Debian Security Advisory

DSA-2094-1 linux-2.6 -- privilege escalation/denial of service/information leak

Date Reported:
19 Aug 2010
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 589179.
In Mitre's CVE dictionary: CVE-2009-4895, CVE-2010-2226, CVE-2010-2240, CVE-2010-2248, CVE-2010-2521, CVE-2010-2798, CVE-2010-2803, CVE-2010-2959, CVE-2010-3015.
More information:

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-4895

    Kyle Bader reported an issue in the tty subsystem that allows local users to create a denial of service (NULL pointer dereference).

  • CVE-2010-2226

    Dan Rosenberg reported an issue in the xfs filesystem that allows local users to copy and read a file owned by another user, for which they only have write permissions, due to a lack of permission checking in the XFS_SWAPEXT ioctl.

  • CVE-2010-2240

    Rafal Wojtczuk reported an issue that allows users to obtain escalated privileges. Users must already have sufficient privileges to execute or connect clients to an Xorg server.

  • CVE-2010-2248

    Suresh Jayaraman discovered an issue in the CIFS filesystem. A malicious file server can set an incorrect "CountHigh" value, resulting in a denial of service (BUG_ON() assertion).

  • CVE-2010-2521

    Neil Brown reported an issue in the NFSv4 server code. A malicious client could trigger a denial of service (Oops) on a server due to a bug in the read_buf() routine.

  • CVE-2010-2798

    Bob Peterson reported an issue in the GFS2 file system. A file system user could cause a denial of service (Oops) via certain rename operations.

  • CVE-2010-2803

    Kees Cook reported an issue in the DRM (Direct Rendering Manager) subsystem. Local users with sufficient privileges (local X users or members of the 'video' group on a default Debian install) could acquire access to sensitive kernel memory.

  • CVE-2010-2959

    Ben Hawkes discovered an issue in the AF_CAN socket family. An integer overflow condition may allow local users to obtain elevated privileges.

  • CVE-2010-3015

    Toshiyuki Okajima reported an issue in the ext4 filesystem. Local users could trigger a denial of service (BUG assertion) by generating a specific set of filesystem operations.

This update also includes a fix for a regression introduced by a previous update. See the referenced Debian bug page for details.

For the stable distribution (lenny), these problems have been fixed in version 2.6.26-24lenny1.

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:

  Package            Debian 5.0 (lenny)
  user-mode-linux    2.6.26-1um-2+24lenny1

Updates for arm and mips will be released as they become available.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.