Debian Security Advisory

DSA-1018-2 kernel-source-2.4.27 -- several vulnerabilities

Date Reported:
24 Mar 2006
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2004-0887, CVE-2004-1058, CVE-2004-2607, CVE-2005-0449, CVE-2005-1761, CVE-2005-2457, CVE-2005-2555, CVE-2005-2709, CVE-2005-2973, CVE-2005-3257, CVE-2005-3783, CVE-2005-3806, CVE-2005-3848, CVE-2005-3857, CVE-2005-3858, CVE-2005-4618.
More information:

The original update lacked recompiled ALSA modules against the new kernel ABI. Furthermore, kernel-latest-2.4-sparc now correctly depends on the updated packages. For completeness we're providing the original problem description:

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2004-0887

    Martin Schwidefsky discovered that the privileged instruction SACF (Set Address Space Control Fast) on the S/390 platform is not handled properly, allowing for a local user to gain root privileges.

  • CVE-2004-1058

    A race condition allows for a local user to read the environment variables of another process that is still spawning through /proc/.../cmdline.

  • CVE-2004-2607

    A numeric casting discrepancy in sdla_xfer allows local users to read portions of kernel memory via a large len argument, which is received as an int but cast to a short, preventing the read loop from filling a buffer.

  • CVE-2005-0449

    An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack.

  • CVE-2005-1761

    A vulnerability in the ptrace subsystem of the IA-64 architecture can allow local attackers to overwrite kernel memory and crash the kernel.

  • CVE-2005-2457

    Tim Yamin discovered that insufficient input validation in the compressed ISO file system (zisofs) allows a denial of service attack through maliciously crafted ISO images.

  • CVE-2005-2555

    Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack.

  • CVE-2005-2709

    Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode.

  • CVE-2005-2973

    Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack.

  • CVE-2005-3257

    Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation.

  • CVE-2005-3783

    The ptrace code using CLONE_THREAD didn't use the thread group ID to determine whether the caller is attaching to itself, which allows a denial of service attack.

  • CVE-2005-3806

    Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, which could lead to memory corruption and denial of service.

  • CVE-2005-3848

    Ollie Wild discovered a memory leak in the icmp_push_reply() function, which allows denial of service through memory consumption.

  • CVE-2005-3857

    Chris Wright discovered that excessive allocation of broken file lock leases in the VFS layer can exhaust memory and fill up the system logging, which allows denial of service.

  • CVE-2005-3858

    Patrick McHardy discovered a memory leak in the ip6_input_finish() function from the IPv6 code, which allows denial of service.

  • CVE-2005-4618

    Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which allows a denial of service attack.

The following matrix explains which kernel version for which architecture fixes the problems mentioned above:

Debian 3.1 (sarge)
Source 2.4.27-10sarge2
Alpha architecture 2.4.27-10sarge2
ARM architecture 2.4.27-2sarge2
Intel IA-32 architecture 2.4.27-10sarge2
Intel IA-64 architecture 2.4.27-10sarge2
Motorola 680x0 architecture 2.4.27-3sarge2
Big endian MIPS architecture 2.4.27-10.sarge1.040815-2
Little endian MIPS architecture 2.4.27-10.sarge1.040815-2
PowerPC architecture 2.4.27-10sarge2
IBM S/390 architecture 2.4.27-2sarge2
Sun Sparc architecture 2.4.27-9sarge2

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:

Debian 3.1 (sarge)
kernel-latest-2.4-alpha 101sarge1
kernel-latest-2.4-i386 101sarge1
kernel-latest-2.4-s390 2.4.27-1sarge1
kernel-latest-2.4-sparc 42sarge1
kernel-latest-powerpc 102sarge1
fai-kernels 1.9.1sarge1
i2c 1:2.9.1-1sarge1
kernel-image-speakup-i386 2.4.27-1.1sasrge1
lm-sensors 1:2.9.1-1sarge3
mindi-kernel 2.4.27-2sarge1
systemimager 3.2.3-6sarge1

We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.

This update introduces a change in the kernel's binary interface. The affected kernel packages inside Debian have been rebuilt; if you're running local add-ons, you'll need to rebuild these as well.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.

MD5 checksums of the listed files are available in the revised advisory.