First published: Tue Sep 15 2009
The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)

* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)

This update also fixes the following bugs:

* the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)

* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)

* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)

* time-outs resulted in I/O errors being logged to "/var/log/messages" when running "mt erase" on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)

* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428)

* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss. (BZ#517295)

* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255)

* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the "num_mpt=" and "num_mtt=" options. (BZ#518707)

* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)

* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)

* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock(). This could cause a system hang. (BZ#519429)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
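Because the advisory notes that the new mmap_min_addr tunable (BZ#517904) ships disabled (zero) by default, an administrator applying this update will want to confirm the restriction is actually active. The following check is an added example, not part of the advisory or of Red Hat's packages; it assumes the tunable is exposed at /proc/sys/vm/mmap_min_addr (sysctl vm.mmap_min_addr) and accepts an optional file path so it can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example: report whether the mmap_min_addr restriction is enabled.
# Assumption: the tunable is readable at /proc/sys/vm/mmap_min_addr.

# mmap_min_addr_status [path]
# Prints one status line and returns:
#   0  restriction enabled (value > 0)
#   1  restriction disabled (value 0, the default noted in the advisory)
#   2  tunable missing or unparsable (kernel lacks the tunable, or no access)
mmap_min_addr_status() {
    path="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$path" ]; then
        echo "unreadable: $path"
        return 2
    fi
    value=$(tr -d '[:space:]' < "$path")
    # Only a non-empty, all-digit value is a valid tunable reading.
    case "$value" in
        ''|*[!0-9]*)
            echo "unreadable: $path"
            return 2 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "disabled: vm.mmap_min_addr=0 (low address mappings allowed)"
        return 1
    fi
    echo "enabled: vm.mmap_min_addr=$value"
    return 0
}

# Remediation when the check reports "disabled" (run as root):
#   sysctl -w vm.mmap_min_addr=65536
# and persist the setting in /etc/sysctl.conf. 65536 is an illustrative
# value chosen for this example; the advisory does not prescribe one.

# Stand-alone use: MMAP_CHECK_LIVE=1 ./check.sh  (reads the live tunable)
if [ -n "${MMAP_CHECK_LIVE:-}" ]; then
    mmap_min_addr_status
fi
```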
The severity of RHSA-2009:1438 is categorized as critical due to the potential for local privilege escalation.
To fix RHSA-2009:1438, you should update the kernel packages to the latest version provided by your Linux distribution.
RHSA-2009:1438 addresses vulnerabilities related to improper handling of the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags in setuid and setgid programs.
RHSA-2009:1438 affects users of Linux systems that run the affected kernel versions.
Failing to address RHSA-2009:1438 could allow local unprivileged users to escalate their privileges on the system.