SuSE: 2011-012: Linux kernel Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2011:012
Date: Tue, 08 Mar 2011 15:00:00 +0000
Affected Products: SUSE Linux Enterprise High Availability Extension 11 SP1
SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Server 11 SP1
Vulnerability Type: remote denial of service, local privilege escalation
CVSS v2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-2943, CVE-2010-3699, CVE-2010-3705
CVE-2010-3858, CVE-2010-3875, CVE-2010-3876
CVE-2010-3877, CVE-2010-4075, CVE-2010-4076
CVE-2010-4077, CVE-2010-4163, CVE-2010-4243
CVE-2010-4342, CVE-2010-4346, CVE-2010-4526
CVE-2010-4527, CVE-2010-4529, CVE-2010-4650
CVE-2010-4668, CVE-2011-0006, CVE-2011-0710
CVE-2011-0711, CVE-2011-0712
Content of This Advisory:
1) Security Vulnerability Resolved:
Linux kernel security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.29 and fixes various bugs and security issues.
CVE-2010-3875: The ax25_getname function in net/ax25/af_ax25.c in the
Linux kernel did not initialize a certain structure, which allowed
local users to obtain potentially sensitive information from kernel
stack memory by reading a copy of this structure.
CVE-2010-3876: net/packet/af_packet.c in the Linux kernel did not
properly initialize certain structure members, which allowed local
users to obtain potentially sensitive information from kernel stack
memory by leveraging the CAP_NET_RAW capability to read copies of
the applicable structures.
CVE-2010-3877: The get_name function in net/tipc/socket.c in the
Linux kernel did not initialize a certain structure, which allowed
local users to obtain potentially sensitive information from kernel
stack memory by reading a copy of this structure.
CVE-2010-3705: The sctp_auth_asoc_get_hmac function in net/sctp/auth.c
in the Linux kernel did not properly validate the hmac_ids array of an
SCTP peer, which allowed remote attackers to cause a denial of service
(memory corruption and panic) via a crafted value in the last element
of this array.
CVE-2011-0711: A stack memory information leak in the xfs FSGEOMETRY_V1
ioctl was fixed.
CVE-2011-0712: Multiple buffer overflows in the caiaq Native
Instruments USB audio functionality in the Linux kernel might have
allowed attackers to cause a denial of service or possibly have
unspecified other impact via a long USB device name, related to (1)
the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and
(2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.
CVE-2011-0710: The task_show_regs function in arch/s390/kernel/traps.c
in the Linux kernel on the s390 platform allowed local users to obtain
the values of the registers of an arbitrary process by reading a
status file under /proc/.
CVE-2010-2943: The xfs implementation in the Linux kernel did not
look up inode allocation btrees before reading inode buffers, which
allowed remote authenticated users to read unlinked files, or read
or overwrite disk blocks that are currently assigned to an active
file but were previously assigned to an unlinked file, by accessing
a stale NFS file handle.
CVE-2010-4075: The uart_get_count function in
drivers/serial/serial_core.c in the Linux kernel did not properly
initialize a certain structure member, which allowed local users to
obtain potentially sensitive information from kernel stack memory
via a TIOCGICOUNT ioctl call.
CVE-2010-4076: The rs_ioctl function in drivers/char/amiserial.c in the
Linux kernel did not properly initialize a certain structure member,
which allowed local users to obtain potentially sensitive information
from kernel stack memory via a TIOCGICOUNT ioctl call.
CVE-2010-4077: The ntty_ioctl_tiocgicount function in
drivers/char/nozomi.c in the Linux kernel did not properly initialize
a certain structure member, which allowed local users to obtain
potentially sensitive information from kernel stack memory via a
TIOCGICOUNT ioctl call.
CVE-2010-4243: fs/exec.c in the Linux kernel did not enable the OOM
Killer to assess use of stack memory by arrays representing the (1)
arguments and (2) environment, which allows local users to cause a
denial of service (memory consumption) via a crafted exec system call,
aka an OOM dodging issue, a related issue to CVE-2010-3858.
CVE-2010-4668: The blk_rq_map_user_iov function in block/blk-map.c
in the Linux kernel allowed local users to cause a denial of service
(panic) via a zero-length I/O request in a device ioctl to a SCSI
device, related to an unaligned map. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2010-4163.
CVE-2010-4529: Integer underflow in the irda_getsockopt function in
net/irda/af_irda.c in the Linux kernel on platforms other than x86
allowed local users to obtain potentially sensitive information from
kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.
CVE-2010-4342: The aun_incoming function in net/econet/af_econet.c
in the Linux kernel, when Econet is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS)
by sending an Acorn Universal Networking (AUN) packet over UDP.
CVE-2010-3699: The backend driver in Xen 3.x allowed guest OS users to cause a denial of service via a kernel thread leak, which prevented
the device and guest OS from being shut down or create a zombie domain,
causing a hang in zenwatch, or preventing unspecified xm commands from
working properly, related to (1) netback, (2) blkback, or (3) blktap.
CVE-2010-4346: The install_special_mapping function in mm/mmap.c in the
Linux kernel did not make an expected security_file_mmap function call,
which allows local users to bypass intended mmap_min_addr restrictions
and possibly conduct NULL pointer dereference attacks via a crafted
assembly-language application.
CVE-2010-4650: Fixed a verify_ioctl overflow in "cuse" in the fuse
filesystem. The code should only be called by root users though.
CVE-2010-4526: Race condition in the sctp_icmp_proto_unreachable
function in net/sctp/input.c in the Linux kernel allowed remote
attackers to cause a denial of service (panic) via an ICMP unreachable
message to a socket that is already locked by a user, which causes
the socket to be freed and triggers list corruption, related to the
sctp_wait_for_connect function.
CVE-2010-4527: The load_mixer_volumes function in sound/oss/soundcard.c
in the OSS sound subsystem in the Linux kernel incorrectly expected
that a certain name field ends with a '0' character, which allowed
local users to conduct buffer overflow attacks and gain privileges,
or possibly obtain sensitive information from kernel memory, via a
SOUND_MIXER_SETLEVELS ioctl call.
CVE-2011-0006: Fixed a LSM bug in IMA (Integrity Measuring Architecture).
IMA is not enabled in SUSE kernels, so we were not affected.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please reboot the machine after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
References
