openSUSE Security Update : kernel (openSUSE-SU-2010:0664-1)

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing several
security issues and bugs.

A lot of ext4 filesystem stability fixes were also added.

Following security issues have been fixed: CVE-2010-3301: Mismatch
between 32bit and 64bit register usage in the system call entry path
could be used by local attackers to gain root privileges. This problem
only affects x86_64 kernels.

CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer
handling could be used by local attackers to gain root privileges.
This problem affects foremost x86_64, or potentially other biarch
platforms, like PowerPC and S390x.

CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could
be used to crash the kernel or potentially execute code.

CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed.

CVE-2010-2960: The keyctl_session_to_parent function in
security/keys/keyctl.c in the Linux kernel expects that a certain
parent session keyring exists, which allowed local users to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT
argument to the keyctl function.

CVE-2010-3080: A double free in an alsa error path was fixed, which
could lead to kernel crashes.

CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which
could lead to kernel crashes.

CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso
driver.

CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver.

CVE-2010-3297: Fixed a kernel information leak in the net/eql driver.

CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem.
CVE-2010-2942: Fixed a kernel information leak in the net scheduler
code.

CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the
Linux kernel did not properly handle failure of the irda_open_tsap
function, which allowed local users to cause a denial of service (NULL
pointer dereference and panic) and possibly have unspecified other
impact via multiple unsuccessful calls to bind on an AF_IRDA (aka
PF_IRDA) socket.

CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the
Linux kernel did not properly check the file descriptors passed to the
SWAPEXT ioctl, which allowed local users to leverage write access and
obtain read access by swapping one file into another file.

CVE-2010-2946: The 'os2' xattr namespace on the jfs filesystem could
be used to bypass xattr namespace rules.

CVE-2010-2959: Integer overflow in net/can/bcm.c in the Controller
Area Network (CAN) implementation in the Linux kernel allowed
attackers to execute arbitrary code or cause a denial of service
(system crash) via crafted CAN traffic.

CVE-2010-3015: Integer overflow in the ext4_ext_get_blocks function in
fs/ext4/extents.c in the Linux kernel allowed local users to cause a
denial of service (BUG and system crash) via a write operation on the
last block of a large file, followed by a sync operation.

CVE-2010-2492: Buffer overflow in the ecryptfs_uid_hash macro in
fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel
might have allowed local users to gain privileges or cause a denial of
service (system crash) via unspecified vectors.

CVE-2010-2248: fs/cifs/cifssmb.c in the CIFS implementation in the
Linux kernel allowed remote attackers to cause a denial of service
(panic) via an SMB response packet with an invalid CountHigh value, as
demonstrated by a response from an OS/2 server, related to the
CIFSSMBWrite and CIFSSMBWrite2 functions.

CVE-2010-2803: The drm_ioctl function in drivers/gpu/drm/drm_drv.c in
the Direct Rendering Manager (DRM) subsystem in the Linux kernel
allowed local users to obtain potentially sensitive information from
kernel memory by requesting a large memory-allocation amount.

CVE-2010-2478: A potential buffer overflow in the ETHTOOL_GRXCLSRLALL
ethtool code was fixed which could be used by local attackers to crash
the kernel or potentially execute code.

CVE-2010-2524: The DNS resolution functionality in the CIFS
implementation in the Linux kernel, when CONFIG_CIFS_DFS_UPCALL is
enabled, relies on a user's keyring for the dns_resolver upcall in the
cifs.upcall userspace helper, which allowed local users to spoof the
results of DNS queries and perform arbitrary CIFS mounts via vectors
involving an add_key call, related to a 'cache stuffing' issue and
MS-DFS referrals.

CVE-2010-2798: The gfs2_dirent_find_space function in fs/gfs2/dir.c in
the Linux kernel used an incorrect size value in calculations
associated with sentinel directory entries, which allowed local users
to cause a denial of service (NULL pointer dereference and panic) and
possibly have unspecified other impact by renaming a file in a GFS2
filesystem, related to the gfs2_rename function in
fs/gfs2/ops_inode.c.

CVE-2010-2537: The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls
allowed a local user to overwrite append-only files.

