http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1

[oss-security] 20110909 Re: CVE request -- kernel: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

https://bugzilla.redhat.com/show_bug.cgi?id=736761

https://github.com/torvalds/linux/commit/c2183d1e9b3f313dd8ba2b1b0197c8d9fb86a7ae

Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important)

* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate)

* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate)

* A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility.
(CVE-2011-4110, Moderate)

* A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low)

Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes the following bugs :

* Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413)

* IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992)

Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect.

The openSUSE 11.4 kernel was updated to 2.6.37.6 fixing lots of bugs and security issues.

Following security issues have been fixed: CVE-2011-1833: Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current ui, which would have allowed local attackers to potentially gain privileges via symlink attacks.

CVE-2011-2695: Multiple off-by-one errors in the ext4 subsystem in the Linux kernel allowed local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.

CVE-2011-3363: Always check the path in CIFS mounts to avoid interesting filesystem path interaction issues and potential crashes.

CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer.

CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system.

CVE-2011-2183: Fixed a race between ksmd and other memory management code, which could result in a NULL ptr dereference and kernel crash.

CVE-2011-3191: A signedness issue in CIFS could possibly have lead to to memory corruption, if a malicious server could send crafted replies to the host.

CVE-2011-1776: The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel did not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allowed physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.

Following non-security bugs were fixed :

  - novfs: Unable to change password in the Novell Client     for Linux (bnc#713229).

  - novfs: last modification time not reliable (bnc#642896).

  - novfs: unlink directory after unmap (bnc#649625).

  - fs: novfs: Fix exit handlers on local_unlink     (bnc#649625).

  - novfs: 'Unable to save Login Script' appears when trying     to save a user login script (bnc#638985).

  - fs: novfs: Limit check for datacopy between user and     kernel space.

  - novfs: Fix checking of login id (bnc#626119).

  - novfs: Set the sticky bit for the novfs mountpoint     (bnc#686412).

  - ACPICA: Fix issues/fault with automatic 'serialized'     method support (bnc#678097).

  - drm/radeon/kms: Fix I2C mask definitions (bnc#712023).

  - ext4: Fix max file size and logical block counting of     extent format file (bnc#706374).

  - novfs: fix off-by-one allocation error (bnc#669378     bnc#719710).

  - novfs: fix some kmalloc/kfree issues (bnc#669378     bnc#719710).

  - novfs: fix some DirCache locking issues (bnc#669378     bnc#719710).

  - memsw: remove noswapaccount kernel parameter     (bnc#719450).

  - Provide memory controller swap extension. Keep the     feature disabled by default. Use swapaccount=1 kernel     boot parameter for enabling it.

  - Config cleanups: CONFIG_OLPC should be enabled only for     i386 non PAE

  - TTY: pty, fix pty counting (bnc#711203).

  - USB: OHCI: fix another regression for NVIDIA controllers     (bnc#682204).

  - xen/blkfront: avoid NULL de-reference in CDROM ioctl     handling.

  - x86, mtrr: lock stop machine during MTRR rendezvous     sequence (bnc#672008).

The openSUSE 11.3 kernel was updated to fix various bugs and security issues.

Following security issues have been fixed: CVE-2011-1833: Added a kernel option to ensure ecryptfs is mounting only on paths belonging to the current ui, which would have allowed local attackers to potentially gain privileges via symlink attacks.

CVE-2011-3363: Always check the path in CIFS mounts to avoid interesting filesystem path interaction issues and potential crashes.

CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer.

CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not check the length of the write so the message processing could overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could be used by local users able to mount FUSE filesystems to crash the system.

CVE-2011-3191: A signedness issue in CIFS could possibly have lead to to memory corruption, if a malicious server could send crafted replies to the host.

CVE-2011-1776: The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel did not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allowed physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.

Following non security bugs were fixed :

  - drm/radeon/kms: Fix I2C mask definitions (bnc#712023).

  - ext4: Fix max file size and logical block counting of     extent format file (bnc#706374).

  - TTY: pty, fix pty counting (bnc#711203).

