Mandriva Linux Security Advisory 2009:289: kernel

28

Some vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a
PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT
and MMAP_PAGE_ZERO flags when executing a setuid or setgid program,
which makes it easier for local users to leverage the details of
memory usage to (1) conduct NULL pointer dereference attacks, (2)
bypass the mmap_min_addr protection mechanism, or (3) defeat address
space layout randomization (ASLR). (CVE-2009-1895)

Stack-based buffer overflow in the parse_tag_11_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
crafted eCryptfs file, related to not ensuring that the key signature
length in a Tag 11 packet is compatible with the key signature buffer
size. (CVE-2009-2406)

Heap-based buffer overflow in the parse_tag_3_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
crafted eCryptfs file, related to a large encrypted key size in a
Tag 3 packet. (CVE-2009-2407)

The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the
Linux kernel 2.6.31 allows local users to cause a denial of service
(kernel OOPS) and possibly execute arbitrary code via unspecified
vectors that cause a negative dentry and trigger a NULL pointer
dereference, as demonstrated via a Mutt temporary directory in an
eCryptfs mount. (CVE-2009-2908)

The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in
the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when
running on x86 systems, does not prevent access to MMU hypercalls
from ring 0, which allows local guest OS users to cause a denial of
service (guest kernel crash) and read or write guest kernel memory
via unspecified random addresses. (CVE-2009-3290)

Additionaly, it includes the fixes from the stable kernel version
2.6.27.37. It also fixes also fixes IBM x3650 M2 hanging when using
both network interfaces and Wake on Lan problems on r8169. For details,
check the package changelog.

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate