Secunia

A weakness and four vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security restrictions, or with unknown impacts.

1) An integer overflow error exists within the "do_replace()" function in Netfilter. This can be exploited to cause a buffer overflow and allows the overwrite of arbitrary amounts of kernel memory when data is copied from user space.

Successful exploitation requires that the user is granted CAP_NET_ADMIN rights e.g. on systems that uses certain virtualisation solutions such as OpenVZ.

2) Insufficient memory allocation in "drivers/usb/gadget/rndis.c" when handling NDIS response to OID_GEN_SUPPORTED_LIST may cause kernel memory corruption.

3) An error in the get_compat_timespec() and compat_sys_clock_settime() functions when handling sign extended arguments can be exploited to cause the system to stop responding via a "date -s" command.

The vulnerability affects only the SPARC platform.

4) An error exists within the handling of singlestep ptrace when a task get preempted out of "do_debug()" processing while it is running on the DEBUG_STACK stack. This can be exploited to crash the system by having multiple tasks doing ptrace singlesteps at around the same time.

Successful exploitation requires that preemption is enabled in the kernel.

The vulnerability affects only the x86_64 platform.

5) An error exists within the SELinux ptrace handling code when setting the tracer SID of a process that is being ptraced. This causes incorrect ptrace revalidation at execve time and can potentially be exploited to bypass certain security restrictions.

The vulnerability was reportedly introduced in version 2.6.6.

Solution
Update to version 2.6.16.
Further details available in Customer Area

Provided and/or discovered by
1) Solar Designer
2) Shaun Tancheff
3) Ludovic Courtes
4) John Blackwood
5) Stephen Smalley

Changelog
Further details available in Customer Area

Original Advisory
http://marc.theaimsgroup.com/?l=linux-sparc&m=113861010514065&w=2
http://marc.theaimsgroup.com/?l=linux-kernel&m=113932292516359&w=2
http://marc.theaimsgroup.com/?l=selinux&m=114226465106131&w=2

Kernel.org:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8763716bfe4d8a16bef28c9947cf9d799b1796a5
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cddfc12e2513a4229bad0d05fde2d40a75c3e197
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a65d17c9d27a85782cfe1bbc36c747ffa1f81814

Deep Links
Links available in Customer Area