  - Update Xen patches to 2.6.34.10.

  - xen/blkfront: fix data size for xenbus_gather in     connect().

  - xen/xenbus: fix xenbus_transaction_start() hang caused     by double xenbus_transaction_end().

  - xen/blkback: don't fail empty barrier requests.

  - xen/blktap: fix locking (bnc#685276).

  - xen/xenbus: don't BUG() on user mode induced conditions     (bnc#696107).

  - xen/blkfront: avoid NULL de-reference in CDROM ioctl     handling (bnc#701355).

  - intr-remap: allow disabling source id checking     (bnc#710352).

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699 , Important)

A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191 , Important)

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326 , Important)

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188 , Moderate)

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353 , Moderate)

A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359 , Moderate)

A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363 , Moderate)

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593 , Moderate)

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162 , Low)

A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577 , Low)

The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494 , Low)

It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905 , Low)

Description of changes:

* CVE-2011-1161: Information leak in transmission logic of TPM driver.

A missing buffer size check in tpm_transmit could allow leaking of potentially sensitive kernel memory.

* CVE-2011-1162: Information leak in TPM driver.

A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command.  (CVE-2011-1162, Low)

* CVE-2011-2494: Information leak in task/process statistics.

The I/O statistics from the taskstats subsystem could be read without any restrictions.  A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process.  (CVE-2011-2494, Low)

* CVE-2011-3188: Weak TCP sequence number generation.

The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections.  Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* CVE-2011-1577: Missing boundary checks in GPT partition handling.


A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially crafted partition tables.  (CVE-2011-1577, Low)

* CVE-2011-3191: Memory corruption in CIFS.

A malicious CIFS server could overflow a signed integer value, causing a memcpy() to scribble over a large amount of memory.

* CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.

A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation.  A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service.  (CVE-2011-3353, Moderate)

* CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.

A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on.  A remote attacker could use this flaw to cause a denial of service.  (CVE-2011-4326, Important)

* CVE-2011-3593: Denial of service in VLAN with priority tagged frames.

A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set.  When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service.  (CVE-2011-3593, Moderate)

* CVE-2011-2699: Predictable IPv6 fragment identification numbers.

IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services.  (CVE-2011-2699, Important)

kernel-uek:

[2.6.32-200.23.1.el5uek]
- net: Remove atmclip.h to prevent break kabi check.
- KConfig: add CONFIG_UEK5=n to ol6/config-generic

  [2.6.32-200.22.1.el5uek]
- ipv6: make fragment identifications less predictable (Joe Jin) {CVE-2011-2699}
- vlan: fix panic when handling priority tagged frames (Joe Jin) {CVE-2011-3593}
- ipv6: udp: fix the wrong headroom check (Maxim Uvarov) {CVE-2011-4326}
- b43: allocate receive buffers big enough for max frame len + offset (Maxim Uvarov) {CVE-2011-3359}
- fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message (Maxim Uvarov) {CVE-2011-3353}
- cifs: fix possible memory corruption in CIFSFindNext (Maxim Uvarov) {CVE-2011-3191}
- crypto: md5 - Add export support (Maxim Uvarov) {CVE-2011-2699}
- fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops (Maxim Uvarov) {CVE-2011-1577}
- block: use struct parsed_partitions *state universally in partition check code (Maxim Uvarov)
- net: Compute protocol sequence numbers and fragment IDs using MD5. (Maxim Uvarov) {CVE-2011-3188}
- crypto: Move md5_transform to lib/md5.c (Maxim Uvarov) {CVE-2011-3188}
- perf tools: do not look at ./config for configuration (Maxim Uvarov) {CVE-2011-2905}
- Make TASKSTATS require root access (Maxim Uvarov) {CVE-2011-2494}
- TPM: Zero buffer after copying to userspace (Maxim Uvarov) {CVE-2011-1162}
- TPM: Call tpm_transmit with correct size (Maxim Uvarov){CVE-2011-1161}
- fnic: fix panic while booting in fnic(Xiaowei Hu)
- Revert 'PCI hotplug: acpiphp: set current_state to D0 in register_slot' (Guru Anbalagane)
- xen: drop xen_sched_clock in favour of using plain wallclock time (Jeremy Fitzhardinge)

