Mandriva- Advisories MDVSA-2008:008: Updated kernel packages fix multiple vulnerabilities and bugs

[Mandriva]

Advisories MDVSA-2008:008: Updated kernel packages fix multiple vulnerabilities and bugs
Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The CIFS filesystem, when Unix extension support is enabled, does
not honor the umask of a process, which allows local users to gain
privileges. (CVE-2007-3740)

The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
units, which allows local users to cause a denial of service (panic)
via unspecified vectors. (CVE-2007-4133)

The IA32 system call emulation functionality in Linux kernel 2.4.x
and 2.6.x before 2.6.22.7, when running on the x86_64 architecture,
does not zero extend the eax register after the 32bit entry path to
ptrace is used, which might allow local users to gain privileges by
triggering an out-of-bounds access to the system call table using
the %RAX register. (CVE-2007-4573)

Integer underflow in the ieee80211_** function in
net/ieee80211/ieee80211_**.c in the Linux kernel 2.6.x before
2.6.23 allows remote attackers to cause a denial of service (crash)
via a crafted SKB length value in a runt IEEE 802.11 frame when
the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two
error. (CVE-2007-4997)

The disconnect method in the Philips USB Webcam (pwc) driver in Linux
kernel 2.6.x before 2.6.22.6 relies on user space to close the device,
which allows user-assisted local attackers to cause a denial of service
(USB subsystem hang and CPU consumption in khubd) by not closing the
device after the disconnect is invoked. NOTE: this rarely crosses
privilege boundaries, unless the attacker can convince the victim to
unplug the affected device. (CVE-2007-5093)

The wait_task_stopped function in the Linux kernel before 2.6.23.8
checks a TASK_TRACED bit instead of an exit_state value, which
allows local users to cause a denial of service (machine crash) via
unspecified vectors. NOTE: some of these details are obtained from
third party information. (CVE-2007-5500)

The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and
possibly other versions, allows local users to cause a denial of
service (hang) via a malformed minix file stream that triggers an
infinite loop in the minix_bmap function. NOTE: this issue might be
due to an integer overflow or signedness error. (CVE-2006-6058)

Buffer overflow in the isdn_net_setcfg function in isdn_net.c in
Linux kernel 2.6.23 allows local users to have an unknown impact via
a crafted argument to the isdn_ioctl function. (CVE-2007-6063)

Additionaly, support for Promise 4350 controller was added (stex
module).

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate
http://mandrivausers.org/index.php?showtopic=47059
http://mandrivausers.org/index.php?showtopic=47059
Fri, 11 Jan 2008 22:45:06 +0000