__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Kernel Security Update
[Red Hat RHSA:2007:0014-6]

January 30, 2007 19:00 GMT                                   Number R-117
[REVISED 22 Jun 2007]
[REVISED 7 Dec 2007]
[REVISED 26 Feb 2008]
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities in the Red Hat
               Enterprise Linux 4 kernel.
PLATFORM:      Red Hat Desktop (v. 3, v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4)
               Debian GNU/Linux 3.1 (sarge) and 3.1 (oldstable)
DAMAGE:        Local users can execute arbitrary code.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Local users can execute arbitrary code.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-117.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0014.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2007/dsa-1304
                     http://www.debian.org/security/2007/dsa-1503
                     http://www.debian.org/security/2007/dsa-1504
                     https://rhn.redhat.com/errata/RHSA-2007-1049.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-4538 CVE-2006-4813 CVE-2006-4814 CVE-2006-5174
                     CVE-2006-5619 CVE-2006-5751 CVE-2006-5753 CVE-2006-5754
                     CVE-2006-5757 CVE-2006-5823 CVE-2006-6053 CVE-2006-6054
                     CVE-2006-6056 CVE-2006-6106 CVE-2006-6535
______________________________________________________________________________
REVISION HISTORY:
06/22/2007 - revised R-117 to add a link to Debian Security Advisory DSA-1304-1
             for Debian GNU/Linux 3.1 (sarge).
12/07/2007 - revised R-117 to add a link to Red Hat RHSA-2007:1049-8 for Red Hat
             Desktop (v. 3) and Red Hat Enterprise Linux AS, ES, WS (v. 3).
02/26/2008 - revised R-117 to add links to Debian Security Advisories DSA-1503-1
             and DSA-1504-1 for Debian GNU/Linux 3.1 (oldstable).

[***** Start Red Hat RHSA:2007:0014-6 *****]

Important: kernel security update

Advisory:           RHSA-2007:0014-6
Type:               Security Advisory
Severity:           Important
Issued on:          2007-01-30
Last updated on:    2007-01-30
Affected Products:  Red Hat Desktop (v. 4)
                    Red Hat Enterprise Linux AS (v. 4)
                    Red Hat Enterprise Linux ES (v. 4)
                    Red Hat Enterprise Linux WS (v. 4)
OVAL:               com.redhat.rhsa-20070014.xml
CVEs (cve.mitre.org):
                    CVE-2006-4538 CVE-2006-4813 CVE-2006-4814 CVE-2006-5174
                    CVE-2006-5619 CVE-2006-5751 CVE-2006-5753 CVE-2006-5754
                    CVE-2006-5757 CVE-2006-5823 CVE-2006-6053 CVE-2006-6054
                    CVE-2006-6056 CVE-2006-6106 CVE-2006-6535

Details

Updated kernel packages that fix several security issues in the Red Hat
Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by
the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described
below:

* a flaw in the get_fdb_entries function of the network bridging support
  that allowed a local user to cause a denial of service (crash) or allow a
  potential privilege escalation (CVE-2006-5751, Important)

* an information leak in the __block_prepare_write function that allowed a
  local user to read kernel memory (CVE-2006-4813, Important)

* an information leak in the copy_from_user() implementation on s390 and
  s390x platforms that allowed a local user to read kernel memory
  (CVE-2006-5174, Important)

* a flaw in the handling of /proc/net/ip6_flowlabel that allowed a local
  user to cause a denial of service (infinite loop) (CVE-2006-5619, Important)

* a flaw in the AIO handling that allowed a local user to cause a denial of
  service (panic) (CVE-2006-5754, Important)

* a race condition in the mincore system call that allowed a local user to
  cause a denial of service (system hang) (CVE-2006-4814, Moderate)

* a flaw in the ELF handling on ia64 and sparc architectures which
  triggered a cross-region memory mapping and allowed a local user to cause a
  denial of service (CVE-2006-4538, Moderate)

* a flaw in the dev_queue_xmit function of the network subsystem that
  allowed a local user to cause a denial of service (data corruption)
  (CVE-2006-6535, Moderate)

* a flaw in the handling of CAPI messages over Bluetooth that allowed a
  remote system to cause a denial of service or potential code execution. This
  flaw is only exploitable if a privileged user establishes a connection to a
  malicious remote device (CVE-2006-6106, Moderate)

* a flaw in the listxattr system call that allowed a local user to cause a
  denial of service (data corruption) or potential privilege escalation. To
  successfully exploit this flaw the existence of a bad inode is required
  first (CVE-2006-5753, Moderate)

* a flaw in the __find_get_block_slow function that allowed a local
  privileged user to cause a denial of service (CVE-2006-5757, Low)

* various flaws in the supported filesystems that allowed a local
  privileged user to cause a denial of service (CVE-2006-5823, CVE-2006-6053,
  CVE-2006-6054, CVE-2006-6056, Low)

In addition to the security issues described above, fixes for the following
bugs were included:

* initialization error of the tg3 driver with some BCM5703x network cards

* a memory leak in the audit subsystem

* x86_64 nmi watchdog timeout is too short

* ext2/3 directory reads fail intermittently

Red Hat would like to thank Dmitriy Monakhov and Kostantin Khorenko for
reporting issues fixed in this erratum.

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to
the packages associated with their machine architecture and configurations
as listed in this erratum.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.9-42.0.8.EL.src.rpm
IA-32:
  kernel-2.6.9-42.0.8.EL.i686.rpm
  kernel-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-hugemem-2.6.9-42.0.8.EL.i686.rpm
  kernel-hugemem-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.i686.rpm
x86_64:
  kernel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.x86_64.rpm

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.9-42.0.8.EL.src.rpm
IA-32:
  kernel-2.6.9-42.0.8.EL.i686.rpm
  kernel-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-hugemem-2.6.9-42.0.8.EL.i686.rpm
  kernel-hugemem-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.i686.rpm
IA-64:
  kernel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-devel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.ia64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.ia64.rpm
PPC:
  kernel-2.6.9-42.0.8.EL.ppc64.rpm
  kernel-2.6.9-42.0.8.EL.ppc64iseries.rpm
  kernel-devel-2.6.9-42.0.8.EL.ppc64.rpm
  kernel-devel-2.6.9-42.0.8.EL.ppc64iseries.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.ppc64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.ppc64.rpm
s390:
  kernel-2.6.9-42.0.8.EL.s390.rpm
  kernel-devel-2.6.9-42.0.8.EL.s390.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
s390x:
  kernel-2.6.9-42.0.8.EL.s390x.rpm
  kernel-devel-2.6.9-42.0.8.EL.s390x.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
x86_64:
  kernel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.x86_64.rpm

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.9-42.0.8.EL.src.rpm
IA-32:
  kernel-2.6.9-42.0.8.EL.i686.rpm
  kernel-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-hugemem-2.6.9-42.0.8.EL.i686.rpm
  kernel-hugemem-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.i686.rpm
IA-64:
  kernel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-devel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.ia64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.ia64.rpm
x86_64:
  kernel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.x86_64.rpm

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.9-42.0.8.EL.src.rpm
IA-32:
  kernel-2.6.9-42.0.8.EL.i686.rpm
  kernel-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-hugemem-2.6.9-42.0.8.EL.i686.rpm
  kernel-hugemem-devel-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-2.6.9-42.0.8.EL.i686.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.i686.rpm
IA-64:
  kernel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-devel-2.6.9-42.0.8.EL.ia64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.ia64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.ia64.rpm
x86_64:
  kernel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-doc-2.6.9-42.0.8.EL.noarch.rpm
  kernel-largesmp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-largesmp-devel-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-2.6.9-42.0.8.EL.x86_64.rpm
  kernel-smp-devel-2.6.9-42.0.8.EL.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

180663 - CVE-2006-4814 Race condition in mincore can cause "ps -ef" to hang
205335 - CVE-2006-4538 Local DoS with corrupted ELF
206328 - CVE-2006-5757 Linux kernel Filesystem Mount Dead Loop
207463 - CVE-2006-4813 Information leak in __block_prepare_write()
209435 - CVE-2006-5174 copy_from_user information leak on s390
212144 - CVE-2006-6535 unbalanced local_bh_enable() in dev_queue_xmit()
213214 - CVE-2006-5619 Lockup via /proc/net/ip6_flowlabel
213921 - SAN file systems becoming read-only
214288 - CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
216452 - CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow
216958 - CVE-2006-5823 zlib_inflate memory corruption
217011 - CVE-2006-6056 SELinux superblock_doinit denial of service
217021 - CVE-2006-6054 ext2_check_page denial of service
217030 - CVE-2006-6053 ext3fs_dirhash denial of service
218602 - CVE-2006-6106 Multiple problems in net/bluetooth/cmtp/capi.c
220677 - CVE-2006-5753 listxattr syscall can corrupt user space programs
220971 - CVE-2006-5754 kernel panic in aio_free_ring()

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5757
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6535
http://www.redhat.com/security/updates/classification/#important

Keywords

kernel, nahant, update

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA:2007:0014-6 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
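
A patch-level check to go with the Solution section of the Red Hat erratum, as an added example that is not part of the CIAC bulletin or Red Hat's advisory: it compares kernel version-release strings against 2.6.9-42.0.8.EL, the release of the updated packages listed in the erratum. The function names and sample inputs are assumptions made for the example, and the comparison is a simplified stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): is a kernel at or above the fixed release?
FIXED="2.6.9-42.0.8.EL"   # version-release of the packages listed in this erratum

# `uname -r` appends the kernel flavour (smp, hugemem, largesmp) to the release.
normalize() {
    v=$1
    for f in largesmp hugemem smp; do
        case $v in *EL"$f") v=${v%"$f"}; break ;; esac
    done
    printf '%s\n' "$v"
}

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Simplified RPM-style comparison; prints -1, 0 or 1. Assumes segments are
# separated by '.' or '-' and are each all-digit or all-letter.
vercmp() (
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%[.-]*}; y=${b%%[.-]*}
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
        if is_num "$x" && is_num "$y"; then
            if [ "$x" -lt "$y" ]; then echo -1; exit 0; fi
            if [ "$x" -gt "$y" ]; then echo 1; exit 0; fi
        elif is_num "$x"; then echo 1; exit 0     # a numeric segment is newer
        elif is_num "$y"; then echo -1; exit 0    # than a letter or missing one
        elif [ "$x" != "$y" ]; then
            if expr "x$x" \< "x$y" >/dev/null; then echo -1; else echo 1; fi
            exit 0
        fi
    done
    echo 0
)

kernel_is_fixed() {
    [ "$(vercmp "$(normalize "$1")" "$FIXED")" -ge 0 ]
}

# Reads one version-release per line, e.g. `uname -r` plus the output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel kernel-smp
# and returns non-zero if any entry is older than the fixed release.
audit() {
    rc=0
    while IFS= read -r k; do
        [ -n "$k" ] || continue
        if kernel_is_fixed "$k"; then echo "OK       $k"
        else echo "OUTDATED $k"; rc=1; fi
    done
    return $rc
}

# Constructed sample inputs (not taken from a real host).
printf '%s\n' 2.6.9-42.ELsmp 2.6.9-42.0.3.EL 2.6.9-42.0.8.ELsmp 2.6.9-55.EL | audit || true
```

Check the running kernel (`uname -r`) as well as the installed packages: a host that has the updated RPMs but has not been rebooted is still running the old kernel.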