openSUSE-SU-2011:0004-1 (important): kernel: security and bugfix update.

3 Jan 2011

      openSUSE Security Update: kernel: security and bugfix update.
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0004-1
Rating:             important
References:         #547887 #584028 #628591 #629901 #629908 #641811 
                    #641983 #642043 #642302 #642311 #642312 #642313 
                    #642484 #642486 #645659 #649187 #650128 #651218 
                    #651626 #652563 #652939 #652940 #652945 #653258 
                    #653260 #653930 #654581 #655215 #655839 #657350 
                    #659076 
Affected Products:
                    openSUSE 11.3
______________________________________________________________________________

   An update that contains security fixes can now be
   installed. It includes one version update.

Description:

   The openSUSE 11.3 kernel was updated to fix various bugs
   and security issues.

   Following security issues have been fixed: CVE-2010-4347: A
   local user could inject ACPI code into the kernel via the
   world-writable "custom_debug" file, allowing local
   privilege escalation.

   CVE-2010-4258: A local attacker could use a Oops (kernel
   crash) caused by other flaws to write a 0 byte to a
   attacker controlled address in the kernel. This could lead
   to privilege escalation together with other issues.

   CVE-2010-4157: A 32bit vs 64bit integer mismatch in
   gdth_ioctl_alloc could lead to memory corruption in the
   GDTH driver.

   CVE-2010-4165: The do_tcp_setsockopt function in
   net/ipv4/tcp.c in the Linux kernel did not properly
   restrict TCP_MAXSEG (aka MSS) values, which allows local
   users to cause a denial of service (OOPS) via a setsockopt
   call that specifies a small value, leading to a
   divide-by-zero error or incorrect use of a signed integer.

   CVE-2010-4164: A remote (or local) attacker communicating
   over X.25 could cause a kernel panic by attempting to
   negotiate malformed facilities.

   CVE-2010-4175:  A local attacker could cause memory
   overruns in the RDS protocol stack, potentially crashing
   the kernel. So far it is considered not to be exploitable.

   CVE-2010-4169: Use-after-free vulnerability in
   mm/mprotect.c in the Linux kernel allwed local users to
   cause a denial of service via vectors involving an mprotect
   system call.

   CVE-2010-3874: A minor heap overflow in the CAN network
   module was fixed. Due to nature of the memory allocator it
   is likely not exploitable.

   CVE-2010-4158: A memory information leak in berkely packet
   filter rules allowed local attackers to read uninitialized
   memory of the kernel stack.

   CVE-2010-4162: A local denial of service in the blockdevice
   layer was fixed.

   CVE-2010-4163: By submitting certain I/O requests with 0
   length, a local user could have caused a kernel panic.

   CVE-2010-0435: The Hypervisor in KVM 83, when the Intel
   VT-x extension is enabled, allows guest OS users to cause a
   denial of service (NULL pointer dereference and host OS
   crash) via vectors related to instruction emulation.

   CVE-2010-3861: The ethtool_get_rxnfc function in
   net/core/ethtool.c in the Linux kernel did not initialize a
   certain block of heap memory, which allowed local users to
   obtain potentially sensitive information via an
   ETHTOOL_GRXCLSRLALL ethtool command with a large
   info.rule_cnt value.

   CVE-2010-3442: Multiple integer overflows in the
   snd_ctl_new function in sound/core/control.c in the Linux
   kernel allowed local users to cause a denial of service
   (heap memory corruption) or possibly have unspecified other
   impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2)
   SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

   CVE-2010-3437: A range checking overflow in pktcdvd ioctl
   was fixed.

   CVE-2010-4078: The sisfb_ioctl function in
   drivers/video/sis/sis_main.c in the Linux kernel did not
   properly initialize a certain structure member, which
   allowed local users to obtain potentially sensitive
   information from kernel stack memory via an FBIOGET_VBLANK
   ioctl call.

   CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in
   sound/pci/rme9652/hdsp.c in the Linux kernel did not
   initialize a certain structure, which allowed local users
   to obtain potentially sensitive information from kernel
   stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl
   call.

   CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in
   sound/pci/rme9652/hdspm.c in the Linux kernel did not
   initialize a certain structure, which allowed local users
   to obtain potentially sensitive information from kernel
   stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl
   call.

   CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
   drivers/video/via/ioctl.c in the Linux kernel did not
   properly initialize a certain structure member, which
   allowed local users to obtain potentially sensitive
   information from kernel stack memory via a VIAFB_GET_INFO
   ioctl call.

   CVE-2010-4073: The ipc subsystem in the Linux kernel did
   not initialize certain structures, which allowed local
   users to obtain potentially sensitive information from
   kernel stack memory via vectors related to the (1)
   compat_sys_semctl, (2) compat_sys_msgctl, and (3)
   compat_sys_shmctl functions in ipc/compat.c; and the (4)
   compat_sys_mq_open and (5) compat_sys_mq_getsetattr
   functions in ipc/compat_mq.c.

   CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c
   in the Linux kernel did not initialize a certain structure,
   which allowed local users to obtain potentially sensitive
   information from kernel stack memory via vectors related to
   the shmctl system call and the "old shm interface."

   CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c
   in the Linux kernel did not initialize a certain structure,
   which allowed local users to obtain potentially sensitive
   information from kernel stack memory via a (1) IPC_INFO,
   (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a
   semctl system call.

   CVE-2010-3432: The sctp_packet_config function in
   net/sctp/output.c in the Linux kernel performed extraneous
   initializations of packet data structures, which allowed
   remote attackers to cause a denial of service (panic) via a
   certain sequence of SCTP traffic.

   CVE-2010-3067: Integer overflow in the do_io_submit
   function in fs/aio.c in the Linux kernel allowed local
   users to cause a denial of service or possibly have
   unspecified other impact via crafted use of the io_submit
   system call.

   CVE-2010-3865: A iovec integer overflow in RDS sockets was
   fixed which could lead to local attackers gaining kernel
   privileges.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.3:

      zypper in -t patch kernel-3709

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.3 (i586 x86_64) [New Version: 2.6.34.7]:

      kernel-debug-2.6.34.7-0.7.1
      kernel-debug-base-2.6.34.7-0.7.1
      kernel-debug-devel-2.6.34.7-0.7.1
      kernel-default-2.6.34.7-0.7.1
      kernel-default-base-2.6.34.7-0.7.1
      kernel-default-devel-2.6.34.7-0.7.1
      kernel-desktop-2.6.34.7-0.7.1
      kernel-desktop-base-2.6.34.7-0.7.1
      kernel-desktop-devel-2.6.34.7-0.7.1
      kernel-ec2-2.6.34.7-0.7.1
      kernel-ec2-base-2.6.34.7-0.7.1
      kernel-ec2-devel-2.6.34.7-0.7.1
      kernel-ec2-extra-2.6.34.7-0.7.1
      kernel-syms-2.6.34.7-0.7.1
      kernel-trace-2.6.34.7-0.7.1
      kernel-trace-base-2.6.34.7-0.7.1
      kernel-trace-devel-2.6.34.7-0.7.1
      kernel-vanilla-2.6.34.7-0.7.1
      kernel-vanilla-base-2.6.34.7-0.7.1
      kernel-vanilla-devel-2.6.34.7-0.7.1
      kernel-xen-2.6.34.7-0.7.1
      kernel-xen-base-2.6.34.7-0.7.1
      kernel-xen-devel-2.6.34.7-0.7.1
      preload-kmp-default-1.1_k2.6.34.7_0.7-19.1.11
      preload-kmp-desktop-1.1_k2.6.34.7_0.7-19.1.11

   - openSUSE 11.3 (noarch) [New Version: 2.6.34.7]:

      kernel-devel-2.6.34.7-0.7.1
      kernel-source-2.6.34.7-0.7.1
      kernel-source-vanilla-2.6.34.7-0.7.1

   - openSUSE 11.3 (i586) [New Version: 2.6.34.7]:

      kernel-pae-2.6.34.7-0.7.1
      kernel-pae-base-2.6.34.7-0.7.1
      kernel-pae-devel-2.6.34.7-0.7.1
      kernel-vmi-2.6.34.7-0.7.1
      kernel-vmi-base-2.6.34.7-0.7.1
      kernel-vmi-devel-2.6.34.7-0.7.1

References:

   https://bugzilla.novell.com/547887
   https://bugzilla.novell.com/584028
   https://bugzilla.novell.com/628591
   https://bugzilla.novell.com/629901
   https://bugzilla.novell.com/629908
   https://bugzilla.novell.com/641811
   https://bugzilla.novell.com/641983
   https://bugzilla.novell.com/642043
   https://bugzilla.novell.com/642302
   https://bugzilla.novell.com/642311
   https://bugzilla.novell.com/642312
   https://bugzilla.novell.com/642313
   https://bugzilla.novell.com/642484
   https://bugzilla.novell.com/642486
   https://bugzilla.novell.com/645659
   https://bugzilla.novell.com/649187
   https://bugzilla.novell.com/650128
   https://bugzilla.novell.com/651218
   https://bugzilla.novell.com/651626
   https://bugzilla.novell.com/652563
   https://bugzilla.novell.com/652939
   https://bugzilla.novell.com/652940
   https://bugzilla.novell.com/652945
   https://bugzilla.novell.com/653258
   https://bugzilla.novell.com/653260
   https://bugzilla.novell.com/653930
   https://bugzilla.novell.com/654581
   https://bugzilla.novell.com/655215
   https://bugzilla.novell.com/655839
   https://bugzilla.novell.com/657350
   https://bugzilla.novell.com/659076

openSUSE-SU-2011:0004-1 (important): kernel: security and bugfix update.

opensuse-security＠opensuse.org