SuSE: 2011-005: Linux kernel Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2011:005
Date: Tue, 25 Jan 2011 11:00:00 +0000
Affected Products: SLE SDK 10 SP3
SUSE Linux Enterprise Desktop 10 SP3
SUSE Linux Enterprise Server 10 SP3
Vulnerability Type: local privilege escalation
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-3699, CVE-2010-3848, CVE-2010-3849
CVE-2010-3850, CVE-2010-4160, CVE-2010-4258
Content of This Advisory:
1) Security Vulnerability Resolved:
Linux kernel security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
several security issues and bugs.
Following security issues were fixed:
CVE-2010-4258: A local attacker could use a Oops (kernel crash) caused
by other flaws to write a 0 byte to a attacker controlled address
in the kernel. This could lead to privilege escalation together with
other issues.
CVE-2010-3699: The backend driver in Xen 3.x allows guest OS users to
cause a denial of service via a kernel thread leak, which prevents the
device and guest OS from being shut down or create a zombie domain,
causes a hang in zenwatch, or prevents unspecified xm commands from
working properly, related to (1) netback, (2) blkback, or (3) blktap.
CVE-2010-3849: The econet_sendmsg function in net/econet/af_econet.c
in the Linux kernel, when an econet address is configured, allowed
local users to cause a denial of service (NULL pointer dereference
and OOPS) via a sendmsg call that specifies a NULL value for the
remote address field.
CVE-2010-3848: Stack-based buffer overflow in the econet_sendmsg
function in net/econet/af_econet.c in the Linux kernel when an econet
address is configured, allowed local users to gain privileges by
providing a large number of iovec structures.
CVE-2010-3850: The ec_dev_ioctl function in net/econet/af_econet.c
in the Linux kernel did not require the CAP_NET_ADMIN capability,
which allowed local users to bypass intended access restrictions and
configure econet addresses via an SIOCSIFADDR ioctl call.
CVE-2010-4160: An overflow in sendto() and recvfrom() routines was
fixed that could be used by local attackers to potentially crash the
kernel using some socket families like L2TP.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please reboot the machine after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
References