424
5. http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0229
7. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0228
8. http://www.conectiva.com.br/suporte/pr/sistema.kernel.atualizar.html
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/kernel26-2.6.5-63255U10_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-2.6.5-63255U10_1cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-2.6.5-63255U10_1cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-2.6.5-63255U10_1cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-2.6.5-63255U10_1cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-BOOT-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-doc-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-enterprise-2.6.5-63255U10_1cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-enterprise-2.6.5-63255U10_1cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-enterprise-2.6.5-63255U10_1cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-2.6.5-63255U10_1cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-2.6.5-63255U10_1cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-2.6.5-63255U10_1cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-smp-2.6.5-63255U10_1cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-smp-2.6.5-63255U10_1cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-highmem-smp-2.6.5-63255U10_1cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-smp-2.6.5-63255U10_1cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-smp-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-smp-2.6.5-63255U10_1cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-smp-2.6.5-63255U10_1cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-smp-2.6.5-63255U10_1cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-source-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kernel26-uml-2.6.5-63255U10_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/slmodemd-2.6.5.63255U10_1cl.2.9.7-63168U10_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com