[ MDVSA-2009:289 ] kernel

[dude67]

_______________________________________________________________________

Package : kernel
Date : October 27, 2009
Affected: 2009.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
space layout randomization (ASLR). (CVE-2009-1895)

Stack-based buffer overflow in the parse_tag_11_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
crafted eCryptfs file, related to not ensuring that the key signature
length in a Tag 11 packet is compatible with the key signature buffer
size. (CVE-2009-2406)

Heap-based buffer overflow in the parse_tag_3_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
crafted eCryptfs file, related to a large encrypted key size in a
Tag 3 packet. (CVE-2009-2407)

The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the
Linux kernel 2.6.31 allows local users to cause a denial of service
(kernel OOPS) and possibly execute arbitrary code via unspecified
vectors that cause a negative dentry and trigger a NULL pointer
dereference, as demonstrated via a Mutt temporary directory in an
eCryptfs mount. (CVE-2009-2908)

The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in
the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when
running on x86 systems, does not prevent access to MMU hypercalls
from ring 0, which allows local guest OS users to cause a denial of
service (guest kernel crash) and read or write guest kernel memory
via unspecified random addresses. (CVE-2009-3290)

Additionaly, it includes the fixes from the stable kernel version
2.6.27.37. It also fixes also fixes IBM x3650 M2 hanging when using
both network interfaces and Wake on Lan problems on r8169. For details,
check the package changelog.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-1895
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2406
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2407
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2908
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3290
https://qa.mandriva.com/52294
https://qa.mandriva.com/52572
https://qa.mandriva.com/52573
https://qa.mandriva.com/53914
https://qa.mandriva.com/54555
_______________________________________________________________________