CVE-2010-2538: The BTRFS_IOC_CLONE_RANGE ioctl was subject to an
integer overflow in specifying offsets to copy from a file, which
potentially allowed a local user to read sensitive filesystem data.

CVE-2010-2521: Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the
XDR implementation in the NFS server in the Linux kernel allowed
remote attackers to cause a denial of service (panic) or possibly
execute arbitrary code via a crafted NFSv4 compound WRITE request,
related to the read_buf and nfsd4_decode_compound functions.

CVE-2010-2066: The mext_check_arguments function in
fs/ext4/move_extent.c in the Linux kernel allowed local users to
overwrite an append-only file via a MOVE_EXT ioctl call that specifies
this file as a donor.

CVE-2010-2495: The pppol2tp_xmit function in drivers/net/pppol2tp.c in
the L2TP implementation in the Linux kernel did not properly validate
certain values associated with an interface, which allowed attackers
to cause a denial of service (NULL pointer dereference and OOPS) or
possibly have unspecified other impact via vectors related to a
routing change.

CVE-2010-2071: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in
btrfs in the Linux kernel did not check file ownership before setting
an ACL, which allowed local users to bypass file permissions by
setting arbitrary ACLs, as demonstrated using setfacl.

CVE-2010-1641: The do_gfs2_set_flags function in fs/gfs2/file.c in the
Linux kernel did not verify the ownership of a file, which allowed
local users to bypass intended access restrictions via a SETFLAGS
ioctl request.

CVE-2010-1087: The nfs_wait_on_request function in fs/nfs/pagelist.c
in Linux kernel 2.6.x allowed attackers to cause a denial of service
(Oops) via unknown vectors related to truncating a file and an
operation that is not interruptible.

CVE-2010-1636: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in
the btrfs functionality in the Linux kernel did not ensure that a
cloned file descriptor has been opened for reading, which allowed
local users to read sensitive information from a write-only file
descriptor.

CVE-2010-1437: Race condition in the find_keyring_by_name function in
security/keys/keyring.c in the Linux kernel allowed local users to
cause a denial of service (memory corruption and system crash) or
possibly have unspecified other impact via keyctl session commands
that trigger access to a dead keyring that is undergoing deletion by
the key_cleanup function.

CVE-2010-1148: The cifs_create function in fs/cifs/dir.c in the Linux
kernel allowed local users to cause a denial of service (NULL pointer
dereference and OOPS) or possibly have unspecified other impact via a
NULL nameidata (aka nd) field in a POSIX file-creation request to a
server that supports UNIX extensions.

CVE-2010-1162: The release_one_tty function in drivers/char/tty_io.c
in the Linux kernel omitted certain required calls to the put_pid
function, which has unspecified impact and local attack vectors.

CVE-2010-1146: The Linux kernel, when a ReiserFS filesystem exists,
did not restrict read or write access to the .reiserfs_priv directory,
which allowed local users to gain privileges by modifying (1) extended
attributes or (2) ACLs, as demonstrated by deleting a file under
.reiserfs_priv/xattrs/.

CVE-2009-4537: drivers/net/r8169.c in the r8169 driver in the Linux
kernel did not properly check the size of an Ethernet frame that
exceeds the MTU, which allowed remote attackers to (1) cause a denial
of service (temporary network outage) via a packet with a crafted
size, in conjunction with certain packets containing A characters and
certain packets containing E characters; or (2) cause a denial of
service (system crash) via a packet with a crafted size, in
conjunction with certain packets containing '\0' characters, related
to the value of the status register and erroneous behavior associated
with the RxMaxSize register. NOTE: this vulnerability exists because
of an incorrect fix for CVE-2009-1389.

