Secunia

Some vulnerabilities have been reported in the Linux kernel. These can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges, or by malicious people to cause a DoS or bypass certain security restrictions.

1) Insufficient permission checking in the "shmctl()" function allows any process to lock/unlock arbitrary System V shared memory segments that fall within the RLIMIT_MEMLOCK limit.

This can be exploited to unlock locked memory of other processes, which may result in sensitive information being written to swap space.

2) A race condition exists in the terminal handling of the "setsid()" function used for starting new process sessions.

3) An error within the handling of the OUTS instruction on 64-bit platforms can be exploited by malicious, local users to write to privileged IO ports.

4) Table sizes in "nls_ascii.c" are incorrectly set to 128 instead of 256, which may be exploited to cause buffer overflows and crash the kernel.

5) A design error in the netfilter/iptables module can be exploited to crash the kernel or bypass firewall rules via specially crafted packets.

6) An error in the netfilter/iptables module can be exploited to crash the kernel via specially crafted IP packet fragments.

7) A memory leak in the netfilter/iptables module when handling locally generated packet fragments can be exploited to consume all available kernel memory resources.

8) Missing restrictions on the N_MOUSE line discipline makes it possible for any user to inject mouse movements and keyboard events into the input subsystem and thereby hijack another user's session.

9) An error in the futex handling can be exploited to cause a deadlock condition.

10) A signedness error in sysfs when writing to a sysfs file can be exploited to overwrite kernel memory. This may crash the system or allow execution of arbitrary code with escalated privileges.

11) An unspecified error in the "unw_unwind_to_user()" function can be exploited by malicious, local users to crash 64-bit systems.

12) An unspecified error in the NFS client O_DIRECT error case handling can be exploited by malicious, local users to crash the system.

13) An error in the auditing code can be exploited by malicious, local users on Itanium systems to crash the kernel.

14) A error in the handling of extended attributes on ext2 and ext3 file systems can cause incorrect enforcement of Access Control Lists and may allow unauthorized access to files.

15) A boundary error in the "coda_pioctl()" function in the coda module (pioctl.c) may be exploited to crash the kernel or execute arbitrary code via negative "vi.in_size" or "vi.out_size" values.

16) A race condition in "/fs/exec.c" when threads are sharing memory mapping via CLONE_VM e.g. linuxthreads and vfork, may be exploited by local users to cause a DoS (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.

17) An error in handling the situation when one thread is tracing another thread that shares the same memory map, may be exploited by local users to cause a DoS (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.

18) Some signedness errors in "drivers/block/scsi_ioctl.c" may be exploited by malicious users to read and write kernel memory, potentially causing a crash.

The vulnerabilities have been reported in the 2.6 kernel. Vulnerability #3 also affects the 2.4 kernel.

Solution
1-2) Secunia is currently not aware of an updated kernel version addressing the vulnerabilities. Grant only trusted users access to affected systems.
Further details available in Customer Area

Provided and/or discovered by
1) Michael Kerrisk
4) Ogawa Hirofumi
5) David Coulson
6) Herbert Xu
9) Olof Johansson
10) Alexander Nyberg
11) Keith Owens
13) Stephane Eranian
15) Brian Fulton and Ted Unangst, Coverity Inc.
18) Brad Spengler

Changelog
Further details available in Customer Area

Original Advisory
Kernel.org:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11
http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.32.log
http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=d53393237d7c6a04976a235420304b9b0a5063e0

Deep Links
Links available in Customer Area