=========================================================== Ubuntu Security Notice USN-1093-1 March 25, 2011 linux-mvl-dove vulnerabilities CVE-2010-2478, CVE-2010-2942, CVE-2010-2943, CVE-2010-2954, CVE-2010-2955, CVE-2010-2960, CVE-2010-2962, CVE-2010-2963, CVE-2010-3067, CVE-2010-3078, CVE-2010-3079, CVE-2010-3080, CVE-2010-3084, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298, CVE-2010-3310, CVE-2010-3432, CVE-2010-3437, CVE-2010-3442, CVE-2010-3477, CVE-2010-3705, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, CVE-2010-3858, CVE-2010-3859, CVE-2010-3861, CVE-2010-3865, CVE-2010-3873, CVE-2010-3874, CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904, CVE-2010-4072, CVE-2010-4075, CVE-2010-4076, CVE-2010-4077, CVE-2010-4158, CVE-2010-4163, CVE-2010-4165, CVE-2010-4169, CVE-2010-4175, CVE-2010-4248, CVE-2010-4249, CVE-2010-4343, CVE-2010-4346, CVE-2010-4526, CVE-2010-4527, CVE-2010-4649, CVE-2011-1044 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 10.04 LTS: linux-image-2.6.32-216-dove 2.6.32-216.33 Ubuntu 10.10: linux-image-2.6.32-416-dove 2.6.32-416.33 ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well. Details follow: Joel Becker discovered that OCFS2 did not correctly validate on-disk symlink structures. If an attacker were able to trick a user or automated system into mounting a specially crafted filesystem, it could crash the system or exposde kernel memory, leading to a loss of privacy. Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (Only Ubuntu 10.04 LTS was affected.) (CVE-2010-2478, CVE-2010-3084) Eric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (Ubuntu 10.10 was not affected.) (CVE-2010-2942, CVE-2010-3477) Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943) Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (Ubuntu 10.10 was not affected.) (CVE-2010-2954) Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (Only Ubuntu 10.04 LTS was affected.) (CVE-2010-2955) Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (Only Ubuntu 10.04 LTS was affected.) (CVE-2010-2960) Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962) Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963) Tavis Ormandy discovered that the AIO subsystem did not correctly validate certain parameters. A local attacker could exploit this to crash the system or possibly gain root privileges. (Ubuntu 10.10 was not affected.) (CVE-2010-3067) Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (10.10 was not affected.) (CVE-2010-3078) Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079) Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (Ubuntu 10.10 was not affected.) (CVE-2010-3080) Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297, CVE-2010-3298) Dan Rosenberg discovered that the ROSE driver did not correctly check parameters. A local attacker with access to a ROSE network device could exploit this to crash the system or possibly gain root privileges. (Ubuntu 10.10 was not affected.) (CVE-2010-3310) Thomas Dreibholz discovered that SCTP did not correctly handle appending packet chunks. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (Ubuntu 10.10 was not affected.) (CVE-2010-3432) Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437) Dan Rosenberg discovered that the Sound subsystem did not correctly validate parameters. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 10.10 was not affected.) (CVE-2010-3442) Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705) Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861) Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865) Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875) Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876) Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) Krishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service. (CVE-2010-4343) Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346) It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526) Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this crash the system or gain root privileges. (CVE-2010-4527) Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-216.33.diff.gz Size/MD5: 7629785 10a442d5149f374d91647eee1131a244 http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-216.33.dsc Size/MD5: 1426 1c1ae71e7d8d0ac580d070190099317b http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32.orig.tar.gz Size/MD5: 81900940 4b1f6f6fac43a23e783079db589fc7e2 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/block-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 219790 adbd9025fff4823c6e76ed1a83732dde http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/crypto-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 60836 8a2347762bfd88d6cd11762559b31bc9 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fat-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 4858 da7caaa9a954230134eeb6ca2e1ae5d6 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/firewire-core-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 86606 1101c2d85dc874b002fec02dc91b4e9a http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-core-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 555128 739fa40e465de910fef6dc127e888684 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-secondary-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 138590 b4a297fc18ad3a04a3f210e70361dec8 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/input-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 51674 3909e00438c4a4745069bac12a1c2cb0 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/kernel-image-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 3697714 1ed6334e24e8f39b5297697be9d43c32 