http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39.3

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13fcb7bd322164c67926ffe272846d4860196dc6

[oss-security] 20110803 Re: CVE request: Linux kernel af_packet information leak

https://bugzilla.redhat.com/show_bug.cgi?id=728023

https://github.com/torvalds/linux/commit/13fcb7bd322164c67926ffe272846d4860196dc6

Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate)

* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate)

* A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility.
(CVE-2011-4110, Moderate)

* A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes the following bugs :

* Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413)

* IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992)

Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect.

The openSUSE 11.4 kernel was updated to fix bugs and security issues.

Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

CVE-2011-1173: A kernel information leak via ip6_tables was fixed.

CVE-2011-1172: A kernel information leak via ip6_tables netfilter was fixed.

CVE-2011-1171: A kernel information leak via ip_tables was fixed.

CVE-2011-1170: A kernel information leak via arp_tables was fixed.

CVE-2011-1080: A kernel information leak via netfilter was fixed.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '0' character.

CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read.

CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory.

CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.

CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket.

The openSUSE 11.3 kernel was updated to fix various bugs and security issues.

Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

CVE-2011-2525: A flaw allowed the tc_fill_qdisc() function in the Linux kernels packet scheduler API implementation to be called on built-in qdisc structures. A local, unprivileged user could have used this flaw to trigger a NULL pointer dereference, resulting in a denial of service.

CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-1576: The Generic Receive Offload (GRO) implementation in the Linux kernel allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '\0' character.

CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read.

CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory.

CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket.

Description of changes:


* CVE-2011-2898: Information leak in packet subsystem

Uninitialized struct padding in the packet subsystem led to an information leak of two bytes of kernel memory to userspace.


* CVE-2011-2723: Remote denial of service vulnerability in gro.

The skb_gro_header_slow function in the Linux kernel had a bug which allowed a remote attacker to put certain gro fields in an inconsistent state, resulting in a denial of service.


* CVE-2011-2496: Local denial of service in mremap().

Robert Swiecki discovered that mremap() could be abused for local denial of service by triggering a BUG_ON assert.


* CVE-2011-2484: Denial of service in taskstats subsystem.

The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.


* CVE-2011-1833: Information disclosure in eCryptfs.

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs incorrectly validated permissions on the requested source directory. A local attacker could use this flaw to mount an arbitrary directory, possibly leading to information disclosure.


[2.6.32-200.20.1.el6uek]
- af_packet: prevent information leak {CVE-2011-2898}
- gro: Only reset frag0 when skb can be pulled {CVE-2011-2723}
- vm: fix vm_pgoff wrap in upward expansion {CVE-2011-2496}
- taskstats: don't allow duplicate entries in listener mode {CVE-2011-2484}
- Ecryptfs: Add mount option to check uid of device being mounted {CVE-2011-1833}

From Red Hat Security Advisory 2011:1350 :

Updated kernel packages that fix several security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges.
(CVE-2011-1746, Important)

* A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed. (CVE-2011-1833, Moderate)

* A denial of service flaw was found in the way the taskstats subsystem handled the registration of process exit handlers. A local, unprivileged user could register an unlimited amount of these handlers, leading to excessive CPU time and memory use.
(CVE-2011-2484, Moderate)

* A flaw was found in the way mapping expansions were handled. A local, unprivileged user could use this flaw to cause a wrapping condition, triggering a denial of service. (CVE-2011-2496, Moderate)

* A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool. (CVE-2011-2521, Moderate)

* A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2918, Moderate)

* A flaw was found in the Linux kernel's Trusted Platform Module (TPM) implementation. A local, unprivileged user could use this flaw to leak information to user-space. (CVE-2011-1160, Low)

* Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, and CVE-2011-2484; the Ubuntu Security Team for reporting CVE-2011-1833; Robert Swiecki for reporting CVE-2011-2496; Li Yu for reporting CVE-2011-2521; Brent Meshier for reporting CVE-2011-2723; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

This update also fixes various bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - Flaws in the AGPGART driver implementation when handling     certain IOCTL commands could allow a local user to cause     a denial of service or escalate their privileges.
    (CVE-2011-1745, CVE-2011-2022, Important)

  - An integer overflow flaw in agp_allocate_memory() could     allow a local user to cause a denial of service or     escalate their privileges. (CVE-2011-1746, Important)

  - A race condition flaw was found in the Linux kernel's     eCryptfs implementation. A local attacker could use the     mount.ecryptfs_private utility to mount (and then     access) a directory they would otherwise not have access     to. Note: To correct this issue, a previous     ecryptfs-utils update, which provides the user-space     part of the fix, must also be installed. (CVE-2011-1833,     Moderate)

  - A denial of service flaw was found in the way the     taskstats subsystem handled the registration of process     exit handlers. A local, unprivileged user could register     an unlimited amount of these handlers, leading to     excessive CPU time and memory use. (CVE-2011-2484,     Moderate)

  - A flaw was found in the way mapping expansions were     handled. A local, unprivileged user could use this flaw     to cause a wrapping condition, triggering a denial of     service. (CVE-2011-2496, Moderate)

  - A flaw was found in the Linux kernel's Performance     Events implementation. It could falsely lead the NMI     (Non-Maskable Interrupt) Watchdog to detect a lockup and     panic the system. A local, unprivileged user could use     this flaw to cause a denial of service (kernel panic)     using the perf tool. (CVE-2011-2521, Moderate)

  - A flaw in skb_gro_header_slow() in the Linux kernel     could lead to GRO (Generic Receive Offload) fields being     left in an inconsistent state. An attacker on the local     network could use this flaw to trigger a denial of     service. GRO is enabled by default in all network     drivers that support it. (CVE-2011-2723, Moderate)

  - A flaw was found in the way the Linux kernel's     Performance Events implementation handled     PERF_COUNT_SW_CPU_CLOCK counter overflow. A local,     unprivileged user could use this flaw to cause a denial     of service. (CVE-2011-2918, Moderate)

  - A flaw was found in the Linux kernel's Trusted Platform     Module (TPM) implementation. A local, unprivileged user     could use this flaw to leak information to user-space.
    (CVE-2011-1160, Low)

  - Flaws were found in the tpacket_rcv() and     packet_recvmsg() functions in the Linux kernel. A local,     unprivileged user could use these flaws to leak     information to user-space. (CVE-2011-2898, Low)

This update also fixes various bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2011-2183     Andrea Righi reported an issue in KSM, a memory-saving     de-duplication feature. By exploiting a race with     exiting tasks, local users can cause a kernel oops,     resulting in a denial of service.

  - CVE-2011-2213     Dan Rosenberg discovered an issue in the INET socket     monitoring interface. Local users could cause a denial     of service by injecting code and causing the kernel to     execute an infinite loop.

  - CVE-2011-2898     Eric Dumazet reported an information leak in the raw     packet socket implementation.

  - CVE-2011-3353     Han-Wen Nienhuys reported a local denial of service     issue in the FUSE (Filesystem in Userspace) support in     the Linux kernel. Local users could cause a buffer     overflow, leading to a kernel oops and resulting in a     denial of service.

  - CVE-2011-4077     Carlos Maiolino reported an issue in the XFS filesystem.
    A local user with the ability to mount a filesystem     could corrupt memory resulting in a denial of service or     possibly gain elevated privileges.

  - CVE-2011-4110     David Howells reported an issue in the kernel's access     key retention system which allow local users to cause a     kernel oops leading to a denial of service.

  - CVE-2011-4127     Paolo Bonzini of Red Hat reported an issue in the ioctl     passthrough support for SCSI devices. Users with     permission to access restricted portions of a device     (e.g. a partition or a logical volume) can obtain access     to the entire device by way of the SG_IO ioctl. This     could be exploited by a local user or privileged VM     guest to achieve a privilege escalation.

  - CVE-2011-4611     Maynard Johnson reported an issue with the perf support     on POWER7 systems that allows local users to cause a     denial of service.

  - CVE-2011-4622     Jan Kiszka reported an issue in the KVM PIT timer     support. Local users with the permission to use KVM can     cause a denial of service by starting a PIT timer     without first setting up the irqchip.

  - CVE-2011-4914     Ben Hutchings reported various bounds checking issues     within the ROSE protocol support in the kernel. Remote     users could possibly use this to gain access to     sensitive memory or cause a denial of service.

Updated kernel packages that fix several security issues, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* Flaws in the AGPGART driver implementation when handling certain IOCTL commands could allow a local user to cause a denial of service or escalate their privileges. (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local user to cause a denial of service or escalate their privileges.
(CVE-2011-1746, Important)

* A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed. (CVE-2011-1833, Moderate)

* A denial of service flaw was found in the way the taskstats subsystem handled the registration of process exit handlers. A local, unprivileged user could register an unlimited amount of these handlers, leading to excessive CPU time and memory use.
(CVE-2011-2484, Moderate)

* A flaw was found in the way mapping expansions were handled. A local, unprivileged user could use this flaw to cause a wrapping condition, triggering a denial of service. (CVE-2011-2496, Moderate)

* A flaw was found in the Linux kernel's Performance Events implementation. It could falsely lead the NMI (Non-Maskable Interrupt) Watchdog to detect a lockup and panic the system. A local, unprivileged user could use this flaw to cause a denial of service (kernel panic) using the perf tool. (CVE-2011-2521, Moderate)

* A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2918, Moderate)

* A flaw was found in the Linux kernel's Trusted Platform Module (TPM) implementation. A local, unprivileged user could use this flaw to leak information to user-space. (CVE-2011-1160, Low)

* Flaws were found in the tpacket_rcv() and packet_recvmsg() functions in the Linux kernel. A local, unprivileged user could use these flaws to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting CVE-2011-1745, CVE-2011-2022, CVE-2011-1746, and CVE-2011-2484; the Ubuntu Security Team for reporting CVE-2011-1833; Robert Swiecki for reporting CVE-2011-2496; Li Yu for reporting CVE-2011-2521; Brent Meshier for reporting CVE-2011-2723; and Peter Huewe for reporting CVE-2011-1160. The Ubuntu Security Team acknowledges Vasiliy Kulikov of Openwall and Dan Rosenberg as the original reporters of CVE-2011-1833.

This update also fixes various bugs and adds one enhancement.
Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.

ID	Name	Product	Family	Severity
76635	RHEL 6 : MRG (RHSA-2012:0010)	Nessus	Red Hat Local Security Checks	critical
75882	openSUSE Security Update : kernel (openSUSE-SU-2012:0236-1)	Nessus	SuSE Local Security Checks	high
75557	openSUSE Security Update : kernel (openSUSE-SU-2012:0206-1)	Nessus	SuSE Local Security Checks	high
68422	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2029)	Nessus	Oracle Linux Local Security Checks	medium
68364	Oracle Linux 6 : kernel (ELSA-2011-1350)	Nessus	Oracle Linux Local Security Checks	medium
61148	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
57583	Debian DSA-2389-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
56404	RHEL 6 : kernel (RHSA-2011:1350)	Nessus	Red Hat Local Security Checks	medium

CVE-2011-2898

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins