Executive Summary

Summary
Title Linux kernel vulnerabilities
Informations
Name USN-95-1 First vendor Publication 2005-03-15
Vendor Ubuntu Last vendor Modification 2005-03-15
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

linux-image-2.6.8.1-5-386 linux-image-2.6.8.1-5-686 linux-image-2.6.8.1-5-686-smp linux-image-2.6.8.1-5-amd64-generic linux-image-2.6.8.1-5-amd64-k8 linux-image-2.6.8.1-5-amd64-k8-smp linux-image-2.6.8.1-5-amd64-xeon linux-image-2.6.8.1-5-k7 linux-image-2.6.8.1-5-k7-smp linux-image-2.6.8.1-5-power3 linux-image-2.6.8.1-5-power3-smp linux-image-2.6.8.1-5-power4 linux-image-2.6.8.1-5-power4-smp linux-image-2.6.8.1-5-powerpc linux-image-2.6.8.1-5-powerpc-smp linux-patch-debian-2.6.8.1

The problem can be corrected by upgrading the affected package to version 2.6.8.1-16.12. You need to reboot the computer after doing a standard system upgrade to effect the necessary changes.

Details follow:

A remote Denial of Service vulnerability was discovered in the Netfilter IP packet handler. This allowed a remote attacker to crash the machine by sending specially crafted IP packet fragments. (CAN-2005-0209)

The Netfilter code also contained a memory leak. Certain locally generated packet fragments are reassembled twice, which caused a double allocation of a data structure. This could be locally exploited to crash the machine due to kernel memory exhaustion. (CAN-2005-0210)

Ben Martel and Stephen Blackheath found a remote Denial of Service vulnerability in the PPP driver. This allowed a malicious pppd client to crash the server machine. (CAN-2005-0384)

Georgi Guninski discovered a buffer overflow in the ATM driver. The atm_get_addr() function does not validate its arguments sufficiently, which could allow a local attacker to overwrite large portions of kernel memory by supplying a negative length argument. This could eventually lead to arbitrary code execution. (CAN-2005-0531)

Georgi Guninski also discovered three other integer comparison problems in the TTY layer, in the /proc interface and the ReiserFS driver. However, the previous Ubuntu security update (kernel version 2.6.8.1-16.11) already contained a patch which checks the arguments to these functions at a higher level and thus prevents these flaws from being exploited. (CAN-2005-0529, CAN-2005-0530, CAN-2005-0532)

Georgi Guninski discovered an integer overflow in the sys_epoll_wait() function which allowed local users to overwrite the first few kB of physical memory. However, very few applications actually use this space (dosemu is a notable exception), but potentially this could lead to privilege escalation. (CAN-2005-0736)

Eric Anholt discovered a race condition in the Radeon DRI driver. In some cases this allowed a local user with DRI privileges on a Radeon card to execute arbitrary code with root privileges.

Finally this update fixes a regression in the NFS server driver which was introduced in the previous security update (kernel version 2.6.8.1-16.11). We apologize for the inconvenience. (https://bugzilla.ubuntulinux.org/show_bug.cgi?id=6749)

Original Source

Url : http://www.ubuntu.com/usn/USN-95-1

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-399 Resource Management Errors
50 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10095
 
Oval ID: oval:org.mitre.oval:def:10095
Title: The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.
Description: The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0531
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10275
 
Oval ID: oval:org.mitre.oval:def:10275
Title: The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.
Description: Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0210
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10431
 
Oval ID: oval:org.mitre.oval:def:10431
Title: Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.
Description: Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0767
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10960
 
Oval ID: oval:org.mitre.oval:def:10960
Title: Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.
Description: Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0530
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11855
 
Oval ID: oval:org.mitre.oval:def:11855
Title: The directory-services functionality in the scheduler in CUPS 1.1.17 and 1.1.22 allows remote attackers to cause a denial of service (cupsd daemon outage or crash) via manipulations of the timing of CUPS browse packets, related to a "pointer use-after-delete flaw."
Description: Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0209
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8994
 
Oval ID: oval:org.mitre.oval:def:8994
Title: Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.
Description: Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0529
 Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9562
 
Oval ID: oval:org.mitre.oval:def:9562
Title: Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client.
Description: Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0384
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9870
 
Oval ID: oval:org.mitre.oval:def:9870
Title: Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.
Description: Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0736
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1
Os 17
Os 6
Os 1
Os 2
Os 4
Os 3
Os 1

OpenVAS Exploits

Date Description
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-10-10 Name : SLES9: Security update for Linux kernel
File : nvt/sles9p5011171.nasl
2008-01-17 Name : Debian Security Advisory DSA 1067-1 (kernel 2.4.16)
File : nvt/deb_1067_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1070-1 (kernel-source-2.4.19,kernel-image-sparc-...
File : nvt/deb_1070_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1082-1 (kernel-2.4.17)
File : nvt/deb_1082_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
14966 Linux Kernel Netfilter Memory Leak DoS
14965 Linux Kernel Netfliter IP Packet Fragment DoS
14871 Linux Kernel reiserfs_copy_from_user_to_file_region Function Local Overflow

A local overflow exists in Linux Kernel. The Linux Kernel code performs poor input validation in the reiserfs_copy_from_user_to_file_region function when used with 64 bit architectures due to discrepancies between the size_t and the int data type resulting in a local buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
14810 Linux Kernel Malformed PPP Packet Remote DoS

Kernel contains a flaw in drivers/net/ppp_async.c that may allow a remote denial of service. The issue is triggered when a remote user sends a specially crafted PPP packet, and will result in loss of availability for the platform. No further details have been provided.
14777 Linux Kernel sys_epoll_wait() Function Local Overflow
13821 Linux Kernel Radeon Driver with DRI Race Condition
13820 Linux Kernel addr.c atm_get_addr Function Local Overflow
13819 Linux Kernel drivers/char/n_tty.c Arbitrary Kernel Memory Disclosure
13818 Linux Kernel /proc locks_read_proc() Function Overflow

Nessus® Vulnerability Scanner

Date Description
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1067.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1069.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1070.nasl - Type : ACT_GATHER_INFO
2006-10-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1082.nasl - Type : ACT_GATHER_INFO
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-366.nasl - Type : ACT_GATHER_INFO
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-420.nasl - Type : ACT_GATHER_INFO
2006-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-293.nasl - Type : ACT_GATHER_INFO
2006-07-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-663.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-95-1.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-219.nasl - Type : ACT_GATHER_INFO
2005-10-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-663.nasl - Type : ACT_GATHER_INFO
2005-09-12 Name : The remote Fedora Core host is missing a security update.
File : fedora_2005-313.nasl - Type : ACT_GATHER_INFO
2005-07-01 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-110.nasl - Type : ACT_GATHER_INFO
2005-07-01 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-111.nasl - Type : ACT_GATHER_INFO
2005-06-10 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-420.nasl - Type : ACT_GATHER_INFO
2005-05-19 Name : The remote Fedora Core host is missing a security update.
File : fedora_2005-262.nasl - Type : ACT_GATHER_INFO
2005-04-29 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-283.nasl - Type : ACT_GATHER_INFO
2005-04-25 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-293.nasl - Type : ACT_GATHER_INFO
2005-04-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-366.nasl - Type : ACT_GATHER_INFO
2005-03-25 Name : The remote host is missing a vendor-supplied security patch
File : suse_SA_2005_018.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 12:06:52
  • Multiple Updates
2013-05-11 12:26:23
  • Multiple Updates