Mailinglist Archive: opensuse-updates (59 mails)

< Previous Next >
openSUSE-SU-2010:0664-1 (critical): Linux Kernel: security and bugfix update
  • From: opensuse-security@xxxxxxxxxxxx
  • Date: Thu, 23 Sep 2010 19:08:11 +0200 (CEST)
  • Message-id: <20100923170811.CE930BE38@xxxxxxxxxxxxxx>
openSUSE Security Update: Linux Kernel: security and bugfix update
______________________________________________________________________________

Announcement ID: openSUSE-SU-2010:0664-1
Rating: critical
References: #426536 #465707 #486997 #508259 #556837 #557201
#567376 #567860 #567867 #569071 #571494 #573244
#575697 #576026 #583867 #584554 #585385 #585927
#586711 #587265 #588579 #589280 #589329 #589788
#590738 #591371 #593906 #593940 #596031 #596462
#599508 #599955 #601328 #602209 #606743 #608576
#610362 #611760 #612213 #612457 #614054 #615141
#616612 #616614 #618156 #618157 #619850 #620372
#624587 #627386 #627447 #628604 #631801 #632309
#633581 #633585 #635413 #635425 #636112 #637436
#637502 #638274 #638277 #639481 #639482 #639483
#639708 #639709
Affected Products:
openSUSE 11.2
______________________________________________________________________________

An update that contains security fixes can now be
installed. It includes one version update.

Description:

This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing
several security issues and bugs.

A lot of ext4 filesystem stability fixes were also added.

Following security issues have been fixed: CVE-2010-3301:
Mismatch between 32bit and 64bit register usage in the
system call entry path could be used by local attackers to
gain root privileges. This problem only affects x86_64
kernels.

CVE-2010-3081: Incorrect buffer handling in the
biarch-compat buffer handling could be used by local
attackers to gain root privileges. This problem affects
foremost x86_64, or potentially other biarch platforms,
like PowerPC and S390x.

CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL
code could be used to crash the kernel or potentially
execute code.

CVE-2010-2955: A kernel information leak via the WEXT ioctl
was fixed.

CVE-2010-2960: The keyctl_session_to_parent function in
security/keys/keyctl.c in the Linux kernel expects that a
certain parent session keyring exists, which allowed local
users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified
other impact via a KEYCTL_SESSION_TO_PARENT argument to the
keyctl function.

CVE-2010-3080: A double free in an alsa error path was
fixed, which could lead to kernel crashes.

CVE-2010-3079: Fixed a ftrace NULL pointer dereference
problem which could lead to kernel crashes.

CVE-2010-3298: Fixed a kernel information leak in the
net/usb/hso driver.

CVE-2010-3296: Fixed a kernel information leak in the cxgb3
driver.

CVE-2010-3297: Fixed a kernel information leak in the
net/eql driver.

CVE-2010-3078: Fixed a kernel information leak in the xfs
filesystem. CVE-2010-2942: Fixed a kernel information leak
in the net scheduler code.

CVE-2010-2954: The irda_bind function in net/irda/af_irda.c
in the Linux kernel did not properly handle failure of the
irda_open_tsap function, which allowed local users to cause
a denial of service (NULL pointer dereference and panic)
and possibly have unspecified other impact via multiple
unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA)
socket.

CVE-2010-2226: The xfs_swapext function in
fs/xfs/xfs_dfrag.c in the Linux kernel did not properly
check the file descriptors passed to the SWAPEXT ioctl,
which allowed local users to leverage write access and
obtain read access by swapping one file into another file.

CVE-2010-2946: The 'os2' xattr namespace on the jfs
filesystem could be used to bypass xattr namespace rules.

CVE-2010-2959: Integer overflow in net/can/bcm.c in the
Controller Area Network (CAN) implementation in the Linux
kernel allowed attackers to execute arbitrary code or cause
a denial of service (system crash) via crafted CAN traffic.

CVE-2010-3015: Integer overflow in the ext4_ext_get_blocks
function in fs/ext4/extents.c in the Linux kernel allowed
local users to cause a denial of service (BUG and system
crash) via a write operation on the last block of a large
file, followed by a sync operation.

CVE-2010-2492: Buffer overflow in the ecryptfs_uid_hash
macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem
in the Linux kernel might have allowed local users to gain
privileges or cause a denial of service (system crash) via
unspecified vectors.

CVE-2010-2248: fs/cifs/cifssmb.c in the CIFS implementation
in the Linux kernel allowed remote attackers to cause a
denial of service (panic) via an SMB response packet with
an invalid CountHigh value, as demonstrated by a response
from an OS/2 server, related to the CIFSSMBWrite and
CIFSSMBWrite2 functions.

CVE-2010-2803: The drm_ioctl function in
drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager
(DRM) subsystem in the Linux kernel allowed local users to
obtain potentially sensitive information from kernel memory
by requesting a large memory-allocation amount.

