Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:
- CVE-2006-5823
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted cramfs filesystem.
- CVE-2006-6054
LMH reported a potential local DoS which could be exploited by a malicious
user with the privileges to mount and read a corrupted ext2 filesystem.
- CVE-2006-6058
LMH reported an issue in the minix filesystem that allows local users
with mount privileges to create a DoS (printk flood) by mounting a
specially crafted corrupt filesystem.
- CVE-2006-7203
OpenVZ Linux kernel team reported an issue in the smbfs filesystem which
can be exploited by local users to cause a DoS (oops) during mount.
- CVE-2007-1353
Ilja van Sprundel discovered that kernel memory could be leaked via the
Bluetooth setsockopt call due to an uninitialized stack buffer. This
could be used by local attackers to read the contents of sensitive kernel
memory.
- CVE-2007-2172
Thomas Graf reported a typo in the DECnet protocol handler that could
be used by a local attacker to overrun an array via crafted packets,
potentially resulting in a Denial of Service (system crash).
A similar issue exists in the IPV4 protocol handler and will be fixed
in a subsequent update.
- CVE-2007-2525
Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused
by releasing a socket before PPPIOCGCHAN is called upon it. This could
be used by a local user to DoS a system by consuming all available memory.
- CVE-2007-3105
The PaX Team discovered a potential buffer overflow in the random number
generator which may permit local users to cause a denial of service or
gain additional privileges. This issue is not believed to effect default
Debian installations where only root has sufficient privileges to exploit
it.
- CVE-2007-3739
Adam Litke reported a potential local denial of service (oops) on
powerpc platforms resulting from unchecked VMA expansion into address
space reserved for hugetlb pages.
- CVE-2007-3740
Steve French reported that CIFS filesystems with CAP_UNIX enabled
were not honoring a process’ umask which may lead to unintentionally
relaxed permissions.
- CVE-2007-3848
Wojciech Purczynski discovered that pdeath_signal was not being reset
properly under certain conditions which may allow local users to gain
privileges by sending arbitrary signals to suid binaries.
- CVE-2007-4133
Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs.
A misconversion of hugetlb_vmtruncate_list to prio_tree may allow
local users to trigger a BUG_ON() call in exit_mmap.
- CVE-2007-4308
Alan Cox reported an issue in the aacraid driver that allows unprivileged
local users to make ioctl calls which should be restricted to admin
privileges.
- CVE-2007-4573
Wojciech Purczynski discovered a vulnerability that can be exploited
by a local user to obtain superuser privileges on x86_64 systems.
This resulted from improper clearing of the high bits of registers
during ia32 system call emulation. This vulnerability is relevant
to the Debian amd64 port as well as users of the i386 port who run
the amd64 linux-image flavour.
- CVE-2007-5093
Alex Smith discovered an issue with the pwc driver for certain webcam
devices. If the device is removed while a userspace application has it
open, the driver will wait for userspace to close the device, resulting
in a blocked USB subsystem. This issue is of low security impact as
it requires the attacker to either have physical access to the system
or to convince a user with local access to remove the device on their
behalf.
- CVE-2007-6063
Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl
handling, exploitable by a local user.
- CVE-2007-6151
ADLAB discovered a possible memory overrun in the ISDN subsystem that
may permit a local user to overwrite kernel memory by issuing
ioctls with unterminated data.
- CVE-2007-6206
Blake Frantz discovered that when a core file owned by a non-root user
exists, and a root-owned process dumps core over it, the core file
retains its original ownership. This could be used by a local user to
gain access to sensitive information.
- CVE-2007-6694
Cyrill Gorcunov reported a NULL pointer dereference in code specific
to the CHRP PowerPC platforms. Local users could exploit this issue
to achieve a Denial of Service (DoS).
- CVE-2008-0007
Nick Piggin of SuSE discovered a number of issues in subsystems which
register a fault handler for memory mapped areas. This issue can be
exploited by local users to achieve a Denial of Service (DoS) and possibly
execute arbitrary code.
The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:
|
Debian 3.1 (sarge) |
kernel-image-2.6.8-alpha |
2.6.8-17sarge1 |
kernel-image-2.6.8-amd64 |
2.6.8-17sarge1 |
kernel-image-2.6.8-hppa |
2.6.8-7sarge1 |
kernel-image-2.6.8-i386 |
2.6.8-17sarge1 |
kernel-image-2.6.8-ia64 |
2.6.8-15sarge1 |
kernel-image-2.6.8-m68k |
2.6.8-5sarge1 |
kernel-image-2.6.8-s390 |
2.6.8-6sarge1 |
kernel-image-2.6.8-sparc |
2.6.8-16sarge1 |
kernel-patch-powerpc-2.6.8 |
2.6.8-13sarge1 |
fai-kernels |
1.9.1sarge8 |
We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.