[2.6.32-200.21.1.el5uek]
- PCI: Set device power state to PCI_D0 for device without native PM support    (Ajaykumar Hotchandani) [orabug 13033435]

From Red Hat Security Advisory 2011:1465 :

Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important)

* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)

* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363;
Gideon Naim for reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

  - IPv6 fragment identification value generation could     allow a remote attacker to disrupt a target system's     networking, preventing legitimate users from accessing     its services. (CVE-2011-2699, Important)

  - A signedness issue was found in the Linux kernel's CIFS     (Common Internet File System) implementation. A     malicious CIFS server could send a specially crafted     response to a directory read request that would result     in a denial of service or privilege escalation on a     system that has a CIFS share mounted. (CVE-2011-3191,     Important)

  - A flaw was found in the way the Linux kernel handled     fragmented IPv6 UDP datagrams over the bridge with UDP     Fragmentation Offload (UFO) functionality on. A remote     attacker could use this flaw to cause a denial of     service. (CVE-2011-4326, Important)

  - The way IPv4 and IPv6 protocol sequence numbers and     fragment IDs were generated could allow a     man-in-the-middle attacker to inject packets and     possibly hijack connections. Protocol sequence numbers     and fragment IDs are now more random. (CVE-2011-3188,     Moderate)

  - A buffer overflow flaw was found in the Linux kernel's     FUSE (Filesystem in Userspace) implementation. A local     user in the fuse group who has access to mount a FUSE     file system could use this flaw to cause a denial of     service. (CVE-2011-3353, Moderate)

  - A flaw was found in the b43 driver in the Linux kernel.
    If a system had an active wireless interface that uses     the b43 driver, an attacker able to send a specially     crafted frame to that interface could cause a denial of     service. (CVE-2011-3359, Moderate)

  - A flaw was found in the way CIFS shares with DFS     referrals at their root were handled. An attacker on the     local network who is able to deploy a malicious CIFS     server could create a CIFS network share that, when     mounted, would cause the client system to crash.
    (CVE-2011-3363, Moderate)

  - A flaw was found in the way the Linux kernel handled     VLAN 0 frames with the priority tag set. When using     certain network drivers, an attacker on the local     network could use this flaw to cause a denial of     service. (CVE-2011-3593, Moderate)

  - A flaw in the way memory containing security-related     data was handled in tpm_read() could allow a local,     unprivileged user to read the results of a previously     run TPM command. (CVE-2011-1162, Low)

  - A heap overflow flaw was found in the Linux kernel's EFI     GUID Partition Table (GPT) implementation. A local     attacker could use this flaw to cause a denial of     service by mounting a disk that contains specially     crafted partition tables. (CVE-2011-1577, Low)

  - The I/O statistics from the taskstats subsystem could be     read without any restrictions. A local, unprivileged     user could use this flaw to gather confidential     information, such as the length of a password used in a     process. (CVE-2011-2494, Low)

  - It was found that the perf tool, a part of the Linux     kernel's Performance Events implementation, could load     its configuration file from the current working     directory. If a local user with access to the perf tool     were tricked into running perf in a directory that     contains a specially crafted configuration file, it     could cause perf to overwrite arbitrary files and     directories accessible to that user. (CVE-2011-2905,     Low)

This update also fixes various bugs.

