Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, privilege escalation or a sensitive memory leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-0028     Chris Evans discovered a situation in which a child     process can send an arbitrary signal to its parent.

  - CVE-2009-0834     Roland McGrath discovered an issue on amd64 kernels that     allows local users to circumvent system call audit     configurations which filter based on the syscall numbers     or argument details.

  - CVE-2009-0835     Roland McGrath discovered an issue on amd64 kernels with     CONFIG_SECCOMP enabled. By making a specially crafted     syscall, local users can bypass access restrictions.

  - CVE-2009-0859     Jiri Olsa discovered that a local user can cause a     denial of service (system hang) using a SHM_INFO shmctl     call on kernels compiled with CONFIG_SHMEM disabled.
    This issue does not affect prebuilt Debian kernels.

  - CVE-2009-1046     Mikulas Patocka reported an issue in the console     subsystem that allows a local user to cause memory     corruption by selecting a small number of 3-byte UTF-8     characters.

  - CVE-2009-1072     Igor Zhbanov reported that nfsd was not properly     dropping CAP_MKNOD, allowing users to create device     nodes on file systems exported with root_squash.

  - CVE-2009-1184     Dan Carpenter reported a coding issue in the selinux     subsystem that allows local users to bypass certain     networking checks when running with compat_net=1.

  - CVE-2009-1192     Shaohua Li reported an issue in the AGP subsystem they     may allow local users to read sensitive kernel memory     due to a leak of uninitialized memory.

  - CVE-2009-1242     Benjamin Gilbert reported a local denial of service     vulnerability in the KVM VMX implementation that allows     local users to trigger an oops.

  - CVE-2009-1265     Thomas Pollet reported an overflow in the af_rose     implementation that allows remote attackers to retrieve     uninitialized kernel memory that may contain sensitive     data.

  - CVE-2009-1337     Oleg Nesterov discovered an issue in the exit_notify     function that allows local users to send an arbitrary     signal to a process by running a program that modifies     the exit_signal field and then uses an exec system call     to launch a setuid application.

  - CVE-2009-1338     Daniel Hokka Zakrisson discovered that a kill(-1) is     permitted to reach processes outside of the current     process namespace.

  - CVE-2009-1439     Pavan Naregundi reported an issue in the CIFS filesystem     code that allows remote users to overwrite memory via a     long nativeFileSystem field in a Tree Connect response     during mount.

NFS did not correctly handle races between fcntl and interrupts. A local attacker on an NFS mount could consume unlimited kernel memory, leading to a denial of service. (CVE-2008-4307)

Sparc syscalls did not correctly check mmap regions. A local attacker could cause a system panic, leading to a denial of service.
(CVE-2008-6107)

In certain situations, cloned processes were able to send signals to parent processes, crossing privilege boundaries. A local attacker could send arbitrary signals to parent processes, leading to a denial of service. (CVE-2009-0028)

The 64-bit syscall interfaces did not correctly handle sign extension.
A local attacker could make malicious syscalls, possibly gaining root privileges. The x86_64 architecture was not affected. (CVE-2009-0029)

The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)

The Dell platform device did not correctly validate user parameters. A local attacker could perform specially crafted reads to crash the system, leading to a denial of service. (CVE-2009-0322)

Network interfaces statistics for the SysKonnect FDDI driver did not check capabilities. A local user could reset statistics, potentially interfering with packet accounting systems. (CVE-2009-0675)

The getsockopt function did not correctly clear certain parameters. A local attacker could read leaked kernel memory, leading to a loss of privacy. (CVE-2009-0676)

The syscall interface did not correctly validate parameters when crossing the 64-bit/32-bit boundary. A local attacker could bypass certain syscall restricts via crafted syscalls. (CVE-2009-0834, CVE-2009-0835)

The shared memory subsystem did not correctly handle certain shmctl calls when CONFIG_SHMEM was disabled. Ubuntu kernels were not vulnerable, since CONFIG_SHMEM is enabled by default. (CVE-2009-0859).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This Linux kernel update for SUSE Linux Enterprise 11 fixes lots of bugs and some security issues.

The kernel was also updated to the 2.6.27.21 stable release.

  - nfsd in the Linux kernel does not drop the CAP_MKNOD     capability before handling a user request in a thread,     which allows local users to create device nodes, as     demonstrated on a filesystem that has been exported with     the root_squash option. (CVE-2009-1072)

  - The sock_getsockopt function in net/core/sock.c in the     Linux kernel does not initialize a certain structure     member, which allows local users to obtain potentially     sensitive information from kernel memory via an     SO_BSDCOMPAT getsockopt request. The fix for this was     incomplete. (CVE-2009-0676)

  - The __secure_computing function in kernel/seccomp.c in     the seccomp subsystem in the Linux kernel on the x86_64     platform, when CONFIG_SECCOMP is enabled, does not     properly handle (1) a 32-bit process making a 64-bit     syscall or (2) a 64-bit process making a 32-bit syscall,     which allows local users to bypass intended access     restrictions via crafted syscalls that are     misinterpreted as (a) stat or (b) chmod. (CVE-2009-0835)

