First published: Tue Nov 04 2008
The kernel packages contain the Linux kernel, the core of any Linux operating system.

* the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important)
* Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important)
* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important)
* a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)
* a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low)
* a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low)
* an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low)

In addition, these updated packages fix the following bugs:

* random32() seeding has been improved.
* in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash.
* a format string was omitted in the call to the request_module() function.
* a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected.
* the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic().
* a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated.
* in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures.
* some of the newer Nehalem-based systems declare their CPU DSDT entries as type "Alias". During boot, this caused an "Error attaching device data" message to be logged.
* the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium® architecture.
* sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack.
* on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts.
* the CIFS 'forcedirectio' option did not allow text to be appended to files.
* the gettimeofday() function returned a backwards time on Intel® 64.
* residual-count corrections during UNDERRUN handling were added to the qla2xxx driver.
* the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems.
* the "xm trigger init" command caused a domain panic if a userland application was running on a guest on the Intel® 64 architecture.

Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-debug | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-debug | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-debug-devel | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-debug-devel | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-devel | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-devel | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-doc | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-doc | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-headers | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-headers | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-xen | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-xen | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-xen-devel | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-xen-devel | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-kdump | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-kdump | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
redhat/kernel-kdump-devel | <2.6.18-92.1.17.el5 | 2.6.18-92.1.17.el5 |
redhat/kernel-kdump-devel | <2.6.18-92.1.18.el5 | 2.6.18-92.1.18.el5 |
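
To turn the table above into a fleet check, the following added example (not part of the advisory or of any Red Hat tooling) compares kernel version-release strings against the two fixed builds listed. It is a simplified re-implementation of RPM-style segment comparison that ignores epochs and tilde/caret markers; the host inventory is constructed, and the strings are assumed to come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel`.

```python
import re

# Fixed builds taken from the advisory's table.
FIXED_BUILDS = ("2.6.18-92.1.17.el5", "2.6.18-92.1.18.el5")

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp_part(a, b):
    """Compare one version or release string, segment by segment."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_evr(a, b):
    """Return -1, 0 or 1 for two 'version-release' strings."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)


def is_affected(installed, fixed=FIXED_BUILDS[0]):
    """True when the installed build is older than the fixed build."""
    return compare_evr(installed, fixed) < 0


# Constructed sample inventory (host name -> kernel version-release).
SAMPLE_HOSTS = {
    "web01": "2.6.18-92.1.13.el5",
    "db01": "2.6.18-92.1.17.el5",
    "xen01": "2.6.18-92.el5",
    "build01": "2.6.18-128.el5",
}


def audit(hosts, fixed=FIXED_BUILDS[0]):
    """Return the sorted host names that still run an affected build."""
    return sorted(h for h, v in hosts.items() if is_affected(v, fixed))


if __name__ == "__main__":
    for fixed in FIXED_BUILDS:
        print(fixed, "->", audit(SAMPLE_HOSTS, fixed))
```

The `xen01` case shows why a plain string comparison is not enough: `92.el5` sorts below `92.1.17.el5` because a numeric segment outranks an alphabetic one.
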
The severity of RHSA-2008:0957 is considered important due to the potential for a local denial of service.
You can fix RHSA-2008:0957 by updating to the kernel version 2.6.18-92.1.17.el5 or 2.6.18-92.1.18.el5.
The affected packages include kernel, kernel-debug, kernel-devel, kernel-headers, and kernel-xen among others.
RHSA-2008:0957 pertains to a local denial of service attack that could occur due to improper handling of CR4 TSC.
No, the vulnerability in RHSA-2008:0957 is not exploitable remotely; it requires local access to the system.