openSUSE Security Update: Linux Kernel: security and bugfix update ______________________________________________________________________________ Announcement ID: openSUSE-SU-2010:0664-1 Rating: critical References: #426536 #465707 #486997 #508259 #556837 #557201 #567376 #567860 #567867 #569071 #571494 #573244 #575697 #576026 #583867 #584554 #585385 #585927 #586711 #587265 #588579 #589280 #589329 #589788 #590738 #591371 #593906 #593940 #596031 #596462 #599508 #599955 #601328 #602209 #606743 #608576 #610362 #611760 #612213 #612457 #614054 #615141 #616612 #616614 #618156 #618157 #619850 #620372 #624587 #627386 #627447 #628604 #631801 #632309 #633581 #633585 #635413 #635425 #636112 #637436 #637502 #638274 #638277 #639481 #639482 #639483 #639708 #639709 Affected Products: openSUSE 11.2 ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes one version update. Description: This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing several security issues and bugs. A lot of ext4 filesystem stability fixes were also added. Following security issues have been fixed: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-2960: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel expects that a certain parent session keyring exists, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes. CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which could lead to kernel crashes. CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem. CVE-2010-2942: Fixed a kernel information leak in the net scheduler code. CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. CVE-2010-2946: The 'os2' xattr namespace on the jfs filesystem could be used to bypass xattr namespace rules. CVE-2010-2959: Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel allowed attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. CVE-2010-3015: Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. CVE-2010-2492: Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel might have allowed local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. CVE-2010-2248: fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel allowed remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. CVE-2010-2803: The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. CVE-2010-2478: A potential buffer overflow in the ETHTOOL_GRXCLSRLALL ethtool code was fixed which could be used by local attackers to crash the kernel or potentially execute code. CVE-2010-2524: The DNS resolution functionality in the CIFS implementation in the Linux kernel, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allowed local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals. CVE-2010-2798: The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel used an incorrect size value in calculations associated with sentinel directory entries, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. CVE-2010-2537: The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls allowed a local user to overwrite append-only files. CVE-2010-2538: The BTRFS_IOC_CLONE_RANGE ioctl was subject to an integer overflow in specifying offsets to copy from a file, which potentially allowed a local user to read sensitive filesystem data. CVE-2010-2521: Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel allowed remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. CVE-2010-2066: The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel allowed local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor. CVE-2010-2495: The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel did not properly validate certain values associated with an interface, which allowed attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change. CVE-2010-2071: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel did not check file ownership before setting an ACL, which allowed local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl. CVE-2010-1641: The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel did not verify the ownership of a file, which allowed local users to bypass intended access restrictions via a SETFLAGS ioctl request. CVE-2010-1087: The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x allowed attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible. CVE-2010-1636: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel did not ensure that a cloned file descriptor has been opened for reading, which allowed local users to read sensitive information from a write-only file descriptor. CVE-2010-1437: Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function. CVE-2010-1148: The cifs_create function in fs/cifs/dir.