NFS did not correctly handle races between fcntl and interrupts. A local attacker on an NFS mount could consume unlimited kernel memory, leading to a denial of service. Ubuntu 8.10 was not affected.
(CVE-2008-4307)

Sparc syscalls did not correctly check mmap regions. A local attacker could cause a system panic, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-6107)

In certain situations, cloned processes were able to send signals to parent processes, crossing privilege boundaries. A local attacker could send arbitrary signals to parent processes, leading to a denial of service. (CVE-2009-0028)

The kernel keyring did not free memory correctly. A local attacker could consume unlimited kernel memory, leading to a denial of service.
(CVE-2009-0031)

The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)

The eCryptfs filesystem did not correctly handle certain VFS return codes. A local attacker with write-access to an eCryptfs filesystem could cause a system crash, leading to a denial of service.
(CVE-2009-0269)

The Dell platform device did not correctly validate user parameters. A local attacker could perform specially crafted reads to crash the system, leading to a denial of service. (CVE-2009-0322)

The page fault handler could consume stack memory. A local attacker could exploit this to crash the system or gain root privileges with a Kprobe registered. Only Ubuntu 8.10 was affected. (CVE-2009-0605)

Network interfaces statistics for the SysKonnect FDDI driver did not check capabilities. A local user could reset statistics, potentially interfering with packet accounting systems. (CVE-2009-0675)

The getsockopt function did not correctly clear certain parameters. A local attacker could read leaked kernel memory, leading to a loss of privacy. (CVE-2009-0676)

The ext4 filesystem did not correctly clear group descriptors when resizing. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-0745)

The ext4 filesystem did not correctly validate certain fields. A local attacker could mount a malicious ext4 filesystem, causing a system crash, leading to a denial of service. (CVE-2009-0746, CVE-2009-0747, CVE-2009-0748)

The syscall interface did not correctly validate parameters when crossing the 64-bit/32-bit boundary. A local attacker could bypass certain syscall restricts via crafted syscalls. (CVE-2009-0834, CVE-2009-0835)

The shared memory subsystem did not correctly handle certain shmctl calls when CONFIG_SHMEM was disabled. Ubuntu kernels were not vulnerable, since CONFIG_SHMEM is enabled by default. (CVE-2009-0859)

The virtual consoles did not correctly handle certain UTF-8 sequences.
A local attacker on the physical console could exploit this to cause a system crash, leading to a denial of service. (CVE-2009-1046).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This Linux kernel update for openSUSE 11.1 fixes lots of bugs and some security issues.

The kernel was also updated to the 2.6.27.21 stable release.

CVE-2009-1072: nfsd in the Linux kernel does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request. The fix for this was incomplete.

CVE-2009-0835: The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

This kernel update for openSUSE 10.3 fixes some bugs and several security problems.

The following security issues are fixed: A local denial of service problem in the splice(2) system call.

CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

CVE-2009-1072: nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0835 The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

CVE-2009-1439: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

CVE-2009-1337: The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-0859: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE is enabling CONFIG_SHMEM, so is by default not affected, the fix is just for completeness).

CVE-2009-1265: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent.

CVE-2009-0028: The clone system call in the Linux kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

CVE-2009-0322: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.

CVE-2009-0269: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

CVE-2009-0065: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.

CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c in the Linux kernel might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call.

CVE-2008-4554: The do_splice_from function in fs/splice.c in the Linux kernel does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

Some other non-security bugs were fixed, please see the RPM changelog.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The clone system call in the Linux kernel 2.6.28 and earlier allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.
(CVE-2009-0028)

fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index. (CVE-2009-0269)

The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343. (CVE-2009-0834)

The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343. (CVE-2009-0835)

The selinux_ip_postroute_iptables_compat function in security/selinux/hooks.c in the SELinux subsystem in the Linux kernel before 2.6.27.22, and 2.6.28.x before 2.6.28.10, when compat_net is enabled, omits calls to avc_has_perm for the (1) node and (2) port, which allows local users to bypass intended restrictions on network traffic. NOTE: this was incorrectly reported as an issue fixed in 2.6.27.21. (CVE-2009-1184)

Additionally, along with other things, this kernel update adds support for D-Link DWM 652 3.5G, some Intel gigabit network chipsets, Avermedia PCI pure analog (M135A), fixes a bug causing SQLite performance regression, and has some updated ALSA drivers. Check the package changelog for details.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

The Linux kernel on SUSE Linux Enterprise 10 Service Pack 2 was updated to fix various security issues and several bugs.