Aristide Fattori and Roberto Paleari reported a flaw in the Linux kernel's handling of IPv4 icmp packets. A remote user could exploit this to cause a denial of service. (CVE-2011-1927)

A flaw was found in the Linux Ethernet bridge's handling of IGMP (Internet Group Management Protocol) packets. An unprivileged local user could exploit this flaw to crash the system. (CVE-2011-0716)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

A flaw was discovered in the Linux kernel's AppArmor security interface when invalid information was written to it. An unprivileged local user could use this to cause a denial of service on the system.
(CVE-2011-3619)

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual interrupt control is not available a local user could use this to cause a denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a specially crafted XFS image it could potential execute arbitrary code on the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The linux kernel did not properly account for PTE pages when deciding which task to kill in out of memory conditions. A local, unprivileged could exploit this flaw to cause a denial of service. (CVE-2011-2498)

A flaw was discovered in the TOMOYO LSM's handling of mount system calls. An unprivileged user could oops the system causing a denial of service. (CVE-2011-2518)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

A bug was discovered in the Linux kernel's calculation of OOM (Out of memory) scores, that would result in the wrong process being killed. A user could use this to kill the process with the highest OOM score, even if that process belongs to another user or the system.
(CVE-2011-4097)

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual interrupt control is not available a local user could use this to cause a denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a specially crafted XFS image it could potential execute arbitrary code on the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044)

A flaw was found in the linux kernels IPv4 IGMP query processing. A remote attacker could exploit this to cause a denial of service.
(CVE-2012-0207).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual interrupt control is not available a local user could use this to cause a denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a specially crafted XFS image it could potential execute arbitrary code on the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2011-2183     Andrea Righi reported an issue in KSM, a memory-saving     de-duplication feature. By exploiting a race with     exiting tasks, local users can cause a kernel oops,     resulting in a denial of service.

  - CVE-2011-2213     Dan Rosenberg discovered an issue in the INET socket     monitoring interface. Local users could cause a denial     of service by injecting code and causing the kernel to     execute an infinite loop.

  - CVE-2011-2898     Eric Dumazet reported an information leak in the raw     packet socket implementation.

  - CVE-2011-3353     Han-Wen Nienhuys reported a local denial of service     issue in the FUSE (Filesystem in Userspace) support in     the Linux kernel. Local users could cause a buffer     overflow, leading to a kernel oops and resulting in a     denial of service.

  - CVE-2011-4077     Carlos Maiolino reported an issue in the XFS filesystem.
    A local user with the ability to mount a filesystem     could corrupt memory resulting in a denial of service or     possibly gain elevated privileges.

  - CVE-2011-4110     David Howells reported an issue in the kernel's access     key retention system which allow local users to cause a     kernel oops leading to a denial of service.

  - CVE-2011-4127     Paolo Bonzini of Red Hat reported an issue in the ioctl     passthrough support for SCSI devices. Users with     permission to access restricted portions of a device     (e.g. a partition or a logical volume) can obtain access     to the entire device by way of the SG_IO ioctl. This     could be exploited by a local user or privileged VM     guest to achieve a privilege escalation.

  - CVE-2011-4611     Maynard Johnson reported an issue with the perf support     on POWER7 systems that allows local users to cause a     denial of service.

  - CVE-2011-4622     Jan Kiszka reported an issue in the KVM PIT timer     support. Local users with the permission to use KVM can     cause a denial of service by starting a PIT timer     without first setting up the irqchip.

  - CVE-2011-4914     Ben Hutchings reported various bounds checking issues     within the ROSE protocol support in the kernel. Remote     users could possibly use this to gain access to     sensitive memory or cause a denial of service.

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker could exploit this to cause a kernel oops. (CVE-2011-2203)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353)

A flaw was found in the b43 driver in the Linux kernel. An attacker could use this flaw to cause a denial of service if the system has an active wireless interface using the b43 driver. (CVE-2011-3359)

A flaw was found in how the Linux kernel handles user-defined key types. An unprivileged local user could exploit this to crash the system. (CVE-2011-4110)

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker could exploit this to cause a kernel oops. (CVE-2011-2203)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353)

A flaw was found in how the Linux kernel handles user-defined key types. An unprivileged local user could exploit this to crash the system. (CVE-2011-4110)

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.46 and fixes various bugs and security issues.

