Debian Security Advisory

DSA-2240-1 linux-2.6 -- privilege escalation/denial of service/information leak

Date Reported:
24 May 2011
Affected Packages:
linux-2.6
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2010-3875, CVE-2011-0695, CVE-2011-0711, CVE-2011-0726, CVE-2011-1016, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1090, CVE-2011-1160, CVE-2011-1163, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1173, CVE-2011-1180, CVE-2011-1182, CVE-2011-1476, CVE-2011-1477, CVE-2011-1478, CVE-2011-1493, CVE-2011-1494, CVE-2011-1495, CVE-2011-1585, CVE-2011-1593, CVE-2011-1598, CVE-2011-1745, CVE-2011-1746, CVE-2011-1748, CVE-2011-1759, CVE-2011-1767, CVE-2011-1770, CVE-2011-1776, CVE-2011-2022.
More information:

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2010-3875

    Vasiliy Kulikov discovered an issue in the Linux implementation of the Amateur Radio AX.25 Level 2 protocol. Local users may obtain access to sensitive kernel memory.

  • CVE-2011-0695

    Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can exploit a race condition to cause a denial of service (kernel panic).

  • CVE-2011-0711

    Dan Rosenberg reported an issue in the XFS filesystem. Local users may obtain access to sensitive kernel memory.

  • CVE-2011-0726

    Kees Cook reported an issue in the /proc/pid/stat implementation. Local users could learn the text location of a process, defeating protections provided by address space layout randomization (ASLR).

  • CVE-2011-1016

    Marek Olšák discovered an issue in the driver for ATI/AMD Radeon video chips. Local users could pass arbitrary values to video memory and the graphics translation table, resulting in denial of service or escalated privileges. On default Debian installations, this is exploitable only by members of the video group.

  • CVE-2011-1078

    Vasiliy Kulikov discovered an issue in the Bluetooth subsystem. Local users can obtain access to sensitive kernel memory.

  • CVE-2011-1079

    Vasiliy Kulikov discovered an issue in the Bluetooth subsystem. Local users with the CAP_NET_ADMIN capability can cause a denial of service (kernel Oops).

  • CVE-2011-1080

    Vasiliy Kulikov discovered an issue in the Netfilter subsystem. Local users can obtain access to sensitive kernel memory.

  • CVE-2011-1090

    Neil Horman discovered a memory leak in the setacl() call on NFSv4 filesystems. Local users can exploit this to cause a denial of service (Oops).

  • CVE-2011-1160

    Peter Huewe reported an issue in the Linux kernel's support for TPM security chips. Local users with permission to open the device can gain access to sensitive kernel memory.

  • CVE-2011-1163

    Timo Warns reported an issue in the kernel support for Alpha OSF format disk partitions. Users with physical access can gain access to sensitive kernel memory by adding a storage device with a specially crafted OSF partition.

  • CVE-2011-1170

    Vasiliy Kulikov reported an issue in the Netfilter ARP table implementation. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory.

  • CVE-2011-1171

    Vasiliy Kulikov reported an issue in the Netfilter IP table implementation. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory.

  • CVE-2011-1172

    Vasiliy Kulikov reported an issue in the Netfilter IPv6 table implementation. Local users with the CAP_NET_ADMIN capability can gain access to sensitive kernel memory.

  • CVE-2011-1173

    Vasiliy Kulikov reported an issue in the Acorn Econet protocol implementation. Local users can obtain access to sensitive kernel memory on systems that use this rare hardware.

  • CVE-2011-1180

    Dan Rosenberg reported a buffer overflow in the Information Access Service of the IrDA protocol, used for Infrared devices. Remote attackers within IR device range can cause a denial of service or possibly gain elevated privileges.

  • CVE-2011-1182

    Julien Tinnes reported an issue in the rt_sigqueueinfo interface. Local users can generate signals with falsified source pid and uid information.

  • CVE-2011-1476

    Dan Rosenberg reported issues in the Open Sound System MIDI interface that allow local users to cause a denial of service. This issue does not affect official Debian Linux image packages as they no longer provide support for OSS. However, custom kernels built from Debian's linux-source-2.6.32 may have enabled this configuration and would therefore be vulnerable.