CVE-2010-2478: A potential buffer overflow in the
ETHTOOL_GRXCLSRLALL ethtool code was fixed which could be
used by local attackers to crash the kernel or potentially
execute code.

CVE-2010-2524: The DNS resolution functionality in the CIFS
implementation in the Linux kernel, when
CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's
keyring for the dns_resolver upcall in the cifs.upcall
userspace helper, which allowed local users to spoof the
results of DNS queries and perform arbitrary CIFS mounts
via vectors involving an add_key call, related to a "cache
stuffing" issue and MS-DFS referrals.

CVE-2010-2798: The gfs2_dirent_find_space function in
fs/gfs2/dir.c in the Linux kernel used an incorrect size
value in calculations associated with sentinel directory
entries, which allowed local users to cause a denial of
service (NULL pointer dereference and panic) and possibly
have unspecified other impact by renaming a file in a GFS2
filesystem, related to the gfs2_rename function in
fs/gfs2/ops_inode.c.

CVE-2010-2537: The BTRFS_IOC_CLONE and
BTRFS_IOC_CLONE_RANGE ioctls allowed a local user to
overwrite append-only files.

CVE-2010-2538: The BTRFS_IOC_CLONE_RANGE ioctl was subject
to an integer overflow in specifying offsets to copy from a
file, which potentially allowed a local user to read
sensitive filesystem data.

CVE-2010-2521: Multiple buffer overflows in
fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS
server in the Linux kernel allowed remote attackers to
cause a denial of service (panic) or possibly execute
arbitrary code via a crafted NFSv4 compound WRITE request,
related to the read_buf and nfsd4_decode_compound functions.

CVE-2010-2066: The mext_check_arguments function in
fs/ext4/move_extent.c in the Linux kernel allowed local
users to overwrite an append-only file via a MOVE_EXT ioctl
call that specifies this file as a donor.

CVE-2010-2495: The pppol2tp_xmit function in
drivers/net/pppol2tp.c in the L2TP implementation in the
Linux kernel did not properly validate certain values
associated with an interface, which allowed attackers to
cause a denial of service (NULL pointer dereference and
OOPS) or possibly have unspecified other impact via vectors
related to a routing change.

CVE-2010-2071: The btrfs_xattr_set_acl function in
fs/btrfs/acl.c in btrfs in the Linux kernel did not check
file ownership before setting an ACL, which allowed local
users to bypass file permissions by setting arbitrary ACLs,
as demonstrated using setfacl.

CVE-2010-1641: The do_gfs2_set_flags function in
fs/gfs2/file.c in the Linux kernel did not verify the
ownership of a file, which allowed local users to bypass
intended access restrictions via a SETFLAGS ioctl request.

CVE-2010-1087: The nfs_wait_on_request function in
fs/nfs/pagelist.c in Linux kernel 2.6.x allowed attackers
to cause a denial of service (Oops) via unknown vectors
related to truncating a file and an operation that is not
interruptible.

CVE-2010-1636: The btrfs_ioctl_clone function in
fs/btrfs/ioctl.c in the btrfs functionality in the Linux
kernel did not ensure that a cloned file descriptor has
been opened for reading, which allowed local users to read
sensitive information from a write-only file descriptor.

CVE-2010-1437: Race condition in the find_keyring_by_name
function in security/keys/keyring.c in the Linux kernel
allowed local users to cause a denial of service (memory
corruption and system crash) or possibly have unspecified
other impact via keyctl session commands that trigger
access to a dead keyring that is undergoing deletion by the
key_cleanup function.

CVE-2010-1148: The cifs_create function in fs/cifs/dir.c in
the Linux kernel allowed local users to cause a denial of
service (NULL pointer dereference and OOPS) or possibly
have unspecified other impact via a NULL nameidata (aka nd)
field in a POSIX file-creation request to a server that
supports UNIX extensions.

CVE-2010-1162: The release_one_tty function in
drivers/char/tty_io.c in the Linux kernel omitted certain
required calls to the put_pid function, which has
unspecified impact and local attack vectors.

CVE-2010-1146: The Linux kernel, when a ReiserFS filesystem
exists, did not restrict read or write access to the
.reiserfs_priv directory, which allowed local users to gain
privileges by modifying (1) extended attributes or (2)
ACLs, as demonstrated by deleting a file under
.reiserfs_priv/xattrs/.

CVE-2009-4537: drivers/net/r8169.c in the r8169 driver in
the Linux kernel did not properly check the size of an
Ethernet frame that exceeds the MTU, which allowed remote
attackers to (1) cause a denial of service (temporary
network outage) via a packet with a crafted size, in
conjunction with certain packets containing A characters
and certain packets containing E characters; or (2) cause a
denial of service (system crash) via a packet with a
crafted size, in conjunction with certain packets
containing '\0' characters, related to the value of the
status register and erroneous behavior associated with the
RxMaxSize register. NOTE: this vulnerability exists because
of an incorrect fix for CVE-2009-1389.


Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.2:

zypper in -t patch kernel-3175

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 11.2 (i586 x86_64) [New Version: 2.6.31.14]:

kernel-debug-2.6.31.14-0.1.1
kernel-debug-base-2.6.31.14-0.1.1
kernel-debug-devel-2.6.31.14-0.1.1
kernel-default-2.6.31.14-0.1.1
kernel-default-base-2.6.31.14-0.1.1
kernel-default-devel-2.6.31.14-0.1.1
kernel-desktop-2.6.31.14-0.1.1
kernel-desktop-base-2.6.31.14-0.1.1
kernel-desktop-devel-2.6.31.14-0.1.1
kernel-syms-2.6.31.14-0.1.1
kernel-trace-2.6.31.14-0.1.1
kernel-trace-base-2.6.31.14-0.1.1
kernel-trace-devel-2.6.31.14-0.1.1
kernel-vanilla-2.6.31.14-0.1.1
kernel-vanilla-base-2.6.31.14-0.1.1
kernel-vanilla-devel-2.6.31.14-0.1.1
kernel-xen-2.6.31.14-0.1.1
kernel-xen-base-2.6.31.14-0.1.1
kernel-xen-devel-2.6.31.14-0.1.1
preload-kmp-default-1.1_2.6.31.14_0.1-6.9.26
preload-kmp-desktop-1.1_2.6.31.14_0.1-6.9.26

- openSUSE 11.2 (noarch) [New Version: 2.6.31.14]:

kernel-source-2.6.31.14-0.1.1
kernel-source-vanilla-2.6.31.14-0.1.1

- openSUSE 11.2 (i586) [New Version: 2.6.31.14]:

kernel-pae-2.6.31.14-0.1.1
kernel-pae-base-2.6.31.14-0.1.1
kernel-pae-devel-2.6.31.14-0.1.1


References:

https://bugzilla.novell.com/426536
https://bugzilla.novell.com/465707
https://bugzilla.novell.com/486997
https://bugzilla.novell.com/508259
https://bugzilla.novell.com/556837
https://bugzilla.novell.com/557201
https://bugzilla.novell.com/567376
https://bugzilla.novell.com/567860
https://bugzilla.novell.com/567867
https://bugzilla.novell.com/569071
https://bugzilla.novell.com/571494
https://bugzilla.novell.com/573244
https://bugzilla.novell.com/575697
https://bugzilla.novell.com/576026
https://bugzilla.novell.com/583867
https://bugzilla.novell.com/584554
https://bugzilla.novell.com/585385
https://bugzilla.novell.com/585927
https://bugzilla.novell.com/586711
https://bugzilla.novell.com/587265
https://bugzilla.novell.com/588579
https://bugzilla.novell.com/589280
https://bugzilla.novell.com/589329
https://bugzilla.novell.com/589788
https://bugzilla.novell.com/590738
https://bugzilla.novell.com/591371
https://bugzilla.novell.com/593906
https://bugzilla.novell.com/593940
https://bugzilla.novell.com/596031
https://bugzilla.novell.com/596462
https://bugzilla.novell.com/599508
https://bugzilla.novell.com/599955
https://bugzilla.novell.com/601328
https://bugzilla.novell.com/602209
https://bugzilla.novell.com/606743
https://bugzilla.novell.com/608576
https://bugzilla.novell.com/610362
https://bugzilla.novell.com/611760
https://bugzilla.novell.com/612213
https://bugzilla.novell.com/612457
https://bugzilla.novell.com/614054
https://bugzilla.novell.com/615141
https://bugzilla.novell.com/616612
https://bugzilla.novell.com/616614
https://bugzilla.novell.com/618156
https://bugzilla.novell.com/618157
https://bugzilla.novell.com/619850
https://bugzilla.novell.com/620372
https://bugzilla.novell.com/624587
https://bugzilla.novell.com/627386
https://bugzilla.novell.com/627447
https://bugzilla.novell.com/628604
https://bugzilla.novell.com/631801
https://bugzilla.novell.com/632309
https://bugzilla.novell.com/633581
https://bugzilla.novell.com/633585
https://bugzilla.novell.com/635413
https://bugzilla.novell.com/635425
https://bugzilla.novell.com/636112
https://bugzilla.novell.com/637436
https://bugzilla.novell.com/637502
https://bugzilla.novell.com/638274
https://bugzilla.novell.com/638277
https://bugzilla.novell.com/639481
https://bugzilla.novell.com/639482
https://bugzilla.novell.com/639483
https://bugzilla.novell.com/639708
https://bugzilla.novell.com/639709


< Previous Next >
This Thread
  • No further messages