The following security issues were fixed: CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

  - nfsd in the Linux kernel did not drop the CAP_MKNOD     capability before handling a user request in a thread,     which allows local users to create device nodes, as     demonstrated on a filesystem that has been exported with     the root_squash option. (CVE-2009-1072)

  - The __secure_computing function in kernel/seccomp.c in     the seccomp subsystem in the Linux kernel on the x86_64     platform, when CONFIG_SECCOMP is enabled, does not     properly handle (1) a 32-bit process making a 64-bit     syscall or (2) a 64-bit process making a 32-bit syscall,     which allows local users to bypass intended access     restrictions via crafted syscalls that are     misinterpreted as (a) stat or (b) chmod. (CVE-2009-0835)

  - Buffer overflow in fs/cifs/connect.c in CIFS in the     Linux kernel 2.6.29 and earlier allows remote attackers     to cause a denial of service (crash) or potential code     execution via a long nativeFileSystem field in a Tree     Connect response to an SMB mount request.
    (CVE-2009-1439)

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

  - The exit_notify function in kernel/exit.c in the Linux     kernel did not restrict exit signals when the CAP_KILL     capability is held, which allows local users to send an     arbitrary signal to a process by running a program that     modifies the exit_signal field and then uses an exec     system call to launch a setuid application.
    (CVE-2009-1337)

  - The shm_get_stat function in ipc/shm.c in the shm     subsystem in the Linux kernel, when CONFIG_SHMEM is     disabled, misinterprets the data type of an inode, which     allows local users to cause a denial of service (system     hang) via an SHM_INFO shmctl call, as demonstrated by     running the ipcs program. (SUSE is enabling     CONFIG_SHMEM, so is by default not affected, the fix is     just for completeness). (CVE-2009-0859)

The GCC option -fwrapv has been added to compilation to work around potentially removing integer overflow checks.

  - Integer overflow in rose_sendmsg (sys/net/af_rose.c) in     the Linux kernel might allow attackers to obtain     sensitive information via a large length value, which     causes 'garbage' memory to be sent. (CVE-2009-1265)

Also a number of bugs were fixed, for details please see the RPM changelog.

This kernel update for openSUSE 11.0 fixes some bugs and several security problems.

The following security issues are fixed: A local denial of service problem in the splice(2) system call.

CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

CVE-2009-0834: The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls.

CVE-2009-1072: nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

CVE-2009-0835 The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod.

CVE-2009-1439: Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.

This requires that kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

CVE-2009-1337: The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-0859: The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE is enabling CONFIG_SHMEM, so is by default not affected, the fix is just for completeness).

CVE-2009-1242: The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka 'Long mode enable') bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.

CVE-2009-1265: Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent.

CVE-2009-0028: The clone system call in the Linux kernel allows local users to send arbitrary signals to a parent process from an unprivileged child process by launching an additional child process with the CLONE_PARENT flag, and then letting this new process exit.

CVE-2009-0675: The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kernel permits SKFP_CLR_STATS requests only when the CAP_NET_ADMIN capability is absent, instead of when this capability is present, which allows local users to reset the driver statistics, related to an 'inverted logic' issue.

CVE-2009-0676: The sock_getsockopt function in net/core/sock.c in the Linux kernel does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request.

CVE-2009-0322: drivers/firmware/dell_rbu.c in the Linux kernel allows local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the (1) image_type or (2) packet_size file in /sys/devices/platform/dell_rbu/.

CVE-2009-0269: fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array index.

CVE-2009-0065: Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID.

Some other non-security bugs were fixed, please see the RPM changelog.

ID	Name	Product	Family	Published	Updated	Severity
38795	Debian DSA-1800-1 : linux-2.6 - denial of service/privilege escalation/sensitive memory leak	Nessus	Debian Local Security Checks	5/18/2009	1/4/2021	high
36418	Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-752-1)	Nessus	Ubuntu Local Security Checks	4/23/2009	1/19/2021	critical
41410	SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 713 / 715 / 716)	Nessus	SuSE Local Security Checks	9/24/2009	1/14/2021	medium
37337	Ubuntu 7.10 / 8.04 LTS / 8.10 : linux, linux-source-2.6.22 vulnerabilities (USN-751-1)	Nessus	Ubuntu Local Security Checks	4/23/2009	1/19/2021	critical
40249	openSUSE Security Update : kernel (kernel-733)	Nessus	SuSE Local Security Checks	7/21/2009	1/14/2021	medium
39335	openSUSE 10 Security Update : kernel (kernel-6274)	Nessus	SuSE Local Security Checks	6/9/2009	1/14/2021	critical
38845	Mandriva Linux Security Advisory : kernel (MDVSA-2009:118)	Nessus	Mandriva Local Security Checks	5/20/2009	1/6/2021	medium
41539	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 6237)	Nessus	SuSE Local Security Checks	9/24/2009	1/14/2021	high
40012	openSUSE Security Update : kernel (kernel-951)	Nessus	SuSE Local Security Checks	7/21/2009	1/14/2021	critical
59137	SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 6236)	Nessus	SuSE Local Security Checks	5/17/2012	1/14/2021	high

Detections

Analytics

Plugins Search

high

critical

medium

critical

medium

critical

medium

high

critical

high