Scientific Linux Security Update : kernel on SL5.x i386/x86_64

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

This update fixes the following security issues :

- multiple flaws were found in the mmap and mremap
implementations. A local user could use these flaws to
cause a local denial of service or escalate their
privileges. (CVE-2010-0291, Important)

- a NULL pointer dereference flaw was found in the Fast
Userspace Mutexes (futexes) implementation. The unlock
code path did not check if the futex value associated
with pi_state->owner had been modified. A local user
could use this flaw to modify the futex value, possibly
leading to a denial of service or privilege escalation
when the pi_state->owner pointer is dereferenced.
(CVE-2010-0622, Important)

- a NULL pointer dereference flaw was found in the Linux
kernel Network File System (NFS) implementation. A local
user on a system that has an NFS-mounted file system
could use this flaw to cause a denial of service or
escalate their privileges on that system.
(CVE-2010-1087, Important)

- a flaw was found in the sctp_process_unk_param()
function in the Linux kernel Stream Control Transmission
Protocol (SCTP) implementation. A remote attacker could
send a specially-crafted SCTP packet to an SCTP
listening port on a target system, causing a kernel
panic (denial of service). (CVE-2010-1173, Important)

- a flaw was found in the Linux kernel Transparent
Inter-Process Communication protocol (TIPC)
implementation. If a client application, on a local
system where the tipc module is not yet in network mode,
attempted to send a message to a remote TIPC node, it
would dereference a NULL pointer on the local system,
causing a kernel panic (denial of service).
(CVE-2010-1187, Important)

- a buffer overflow flaw was found in the Linux kernel
Global File System 2 (GFS2) implementation. In certain
cases, a quota could be written past the end of a memory
page, causing memory corruption, leaving the quota
stored on disk in an invalid state. A user with write
access to a GFS2 file system could trigger this flaw to
cause a kernel crash (denial of service) or escalate
their privileges on the GFS2 server. This issue can only
be triggered if the GFS2 file system is mounted with the
'quota=on' or 'quota=account' mount option.
(CVE-2010-1436, Important)

- a race condition between finding a keyring by name and
destroying a freed keyring was found in the Linux kernel
key management facility. A local user could use this
flaw to cause a kernel panic (denial of service) or
escalate their privileges. (CVE-2010-1437, Important)

- a flaw was found in the link_path_walk() function in the
Linux kernel. Using the file descriptor returned by the
open() function with the O_NOFOLLOW flag on a
subordinate NFS-mounted file system could result in a
NULL pointer dereference, causing a denial of service or
privilege escalation. (CVE-2010-1088, Moderate)

- a missing permission check was found in the
gfs2_set_flags() function in the Linux kernel GFS2
implementation. A local user could use this flaw to
change certain file attributes of files, on a GFS2 file
system, that they do not own. (CVE-2010-1641, Low)
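
Several of the issues above are reachable only when a particular precondition holds: CVE-2010-1436 needs a GFS2 file system mounted with 'quota=on' or 'quota=account', CVE-2010-1087 and CVE-2010-1088 need an NFS mount, and CVE-2010-1187 needs the tipc module loaded. The following POSIX shell script is an added example, not part of the advisory or the Nessus plugin, that a defender can run on a host before the reboot to see which of those preconditions apply; the sample /proc/mounts and lsmod output embedded in it is constructed for offline demonstration, and the mount point, device and module names in it are assumptions.

```shell
#!/bin/sh
# Added example: check for the conditions named in the advisory that make
# some of the listed kernel flaws reachable. This is not the fix; the fix is
# installing the updated kernel and rebooting.

# Print GFS2 mount points whose mount options include quota=on or
# quota=account (precondition for CVE-2010-1436).
# Input: lines in /proc/mounts format on stdin.
gfs2_quota_mounts() {
    awk '$3 == "gfs2" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "quota=on" || opt[i] == "quota=account") {
                print $2
                break
            }
    }'
}

# Print NFS mount points (precondition for CVE-2010-1087 and CVE-2010-1088).
# Input: lines in /proc/mounts format on stdin.
nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }'
}

# Exit 0 if the tipc module appears in lsmod output on stdin, 1 otherwise
# (precondition for CVE-2010-1187).
tipc_loaded() {
    awk '$1 == "tipc" { found = 1 } END { exit !found }'
}

# Constructed sample data (hypothetical devices, mount points and addresses).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/mapper/vg-gfs /mnt/shared gfs2 rw,hostdata=jid=0,quota=on 0 0
/dev/mapper/vg-gfs2 /mnt/other gfs2 rw,noquota 0 0
nfsserver:/export /mnt/nfs nfs rw,vers=3,addr=192.0.2.10 0 0'

SAMPLE_LSMOD='Module                  Size  Used by
tipc                   91253  0
nfs                   273485  1'

# Run the checks against one mounts listing and one lsmod listing, given as
# file names, and print a short report.
report() {
    mounts_file=$1
    lsmod_file=$2
    echo "GFS2 mounts with quota accounting (CVE-2010-1436 precondition):"
    gfs2_quota_mounts < "$mounts_file"
    echo "NFS mounts (CVE-2010-1087 / CVE-2010-1088 precondition):"
    nfs_mounts < "$mounts_file"
    if tipc_loaded < "$lsmod_file"; then
        echo "tipc module is loaded (CVE-2010-1187 precondition)"
    else
        echo "tipc module is not loaded"
    fi
}

# Demonstration on the constructed data. On a live host, replace the sample
# files with /proc/mounts and the output of lsmod, for example:
#   lsmod > /tmp/lsmod.txt; report /proc/mounts /tmp/lsmod.txt
tmp_mounts=$(mktemp)
tmp_lsmod=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp_mounts"
printf '%s\n' "$SAMPLE_LSMOD" > "$tmp_lsmod"
report "$tmp_mounts" "$tmp_lsmod"
rm -f "$tmp_mounts" "$tmp_lsmod"
```

The report only narrows which flaws a given host can hit before the update is applied; the mmap/mremap, futex and keyring issues (CVE-2010-0291, CVE-2010-0622, CVE-2010-1437) need no such precondition, so every affected host should still take the update and reboot.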

Red Hat would like to thank Jukka Taimisto and Olli Jarva of
Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of
their customer, for responsibly reporting CVE-2010-1173; Mario
Mikocevic for responsibly reporting CVE-2010-1436; and Dan Rosenberg
for responsibly reporting CVE-2010-1641.

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

See also :

http://www.nessus.org/u?ed5addc0

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60810

Bugtraq ID:

CVE ID: CVE-2010-0291
CVE-2010-0622
CVE-2010-1087
CVE-2010-1088
CVE-2010-1173
CVE-2010-1187
CVE-2010-1436
CVE-2010-1437
CVE-2010-1641