A weakness and two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially gain escalated privileges.

1) A weakness is caused due to a logic error within the "skfp_ioctl()" function in drivers/net/skfp/skfddi.c, which can be exploited to reset the driver statistics without having CAP_NET_ADMIN capabilities.

The weakness is reported in versions prior to 2.6.27.18 and 2.6.28.6.

2) A vulnerability is caused due to an error within the "shm_get_stat()" function in ipc/shm.c. This can be exploited to crash a system by e.g. calling the "shmctl()" function.

Note: Successful exploitation requires that "CONFIG_SHMEM" is enabled.

The vulnerability is reported in versions prior to 2.6.27.16 and 2.6.28.5.

3) A boundary error exists in the "set_selection()" function in drivers/char/selection.c. This can be exploited to cause a heap-based buffer overflow with two bytes by selecting a small number of characters on an UTF-8 console.

Successful exploitation requires physical console access.

The vulnerability is reported in versions prior to 2.6.28.4.

Solution
Update to version 2.6.27.18 or 2.6.28.6.

Provided and/or discovered by
1) Reported by the vendor.
2) Jiri Olsa
3) Mikulas Patocka

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.18
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.4

Deep Links
Links available to Secunia VIM customers