The following security issues have been fixed :

  - A signedness issue in CIFS could possibly have lead to     to memory corruption, if a malicious server could send     crafted replies to the host. (CVE-2011-3191)

  - In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did not     check the length of the write so the message processing     could overrun and result in a BUG_ON() in     fuse_copy_fill(). This flaw could be used by local users     able to mount FUSE filesystems to crash the system.
    (CVE-2011-3353)

  - The befs_follow_link function in fs/befs/linuxvfs.c in     the Linux kernel did not validate the length attribute     of long symlinks, which allowed local users to cause a     denial of service (incorrect pointer dereference and     OOPS) by accessing a long symlink on a malformed Be     filesystem. (CVE-2011-2928)

Also the following non security bugs have been fixed :

  - CONFIG_CGROUP_MEM_RES_CTLR_SWAP enabled

  - CONFIG_CGROUP_MEM_RES_CTLR_SWAP_ENABLED disabled by     default. Swap accounting can be turned on by     swapaccount=1 kernel command line parameter.
    (bnc#719450)

  - Make swap accounting default behavior configurable     (bnc#719450, bnc#650309, fate#310471).

  - Added a missing reset for ioc_reset_in_progress in     SoftReset in the mtpsas driver. (bnc#711969)

  - Add support for the Digi/IBM PCIe 2-port Adapter.
    (bnc#708675)

  - Always enable MSI-X on 5709. (bnc#707737)

  - sched: fix broken SCHED_RESET_ON_FORK handling.
    (bnc#708877)

  - sched: Fix rt_rq runtime leakage bug. (bnc#707096)

  - ACPI: allow passing down C1 information if no other     C-states exist.

  - KDB: turn off kdb usb support by default. (bnc#694670 /     bnc#603804)

  - xfs: Added event tracing support.

  - xfs: fix xfs_fsblock_t tracing.

  - igb: extend maximum frame size to receive VLAN tagged     frames. (bnc#688859)

  - cfq: Do not allow queue merges for queues that have no     process references. (bnc#712929)

  - cfq: break apart merged cfqqs if they stop cooperating.
    (bnc#712929)

  - cfq: calculate the seek_mean per cfq_queue not per     cfq_io_context. (bnc#712929)

  - cfq: change the meaning of the cfqq_coop flag.
    (bnc#712929)

  - cfq-iosched: get rid of the coop_preempt flag.
    (bnc#712929)

  - cfq: merge cooperating cfq_queues. (bnc#712929)

  - Fix FDDI and TR config checks in ipv4 arp and LLC.
    (bnc#715235)

  - writeback: do uninterruptible sleep in     balance_dirty_pages(). (bnc#699354 / bnc#699357)

  - xfs: fix memory reclaim recursion deadlock on locked     inode buffer. (bnc#699355 / bnc#699354)

  - xfs: use GFP_NOFS for page cache allocation. (bnc#699355     / bnc#699354)

  - virtio-net: init link state correctly. (bnc#714966)

  - cpufreq: pcc-cpufreq: sanity check to prevent a NULL     pointer dereference. (bnc#709412)

  - x86: ucode-amd: Do not warn when no ucode is available     for a CPU

  - patches.arch/x86_64-unwind-annotations: Refresh.
    (bnc#588458)

  - patches.suse/stack-unwind: Refresh. (bnc#588458)

  - splice: direct_splice_actor() should not use pos in sd.
    (bnc#715763)

  - qdio: 2nd stage retry on SIGA-W busy conditions     (bnc#713138,LTC#74402).

  - TTY: pty, fix pty counting. (bnc#711203)

  - Avoid deadlock in GFP_IO/GFP_FS allocation. (bnc#632870)

  - novfs: fix some DirCache locking issues. (bnc#669378)

  - novfs: fix some kmalloc/kfree issues. (bnc#669378)

  - novfs: fix off-by-one allocation error. (bnc#669378)

  - novfs: unlink directory after unmap. (bnc#649625)

  - novfs: last modification time not reliable. (bnc#642896)

  - x86 / IO APIC: Reset IRR in clear_IO_APIC_pin().
    (bnc#701686, bnc#667386)

