SuSE: 2010-060: Linux kernel Security Update
Summary
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2010:060
Date: Tue, 14 Dec 2010 12:00:00 +0000
Affected Products: SLE SDK 10 SP3
                   SUSE Linux Enterprise Desktop 10 SP3
                   SUSE Linux Enterprise Server 10 SP3
Vulnerability Type: remote denial of service
CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-2226, CVE-2010-2248, CVE-2010-2942
                  CVE-2010-2946, CVE-2010-3067, CVE-2010-3086
                  CVE-2010-3310, CVE-2010-3437, CVE-2010-3442
                  CVE-2010-4072, CVE-2010-4073, CVE-2010-4078
                  CVE-2010-4080, CVE-2010-4081, CVE-2010-4083
                  CVE-2010-4157, CVE-2010-4158, CVE-2010-4162
                  CVE-2010-4164
Content of This Advisory:
1) Security Vulnerability Resolved:
   Linux kernel security update
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
   See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
several security issues and bugs.
The following security issues were fixed:
CVE-2010-3442: Multiple integer overflows in the snd_ctl_new
function in sound/core/control.c in the Linux kernel before
2.6.36-rc5-next-20100929 allow local users to cause a denial of
service (heap memory corruption) or possibly have unspecified
other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2)
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.
CVE-2010-3437: Integer signedness error in the pkt_find_dev_from_minor
function in drivers/block/pktcdvd.c in the Linux kernel before
2.6.36-rc6 allows local users to obtain sensitive information from
kernel memory or cause a denial of service (invalid pointer dereference
and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS
ioctl call.
CVE-2010-4078: Uninitialized stack memory disclosure in the
FBIOGET_VBLANK ioctl in the sis and ivtv drivers could leak kernel
memory to userspace.
CVE-2010-4080 / CVE-2010-4081: Uninitialized stack memory disclosure
in the rme9652 ALSA driver could leak kernel memory to userspace.
CVE-2010-4073 / CVE-2010-4072 / CVE-2010-4083: Uninitialized stack
memory disclosure in the SystemV IPC handling functions could leak
kernel memory to userspace.
CVE-2010-3067: Integer overflow in the do_io_submit function in
fs/aio.c in the Linux kernel allowed local users to cause a denial
of service or possibly have unspecified other impact via crafted use
of the io_submit system call.
CVE-2010-3310: Multiple integer signedness errors in net/rose/af_rose.c
in the Linux kernel allowed local users to cause a denial of service
(heap memory corruption) or possibly have unspecified other impact
via a rose_getname function call, related to the rose_bind and
rose_connect functions.
CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the
Linux kernel did not properly check the file descriptors passed to
the SWAPEXT ioctl, which allowed local users to leverage write access
and obtain read access by swapping one file into another file.
CVE-2010-2946: fs/jfs/xattr.c in the Linux kernel did not properly
handle a certain legacy format for storage of extended attributes,
which might have allowed local users to bypass intended xattr namespace
restrictions via an "os2." substring at the beginning of a name.
CVE-2010-2942: The actions implementation in the network queuing
functionality in the Linux kernel did not properly initialize
certain structure members when performing dump operations, which
allowed local users to obtain potentially sensitive information
from kernel memory via vectors related to (1) the tcf_gact_dump
function in net/sched/act_gact.c, (2) the tcf_mirred_dump
function in net/sched/act_mirred.c, (3) the tcf_nat_dump function
in net/sched/act_nat.c, (4) the tcf_simp_dump function in
net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in
net/sched/act_skbedit.c.
CVE-2010-2248: fs/cifs/cifssmb.c in the CIFS implementation in the
Linux kernel allowed remote attackers to cause a denial of service
(panic) via an SMB response packet with an invalid CountHigh value,
as demonstrated by a response from an OS/2 server, related to the
CIFSSMBWrite and CIFSSMBWrite2 functions.
CVE-2010-4157: A 32-bit vs 64-bit integer mismatch in gdth_ioctl_alloc
could lead to memory corruption in the GDTH driver.
CVE-2010-4164: A remote (or local) attacker communicating over X.25
could cause a kernel panic by attempting to negotiate malformed
facilities.
CVE-2010-3086: A missing lock prefix in the x86 futex code could be
used by local attackers to cause a denial of service.
CVE-2010-4158: A memory information leak in Berkeley Packet Filter
rules allowed local attackers to read uninitialized memory of the
kernel stack.
CVE-2010-4162: A local denial of service in the block device layer
was fixed.
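The uninitialized stack memory disclosures listed above (CVE-2010-4078, CVE-2010-4080 / CVE-2010-4081, CVE-2010-4072 / CVE-2010-4073 / CVE-2010-4083, CVE-2010-2942) share one pattern: a structure on the stack is only partly filled before it is copied out in full. The following user-space C model is an added example, not code from the kernel or from SUSE; the structure, the handler names and the 0xAA marker are hypothetical, and memcpy stands in for the copy to userspace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old stack contents */

/* Hypothetical reply structure returned by an ioctl-style handler. */
struct reply {
    uint32_t flags;
    uint32_t count;
    uint32_t reserved[4];  /* never assigned by the handler */
};

/* Vulnerable pattern: some members stay unset, yet the whole object is copied. */
void handler_unsafe(struct reply *slot, unsigned char *user)
{
    slot->flags = 1;
    slot->count = 42;
    memcpy(user, slot, sizeof(*slot));
}

/* Hardened pattern: zero the whole object before filling and copying it. */
void handler_fixed(struct reply *slot, unsigned char *user)
{
    memset(slot, 0, sizeof(*slot));
    slot->flags = 1;
    slot->count = 42;
    memcpy(user, slot, sizeof(*slot));
}

/* Runs a handler on a slot pre-filled with stale bytes (simulating reused
 * stack memory) and returns how many of those bytes reach the caller. */
size_t leaked_bytes(void (*handler)(struct reply *, unsigned char *))
{
    struct reply slot;
    unsigned char user[sizeof(slot)];
    size_t i, n = 0;
    memset(&slot, STALE, sizeof(slot));
    handler(&slot, user);
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("unsafe: %zu, fixed: %zu\n", leaked_bytes(handler_unsafe), leaked_bytes(handler_fixed));
    return 0;
}
```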
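The integer overflow entries (CVE-2010-3442, CVE-2010-3067) and the signedness entries (CVE-2010-3437, CVE-2010-3310) come down to a size or index check that does not hold for every input value. The following user-space C sketch is an added example, not the kernel's code or its patches; the constants and function names are hypothetical, and the index functions only report whether the bounds check passes.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE   64u  /* hypothetical fixed header, bytes */
#define ELEM_SIZE  8u   /* hypothetical element size, bytes */
#define TABLE_SIZE 8    /* hypothetical device table length */

/* Overflow, vulnerable: the product wraps modulo 2^32, so a huge
 * count produces a small allocation size. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return HDR_SIZE + count * ELEM_SIZE;
}

/* Overflow, hardened: refuse counts whose total cannot be represented.
 * Returns the size in bytes, or -1 if the request must be rejected. */
long long alloc_size_checked(uint32_t count)
{
    if (count > (UINT32_MAX - HDR_SIZE) / ELEM_SIZE)
        return -1;
    return (long long)(HDR_SIZE + count * ELEM_SIZE);
}

/* Signedness, vulnerable: only the upper bound is tested, so a
 * negative index is accepted. Returns 1 if the index passes. */
int index_ok_signed(int idx)
{
    return idx < TABLE_SIZE;
}

/* Signedness, hardened: an unsigned index turns negative input into a
 * large value that fails the same comparison. */
int index_ok_unsigned(unsigned int idx)
{
    return idx < (unsigned int)TABLE_SIZE;
}

int main(void)
{
    uint32_t count = 0x20000001u;  /* constructed: count * 8 wraps to 8 */
    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(count));
    printf("checked size:   %lld\n", alloc_size_checked(count));
    printf("idx -1 signed: %d, unsigned: %d\n",
           index_ok_signed(-1), index_ok_unsigned((unsigned int)-1));
    return 0;
}
```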
2) Solution or Work-Around
There is no known workaround; please install the update packages.
3) Special Instructions and Notes
Please reboot the machine after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" command-line tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv