http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39.3

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13fcb7bd322164c67926ffe272846d4860196dc6

[oss-security] 20110803 Re: CVE request: Linux kernel af_packet information leak

https://bugzilla.redhat.com/show_bug.cgi?id=728023

https://github.com/torvalds/linux/commit/13fcb7bd322164c67926ffe272846d4860196dc6

Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate)

* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate)

* A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility.
(CVE-2011-4110, Moderate)

* A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes the following bugs :

* Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413)

* IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992)

Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect.

The openSUSE 11.4 kernel was updated to fix bugs and security issues.

Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

CVE-2011-1173: A kernel information leak via ip6_tables was fixed.

CVE-2011-1172: A kernel information leak via ip6_tables netfilter was fixed.

CVE-2011-1171: A kernel information leak via ip_tables was fixed.

CVE-2011-1170: A kernel information leak via arp_tables was fixed.

CVE-2011-1080: A kernel information leak via netfilter was fixed.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '0' character.

CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read.

CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory.

CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.

CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket.

The openSUSE 11.3 kernel was updated to fix various bugs and security issues.

Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

CVE-2011-2525: A flaw allowed the tc_fill_qdisc() function in the Linux kernels packet scheduler API implementation to be called on built-in qdisc structures. A local, unprivileged user could have used this flaw to trigger a NULL pointer dereference, resulting in a denial of service.

CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-1576: The Generic Receive Offload (GRO) implementation in the Linux kernel allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character.

CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read.

CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory.

CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-2029 advisory.

  - Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux     kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private     mount with a mismatched uid. (CVE-2011-1833)

  - The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not     prevent multiple registrations of exit handlers, which allows local users to cause a denial of service     (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. (CVE-2011-2484)

  - Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows     local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that     expands a memory mapping. (CVE-2011-2496)

  - The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when     Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows     remote attackers to cause a denial of service (system crash) via crafted network traffic. (CVE-2011-2723)

  - net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not properly restrict user-space access to     certain packet data structures associated with VLAN Tag Control Information, which allows local users to     obtain potentially sensitive information via a crafted application. (CVE-2011-2898)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-1350 advisory.

  - The tpm_open function in drivers/char/tpm/tpm.c in the Linux kernel before 2.6.39 does not initialize a     certain buffer, which allows local users to obtain potentially sensitive information from kernel memory     via unspecified vectors. (CVE-2011-1160)

  - Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux     kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash)     via a crafted AGPIOC_BIND agp_ioctl ioctl call. (CVE-2011-1745)

  - Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in     drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer     overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other     impact, via vectors related to calls that specify a large number of memory pages. (CVE-2011-1746)

  - Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux     kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private     mount with a mismatched uid. (CVE-2011-1833)

  - The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5     does not validate a certain start parameter, which allows local users to gain privileges or cause a denial     of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than     CVE-2011-1745. (CVE-2011-2022)

  - The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not     prevent multiple registrations of exit handlers, which allows local users to cause a denial of service     (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. (CVE-2011-2484)

  - Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows     local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that     expands a memory mapping. (CVE-2011-2496)

  - The x86_assign_hw_event function in arch/x86/kernel/cpu/perf_event.c in the Performance Events subsystem     in the Linux kernel before 2.6.39 does not properly calculate counter values, which allows local users to     cause a denial of service (panic) via the perf program. (CVE-2011-2521)

  - The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when     Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows     remote attackers to cause a denial of service (system crash) via crafted network traffic. (CVE-2011-2723)

  - net/packet/af_packet.c in the Linux kernel before 2.6.39.3 does not properly restrict user-space access to     certain packet data structures associated with VLAN Tag Control Information, which allows local users to     obtain potentially sensitive information via a crafted application. (CVE-2011-2898)

  - The Performance Events subsystem in the Linux kernel before 3.1 does not properly handle event overflows     associated with PERF_COUNT_SW_CPU_CLOCK events, which allows local users to cause a denial of service     (system hang) via a crafted application. (CVE-2011-2918)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - Flaws in the AGPGART driver implementation when handling     certain IOCTL commands could allow a local user to cause     a denial of service or escalate their privileges.
    (CVE-2011-1745, CVE-2011-2022, Important)

  - An integer overflow flaw in agp_allocate_memory() could     allow a local user to cause a denial of service or     escalate their privileges. (CVE-2011-1746, Important)

  - A race condition flaw was found in the Linux kernel's     eCryptfs implementation. A local attacker could use the     mount.ecryptfs_private utility to mount (and then     access) a directory they would otherwise not have access     to. Note: To correct this issue, a previous     ecryptfs-utils update, which provides the user-space     part of the fix, must also be installed. (CVE-2011-1833,     Moderate)

  - A denial of service flaw was found in the way the     taskstats subsystem handled the registration of process     exit handlers. A local, unprivileged user could register     an unlimited amount of these handlers, leading to     excessive CPU time and memory use. (CVE-2011-2484,     Moderate)

  - A flaw was found in the way mapping expansions were     handled. A local, unprivileged user could use this flaw     to cause a wrapping condition, triggering a denial of     service. (CVE-2011-2496, Moderate)

  - A flaw was found in the Linux kernel's Performance     Events implementation. It could falsely lead the NMI     (Non-Maskable Interrupt) Watchdog to detect a lockup and     panic the system. A local, unprivileged user could use     this flaw to cause a denial of service (kernel panic)     using the perf tool. (CVE-2011-2521, Moderate)

  - A flaw in skb_gro_header_slow() in the Linux kernel     could lead to GRO (Generic Receive Offload) fields being     left in an inconsistent state. An attacker on the local     network could use this flaw to trigger a denial of     service. GRO is enabled by default in all network     drivers that support it. (CVE-2011-2723, Moderate)

  - A flaw was found in the way the Linux kernel's     Performance Events implementation handled     PERF_COUNT_SW_CPU_CLOCK counter overflow. A local,     unprivileged user could use this flaw to cause a denial     of service. (CVE-2011-2918, Moderate)

  - A flaw was found in the Linux kernel's Trusted Platform     Module (TPM) implementation. A local, unprivileged user     could use this flaw to leak information to user-space.
    (CVE-2011-1160, Low)

  - Flaws were found in the tpacket_rcv() and     packet_recvmsg() functions in the Linux kernel. A local,     unprivileged user could use these flaws to leak     information to user-space. (CVE-2011-2898, Low)

This update also fixes various bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2011-2183     Andrea Righi reported an issue in KSM, a memory-saving     de-duplication feature. By exploiting a race with     exiting tasks, local users can cause a kernel oops,     resulting in a denial of service.

  - CVE-2011-2213     Dan Rosenberg discovered an issue in the INET socket     monitoring interface. Local users could cause a denial     of service by injecting code and causing the kernel to     execute an infinite loop.

  - CVE-2011-2898     Eric Dumazet reported an information leak in the raw     packet socket implementation.

  - CVE-2011-3353     Han-Wen Nienhuys reported a local denial of service     issue in the FUSE (Filesystem in Userspace) support in     the Linux kernel. Local users could cause a buffer     overflow, leading to a kernel oops and resulting in a     denial of service.

  - CVE-2011-4077     Carlos Maiolino reported an issue in the XFS filesystem.
    A local user with the ability to mount a filesystem     could corrupt memory resulting in a denial of service or     possibly gain elevated privileges.

  - CVE-2011-4110     David Howells reported an issue in the kernel's access     key retention system which allow local users to cause a     kernel oops leading to a denial of service.

  - CVE-2011-4127     Paolo Bonzini of Red Hat reported an issue in the ioctl     passthrough support for SCSI devices. Users with     permission to access restricted portions of a device     (e.g. a partition or a logical volume) can obtain access     to the entire device by way of the SG_IO ioctl. This     could be exploited by a local user or privileged VM     guest to achieve a privilege escalation.

  - CVE-2011-4611     Maynard Johnson reported an issue with the perf support     on POWER7 systems that allows local users to cause a     denial of service.

  - CVE-2011-4622     Jan Kiszka reported an issue in the KVM PIT timer     support. Local users with the permission to use KVM can     cause a denial of service by starting a PIT timer     without first setting up the irqchip.

  - CVE-2011-4914     Ben Hutchings reported various bounds checking issues     within the ROSE protocol support in the kernel. Remote     users could possibly use this to gain access to     sensitive memory or cause a denial of service.

Updated kernel packages that fix several security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges.
(CVE-2011-1746, Important)

* A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed. (CVE-2011-1833, Moderate)

* A denial of service flaw was found in the way the taskstats subsystem handled the registration of process exit handlers. A local, unprivileged user could register an unlimited amount of these handlers, leading to excessive CPU time and memory use.
(CVE-2011-2484, Moderate)

* A flaw was found in the way mapping expansions were handled. A local, unprivileged user could use this flaw to cause a wrapping condition, triggering a denial of service. (CVE-2011-2496, Moderate)

* A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool. (CVE-2011-2521, Moderate)

* A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2918, Moderate)

* A flaw was found in the Linux kernel's Trusted Platform Module (TPM) implementation. A local, unprivileged user could use this flaw to leak information to user-space. (CVE-2011-1160, Low)

* Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, and CVE-2011-2484; the Ubuntu Security Team for reporting CVE-2011-1833; Robert Swiecki for reporting CVE-2011-2496; Li Yu for reporting CVE-2011-2521; Brent Meshier for reporting CVE-2011-2723; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

This update also fixes various bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

ID	Name	Product	Family	Severity
76635	RHEL 6 : MRG (RHSA-2012:0010)	Nessus	Red Hat Local Security Checks	critical
75882	openSUSE Security Update : kernel (openSUSE-SU-2012:0236-1)	Nessus	SuSE Local Security Checks	high
75557	openSUSE Security Update : kernel (openSUSE-SU-2012:0206-1)	Nessus	SuSE Local Security Checks	high
68422	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2029)	Nessus	Oracle Linux Local Security Checks	medium
68364	Oracle Linux 6 : kernel (ELSA-2011-1350)	Nessus	Oracle Linux Local Security Checks	medium
61148	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
57583	Debian DSA-2389-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
56404	RHEL 6 : kernel (RHSA-2011:1350)	Nessus	Red Hat Local Security Checks	medium

CVE-2011-2898

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

medium

medium

medium

medium

medium