First published: Tue Nov 03 2009
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

* when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important)

* the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important)

* the exit_notify() function in the Linux kernel did not properly reset the exit signal if a process executed a set user ID (setuid) application before exiting. This could allow a local, unprivileged user to elevate their privileges. (CVE-2009-1337, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2009-1895, Important)

* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)

* missing initialization flaws were found in getname() implementations in the IrDA sockets, AppleTalk DDP protocol, NET/ROM protocol, and ROSE protocol implementations in the Linux kernel. Certain data structures in these getname() implementations were not initialized properly before being copied to user-space. These flaws could lead to an information leak. (CVE-2009-3002, Important)

* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)

Bug fixes:

* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#512642)

* a bridge reference count problem in IPv6 has been fixed. (BZ#457010)

* enforce null-termination of user-supplied arguments to setsockopt(). (BZ#505514)

* the gcc flag "-fno-delete-null-pointer-checks" was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#511185)

* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#520300)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
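The "-fno-delete-null-pointer-checks" item above describes a compiler behaviour rather than a single bug, so here is an added illustration (not code from the advisory or the kernel) of the pattern the flag protects. The struct and both functions are hypothetical; the point is the ordering of the NULL test relative to the first dereference.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical object with reader/writer counters, constructed for this example. */
struct pipe_like {
    int readers;
    int writers;
};

/* The pattern the flag guards against: the pointer is dereferenced before it is
 * tested. GCC treats the dereference as proof that p is non-NULL and, when
 * optimizing, may delete the later check entirely, so a NULL p reaches the
 * dereference with no recovery path. Building with
 * -fno-delete-null-pointer-checks keeps the check in the generated code. */
int count_unsafe(struct pipe_like *p)
{
    int total = p->readers + p->writers; /* first use of p */
    if (p == NULL)                       /* may be optimized away */
        return -1;
    return total;
}

/* Hardened ordering: test the pointer before its first use. This is correct
 * regardless of compiler flags and is the form reviewers should expect. */
int count_safe(struct pipe_like *p)
{
    if (p == NULL)
        return -1;
    return p->readers + p->writers;
}

int main(void)
{
    struct pipe_like pipe = { .readers = 2, .writers = 1 };
    printf("count_safe(&pipe) = %d\n", count_safe(&pipe));
    printf("count_safe(NULL)  = %d\n", count_safe(NULL));
    /* count_unsafe(NULL) is never called: the dereference precedes the check. */
    return 0;
}
```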