
[Fedora] Multiple vulnerabilities in the RedHat Fedora Linux kernel - FEDORA-2009-9044



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2009-2691 - Vulnerability in the Linux kernel allows process data
to be read

  A vulnerability exists in the implementation of the '/proc'
  filesystem. It allows an attacker to read the 'maps' and 'smaps'
  files associated with a particular process. Programs that have the
  SUID bit set are affected. An attacker can exploit this vulnerability
  to obtain information about the memory management of the process.

CVE-2009-2848 - Flaw in the Linux execve() system call

  Under certain circumstances the Linux execve() system call does not
  clear the "current->clear_child_tid" pointer. When threads are
  created and destroyed, this causes data structures in the kernel to
  be overwritten if the threads are created with the flags
  CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID. A local attacker can
  exploit this for a denial-of-service attack.

CVE-2009-2849 - Null pointer dereference in the Linux md driver

  In the Linux md driver a null pointer can be dereferenced when the
  system is suspended, if a local attacker has write access to certain
  areas of the sysfs filesystem (this is not the case by default). As a
  result the system can crash (denial of service).

CVE-2009-2847 - Linux kernel function do_sigaltstack() does not clear
padding data

  On 64-bit architectures the data structure of the signal stack
  contains some padding bytes. The Linux kernel function
  do_sigaltstack() does not clear them when the data structure is
  returned to the user after the call. Local attackers can thereby read
  part of the kernel memory area and so obtain possibly confidential
  information.

CVE-2009-2695 - Vulnerability in SELinux

  The SELinux kernel extension contains a vulnerability in the function
  'mmap_min_addr()'. The vulnerability makes it possible to trigger a
  null pointer dereference, which leads to a crash of the kernel. A
  local attacker can exploit this vulnerability for denial-of-service
  attacks.

The following software packages and platforms are affected:

  Package kernel

  Fedora 11

The vendor provides updated packages.

Vendor advisory:
  https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01256.html


(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the
author, DFN-CERT Services GmbH, and only for non-commercial purposes.

With kind regards,
   Michael Groening, DFN-CERT
- -- 

Michael Groening (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages               https://www.cert.dfn.de/autowarn

- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-9044
2009-08-27 00:48:36
- --------------------------------------------------------------------------------

Name        : kernel
Product     : Fedora 11
Version     : 2.6.29.6
Release     : 217.2.16.fc11
URL         : http://www.kernel.org/
Summary     : The Linux kernel
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

- --------------------------------------------------------------------------------
Update Information:

Security fixes:

  - CVE-2009-2691: Information disclosure in proc filesystem
  - CVE-2009-2848: execve: must clear current->child_tid
  - CVE-2009-2849: md: null pointer dereference
  - CVE-2009-2847: Information leak in do_sigaltstack

Restore missing LIRC drivers, dropped in previous release.

Backport upstream fixes that further improve the security of mmap of low
addresses. (CVE-2009-2695)
- --------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 24 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-217.2.16
- - Fix CVE-2009-2691: local information disclosure in /proc
* Fri Aug 21 2009 David Woodhouse <David.Woodhouse@xxxxxxxxx>
- - Fix b43 on iMac G5 (#514787)
* Tue Aug 18 2009 Kyle McMartin <kyle@xxxxxxxxxx>
- - CVE-2009-2848: execve: must clear current->clear_child_tid
- - Cherry pick upstream commits 52dec22e739eec8f3a0154f768a599f5489048bd
  which improve mmap_min_addr.
- - CVE-2009-2849: md: avoid dereferencing null ptr when accessing suspend
  sysfs attributes.
- - CVE-2009-2847: do_sigaltstack: avoid copying 'stack_t' as a structure
  to userspace
* Mon Aug 17 2009 Jarod Wilson <jarod@xxxxxxxxxx> 2.6.29.6-217.2.9
- - Fix flub in prior lirc patch update that resulted in no lirc
  drivers getting built
* Sat Aug 15 2009 Kyle McMartin <kyle@xxxxxxxxxx> 2.6.29.6-217.2.8
- - CVE-2009-2767: Fix clock_nanosleep NULL ptr deref.
* Fri Aug 14 2009 Kyle McMartin <kyle@xxxxxxxxxx> 2.6.29.6-217.2.7
- - CVE-2009-2692: Fix sock sendpage NULL ptr deref.
* Thu Aug 13 2009 Kristian Høgsberg <krh@xxxxxxxxxx> - 2.6.29.6-217.2.6
- - Backport 0e7ddf7e to fix bad BUG_ON() in i915 gem fence management
  code.  Adds drm-i915-gem-bad-bug-on.patch, fixes #514091.
* Wed Aug 12 2009 John W. Linville <linville@xxxxxxxxxx> 2.6.29.6-217.2.5
- - iwlwifi: fix TX queue race
* Mon Aug 10 2009 Jarod Wilson <jarod@xxxxxxxxxx> 2.6.29.6-217.2.4
- - Add tunable pad threshold support to lirc_imon
- - Blacklist all iMON devices in usbhid driver so lirc_imon can bind
- - Add new device ID to lirc_mceusb (#512483)
- - Enable IR transceiver on the HD PVR
* Wed Jul 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-217.2.3
- - Don't optimize away NULL pointer tests where pointer is used before the test.
  (CVE-2009-1897)
* Wed Jul 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-217.2.2
- - Fix mmap_min_addr security bugs (CVE-2009-1895)
* Wed Jul 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-217.2.1
- - Fix eCryptfs overflow issues (CVE-2009-2406, CVE-2009-2407)
* Thu Jul 23 2009 Kyle McMartin <kyle@xxxxxxxxxx> 2.6.29.6-217
- - Apply three patches requested by sgruszka@xxxxxxxxxx:
 - iwl3945-release-resources-before-shutting-down.patch
 - iwl3945-add-debugging-for-wrong-command-queue.patch
 - iwl3945-fix-rfkill-sw-and-hw-mishmash.patch
* Thu Jul 23 2009 Jarod Wilson <jarod@xxxxxxxxxx>
- - virtio_blk: don't bounce highmem requests, works around a frequent
  oops in kvm guests using virtio block devices (#510304)
* Wed Jul 22 2009 Tom "spot" Callaway <tcallawa@xxxxxxxxxx>
- - We have to override the new %install behavior because, well... the kernel is
special.
* Wed Jul 22 2009 Ben Skeggs <bskeggs@xxxxxxxxxx>
- - drm-nouveau.patch: Fix DPMS off for DAC outputs, NV4x PFIFO typo
* Tue Jul  7 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-213
- - Drop the correct patch to fix bug #498858
* Mon Jul  6 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-212
- - Additional fixes for bug #498854
* Thu Jul  2 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-211
- - Fix NFSD null credentials bug (#494067)
- - Remove null credentials debugging patch.
* Thu Jul  2 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-210
- - Linux 2.6.29.6
* Wed Jul  1 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.6-209.rc1
- - Linux 2.6.29.6-rc1
- - Enable CONFIG_DEBUG_CREDENTIALS in debug kernels only.
- - Dropped patches merged upstream:
    linux-2.6-netdev-r8169-fix-lg-pkt-crash.patch
    linux-2.6-input-atkbd-forced-release.patch
* Wed Jul  1 2009 Dave Airlie <airlied@xxxxxxxxxx> 2.6.29.5-208
- - drm-intel-a17-fix.patch, drm-pnp-add-resource-range-checker.patch,
  drm-i915-enable-mchbar.patch:
    backport upstream fixes for 915/945 tiling slowness.
* Tue Jun 30 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-207
- - Fix stalled NFS writes (#508174)
- - Fix broken TSC-based delay.
* Tue Jun 30 2009 Jarod Wilson <jarod@xxxxxxxxxx> 2.6.29.5-206
- - Fix busticated lirc_serial (#504402)
* Tue Jun 30 2009 Ben Skeggs <bskeggs@xxxxxxxxxx> 2.6.29.5-205
- - nouveau: Forcibly DPMS on DAC/SORs during modeset
* Mon Jun 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-204
- - Fix "port=" option in CIFS mount calls. (#506574)
* Mon Jun 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-203
- - Add support for Apple mini keyboard (#507517)
* Mon Jun 29 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-202
- - New debug patch for null selinux credentials (for bug #494067)
* Fri Jun 26 2009 Ben Skeggs <bskeggs@xxxxxxxxxx> 2.6.29.5-201
- - nouveau: bump timeout up a bit, some people hitting false hangs
* Fri Jun 26 2009 Ben Skeggs <bskeggs@xxxxxxxxxx> 2.6.29.5-200
- - nouveau: backport nv50 output script fixes from upstream
* Fri Jun 26 2009 Ben Skeggs <bskeggs@xxxxxxxxxx>
- - nouveau: fix GT200 context control, will allow use of 3D engine now
* Wed Jun 24 2009 Jarod Wilson <jarod@xxxxxxxxxx> 2.6.29.5-198
- - Fix lirc_i2c functionality (#507047)
- - Add ability to disable lirc_imon mouse mode
* Wed Jun 24 2009 Kyle McMartin <kyle@xxxxxxxxxx>
- - config changes:
 - generic:
  - CONFIG_SCSI_DEBUG=m (was off, requested by davidz.)
* Mon Jun 22 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-196
- - Fix oopses in a bunch of USB serial devices (#500954)
* Sat Jun 20 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-195
- - Add linux-2.6-drivers-char-low-latency-removal.patch
  to fix oops in nozomi driver (#507005)
* Thu Jun 18 2009 Ben Skeggs <bskeggs@xxxxxxxxxx> 2.6.29.5-194
- - drm-nouveau.patch: un-break DPMS after DRM changes
* Thu Jun 18 2009 Dave Airlie <airlied@xxxxxxxxxx> 2.6.29.5-193
- - drm-radeon-cs-oops-fix.patch: fix oops if CS path called from non-kms
* Wed Jun 17 2009 Jarod Wilson <jarod@xxxxxxxxxx>
- - New lirc_imon hotness:
  * support dual-interface devices with a single lirc device
  * directional pad functions as an input device mouse
  * touchscreen devices finally properly supported
  * support for using MCE/RC-6 protocol remotes
  * fix oops in RF remote association code (F10 bug #475496)
  * fix re-enabling case/panel buttons and/or knobs
- - Add some misc additional lirc_mceusb2 transceiver IDs
- - Add missing unregister_chrdev_region() call to lirc_dev exit
- - Add it8720 support to lirc_it87
* Tue Jun 16 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-191
- - Copy latest version of the -mm streaming IO and executable pages patches from F-10
- - Copy the saner-vm-settings patch from F-10:
    change writeback interval from 5,30 seconds to 3,10 seconds
- - Comment out the null credentials debugging patch (bug #494067)
* Tue Jun 16 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-190
- - Two r8169 driver updates from 2.6.30
- - Update via-sdmmc driver
* Tue Jun 16 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-189
- - New debug patch for bug #494067, now enabled for non-debug kernels too.
* Tue Jun 16 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-188
- - Avoid lockup on OOM with /dev/zero
* Tue Jun 16 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.29.5-187
- - Drop the disable of mwait on VIA Nano processor. The lockup bug is
  fixed by BIOS updates.
* Tue Jun 16 2009 Ben Skeggs <bskeggs@xxxxxxxxxx> 2.6.29.5-186
- - nouveau: Use VBIOS image from PRAMIN in preference to PROM (#492658)
* Tue Jun 16 2009 Dave Airlie <airlied@xxxxxxxxxx> 2.6.29.5-185
- - drm-connector-dpms-fix.patch - allow hw to dpms off
- - drm-dont-frob-i2c.patch - don't play with i2c bits just do EDID
- - drm-intel-tv-fix.patch - fixed intel tv after connector dpms
- - drm-modesetting-radeon-fixes.patch - fix AGP issues (go faster) (otaylor)
- - drm-radeon-fix-ring-commit.patch - fix stability on some radeons
- - drm-radeon-new-pciids.patch - add rv770/790 support
- - drm-intel-vmalloc.patch - fix vmalloc patch
* Mon Jun 15 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-184
- - Get rid of the annoying parport sysctl registration warning (#503773)
  (linux-2.6-parport-quickfix-the-proc-registration-bug.patch)
* Mon Jun 15 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-183
- - Linux 2.6.29.5
* Mon Jun 15 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-182.rc1
- - Add support for touchpad on MacBook 5 (Unibody) (#504197)
* Mon Jun 15 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-181.rc1
- - Fix reporting of short writes to the NFS client (#493500)
* Mon Jun 15 2009 John W. Linville <linville@xxxxxxxxxx>
- - neigh: fix state transition INCOMPLETE->FAILED via Netlink request
* Fri Jun 12 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-179.rc1
- - VIA Nano / VX800 fixes
    Padlock 64-bit fixes
    Disable mwait on the Nano
    Add via-sdmmc driver
    Enable the VIA random number generator on 64-bit
- - Enable the userspace ARP daemon (#502844)
* Wed Jun 10 2009 Ben Skeggs <bskeggs@xxxxxxxxxx>
- - drm-nouveau.patch: fill in modes derived from VBIOS tables better
* Tue Jun  9 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.5-177.rc1
- - 2.6.29.5-rc1
- - Reverted from stable, patch already in drm-next:
    drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch
- - Dropped patches, merged in -stable:
    hpet-fixes.patch
    keys-Handle-there-being-no-fallback-destination-key.patch
    kvm-Fix-PDPTR-reloading-on-CR4-writes.patch
    kvm-Make-paravirt-tlb-flush-also-reload-the-PAE-PDP.patch
    linux-2.6-ptrace-fix-possible-zombie-leak.patch
    linux-2.6-usb-cdc-acm-remove-low-latency-flag.patch
    linux-2.6-xen-xenbus_state_transition_when_not_connected.patch
    linux-2.6.29.5-ext4-stable-fixes.patch
* Tue Jun  9 2009 John W. Linville <linville@xxxxxxxxxxxxx>
- - Clean-up some wireless bits in config-generic
* Tue Jun  9 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-175
- - Add ext4 stable patch queue, 18 patches submitted for 2.6.29.5
  (adds 10 patches that weren't already in F-11.)
* Tue Jun  9 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-174
- - Add support for ACPI P-states on VIA processors.
- - Disable the e_powersaver driver.
* Mon Jun  8 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-173
- - Add linux-2.6-ptrace-fix-possible-zombie-leak.patch
  Fixes bug #481753, ptraced processes fail to deliver exit notification to parent
* Mon Jun  8 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-172
- - Add linux-2.6-netdev-ehea-fix-circular-locking.patch (#498854)
* Mon Jun  8 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-171
- - Add AT keyboard forced key release quirks for four more notebooks.
  (Fixes Samsung NC20/Q45, Fujitsu PA1510/Xi3650)
* Mon Jun  8 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-170
- - Drop ALSA jiffies-based PCM boundary checking (#498858)
* Mon Jun  8 2009 Chuck Ebbert <cebbert@xxxxxxxxxx> - 2.6.29.4-169
- - Add debug patch for finding null security credentials. (494067)
* Tue Jun  2 2009 Roland McGrath <roland@xxxxxxxxxx> - 2.6.29.4-168
- - utrace update (fixes stap PR10185)
- --------------------------------------------------------------------------------
References:

  [ 1 ] Bug #516171 - CVE-2009-2691 kernel: /proc/$pid/maps visible during initial setuid ELF loading
        https://bugzilla.redhat.com/show_bug.cgi?id=516171
  [ 2 ] Bug #515423 - CVE-2009-2848 kernel: execve: must clear current->clear_child_tid
        https://bugzilla.redhat.com/show_bug.cgi?id=515423
  [ 3 ] Bug #518132 - CVE-2009-2849 kernel: md: NULL pointer deref when accessing suspend_* sysfs attributes
        https://bugzilla.redhat.com/show_bug.cgi?id=518132
  [ 4 ] Bug #515392 - CVE-2009-2847 kernel: information leak in sigaltstack
        https://bugzilla.redhat.com/show_bug.cgi?id=515392
  [ 5 ] Bug #517830 - CVE-2009-2695 SELinux and mmap_min_addr
        https://bugzilla.redhat.com/show_bug.cgi?id=517830
- --------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update kernel' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
- --------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFKlpL2k0kIxZMiiQ8RAgqBAKCxOwbIApA9VIRrLxceiGxC2B4R3QCeMgHP
eMpcxj0TW8WRrJL5ehsDRQ0=
=le0m
-----END PGP SIGNATURE-----
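
The CVE-2009-2847 padding leak and the changelog's fix ("avoid copying 'stack_t' as a structure to userspace"), modelled in user space as an added example that is not part of the advisory or of the kernel patch. `struct demo_stack`, the 0xAA marker, the sample values and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with stack_t's member order: pointer, int, size_t.
 * On 64-bit ABIs the int is followed by 4 padding bytes. */
struct demo_stack { void *sp; int flags; size_t size; };

#define OFF(m)  offsetof(struct demo_stack, m)
#define LEN     sizeof(struct demo_stack)
#define PAD_OFF (OFF(flags) + sizeof(int))
#define PAD_LEN (OFF(size) - PAD_OFF)
#define STALE   0xAA  /* constructed marker for leftover kernel-stack bytes */

/* Copy the three members one by one; padding bytes are never touched. */
static void copy_members(unsigned char *dst, const unsigned char *src) {
    memcpy(dst + OFF(sp), src + OFF(sp), sizeof(void *));
    memcpy(dst + OFF(flags), src + OFF(flags), sizeof(int));
    memcpy(dst + OFF(size), src + OFF(size), sizeof(size_t));
}

/* Model a kernel-stack local: stale bytes first, then only members written. */
static void fill_kernel_copy(unsigned char *k) {
    struct demo_stack v = { NULL, 2, 8192 };  /* constructed sample values */
    memset(k, STALE, LEN);
    copy_members(k, (const unsigned char *)&v);
}

/* Count marker bytes that reached the padding of the "user" buffer. */
static size_t stale_in_padding(const unsigned char *u) {
    size_t n = 0;
    for (size_t i = 0; i < PAD_LEN; i++)
        n += (u[PAD_OFF + i] == STALE);
    return n;
}
size_t padding_len(void) { return PAD_LEN; }

/* fieldwise == 0: pre-fix whole-structure copy; != 0: per-member copy. */
size_t leaked_bytes(int fieldwise) {
    unsigned char k[LEN], u[LEN] = {0};
    fill_kernel_copy(k);
    if (fieldwise) copy_members(u, k); else memcpy(u, k, LEN);
    return stale_in_padding(u);
}

int main(void) {
    printf("padding=%zu whole=%zu fieldwise=%zu\n", padding_len(), leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Zeroing the whole structure before filling it in is the other common remedy for this bug class; the sketch follows the per-member copy because that is what the changelog describes.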