SciLinux: CVE-2006-6304 Important: kernel SL5.x i386/x86_64

Summary

Security fixes:

* an array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation. (CVE-2009-3080, Important)

* a flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation. (CVE-2009-4021, Important)

* Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important)

* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important)

* the RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name.

* an information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

* permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate)

* a NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate)

* a buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low)

Bug fixes:

* In rare cases, a system management interrupt (SMI) could occur during CPU frequency calibration (during boot), resulting in the frequency being calculated to a value larger than the CPU's specification. This could have resulted in timer values being miscalculated and firing at incorrect times. Note: This fix is optional. To enable the fix, the system must be booted with the avoid_smi kernel parameter.

* In certain situations, a bug found in either the HTB or TBF network packet schedulers in the Linux kernel could have caused a kernel panic when using Broadcom network cards with the bnx2 driver.

* A KVM pvclock fix in the kernel-2.6.18-164.2.1.el5 update introduced a bug: Some SMP guest operating systems experienced time drift. This could cause problems for time-sensitive applications.

* In certain situations, kdump occasionally dumped a vmcore file with no registers on Intel Itanium systems that were under high disk I/O load. In these cases, this prevented the kernel stack backtrace in the vmcore from being viewed with the crash utility.

* In certain situations, when using IP over InfiniBand and network interface bonding, a bug in the ipoib driver in the Linux kernel caused problems, such as packet loss and not being able to communicate with some hosts. Restarting the network service via "service network restart" temporarily resolved this issue. This update resolves this bug, and using IP over InfiniBand and network interface bonding now works as expected.

* A glock reference counting bug in GFS2 has been fixed. When the glock memory shrinker ran while the system was under heavy memory pressure, the system could crash or experience very poor performance.

* Previously, when using GFS2, if two nodes concurrently updated the same file, each node would overwrite the other node's data, as the file position for such a file was not being updated correctly. This issue only occurred when using open() with the O_APPEND flag, and then issuing a write() without first performing another operation on the inode, such as stat() or read().

* Running "time ifconfig ethX up" on a network interface that was under heavy load may have triggered a soft lockup ("BUG: soft lockup"). This could have possibly caused cluster nodes to be fenced.

* A logic error in the Linux kernel memory management could have caused a "BUG: sleeping function called from invalid context" message on some systems when running certain backup software or performing an LVM snapshot, while at the same time performing a copy-on-write (COW) of a file page.

* Detection of AMD multi-node processors could have confused Hardware-assisted virtual machine (HVM) guests and caused a crash on boot during identify_cpu(). This update ensures the topology information is not used by virtual machines.

* A bug in the lpfc driver intermittently caused ports on an Emulex Fibre Channel Host Bus Adapter (HBA) to be offlined during target controller faults.

* Previously, if an administrator set /proc/sys/net/ipv4/route/secret_interval to 0, and then attempted to change the value by echoing a non-zero value to the file, the administrator's shell would hang. This bug could have also possibly sent other processes into an uninterruptible sleep state, and was introduced in the kernel-2.6.18-164.el5 update.

* Under some circumstances, a locking bug could have caused an online ext3 file system resize to deadlock, which may have, in turn, caused the file system or the entire system to become unresponsive. In either case, a reboot was required after the deadlock. With this update, using resize2fs to perform an online resize of an ext3 file system works as expected.

* Scientific Linux 5.4 guests using KVM pvclock, calling the clock_gettime(CLOCK_REALTIME) and gettimeofday() functions in sequence could have, in rare cases, caused clock_gettime() to return a smaller value than gettimeofday(). If the sequence was reversed, gettimeofday() could return a smaller value than clock_gettime(CLOCK_REALTIME). This could cause applications to hang and use large amounts of CPU (up to 100%), or cause problems for applications that depend on timestamps to order events. Note: This update only resolves this issue for Intel 64 and AMD64 systems. The issue can still be present on i386 systems.

The system must be rebooted for this update to take effect.

Note1: Due to the fuse kernel module now being part of the kernel, we are updating fuse on the older releases to match the fuse that was released by The Upstream Vendor.

Note2: xfs is now part of the kernel in x86_64. Because of this there is no kernel-module-xfs for x86_64.

Note3: ipw3945 support has been changed to iwlwifi3945 in SL 54, and is in the kernel. Because of this there is no kernel-module-ipw3945 for SL 54.

Note4: Support for the Atheros chipset is now in the kernel. We are not sure if the infrastructure is in place for SL 50-53, so we are still providing the madwifi kernel modules for SL 50-53.

SL 5.x

SRPMS:
kernel-2.6.18-164.11.1.el5.src.rpm

i386:
kernel-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.i386.rpm
kernel-PAE-2.6.18-164.11.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.i686.rpm

Dependencies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5PAE-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5PAE-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5PAE-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5PAE-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5xen-0.4-2.sl5.i686.rpm

Dependencies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5PAE-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm

x86_64:
kernel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.x86_64.rpm

Dependencies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.x86_64.rpm

Dependencies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.x86_64.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson
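A host-side audit for the three conditions this advisory names (whether the running kernel is at or past the fixed release, the suid_dumpable setting that CVE-2006-6304 depends on, and the sysfs files that shipped world-writable), added here as an example and not part of the Scientific Linux errata. It assumes GNU stat as shipped on SL5; the qla2xxx paths come from the advisory, while the /sys/module/megaraid_sas/parameters location for "dbg_lvl" and "poll_mode_io" is an assumption.

```shell
#!/bin/sh
# Added audit helper; not part of the Scientific Linux advisory.
FIXED_RELEASE="2.6.18-164.11.1.el5"   # release carrying the fixes listed above

# kernel_at_least RUNNING WANTED: prints 1 if RUNNING is at or past WANTED, else 0.
# "2.6.18-164.11.1.el5xen" becomes the fields "2 6 18 164 11 1"; a missing field counts as 0,
# so 2.6.18-164.el5 (fields "2 6 18 164") correctly sorts before 2.6.18-164.11.1.el5.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/\.el5.*$//; s/[^0-9]\{1,\}/ /g')
    want=$(printf '%s' "$2" | sed 's/\.el5.*$//; s/[^0-9]\{1,\}/ /g')
    i=1
    while :; do
        h=$(printf '%s\n' "$have" | cut -d' ' -f"$i")
        w=$(printf '%s\n' "$want" | cut -d' ' -f"$i")
        [ -z "$h" ] && [ -z "$w" ] && { echo 1; return; }   # every field equal
        h=${h:-0}; w=${w:-0}
        [ "$h" -gt "$w" ] && { echo 1; return; }
        [ "$h" -lt "$w" ] && { echo 0; return; }
        i=$((i + 1))
    done
}

# world_writable OCTAL_MODE: true when the "other" write bit is set (666, 4777, ...).
world_writable() {
    o=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    [ $((o & 2)) -ne 0 ]
}

audit() {
    running=$(uname -r)
    if [ "$(kernel_at_least "$running" "$FIXED_RELEASE")" = 1 ]; then
        echo "kernel $running: at or past $FIXED_RELEASE"
    else
        echo "kernel $running: older than $FIXED_RELEASE (update, then reboot)"
    fi
    # CVE-2006-6304 only matters with suid_dumpable=2; the fixed kernel then refuses
    # to write a core file that already exists, as the advisory notes.
    [ -r /proc/sys/fs/suid_dumpable ] && echo "fs.suid_dumpable = $(cat /proc/sys/fs/suid_dumpable)"
    # CVE-2009-3556, CVE-2009-3889, CVE-2009-3939: sysfs knobs that shipped world-writable.
    # The megaraid_sas location under /sys/module is an assumption.
    for f in /sys/class/scsi_host/host*/vport_create /sys/class/scsi_host/host*/vport_delete \
             /sys/module/megaraid_sas/parameters/dbg_lvl /sys/module/megaraid_sas/parameters/poll_mode_io; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null) || continue
        if world_writable "$mode"; then echo "WORLD-WRITABLE: $f ($mode)"; else echo "ok: $f ($mode)"; fi
    done
}

audit
```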