  - mptfusion : Added check for SILI bit in READ_6 CDB for     DATA UNDERRUN ERRATA. (bnc#712456)

  - xfs: serialise unaligned direct IOs. (bnc#707125)

  - NFS: Ensure that we handle NFS4ERR_STALE_STATEID     correctly. (bnc#701443)

  - NFSv4: Do not call nfs4_state_mark_reclaim_reboot() from     error handlers. (bnc#701443)

  - NFSv4: Fix open recovery. (bnc#701443)

  - NFSv4.1: Do not call nfs4_schedule_state_recovery()     unnecessarily. (bnc#701443)

Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services. (CVE-2011-2699, Important)

* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important)

* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important)

* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate)

* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service. (CVE-2011-3353, Moderate)

* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate)

* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate)

* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate)

* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low)

* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially crafted partition tables. (CVE-2011-1577, Low)

* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low)

* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
(CVE-2011-2905, Low)

Red Hat would like to thank Fernando Gont for reporting CVE-2011-2699;
Darren Lavender for reporting CVE-2011-3191; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363;
Gideon Naim for reporting CVE-2011-3593; Peter Huewe for reporting CVE-2011-1162; Timo Warns for reporting CVE-2011-1577; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494.

This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section.

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)

Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)

Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497)

It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695)

Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.
(CVE-2011-2699)

Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges.
(CVE-2011-2905)

Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

Gideon Naim discovered a flaw in the Linux kernel's handling VLAN 0 frames. An attacker on the local network could exploit this flaw to cause a denial of service. (CVE-2011-3593).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)

Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)

Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497)

It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695)

Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.
(CVE-2011-2699)

Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges.
(CVE-2011-2905)

Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191)

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

Gideon Naim discovered a flaw in the Linux kernel's handling VLAN 0 frames. An attacker on the local network could exploit this flaw to cause a denial of service. (CVE-2011-3593).

ID	Name	Product	Family	Severity
76635	RHEL 6 : MRG (RHSA-2012:0010)	Nessus	Red Hat Local Security Checks	critical
75881	openSUSE Security Update : kernel (openSUSE-SU-2011:1222-1)	Nessus	SuSE Local Security Checks	critical
75556	openSUSE Security Update : kernel (openSUSE-SU-2011:1221-1)	Nessus	SuSE Local Security Checks	critical
69585	Amazon Linux AMI : kernel (ALAS-2011-26)	Nessus	Amazon Linux Local Security Checks	high
68424	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2033)	Nessus	Oracle Linux Local Security Checks	critical
68393	Oracle Linux 6 : kernel (ELSA-2011-1465)	Nessus	Oracle Linux Local Security Checks	critical
61179	Scientific Linux Security Update : kernel on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
58268	Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1387-1)	Nessus	Ubuntu Local Security Checks	high
58267	Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1386-1)	Nessus	Ubuntu Local Security Checks	high
57936	Ubuntu 11.04 : linux vulnerabilities (USN-1362-1)	Nessus	Ubuntu Local Security Checks	high
57935	Ubuntu 10.10 : linux vulnerabilities (USN-1361-1)	Nessus	Ubuntu Local Security Checks	high
57583	Debian DSA-2389-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	medium
57533	USN-1329-1 : linux-ti-omap4 vulnerability	Nessus	Ubuntu Local Security Checks	medium
57497	USN-1325-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	medium
57448	USN-1319-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	medium
57111	SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 5219 / 5222 / 5223)	Nessus	SuSE Local Security Checks	critical
56927	RHEL 6 : kernel (RHSA-2011:1465)	Nessus	Red Hat Local Security Checks	critical
56747	Ubuntu 10.04 LTS : linux vulnerabilities (USN-1253-1)	Nessus	Ubuntu Local Security Checks	critical
56644	Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1245-1)	Nessus	Ubuntu Local Security Checks	critical
56639	Ubuntu 10.04 LTS : linux-mvl-dove vulnerabilities (USN-1240-1)	Nessus	Ubuntu Local Security Checks	critical
56638	Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1239-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2011-3353

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins