Oracle Linux 5 : Unbreakable Enterprise kernel (ELSA-2010-2011)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

Description of changes:

Following Security fixes are included in this unbreakable enterprise
kernel errata:

CVE-2010-3432
The sctp_packet_config function in net/sctp/output.c in the Linux kernel
before 2.6.35.6 performs extraneous initializations of packet data
structures, which allows remote attackers to cause a denial of service
(panic) via a certain sequence of SCTP traffic.
CVE-2010-2962
drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM)
in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem
in the Linux kernel before 2.6.36 does not properly validate pointers to
blocks of memory, which allows local users to write to arbitrary kernel
memory locations, and consequently gain privileges, via crafted use of
the ioctl interface, related to (1) pwrite and (2) pread operations.
CVE-2010-2955
The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the
Linux kernel before 2.6.36-rc3-next-20100831 does not properly
initialize certain structure members, which allows local users to
leverage an off-by-one error in the ioctl_standard_iw_point function in
net/wireless/wext-core.c, and obtain potentially sensitive information
from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl
call that specifies a large buffer size.
CVE-2010-3705
The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux
kernel before 2.6.36 does not properly validate the hmac_ids array of an
SCTP peer, which allows remote attackers to cause a denial of service
(memory corruption and panic) via a crafted value in the last element of
this array.
CVE-2010-3084
Buffer overflow in the niu_get_ethtool_tcam_all function in
drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local
users to cause a denial of service or possibly have unspecified other
impact via the ETHTOOL_GRXCLSRLALL ethtool command.
CVE-2010-3437
Integer signedness error in the pkt_find_dev_from_minor function in
drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows
local users to obtain sensitive information from kernel memory or cause
a denial of service (invalid pointer dereference and system crash) via a
crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
CVE-2010-3079
kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs
is enabled, does not properly handle interaction between mutex
possession and llseek operations, which allows local users to cause a
denial of service (NULL pointer dereference and outage of all function
tracing files) via an lseek call on a file descriptor associated with
the set_ftrace_filter file.
CVE-2010-3698
The KVM implementation in the Linux kernel before 2.6.36 does not
properly reload the FS and GS segment registers, which allows host OS
users to cause a denial of service (host OS crash) via a KVM_RUN ioctl
call in conjunction with a modified Local Descriptor Table (LDT).
CVE-2010-3442
Multiple integer overflows in the snd_ctl_new function in
sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929
allow local users to cause a denial of service (heap memory corruption)
or possibly have unspecified other impact via a crafted (1)
SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.


[2.6.32-100.24.1.el5]
- [sctp] Do not reset the packet during sctp_packet_con[CVE-2010-3432]
- [drm/i915] Sanity check pread/pwrite [CVE-2010-2962]
- [wireless] fix kernel heap content leak [CVE-2010-2955]
- [sctp] Fix out-of-bounds reading in sctp_asoc_get_hmac() [CVE-2010-3705]
- [niu] Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL [CVE-2010-3084]
- Fix pktcdvd ioctl dev_minor range check [CVE-2010-3437]
- Do not allow llseek to set_ftrace_filter [CVE-2010-3079]
- [kvm] Fix fs/gs reload oops with invalid ldt [CVE-2010-3698]
- [alsa] prevent heap corruption in snd_ctl_new() [CVE-2010-3442]
- Fix LACP bonding mode (Tina Yang)
- Fix grat arps on bonded interfaces (Tina Yang)

See also :

https://oss.oracle.com/pipermail/el-errata/2010-December/001775.html

Solution :

Update the affected unbreakable enterprise kernel packages.

Risk factor :

High / CVSS Base Score : 8.3
(CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 68175 ()

Bugtraq ID:

CVE ID: CVE-2010-2955
CVE-2010-2962
CVE-2010-3079
CVE-2010-3084
CVE-2010-3432
CVE-2010-3437
CVE-2010-3442
CVE-2010-3698
CVE-2010-3705