http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f8e9881c2aef1e982e5abc25c046820cd0b7cf64

[oss-security] 20111028 Re: CVE Request: Multiple remote denial of service in Linux bridge networking code 2.6.37-3.0

https://github.com/torvalds/linux/commit/f8e9881c2aef1e982e5abc25c046820cd0b7cf64

The openSUSE 11.4 kernel was updated to fix bugs and security issues.

Following security issues have been fixed: CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

CVE-2011-2699: Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

CVE-2011-1173: A kernel information leak via ip6_tables was fixed.

CVE-2011-1172: A kernel information leak via ip6_tables netfilter was fixed.

CVE-2011-1171: A kernel information leak via ip_tables was fixed.

CVE-2011-1170: A kernel information leak via arp_tables was fixed.

CVE-2011-1080: A kernel information leak via netfilter was fixed.

CVE-2011-2213: The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.

CVE-2011-2534: Buffer overflow in the clusterip_proc_write function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux kernel might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating '0' character.

CVE-2011-1770: Integer underflow in the dccp_parse_options function (net/dccp/options.c) in the Linux kernel allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read.

CVE-2011-2723: The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel, when Generic Receive Offload (GRO) is enabled, reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

CVE-2011-2898: A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory.

CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.

CVE-2011-2203: A NULL ptr dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel.

CVE-2011-4081: Using the crypto interface a local user could Oops the kernel by writing to a AF_ALG socket.

A bug was discovered in the XFS filesystem's handling of pathnames. A local attacker could exploit this to crash the system, leading to a denial of service, or gain root privileges. (CVE-2011-4077)

Nick Bowler discovered the kernel GHASH message digest algorithm incorrectly handled error conditions. A local attacker could exploit this to cause a kernel oops. (CVE-2011-4081)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-4087)

A flaw was found in the Journaling Block Device (JBD). A local attacker able to mount ext3 or ext4 file systems could exploit this to crash the system, leading to a denial of service. (CVE-2011-4132)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Clement Lecigne discovered a bug in the HFS file system bounds checking. When a malformed HFS file system is mounted a local user could crash the system or gain root privileges. (CVE-2011-4330)

Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162)

Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494)

Qianfeng Zhang discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2942)

Yasuaki Ishimatsu discovered a flaw in the kernel's clock implementation. A local unprivileged attacker could exploit this causing a denial of service. (CVE-2011-3209)

Zheng Liu discovered a flaw in how the ext4 filesystem splits extents.
A local unprivileged attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-3638)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)

Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)

Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)

Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)

Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)

Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)

Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)

It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479)

Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)

It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573)

Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service.
(CVE-2011-1576)

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581)

It was discovered that CIFS incorrectly handled authentication. When a user had a CIFS share mounted that required authentication, a local user could mount the same share without knowing the correct password.
(CVE-2011-1585)

It was discovered that the GRE protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ip_gre module was loading, and crash the system, leading to a denial of service. (CVE-2011-1767)

It was discovered that the IP/IP protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ipip module was loading, and crash the system, leading to a denial of service. (CVE-2011-1768)

Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771)

Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776)

Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)

Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM partitions. A local user could exploit this to cause a denial of service or escalate privileges. (CVE-2011-2182)

Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. A local attacker could exploit this to consume CPU resources, leading to a denial of service.
(CVE-2011-2213)

It was discovered that an mmap() call with the MAP_PRIVATE flag on '/dev/zero' was incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2479)

Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could exploit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484)

It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy.
(CVE-2011-2492)

Sami Liedes discovered that ext4 did not correctly handle missing root inodes. A local attacker could trigger the mount of a specially crafted filesystem to cause the system to crash, leading to a denial of service. (CVE-2011-2493)

Robert Swiecki discovered that mapping extensions were incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2496)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497)

Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were being incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2525)

It was discovered that GFS2 did not correctly check block sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2689)

It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695)

Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.
(CVE-2011-2699)

Mauro Carvalho Chehab discovered that the si4713 radio driver did not correctly check the length of memory copies. If this hardware was available, a local attacker could exploit this to crash the system or gain root privileges. (CVE-2011-2700)

Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723)

The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)

Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service.
(CVE-2011-2928)

Qianfeng Zhang discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service.
(CVE-2011-2942)

Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191)

Yasuaki Ishimatsu discovered a flaw in the kernel's clock implementation. A local unprivileged attacker could exploit this causing a denial of service. (CVE-2011-3209)

Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363)

A flaw was discovered in the Linux kernel's AppArmor security interface when invalid information was written to it. An unprivileged local user could use this to cause a denial of service on the system.
(CVE-2011-3619)

A flaw was found in the Linux kernel's /proc/*/*map* interface. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-3637)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326)

Ben Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4914).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)

Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581)

Ben Hutchings reported a flaw in the kernel's handling of corrupt LDM partitions. A local user could exploit this to cause a denial of service or escalate privileges. (CVE-2011-2182)

Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could exploit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484)

Sami Liedes discovered that ext4 did not correctly handle missing root inodes. A local attacker could trigger the mount of a specially crafted filesystem to cause the system to crash, leading to a denial of service. (CVE-2011-2493)

A flaw was discovered in the Linux kernel's AppArmor security interface when invalid information was written to it. An unprivileged local user could use this to cause a denial of service on the system.
(CVE-2011-3619)

Scot Doyle discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-4087)

A bug was found in the way headroom check was performed in udp6_ufo_fragment() function. A remote attacker could use this flaw to crash the system. (CVE-2011-4326).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
75882	openSUSE Security Update : kernel (openSUSE-SU-2012:0236-1)	Nessus	SuSE Local Security Checks	high
57305	USN-1304-1 : linux-ti-omap4 vulnerabilities	Nessus	Ubuntu Local Security Checks	high
57058	Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1294-1)	Nessus	Ubuntu Local Security Checks	high
56768	Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1)	Nessus	Ubuntu Local Security Checks	critical
55923	Ubuntu 11.04 : linux vulnerabilities (USN-1193-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2011-4087

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins