RHSA-2009:1106: Important security and bug fix update

Security fixes:

• several flaws were found in the way the Linux kernel CIFS implementation handles Unicode strings. CIFS clients convert Unicode strings sent by a server to their local character sets, and then write those strings into memory. If a malicious server sent a long enough string, it could write past the end of the target memory region and corrupt other memory areas, possibly leading to a denial of service or privilege escalation on the client mounting the CIFS share. (CVE-2009-1439, CVE-2009-1633, Important)

• the Linux kernel Network File System daemon (nfsd) implementation did not drop the CAP_MKNOD capability when handling requests from local, unprivileged users. This flaw could possibly lead to an information leak or privilege escalation. (CVE-2009-1072, Moderate)

• Frank Filz reported the NFSv4 client was missing a file permission check for the execute bit in some situations. This could allow local, unprivileged users to run non-executable files on NFSv4 mounted file systems. (CVE-2009-1630, Moderate)

• a missing check was found in the hypervisor_callback() function in the Linux kernel provided by the kernel-xen package. This could cause a denial of service of a 32-bit guest if an application running in that guest accesses a certain memory location in the kernel. (CVE-2009-1758, Moderate)

• a flaw was found in the AGPGART driver. The agp_generic_alloc_page() and agp_generic_alloc_pages() functions did not zero out the memory pages they allocate, which may later be available to user-space processes. This flaw could possibly lead to an information leak. (CVE-2009-1192, Low)

Bug fixes:

• a race in the NFS client between destroying cached access rights and unmounting an NFS file system could have caused a system crash. "Busy inodes" messages may have been logged. (BZ#498653)

• nanosleep() could sleep several milliseconds less than the specified time on Intel Itanium®-based systems. (BZ#500349)

• LEDs for disk drives in AHCI mode may have displayed a fault state when there were no faults. (BZ#500120)

• ptrace_do_wait() reported tasks were stopped each time the process doing the trace called wait(), instead of reporting it once. (BZ#486945)

• epoll_wait() may have caused a system lockup and problems for applications. (BZ#497322)

• missing capabilities could possibly allow users with an fsuid other than 0 to perform actions on some file system types that would otherwise be prevented. (BZ#497271)

• on NFS mounted file systems, heavy write loads may have blocked nfs_getattr() for long periods, causing commands that use stat(2), such as ls, to hang. (BZ#486926)

• in rare circumstances, if an application performed multiple O_DIRECT reads per virtual memory page and also performed fork(2), the buffer storing the result of the I/O may have ended up with invalid data. (BZ#486921)

• when using GFS2, gfs2_quotad may have entered an uninterruptible sleep state. (BZ#501742)

• with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#499783)