Secunia

A weakness, a security issue, and a vulnerability have been reported in the Linux kernel, which can be exploited by malicious, local users to bypass certain security restrictions and potentially gain escalated privileges.

1) A vulnerability is caused due to the DRM_I915_HWS_ADDR IOCTL being available to non-root users, which can be exploited to e.g. zero and remap memory locations by sending a specially crafted IOCTL to the driver.

Successful exploitation may allow to execute arbitrary code with escalated privileges, but requires an Intel G33 series or newer chipset.

2) A weakness is caused due to the "do_splice_from()" function in fs/splice.c not honoring the "O_APPEND" flag. This can be exploited by using the "splice()" system call to write to arbitrary locations in a file regardless of the "O_APPEND" setting.

3) A security issue is caused due to /sys/bus/pci/drivers/megaraid_sas/dbg_lvl being set with insecure permissions (world-writable).

This security issue is reported in version prior to 2.6.27.

Solution
Update to version 2.6.25.19, 2.6.26.7, or 2.6.27.3.

Provided and/or discovered by
1) Olaf Kirch
2) Miklos Szeredi

Changelog
Further details available in Customer Area

Original Advisory
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.19
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.7
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.3
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27

Deep Links
Links available in Customer Area