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-216-dove_2.6.32-216.33_armel.deb Size/MD5: 764044 4a1fb599c05440c49d59c4a835ee69ae http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-216_2.6.32-216.33_armel.deb Size/MD5: 10242462 5f90b0186995ce359a6ae35b89f8a584 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-image-2.6.32-216-dove_2.6.32-216.33_armel.deb Size/MD5: 16056640 fdbe14522676dc8671f7a2668a3d964d http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/md-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 217320 b1badf13ddb4078b3ef19e2ce9cd15e0 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/mouse-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 36128 7f3c64a240fe1f20e8b0b7bbd08ba2c9 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nfs-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 308630 7e39cd12ff338e9c52f6d5409593cf3a http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 687538 82c67cce03b161ebdf6e5cb7a5290e96 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-shared-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 215926 56c448eafed5bc97db9a650143222a97 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-usb-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 111636 523c1722daeec8b9d5c812dc654ed3b6 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/parport-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 33788 fe6ca570f566bbc2a0524b0538c4a01d http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/plip-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 8502 26a885c1ad255a588b0f19a462dc0258 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/ppp-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 57290 86b9e09bef4600656c7bfa126b1424b7 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/scsi-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 14260 9322109be33a219aa08c26888f7d53bd http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/usb-modules-2.6.32-216-dove-di_2.6.32-216.33_armel.udeb Size/MD5: 76060 f6cc06fd55a4cd2008a945fb96ee69fe Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-416.33.dsc Size/MD5: 1155 973108dba3858a860043a5a2a6b5fa99 http://security.ubuntu.com/ubuntu/pool/main/l/linux-mvl-dove/linux-mvl-dove_2.6.32-416.33.tar.gz Size/MD5: 90276205 53779b30af86ffb7c4c9330ce0892653 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/block-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 267512 f8b909552cab1c2dbcb42b7a69280145 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/crypto-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 69288 2c88af96a9d69ad25daf9cbd6403a559 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fat-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 4908 b954f16b25e5d873d1d79298e8627db4 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/firewire-core-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 96660 dd89814e86c8b0e84cfa30ee6c22fedd http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-core-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 616670 b09e0fd87b4e810afa20322464a7ac63 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/fs-secondary-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 157288 4cf5eaf4a491518bce5d3ba828892e18 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/input-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 56470 11343afa90d062d35e8ee4d04392315a http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/kernel-image-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 3998446 d96bb8ed4d5256f3b9e1d82147e34742 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-416-dove_2.6.32-416.33_armel.deb Size/MD5: 782358 f9ddf5a5f778e29e4412d44b6ed3e0ed http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-headers-2.6.32-416_2.6.32-416.33_armel.deb Size/MD5: 10237228 6771914efc0b995d1feb09db65e65f17 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/linux-image-2.6.32-416-dove_2.6.32-416.33_armel.deb Size/MD5: 17981618 e364479d3e93001888eaa914a3f554cb http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/md-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 236554 6979d5a5cd2967d5e1fac6be7d53eb28 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/mouse-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 39184 7c9900898bcc1bb28beeb5917750b417 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nfs-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 338846 e7f8f841b7b1bbebcf39112cfd7b4968 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 796006 39aee60cb92774dc50af3c6ae3c4d09b http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-shared-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 238426 348c9bdf966a5a3dde67d687f116e31a http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/nic-usb-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 122258 ad995a31be5f5ff1e614ca5ebb0a8264 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/parport-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 38132 03a36ae8ff4501fc00f1e08f32f2ff2f http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/plip-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 10376 5d40952502a33ed0ab9dba1e30c9dbcf http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/ppp-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 64696 8b4af44f42fc454ff118a12938c9d85b http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/scsi-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 15182 70d5b20f4f42754994c542c9beb051e1 http://ports.ubuntu.com/pool/main/l/linux-mvl-dove/usb-modules-2.6.32-416-dove-di_2.6.32-416.33_armel.udeb Size/MD5: 86228 13c13e73665ca947df1d0516effac435