openSUSE Security Update: Linux Kernel: Security/Bugfix update to fix local privilege escalations ______________________________________________________________________________ Announcement ID: openSUSE-SU-2010:1047-1 Rating: important References: #595215 #642302 #642311 #642312 #642313 #642314 #642484 #642486 #643477 #645659 #646045 #651218 #651356 #651626 #652563 #652940 #652945 #653260 Affected Products: openSUSE 11.1 ______________________________________________________________________________ An update that contains security fixes can now be installed. It includes one version update. Description: This security update of the openSUSE 11.1 kernel updates the kernel to 2.6.27.56 and fixes various security issues and other bugs. Following security issues were fixed by this update: CVE-2010-2963: A problem in the compat ioctl handling in video4linux allowed local attackers with a video device plugged in to gain privileges on x86_64 systems. CVE-2010-4157: A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver. CVE-2010-4164: A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities. CVE-2010-3874: A minor heap overflow in the CAN network module was fixed. Due to nature of the memory allocator it is likely not exploitable. CVE-2010-4158: A memory information leak in berkely packet filter rules allowed local attackers to read uninitialized memory of the kernel stack. CVE-2010-4162: A local denial of service in the blockdevice layer was fixed. CVE-2010-3437: A range checking overflow in pktcdvd ioctl was fixed. CVE-2010-4078: The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. CVE-2010-4082: The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. CVE-2010-4073: The ipc subsystem in the Linux kernel did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface." CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. CVE-2010-3067: Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. CVE-2010-3442: Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call. CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call. Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 11.1: zypper in -t patch kernel-3619 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 11.1 (i586 ppc x86_64) [New Version: 2.6.27.56]: kernel-default-2.6.27.56-0.1.1 kernel-default-base-2.6.27.56-0.1.1 kernel-default-extra-2.6.27.56-0.1.1 kernel-source-2.6.27.56-0.1.1 kernel-syms-2.6.27.56-0.1.1 kernel-vanilla-2.6.27.56-0.1.1 - openSUSE 11.1 (i586 x86_64) [New Version: 2.6.27.56]: kernel-debug-2.6.27.56-0.1.1 kernel-debug-base-2.6.27.56-0.1.1 kernel-debug-extra-2.6.27.56-0.1.1 kernel-trace-2.6.27.56-0.1.1 kernel-trace-base-2.6.27.56-0.1.1 kernel-trace-extra-2.6.27.56-0.1.1 kernel-xen-2.6.27.56-0.1.1 kernel-xen-base-2.6.27.56-0.1.1 kernel-xen-extra-2.6.27.56-0.1.1 - openSUSE 11.1 (noarch): kernel-docs-2.6.3-3.13.135 - openSUSE 11.1 (i586) [New Version: 2.6.27.56]: kernel-pae-2.6.27.56-0.1.1 kernel-pae-base-2.6.27.56-0.1.1 kernel-pae-extra-2.6.27.56-0.1.1 - openSUSE 11.1 (ppc) [New Version: 2.6.27.56]: kernel-kdump-2.6.27.56-0.1.1 kernel-ppc64-2.6.27.56-0.1.1 kernel-ppc64-base-2.6.27.56-0.1.1 kernel-ppc64-extra-2.6.27.56-0.1.1 kernel-ps3-2.6.27.56-0.1.1 References: https://bugzilla.novell.com/595215 https://bugzilla.novell.com/642302 https://bugzilla.novell.com/642311 https://bugzilla.novell.com/642312 https://bugzilla.novell.com/642313 https://bugzilla.novell.com/642314 https://bugzilla.novell.com/642484 https://bugzilla.novell.com/642486 https://bugzilla.novell.com/643477 https://bugzilla.novell.com/645659 https://bugzilla.novell.com/646045 https://bugzilla.novell.com/651218 https://bugzilla.novell.com/651356 https://bugzilla.novell.com/651626 https://bugzilla.novell.com/652563 https://bugzilla.novell.com/652940 https://bugzilla.novell.com/652945 https://bugzilla.novell.com/653260