SuSE: 2007-035: Linux kernel Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package:                kernel
Announcement ID:        SUSE-SA:2007:035
Date:                   Thu, 14 Jun 2007 16:00:00 +0000
Affected Products:      SUSE SLES 9
                        Novell Linux Desktop 9
                        Open Enterprise Server
                        Novell Linux POS 9
Vulnerability Type:     remote denial of service
Severity (1-10):        7
SUSE Default Package:   yes
Cross-References:       CVE-2006-2936, CVE-2006-5749, CVE-2006-5753
                        CVE-2006-5754, CVE-2006-5871, CVE-2006-6106
                        CVE-2006-6535, CVE-2006-7203, CVE-2007-1353
                        CVE-2007-1357, CVE-2007-1592
Content of This Advisory:
1) Security Vulnerability Resolved:
kernel security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This kernel update fixes the following security problems in our SUSE
Linux Enterprise Server 9, Novell Linux Desktop 9 and Open Enterprise
Server kernels.
- CVE-2006-2936: The ftdi_sio driver allowed local users to cause a
denial of service (memory consumption) by writing more data to the
serial port than the hardware can handle, which causes the data
to be queued. This requires this driver to be loaded, which only
happens if such a device is plugged in.
- CVE-2006-5871: smbfs, when UNIX extensions are enabled,
ignores certain mount options, which could cause clients to use
server-specified UID, GID and MODE settings.
- CVE-2006-6106: Multiple buffer overflows in the cmtp_recv_interopmsg
function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the
Linux kernel allowed remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via CAPI messages with
a large value for the length of the (1) manu (manufacturer) or (2)
serial (serial number) field.
- CVE-2006-6535: The dev_queue_xmit function in Linux kernel 2.6 can
fail before calling the local_bh_disable function, which could
lead to data corruption and "node lockups". This issue might not
be exploitable at all for an attacker.
- CVE-2006-5749: The isdn_ppp_ccp_reset_alloc_state function in
drivers/isdn/isdn_ppp.c in the Linux kernel does not call the
init_timer function for the ISDN PPP CCP reset state timer, which
has unknown attack vectors and results in a system crash.
- CVE-2006-5753: Unspecified vulnerability in the listxattr system
call in Linux kernel, when a "bad inode" is present, allows local
users to cause a denial of service (data corruption) and possibly
gain privileges.
- CVE-2006-5754: The aio_setup_ring function in Linux kernel does not
properly initialize a variable, which allows local users to cause
a denial of service (crash).
- CVE-2007-1357: A denial of service problem against the AppleTalk
protocol was fixed. A remote attacker in the same AppleTalk
network segment could cause the machine to crash if it has AppleTalk
protocol loaded.
Please note that we do not load the AppleTalk protocol by default
and such an attack would only work within an AppleTalk network,
since the protocol is not routed over the Internet.
- CVE-2007-1592: A local user could cause a double-free of an ipv6
structure, potentially causing a local denial of service attack.
- A local denial of service was fixed in the USB visor driver,
where local attackers could cause a huge amount of kernel
memory to be allocated and so run the machine out of memory.
This is classified as low severity, since local denial
of service using memory consumption is also possible
in other ways.
- CVE-2007-1353: The setsockopt function in the L2CAP and HCI Bluetooth
support in the Linux kernel allows context-dependent attackers to
read kernel memory and obtain sensitive information via unspecified
vectors involving the copy_from_user function accessing an
uninitialized stack buffer.
- CVE-2006-7203: The compat_sys_mount function in fs/compat.c allows
local users to cause a denial of service (NULL pointer dereference
and oops) by mounting a smbfs file system in compatibility mode
("mount -t smbfs").
and the following non-security bugs:
- patches.fixes/ia64-accessed-dirty-race-fix:
Fix race in the accessed/dirty bit handlers.
- patches.fixes/dm-mpath-emc-status-fix:
EMC multipath hw handler does not return its status.
- patches.suse/nfs-write-limit:
Make suggested values the default so that benefit of this patch
is available without tuning.
- patches.fixes/bdev-imapping-race.diff:
Fix race between sync_single_inode() and iput()
- patches.fixes/mp_uart_backup_timer.patch:
8250 UART backup timer fix.
- patches.arch/x86_64-smphalt:
Fix race in shutdown that can lead to hangs.
- patches.fixes/cciss-cpq-disk-stats:
Update disk statistics for cciss and cpqarray devices.
- patches.fixes/usb-hid-203911-event-field-not-found.diff:
backport of a suppression of a warning from newer kernels.
- patches.fixes/fs-rewrite-remove_arg_zero:
If necessary, free pages when removing arg zero during exec.
- patches.suse/lkcd-allocate-isa-bounce-pool:
LKCD running out of memory during dump.
- patches.fixes/xfs-fix-inode-i_sem-counter-problem.diff:
Fix inode i_sem count problem.
- patches.fixes/dio_should_wait-zab1.patch:
aio/dio: fix another refcount bug.
- patches.fixes/ptrace-signal-race:
Fix ptracer race condition to prevent BUG_ON in do_notify_parent.
- patches.fixes/raw-dont-call-device-remove-on-bind:
raw device file disappears after binding by using raw command
- patches.fixes/sunrpc-busy-atomic:
test and set SK_BUSY atomically.
- patches.arch/x86_64-intel-disable-smi:
Allow disabling most SMI interrupts on an Intel chipset
- patches.arch/woodcrest_est_x64_short:
Support Intel Woodcrest and Conroe CPUs.
- patches.arch/x86_64-ia32-stack-account:
Correct x86_64 stack accounting for ia32 binaries.
- patches.fixes/cciss-fifo-full.patch:
set maximum number of commands according to the kind
of the controller.
- patches.suse/dynamic-timeslice:
Updated to prevent an overflow leading to an oops when
max_timeslice is set too high.
32-bit architectures are still affected though.
- patches.fixes/swapfile-no-i_sem.diff:
Don't hold i_sem on swapfiles.
- patches.fixes/scsi-devinfo-hitachi-update:
LVM UUID fails after LVM update.
- patches.fixes/refill-inactive-irq-latency-can_writepage:
avoid can_writepage slowdowns.
- patches.drivers/libata-prepare-for-adhoc-working-EH:
libata: prepare for ad-hoc working EH
- patches.drivers/libata-ata_piix-adhoc-EH:
ata_piix: implement ad-hoc EH.
- patches.drivers/libata-sata_promise-adhoc-EH:
sata_promise: implement ad-hoc EH.
- patches.fixes/nfs-silly-delete-fix:
avoid BUG when mount -f on nfs filesystem with
pending silly-delete.
- patches.fixes/bonding-arpmon-2:
Send only one ARP probe when using bonding with
ARP monitoring
- patches.fixes/ext3-bread-find-entry-fix.diff:
ext3: Fix ext3_bread and ext3_find_entry.
- patches.fixes/reiserfs-readahead-fix.diff:
reiser: fix problem when READA returns EAGAIN.
- patches.fixes/udf-readahead-fix.diff:
udf: replace READA by READ.
- patches.fixes/fix-ext3-kmalloc-flags-with-journal-handle.diff:
ext3: use GFP_NOFS when allocating memory with an open journal handle.
- patches.fixes/sunrpc-listen-race:
knfsd: Fix race that can disable NFS server.
- patches.fixes/nfs-jiffie-wrap:
Avoid extra GETATTR calls caused by 'jiffie wrap'.
- patches.arch/ibm-ppc64-lparcfg-quiet.patch:
Quieten lparcfg.
- patches.fixes/do_notify_parent_cldstop-deadlock:
fix a deadlock in do_notify_parent_cldstop()
- patches.fixes/xfs-kern-28000a-buffer-unwritten-new:
Set the buffer new flag on writes to unwritten XFS extents.
This fixes a corruption in preallocated files on XFS.
- patches.fixes/net-llc-fixup:
[LLC]: Use pskb_trim_rcsum() in llc_fixup_skb().
- patches.fixes/firewire_swiotlb.patch:
make sure firewire doesn't bomb on systems with a lot of ram
but no iommu.
- patches.suse/scsi-add-DID_COND_REQUEUE:
SLES 9 SP3 mptscsi device driver doesn't work with IBM SVC
- patches.fixes/xfs-use-new-i_flags_lock-to-protect-i_flags:
XFS inode use after free, trips BUG() in generic_delete_inode()
- patches.fixes/nfsd-crossmnt-fix:
Protect reference to exp across calls to nfsd_cross_mnt.
- patches.suse/LAuS-kernel:
Updated minor number to remove clash with TPM LKM.
- patches.drivers/ide-via82cxxx-sync-PCI-IDs-to-upstream:
via82cxxx: sync PCI IDs to upstream.
- Check for mkinitrd failures in the %post script.
- patches.fixes/lockd-flush-signals:
Allow lockd to unregister with portmap.
- patches.fixes/dio-shortread-over-hole-at-eof:
fix O_DIRECT read of last block in a sparse file.
- patches.fixes/reiserfs-fix-vs-13060.diff:
fix corruption with vs-13060.
- patches.fixes/ext3-GFP_NOFS-for-symlinks.diff:
ext3_symlink should use GFP_NOFS allocations inside.
- patches.fixes/xfs-flush_invalidate_dirty_pages_direct_read.diff:
Flush and invalidate dirty pages at start of direct read.
- patches.fixes/i386-microcode.diff:
x86 microcode: don't check the size.
- patches.fixes/fix-posix_locks_deadlock:
Fix a deadlock with POSIX deadlock detection.
Fixes for ia64:
- patches.arch/ia64-sn2-hwperf-topology-nearest-node:
SN topology fix for large systems.
- patches.arch/ia64-sn2-bte_unaligned_copy-overrun:
Avert transfer of extra cache line by bte_unaligned_copy().
Fixes for S/390:
- Added latest patchset from IBM: Patchcluster 43
- Problem-ID: 29856 - cio: Use path verification for last path gone after vary off.
- Problem-ID: 30958 - cio: I/O error after cable pulls.
- Problem-ID: 32668 - qeth: increment sequence number for incoming packets
- Problem-ID: 32669 - cio: Retry internal operation on deferred condition code 1.
Also constitutes the fix for [#259406].
- Problem-ID: 32888 - qeth: connection hang with AWM and EDDP
- Problem-ID: 32612 - cio: Handle clear interrupts correctly.
- Problem-ID: 32828 - zfcp: Fix initialization of zfcp FSF timer.
- Problem-ID: 32724 - zfcp_hbaapi: Add license macro
- Problem-ID: 33533 - cio: Re-start path verification after aborting internal I/O
- Problem-ID: 33480 - qeth: keep set layer2 MAC address (Virt. NIC recovery)
- Problem-ID: 34136 - cio: Device status validity.
- Problem-ID: 34529 - qdio: time calculation is wrong
For further description of the named Problem-IDs, please see
https://www.ibm.com/us-en
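Several of the issues above are reachable only when a particular driver or protocol module is loaded (the advisory says so for ftdi_sio and AppleTalk). The shell function below is an added example, not part of the SUSE announcement: it reads a listing in /proc/modules format and reports which module-dependent issues apply. The module names in the map and the sample listing are assumptions constructed for illustration; CVE-2006-5753, CVE-2006-5754 and CVE-2006-6535 are in core kernel code and are outside this check.

```shell
#!/bin/sh
# Added example (not part of the SUSE announcement): list which
# module-dependent issues from SUSE-SA:2007:035 are reachable, given a
# module listing in /proc/modules format on stdin.

exposed_modules() {
    awk '
        BEGIN {
            # Module names are assumptions inferred from the driver and
            # protocol names in the advisory text.
            issue["ftdi_sio"]  = "CVE-2006-2936"
            issue["smbfs"]     = "CVE-2006-5871,CVE-2006-7203"
            issue["cmtp"]      = "CVE-2006-6106"
            issue["isdn"]      = "CVE-2006-5749"
            issue["appletalk"] = "CVE-2007-1357"
            issue["ipv6"]      = "CVE-2007-1592"
            issue["l2cap"]     = "CVE-2007-1353"
            issue["visor"]     = "USB-visor-memory-DoS(no-CVE-listed)"
        }
        # Field 1 is the module name; the dependency column (field 4) is
        # ignored so "usbserial ... ftdi_sio," does not count as a match.
        ($1 in issue) { print $1, issue[$1] }
    '
}

# Constructed sample listing, for running the example offline.
sample_modules() {
    cat <<'EOF'
appletalk 36644 0 - Live 0xf8b2a000
usbserial 30184 1 ftdi_sio, Live 0xf8a10000
ftdi_sio 34304 0 - Live 0xf8a3c000
ext3 118760 2 - Live 0xf89c0000
EOF
}

sample_modules | exposed_modules
# On a live system: exposed_modules < /proc/modules
```

A module that is not currently loaded may still be loaded on demand, so an empty result helps prioritise hosts but does not replace installing the update.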
2) Solution or Work-Around
There is no known workaround; please install the update packages.
3) Special Instructions and Notes
Please reboot after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
References