kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CAN-2005-2098, CAN-2005-2099, CAN-2005-2456, CAN-2005-2457, CAN-2005-2458, CAN-2005-2459, CAN-2005-2548, CAN-2005-2555
Created: August 19, 2005
Updated: September 19, 2005
Description:

David Howells discovered a local Denial of Service vulnerability in the key session joining function. Under certain user-triggerable conditions, a semaphore was not released properly, which caused processes that also attempted to join a key session to hang forever. (CAN-2005-2098)

David Howells discovered a local Denial of Service vulnerability in the keyring allocator. A local attacker could exploit this to crash the kernel by attempting to add a specially crafted invalid keyring. (CAN-2005-2099)

Balazs Scheidler discovered a local Denial of Service vulnerability in the xfrm_compile_policy() function. By calling setsockopt() with an invalid xfrm_user policy message, a local attacker could cause the kernel to write to an array beyond its boundaries, thus causing a kernel crash. (CAN-2005-2456)

Tim Yamin discovered that the driver for compressed ISO file systems did not sufficiently validate the input data. By tricking a user into mounting a malicious CD-ROM with a specially crafted compressed ISO file system, an attacker could cause a kernel crash. (CAN-2005-2457)

It was discovered that the kernel's embedded zlib compression library was still vulnerable to two old vulnerabilities of the standalone zlib library. This library is used by various drivers and can also be used by third-party modules, so the impact varies. (CAN-2005-2458, CAN-2005-2459)

Peter Sandstrom discovered a remote Denial of Service vulnerability in the SNMP handler. Certain UDP packets led to a function call with the wrong argument, which resulted in a crash of the network stack. (CAN-2005-2548)

Herbert Xu discovered that the setsockopt() function was not restricted to privileged users. This allowed a local attacker to bypass intended IPSec policies, set invalid policies to exploit flaws like CAN-2005-2456, or cause a Denial of Service by adding policies until kernel memory is exhausted. Now the call is restricted to processes with the CAP_NET_ADMIN capability. (CAN-2005-2555)
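As an added example (not part of the advisory or of the kernel's own code), a small C regression check for the CAN-2005-2555 fix: it issues a zero-length IP_IPSEC_POLICY request, which never reaches the xfrm policy parser, and reports whether the running kernel refused it with EPERM for an unprivileged caller. The names policy_probe, classify_probe and probe_ipsec_policy are this example's own, and it assumes a Linux userspace where netinet/in.h defines IP_IPSEC_POLICY.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum policy_probe {
    PROBE_RESTRICTED,   /* EPERM: the capability check refused the caller */
    PROBE_REACHED,      /* request got past the capability check */
    PROBE_UNSUPPORTED,  /* option unknown or IPsec policy code not built in */
    PROBE_ERROR         /* could not even create a socket */
};

/* Map a setsockopt() outcome to what it says about the CAN-2005-2555 gate. */
enum policy_probe classify_probe(int rc, int err)
{
    if (rc == 0)
        return PROBE_REACHED;               /* policy accepted or cleared */
    switch (err) {
    case EPERM: case EACCES:           return PROBE_RESTRICTED;
    case ENOPROTOOPT: case EOPNOTSUPP: return PROBE_UNSUPPORTED;
    default:                           return PROBE_REACHED;  /* e.g. EMSGSIZE from the parser */
    }
}

/* Ask the running kernel to load an empty IPsec socket policy. A zero-length
 * request never reaches the xfrm policy parser, so this exercises only the
 * privilege check, not the CAN-2005-2456 code path. */
enum policy_probe probe_ipsec_policy(void)
{
#if defined(__linux__) && defined(IP_IPSEC_POLICY)
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return PROBE_ERROR;
    int rc = setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, "", 0);
    int err = errno;
    close(fd);
    return classify_probe(rc, err);
#else
    return PROBE_UNSUPPORTED;               /* not Linux: nothing to check */
#endif
}
int main(void)
{
    static const char *names[] = { "restricted", "reached policy code", "unsupported", "error" };
    enum policy_probe r = probe_ipsec_policy();
    printf("IP_IPSEC_POLICY as euid %u: %s\n", (unsigned)geteuid(), names[r]);
    /* An unprivileged caller on a fixed kernel must be refused with EPERM. */
    return (geteuid() != 0 && r != PROBE_RESTRICTED) ? 1 : 0;
}
```

Run it as an ordinary user; a non-zero exit means the policy-loading path was reachable without CAP_NET_ADMIN.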
Posted Sep 9, 2005 19:37 UTC (Fri) by maceto (guest, #16498)
kernel: multiple vulnerabilities
eh Redhat what?? no updates on this...?

Posted Sep 9, 2005 19:42 UTC (Fri) by maceto (guest, #16498)
kernel: multiple vulnerabilities
Redhat no updates??

Posted Sep 23, 2005 6:50 UTC (Fri) by zblaxell (subscriber, #26385)
kernel: multiple vulnerabilities
"Herbert Xu discovered that the setsockopt() function was not restricted to privileged users."
Uhhh... "socket policy loading" (IP_IPSEC_POLICY) is what is restricted. setsockopt() is the user-space interface to IP_IPSEC_POLICY, but setsockopt() can do many other things, several of which are useful for non-privileged users.