See also :

http://lists.opensuse.org/opensuse-updates/2010-09/msg00045.html
https://bugzilla.novell.com/show_bug.cgi?id=426536
https://bugzilla.novell.com/show_bug.cgi?id=465707
https://bugzilla.novell.com/show_bug.cgi?id=486997
https://bugzilla.novell.com/show_bug.cgi?id=508259
https://bugzilla.novell.com/show_bug.cgi?id=556837
https://bugzilla.novell.com/show_bug.cgi?id=557201
https://bugzilla.novell.com/show_bug.cgi?id=567376
https://bugzilla.novell.com/show_bug.cgi?id=567860
https://bugzilla.novell.com/show_bug.cgi?id=567867
https://bugzilla.novell.com/show_bug.cgi?id=569071
https://bugzilla.novell.com/show_bug.cgi?id=571494
https://bugzilla.novell.com/show_bug.cgi?id=573244
https://bugzilla.novell.com/show_bug.cgi?id=575697
https://bugzilla.novell.com/show_bug.cgi?id=576026
https://bugzilla.novell.com/show_bug.cgi?id=583867
https://bugzilla.novell.com/show_bug.cgi?id=584554
https://bugzilla.novell.com/show_bug.cgi?id=585385
https://bugzilla.novell.com/show_bug.cgi?id=585927
https://bugzilla.novell.com/show_bug.cgi?id=586711
https://bugzilla.novell.com/show_bug.cgi?id=587265
https://bugzilla.novell.com/show_bug.cgi?id=588579
https://bugzilla.novell.com/show_bug.cgi?id=589280
https://bugzilla.novell.com/show_bug.cgi?id=589329
https://bugzilla.novell.com/show_bug.cgi?id=589788
https://bugzilla.novell.com/show_bug.cgi?id=590738
https://bugzilla.novell.com/show_bug.cgi?id=591371
https://bugzilla.novell.com/show_bug.cgi?id=593906
https://bugzilla.novell.com/show_bug.cgi?id=593940
https://bugzilla.novell.com/show_bug.cgi?id=596031
https://bugzilla.novell.com/show_bug.cgi?id=596462
https://bugzilla.novell.com/show_bug.cgi?id=599508
https://bugzilla.novell.com/show_bug.cgi?id=599955
https://bugzilla.novell.com/show_bug.cgi?id=601328
https://bugzilla.novell.com/show_bug.cgi?id=602209
https://bugzilla.novell.com/show_bug.cgi?id=606743
https://bugzilla.novell.com/show_bug.cgi?id=608576
https://bugzilla.novell.com/show_bug.cgi?id=610362
https://bugzilla.novell.com/show_bug.cgi?id=611760
https://bugzilla.novell.com/show_bug.cgi?id=612213
https://bugzilla.novell.com/show_bug.cgi?id=612457
https://bugzilla.novell.com/show_bug.cgi?id=614054
https://bugzilla.novell.com/show_bug.cgi?id=615141
https://bugzilla.novell.com/show_bug.cgi?id=616612
https://bugzilla.novell.com/show_bug.cgi?id=616614
https://bugzilla.novell.com/show_bug.cgi?id=618156
https://bugzilla.novell.com/show_bug.cgi?id=618157
https://bugzilla.novell.com/show_bug.cgi?id=619850
https://bugzilla.novell.com/show_bug.cgi?id=620372
https://bugzilla.novell.com/show_bug.cgi?id=624587
https://bugzilla.novell.com/show_bug.cgi?id=627386
https://bugzilla.novell.com/show_bug.cgi?id=627447
https://bugzilla.novell.com/show_bug.cgi?id=628604
https://bugzilla.novell.com/show_bug.cgi?id=631801
https://bugzilla.novell.com/show_bug.cgi?id=632309
https://bugzilla.novell.com/show_bug.cgi?id=633581
https://bugzilla.novell.com/show_bug.cgi?id=633585
https://bugzilla.novell.com/show_bug.cgi?id=635413
https://bugzilla.novell.com/show_bug.cgi?id=635425
https://bugzilla.novell.com/show_bug.cgi?id=636112
https://bugzilla.novell.com/show_bug.cgi?id=637436
https://bugzilla.novell.com/show_bug.cgi?id=637502
https://bugzilla.novell.com/show_bug.cgi?id=638274
https://bugzilla.novell.com/show_bug.cgi?id=638277
https://bugzilla.novell.com/show_bug.cgi?id=639481
https://bugzilla.novell.com/show_bug.cgi?id=639482
https://bugzilla.novell.com/show_bug.cgi?id=639483
https://bugzilla.novell.com/show_bug.cgi?id=639708
https://bugzilla.novell.com/show_bug.cgi?id=639709

Solution :

Update the affected kernel packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true