7.8 - USN-231-1

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

linux-image-2.6.10-6-386 linux-image-2.6.10-6-686 linux-image-2.6.10-6-686-smp linux-image-2.6.10-6-amd64-generic linux-image-2.6.10-6-amd64-k8 linux-image-2.6.10-6-amd64-k8-smp linux-image-2.6.10-6-amd64-xeon linux-image-2.6.10-6-itanium linux-image-2.6.10-6-itanium-smp linux-image-2.6.10-6-k7 linux-image-2.6.10-6-k7-smp linux-image-2.6.10-6-mckinley linux-image-2.6.10-6-mckinley-smp linux-image-2.6.10-6-power3 linux-image-2.6.10-6-power3-smp linux-image-2.6.10-6-power4 linux-image-2.6.10-6-power4-smp linux-image-2.6.10-6-powerpc linux-image-2.6.10-6-powerpc-smp linux-image-2.6.12-10-386 linux-image-2.6.12-10-686 linux-image-2.6.12-10-686-smp linux-image-2.6.12-10-amd64-generic linux-image-2.6.12-10-amd64-k8 linux-image-2.6.12-10-amd64-k8-smp linux-image-2.6.12-10-amd64-xeon linux-image-2.6.12-10-iseries-smp linux-image-2.6.12-10-k7 linux-image-2.6.12-10-k7-smp linux-image-2.6.12-10-powerpc linux-image-2.6.12-10-powerpc-smp linux-image-2.6.12-10-powerpc64-smp linux-image-2.6.8.1-6-386 linux-image-2.6.8.1-6-686 linux-image-2.6.8.1-6-686-smp linux-image-2.6.8.1-6-amd64-generic linux-image-2.6.8.1-6-amd64-k8 linux-image-2.6.8.1-6-amd64-k8-smp linux-image-2.6.8.1-6-amd64-xeon linux-image-2.6.8.1-6-k7 linux-image-2.6.8.1-6-k7-smp linux-image-2.6.8.1-6-power3 linux-image-2.6.8.1-6-power3-smp linux-image-2.6.8.1-6-power4 linux-image-2.6.8.1-6-power4-smp linux-image-2.6.8.1-6-powerpc linux-image-2.6.8.1-6-powerpc-smp linux-patch-debian-2.6.8.1 linux-patch-ubuntu-2.6.10 linux-patch-ubuntu-2.6.12

The problem can be corrected by upgrading the affected package to version 2.6.8.1-16.26 (for Ubuntu 4.10), 2.6.10-34.9 (for Ubuntu 5.04), or 2.6.12-10.25 (for Ubuntu 5.10). After a standard system upgrade you need to reboot the computer to effect the necessary changes.

Details follow:

Rudolf Polzer reported an abuse of the 'loadkeys' command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the usage of 'loadkeys' to root. (CVE-2005-3257)

The ptrace() system call did not correctly check whether a process tried to attach to itself. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3783)

A Denial of Service vulnerability was found in the handler that automatically cleans up and terminates child processes that are not correctly handled by their parent process ("auto-reaper"). The check did not correctly handle processes which were currently traced by another process. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3784)

A locking problem was discovered in the POSIX timer cleanup handling on process exit. A local attacker could exploit this to cause the machine to hang (Denial of Service). This flaw only affects multiprocessor (SMP) systems. (CVE-2005-3805)

A Denial of Service vulnerability was discovered in the IPv6 flowlabel handling code. By invoking setsockopt(IPV6_FLOWLABEL_MGR) in a special way, a local attacker could cause memory corruption which eventually led to a kernel crash. (CVE-2005-3806)

A memory leak was discovered in the VFS lease handling. These operations are commonly executed by the Samba server, which led to steady memory exhaustion. By repeatedly triggering the affected operations in quick succession, a local attacker could exploit this to drain all memory, which leads to a Denial of Service. (CVE-2005-3807)

An integer overflow was discovered in the invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls on a 32 bit system, a local user could exploit this to crash the machine, thereby causing Denial of Service. This flaw does not affect the amd64 platform, and does only affect Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function. By sending a large amount of specially crafted packets, a remote attacker could exploit this to drain all memory, which eventually leads to a Denial of Service. (CVE-2005-3848)

Chris Wrigth found a Denial of Service vulnerability in the time_out_leases() function. By allocating a large number of VFS file lock leases and having them timeout at the same time, a large number of 'printk' debugging statements was generated at the same time, which could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish() function. A remote attacker could exploit this by sending specially crafted IPv6 packets, which would eventually drain all available kernel memory, thus causing a Denial of Service. (CVE-2005-3858)