__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Kernel Security Update
[Red Hat RHSA-2006:0617-15]

August 23, 2006 18:00 GMT                                        Number Q-293
[REVISED 25 Sept 2006]
[REVISED 7 Nov 2006]
[REVISED 17 Jan 2007]
[REVISED 18 Jan 2007]
______________________________________________________________________________
PROBLEM:   There is a flaw in the DVD handling of the CDROM driver.
PLATFORM:  Red Hat Desktop (v. 3 & v. 4)
           Red Hat Enterprise Linux AS, ES, WS (v. 3, v. 4, & v. 2.1)
           Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
DAMAGE:    This can be used together with a custom built USB device to gain
           root privileges.
SOLUTION:  Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY ASSESSMENT:
           The risk is MEDIUM. A flaw in the DVD handling of the CDROM driver
           that could be used together with a custom built USB device to gain
           root privileges.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-293.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2006:0617-15
                     https://rhn.redhat.com/errata/RHSA-2006-0617.html
 ADDITIONAL LINKS:   Debian Security Advisory 1183-1
                     http://www.debian.org/security/2006/dsa-1183
                     Debian Security Advisory 1184-1
                     http://www.debian.org/security/2006/dsa-1184
                     Red Hat RHSA-2006:0710-7
                     https://rhn.redhat.com/errata/RHSA-2006-0710.html
                     Red Hat RHSA-2007:0013-2
                     https://rhn.redhat.com/errata/RHSA-2007-0013.html
                     Red Hat RHSA-2007:0012-2
                     https://rhn.redhat.com/errata/RHSA-2007-0012.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935
______________________________________________________________________________
REVISION HISTORY:
09/25/06 - added links to Debian Security Advisories 1183-1 and 1184-1.
11/07/06 - revised to add a link to Red Hat RHSA-2006:0710-7 for Red Hat
           Desktop (v. 3) and Red Hat Enterprise Linux AS, ES, WS (v. 3).
01/17/07 - revised to add a link to Red Hat RHSA-2007:0013-2 for Red Hat
           Enterprise Linux AS, ES, WS (v. 2.1).
01/18/07 - revised to add a link to Red Hat RHSA-2007:0012-2 for Red Hat
           Enterprise Linux AS (v. 2.1) & Linux Advanced Workstation 2.1 for
           the Itanium Processor.

[***** Start Red Hat RHSA-2006:0617-15 *****]

Important: kernel security update

Advisory:          RHSA-2006:0617-15
Type:              Security Advisory
Issued on:         2006-08-22
Last updated on:   2006-08-22
Affected Products: Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org):
                   CVE-2004-2660
                   CVE-2006-1858
                   CVE-2006-2444
                   CVE-2006-2932
                   CVE-2006-2935
                   CVE-2006-2936
                   CVE-2006-3468
                   CVE-2006-3626
                   CVE-2006-3745

Details

Updated kernel packages that fix several security issues in the Red Hat
Enterprise Linux 4 kernel are now available.
This security advisory has been rated as having important security impact by
the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described
below:

* a flaw in the proc file system that allowed a local user to use a
  suid-wrapper for scripts to gain root privileges (CVE-2006-3626, Important)

* a flaw in the SCTP implementation that allowed a local user to cause a
  denial of service (panic) or to possibly gain root privileges
  (CVE-2006-3745, Important)

* a flaw in NFS exported ext2/ext3 partitions when handling invalid inodes
  that allowed a remote authenticated user to cause a denial of service
  (filesystem panic) (CVE-2006-3468, Important)

* a flaw in the restore_all code path of the 4/4GB split support of
  non-hugemem kernels that allowed a local user to cause a denial of service
  (panic) (CVE-2006-2932, Important)

* a flaw in IPv4 netfilter handling for the unlikely use of SNMP NAT
  processing that allowed a remote user to cause a denial of service (crash)
  or potential memory corruption (CVE-2006-2444, Moderate)

* a flaw in the DVD handling of the CDROM driver that could be used together
  with a custom built USB device to gain root privileges (CVE-2006-2935,
  Moderate)

* a flaw in the handling of O_DIRECT writes that allowed a local user to
  cause a denial of service (memory consumption) (CVE-2004-2660, Low)

* a flaw in the SCTP chunk length handling that allowed a remote user to
  cause a denial of service (crash) (CVE-2006-1858, Low)

* a flaw in the input handling of the ftdi_sio driver that allowed a local
  user to cause a denial of service (memory consumption) (CVE-2006-2936, Low)

In addition a bugfix was added to enable a clean reboot for the IBM Pizzaro
machines.

Red Hat would like to thank Wei Wang of McAfee Avert Labs and Kirill Korotaev
for reporting issues fixed in this erratum.

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to
the packages associated with their machine architectures and configurations
as listed in this erratum.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

191736 - CVE-2004-2660 O_DIRECT write sometimes leaks memory
192632 - CVE-2006-2444 SNMP NAT netfilter memory corruption
192636 - CVE-2006-1858 SCTP chunk length overflow
196280 - CVE-2006-2932 bogus %ds/%es security issue in restore_all
197610 - CVE-2006-2936 Possible DoS in write routine of ftdi_sio driver
197670 - CVE-2006-2935 Possible buffer overflow in DVD handling
198973 - CVE-2006-3626 Nasty /proc privilege escalation
199172 - CVE-2006-3468 Bogus FH in NFS request causes DoS in file system code
200111 - Can't reboot/halt on IBM Pizzaro machine
202122 - CVE-2006-3745 Local SCTP privilege escalation

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3745
http://www.redhat.com/security/updates/classification/#important

Keywords

kernel, nahant, update

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2006:0617-15 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
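
Added example (not part of the CIAC or Red Hat text): a check, following the Solution step above, for whether a host already runs the kernel build this erratum ships, 2.6.9-42.0.2.EL (version and release taken from the erratum's package file names). It compares releases segment by segment the way rpm does, because a plain string comparison ranks 42.EL above 42.0.2.EL, and it flags hosts where the fixed package is installed but the old kernel is still running. The host names and inventory values are constructed, and the code assumes that `uname -r` appends the kernel flavour (smp, hugemem, largesmp) to the release and that no epoch is involved.

```python
import re

# Fixed kernel build from this erratum's package names: kernel-2.6.9-42.0.2.EL
FIXED_VERSION, FIXED_RELEASE = "2.6.9", "42.0.2.EL"
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")
_FLAVOUR = re.compile(r"(smp|hugemem|largesmp)$")


def rpmvercmp(a, b):
    """Compare version or release strings by segments, as rpm does ('~'/'^' not handled)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def is_fixed(version_release):
    """True if 'VERSION-RELEASE' (rpm or uname -r form) is at or above the fixed build."""
    version, release = version_release.split("-", 1)
    release = _FLAVOUR.sub("", release)       # assumption: uname -r appends the flavour
    cmp_v = rpmvercmp(version, FIXED_VERSION)
    return cmp_v > 0 or (cmp_v == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0)


def classify(running, installed):
    """running: `uname -r` output; installed: kernel version-release strings from rpm."""
    if is_fixed(running):
        return "patched"
    if any(is_fixed(vr) for vr in installed):
        return "reboot-needed"                # update applied, old kernel still booted
    return "vulnerable"


# Constructed sample inventory: host -> (running kernel, installed kernel builds).
INVENTORY = {
    "web01": ("2.6.9-42.0.2.ELsmp", ["2.6.9-42.EL", "2.6.9-42.0.2.EL"]),
    "db01": ("2.6.9-42.ELsmp", ["2.6.9-42.EL", "2.6.9-42.0.2.EL"]),
    "old01": ("2.6.9-34.0.2.EL", ["2.6.9-34.0.2.EL"]),
}

if __name__ == "__main__":
    for host, (running, installed) in sorted(INVENTORY.items()):
        print(host, classify(running, installed))
```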