  • CVE-2011-1477

    Dan Rosenberg reported issues in the Open Sound System driver for cards that include a Yamaha FM synthesizer chip. Local users can cause memory corruption resulting in a denial of service. This issue does not affect official Debian Linux image packages as they no longer provide support for OSS. However, custom kernels built from Debian's linux-source-2.6.32 may have enabled this configuration and would therefore be vulnerable.

  • CVE-2011-1478

    Ryan Sweat reported an issue in the Generic Receive Offload (GRO) support in the Linux networking subsystem. If an interface has GRO enabled and is running in promiscuous mode, remote users can cause a denial of service (NULL pointer dereference) by sending packets on an unknown VLAN.

  • CVE-2011-1493

    Dan Rosenburg reported two issues in the Linux implementation of the Amateur Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of service by providing specially crafted facilities fields.

  • CVE-2011-1494

    Dan Rosenberg reported an issue in the /dev/mpt2ctl interface provided by the driver for LSI MPT Fusion SAS 2.0 controllers. Local users can obtain elevated privileges by specially crafted ioctl calls. On default Debian installations this is not exploitable as this interface is only accessible to root.

  • CVE-2011-1495

    Dan Rosenberg reported two additional issues in the /dev/mpt2ctl interface provided by the driver for LSI MPT Fusion SAS 2.0 controllers. Local users can obtain elevated privileges and read arbitrary kernel memory by using specially crafted ioctl calls. On default Debian installations this is not exploitable as this interface is only accessible to root.

  • CVE-2011-1585

    Jeff Layton reported an issue in the Common Internet File System (CIFS). Local users can bypass authentication requirements for shares that are already mounted by another user.

  • CVE-2011-1593

    Robert Swiecki reported a signedness issue in the next_pidmap() function, which can be exploited by local users to cause a denial of service.

  • CVE-2011-1598

    Dave Jones reported an issue in the Broadcast Manager Controller Area Network (CAN/BCM) protocol that may allow local users to cause a NULL pointer dereference, resulting in a denial of service.

  • CVE-2011-1745

    Vasiliy Kulikov reported an issue in the Linux support for AGP devices. Local users can obtain elevated privileges or cause a denial of service due to missing bounds checking in the AGPIOC_BIND ioctl. On default Debian installations, this is exploitable only by users in the video group.

  • CVE-2011-1746

    Vasiliy Kulikov reported an issue in the Linux support for AGP devices. Local users can obtain elevated privileges or cause a denial of service due to missing bounds checking in the agp_allocate_memory and agp_create_user_memory routines. On default Debian installations, this is exploitable only by users in the video group.

  • CVE-2011-1748

    Oliver Kartkopp reported an issue in the Controller Area Network (CAN) raw socket implementation which permits local users to cause a NULL pointer dereference, resulting in a denial of service.

  • CVE-2011-1759

    Dan Rosenberg reported an issue in the support for executing old ABI binaries on ARM processors. Local users can obtain elevated privileges due to insufficient bounds checking in the semtimedop system call.

  • CVE-2011-1767

    Alexecy Dobriyan reported an issue in the GRE over IP implementation. Remote users can cause a denial of service by sending a packet during module initialization.

  • CVE-2011-1770

    Dan Rosenberg reported an issue in the Datagram Congestion Control Protocol (DCCP). Remote users can cause a denial of service or potentially obtain access to sensitive kernel memory.

  • CVE-2011-1776

    Timo Warns reported an issue in the Linux implementation for GUID partitions. Users with physical access can gain access to sensitive kernel memory by adding a storage device with a specially crafted corrupted invalid partition table.

  • CVE-2011-2022

    Vasiliy Kulikov reported an issue in the Linux support for AGP devices. Local users can obtain elevated privileges or cause a denial of service due to missing bounds checking in the AGPIOC_UNBIND ioctl. On default Debian installations, this is exploitable only by users in the video group.

This update also includes changes queued for the next point release of Debian 6.0, which also fix various non-security issues. These additional changes are described in the package changelog.

For the stable distribution (squeeze), these problems have been fixed in version 2.6.32-34squeeze1. Updates for issues impacting the oldstable distribution (lenny) will be available soon.

The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:

  Debian 6.0 (squeeze)
user-mode-linux 2.6.32-1um-4+34squeeze1

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.