   openSUSE Security Update: Linux Kernel: security and bugfix update
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0003-1
Rating:             important
References:         #642043 #642302 #642311 #642313 #642484 #642486
                    #645659 #649187 #650128 #651218 #652563 #652939
                    #652940 #652945 #653258 #653260 #654581 #657350
Affected Products:
                    openSUSE 11.2
______________________________________________________________________________

   An update that contains security fixes can now be installed.
   It includes one version update.

Description:

   This update of the openSUSE 11.2 kernel fixes various bugs and
   lots of security issues.

   The following security issues have been fixed:

   CVE-2010-4258: A local attacker could use an Oops (kernel crash)
   caused by other flaws to write a 0 byte to an attacker-controlled
   address in the kernel. This could lead to privilege escalation
   together with other issues.

   CVE-2010-4160: An overflow in the sendto() and recvfrom() routines
   was fixed that could be used by local attackers to potentially
   crash the kernel using some socket families like L2TP.

   CVE-2010-4157: A 32-bit vs 64-bit integer mismatch in
   gdth_ioctl_alloc could lead to memory corruption in the GDTH
   driver.

   CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in
   the Linux kernel did not properly restrict TCP_MAXSEG (aka MSS)
   values, which allowed local users to cause a denial of service
   (OOPS) via a setsockopt call that specifies a small value, leading
   to a divide-by-zero error or incorrect use of a signed integer.

   CVE-2010-4164: A remote (or local) attacker communicating over
   X.25 could cause a kernel panic by attempting to negotiate
   malformed facilities.

   CVE-2010-4175: A local attacker could cause memory overruns in the
   RDS protocol stack, potentially crashing the kernel. So far it is
   considered not to be exploitable.

   CVE-2010-3874: A minor heap overflow in the CAN network module was
   fixed. Due to the nature of the memory allocator it is likely not
   exploitable.

   CVE-2010-4158: A memory information leak in Berkeley Packet Filter
   rules allowed local attackers to read uninitialized memory of the
   kernel stack.

   CVE-2010-4162: A local denial of service in the block device layer
   was fixed.

   CVE-2010-4163: By submitting certain I/O requests with 0 length, a
   local user could have caused a kernel panic.

   CVE-2010-3861: The ethtool_get_rxnfc function in
   net/core/ethtool.c in the Linux kernel did not initialize a
   certain block of heap memory, which allowed local users to obtain
   potentially sensitive information via an ETHTOOL_GRXCLSRLALL
   ethtool command with a large info.rule_cnt value.

   CVE-2010-3442: Multiple integer overflows in the snd_ctl_new
   function in sound/core/control.c in the Linux kernel allowed local
   users to cause a denial of service (heap memory corruption) or
   possibly have unspecified other impact via a crafted (1)
   SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl
   call.

   CVE-2010-3437: A range checking overflow in pktcdvd ioctl was
   fixed.

   CVE-2010-4078: The sisfb_ioctl function in
   drivers/video/sis/sis_main.c in the Linux kernel did not properly
   initialize a certain structure member, which allowed local users
   to obtain potentially sensitive information from kernel stack
   memory via an FBIOGET_VBLANK ioctl call.

   CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in
   sound/pci/rme9652/hdsp.c in the Linux kernel did not initialize a
   certain structure, which allowed local users to obtain potentially
   sensitive information from kernel stack memory via an
   SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.

   CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in
   sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize a
   certain structure, which allowed local users to obtain potentially
   sensitive information from kernel stack memory via an
   SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.

   CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
   drivers/video/via/ioctl.c in the Linux kernel did not properly
   initialize a certain structure member, which allowed local users
   to obtain potentially sensitive information from kernel stack
   memory via a VIAFB_GET_INFO ioctl call.

   CVE-2010-3067: Integer overflow in the do_io_submit function in
   fs/aio.c in the Linux kernel allowed local users to cause a denial
   of service or possibly have unspecified other impact via crafted
   use of the io_submit system call.

   CVE-2010-3865: An iovec integer overflow in RDS sockets was fixed
   which could lead to local attackers gaining kernel privileges.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.2:

      zypper in -t patch kernel-debug-3706

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.2 (i586 x86_64) [New Version: 2.6.31.14]:

      kernel-debug-2.6.31.14-0.6.1
      kernel-debug-base-2.6.31.14-0.6.1
      kernel-debug-devel-2.6.31.14-0.6.1
      kernel-default-2.6.31.14-0.6.1
      kernel-default-base-2.6.31.14-0.6.1
      kernel-default-devel-2.6.31.14-0.6.1
      kernel-desktop-2.6.31.14-0.6.1
      kernel-desktop-base-2.6.31.14-0.6.1
      kernel-desktop-devel-2.6.31.14-0.6.1
      kernel-syms-2.6.31.14-0.6.1
      kernel-trace-2.6.31.14-0.6.1
      kernel-trace-base-2.6.31.14-0.6.1
      kernel-trace-devel-2.6.31.14-0.6.1
      kernel-vanilla-2.6.31.14-0.6.1
      kernel-vanilla-base-2.6.31.14-0.6.1
      kernel-vanilla-devel-2.6.31.14-0.6.1
      kernel-xen-2.6.31.14-0.6.1
      kernel-xen-base-2.6.31.14-0.6.1
      kernel-xen-devel-2.6.31.14-0.6.1
      preload-kmp-default-1.1_2.6.31.14_0.6-6.9.39
      preload-kmp-desktop-1.1_2.6.31.14_0.6-6.9.39

   - openSUSE 11.2 (noarch) [New Version: 2.6.31.14]:

      kernel-source-2.6.31.14-0.6.1
      kernel-source-vanilla-2.6.31.14-0.6.1

   - openSUSE 11.2 (i586) [New Version: 2.6.31.14]:

      kernel-pae-2.6.31.14-0.6.1
      kernel-pae-base-2.6.31.14-0.6.1
      kernel-pae-devel-2.6.31.14-0.6.1

References:

   https://bugzilla.novell.com/642043
   https://bugzilla.novell.com/642302
   https://bugzilla.novell.com/642311
   https://bugzilla.novell.com/642313
   https://bugzilla.novell.com/642484
   https://bugzilla.novell.com/642486
   https://bugzilla.novell.com/645659
   https://bugzilla.novell.com/649187
   https://bugzilla.novell.com/650128
   https://bugzilla.novell.com/651218
   https://bugzilla.novell.com/652563
   https://bugzilla.novell.com/652939
   https://bugzilla.novell.com/652940
   https://bugzilla.novell.com/652945
   https://bugzilla.novell.com/653258
   https://bugzilla.novell.com/653260
   https://bugzilla.novell.com/654581
   https://bugzilla.novell.com/657350
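
One way to confirm the update is in place, given as an added example that is not part of the advisory: compare installed kernel package versions against the fixed version 2.6.31.14-0.6.1 from the package list. The function names (ver_lt, check_pkg, scan) are hypothetical, the older versions in the sample input are constructed, and the comparison assumes purely numeric version fields.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag kernel packages older than
# the fixed version taken from the advisory's package list.
FIXED="2.6.31.14-0.6.1"

# ver_lt A B: return 0 if A is older than B, 1 if not, 2 if unparsable.
# Assumes purely numeric fields separated by '.', '-' or '_'.
ver_lt() {
    case "$1$2" in *[!0-9._-]*) return 2 ;; esac
    a=$(printf '%s' "$1" | tr '._-' '   ')
    b=$(printf '%s' "$2" | tr '._-' '   ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ "$#" -gt 0 ] && shift
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # equal, or A only has extra trailing fields
}

# check_pkg NAME VERSION-RELEASE: print a verdict; 0 = fixed, 1 = vulnerable.
check_pkg() {
    rc=0
    ver_lt "$2" "$FIXED" || rc=$?
    case $rc in
        0) echo "VULNERABLE $1 $2 (fixed in $FIXED)"; return 1 ;;
        1) echo "ok         $1 $2"; return 0 ;;
        *) echo "UNKNOWN    $1 $2"; return 2 ;;
    esac
}

# scan: read "name version-release" lines on stdin; return 1 if any is not ok.
# On a real host: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' kernel-default | scan
scan() {
    bad=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        check_pkg "$name" "$ver" || bad=1
    done
    return "$bad"
}

# Constructed sample input (the two older versions are made up for the demo).
scan <<'EOF' || echo "=> run 'zypper patch' and reboot"
kernel-default 2.6.31.12-0.2.1
kernel-desktop 2.6.31.14-0.6.1
kernel-xen 2.6.31.14-0.4.1
EOF
```

A fixed package on disk does not mean the fixed kernel is running; the advisory requires a reboot, so repeat the check against the booted kernel afterwards.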