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions. CVE-2010-1162: The release_one_tty function in drivers/char/tty_io.c in the Linux kernel omitted certain required calls to the put_pid function, which has unspecified impact and local attack vectors. CVE-2010-1146: The Linux kernel, when a ReiserFS filesystem exists, did not restrict read or write access to the .reiserfs_priv directory, which allowed local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/. CVE-2009-4537: drivers/net/r8169.c in the r8169 driver in the Linux kernel did not properly check the size of an Ethernet frame that exceeds the MTU, which allowed remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.2: zypper in -t patch kernel-3175 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.2 (i586 x86_64) [New Version: 2.6.31.14]: kernel-debug-2.6.31.14-0.1.1 kernel-debug-base-2.6.31.14-0.1.1 kernel-debug-devel-2.6.31.14-0.1.1 kernel-default-2.6.31.14-0.1.1 kernel-default-base-2.6.31.14-0.1.1 kernel-default-devel-2.6.31.14-0.1.1 kernel-desktop-2.6.31.14-0.1.1 kernel-desktop-base-2.6.31.14-0.1.1 kernel-desktop-devel-2.6.31.14-0.1.1 kernel-syms-2.6.31.14-0.1.1 kernel-trace-2.6.31.14-0.1.1 kernel-trace-base-2.6.31.14-0.1.1 kernel-trace-devel-2.6.31.14-0.1.1 kernel-vanilla-2.6.31.14-0.1.1 kernel-vanilla-base-2.6.31.14-0.1.1 kernel-vanilla-devel-2.6.31.14-0.1.1 kernel-xen-2.6.31.14-0.1.1 kernel-xen-base-2.6.31.14-0.1.1 kernel-xen-devel-2.6.31.14-0.1.1 preload-kmp-default-1.1_2.6.31.14_0.1-6.9.26 preload-kmp-desktop-1.1_2.6.31.14_0.1-6.9.26 - openSUSE 11.2 (noarch) [New Version: 2.6.31.14]: kernel-source-2.6.31.14-0.1.1 kernel-source-vanilla-2.6.31.14-0.1.1 - openSUSE 11.2 (i586) [New Version: 2.6.31.14]: kernel-pae-2.6.31.14-0.1.1 kernel-pae-base-2.6.31.14-0.1.1 kernel-pae-devel-2.6.31.14-0.1.1 References: https://bugzilla.novell.com/426536 https://bugzilla.novell.com/465707 https://bugzilla.novell.com/486997 https://bugzilla.novell.com/508259 https://bugzilla.novell.com/556837 https://bugzilla.novell.com/557201 https://bugzilla.novell.com/567376 https://bugzilla.novell.com/567860 https://bugzilla.novell.com/567867 https://bugzilla.novell.com/569071 https://bugzilla.novell.com/571494 https://bugzilla.novell.com/573244 https://bugzilla.novell.com/575697 https://bugzilla.novell.com/576026 https://bugzilla.novell.com/583867 https://bugzilla.novell.com/584554 https://bugzilla.novell.com/585385 https://bugzilla.novell.com/585927 https://bugzilla.novell.com/586711 https://bugzilla.novell.com/587265 https://bugzilla.novell.com/588579 https://bugzilla.novell.com/589280 https://bugzilla.novell.com/589329 https://bugzilla.novell.com/589788 https://bugzilla.novell.com/590738 https://bugzilla.novell.com/591371 https://bugzilla.novell.com/593906 https://bugzilla.novell.com/593940 https://bugzilla.novell.com/596031 https://bugzilla.novell.com/596462 https://bugzilla.novell.com/599508 https://bugzilla.novell.com/599955 https://bugzilla.novell.com/601328 https://bugzilla.novell.com/602209 https://bugzilla.novell.com/606743 https://bugzilla.novell.com/608576 https://bugzilla.novell.com/610362 https://bugzilla.novell.com/611760 https://bugzilla.novell.com/612213 https://bugzilla.novell.com/612457 https://bugzilla.novell.com/614054 https://bugzilla.novell.com/615141 https://bugzilla.novell.com/616612 https://bugzilla.novell.com/616614 https://bugzilla.novell.com/618156 https://bugzilla.novell.com/618157 https://bugzilla.novell.com/619850 https://bugzilla.novell.com/620372 https://bugzilla.novell.com/624587 https://bugzilla.novell.com/627386 https://bugzilla.novell.com/627447 https://bugzilla.novell.com/628604 https://bugzilla.novell.com/631801 https://bugzilla.novell.com/632309 https://bugzilla.novell.com/633581 https://bugzilla.novell.com/633585 https://bugzilla.novell.com/635413 https://bugzilla.novell.com/635425 https://bugzilla.novell.com/636112 https://bugzilla.novell.com/637436 https://bugzilla.novell.com/637502 https://bugzilla.novell.com/638274 https://bugzilla.novell.com/638277 https://bugzilla.novell.com/639481 https://bugzilla.novell.com/639482 https://bugzilla.novell.com/639483 https://bugzilla.novell.com/639708 https://bugzilla.novell.com/639709