SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7257)

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 10 host is missing a security-related patch.

Description :

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes
several security issues and bugs.

The following security issues were fixed :

- Multiple integer overflows in the snd_ctl_new function
in sound/core/control.c in the Linux kernel before
2.6.36-rc5-next-20100929 allow local users to cause a
denial of service (heap memory corruption) or possibly
have unspecified other impact via a crafted (1)
SNDRV_CTL_IOCTL_ELEM_ADD or (2)
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442)

- Integer signedness error in the pkt_find_dev_from_minor
function in drivers/block/pktcdvd.c in the Linux kernel
before 2.6.36-rc6 allows local users to obtain sensitive
information from kernel memory or cause a denial of
service (invalid pointer dereference and system crash)
via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl
call. (CVE-2010-3437)

- Uninitialized stack memory disclosure in the
FBIOGET_VBLANK ioctl in the sis and ivtv drivers could
leak kernel memory to userspace. (CVE-2010-4078)

- Uninitialized stack memory disclosure in the rme9652
ALSA driver could leak kernel memory to userspace.
(CVE-2010-4080 / CVE-2010-4081)

- Uninitialized stack memory disclosure in the SystemV IPC
handling functions could leak kernel memory to
userspace. (CVE-2010-4073 / CVE-2010-4072 /
CVE-2010-4083)

- Integer overflow in the do_io_submit function in
fs/aio.c in the Linux kernel allowed local users to
cause a denial of service or possibly have unspecified
other impact via crafted use of the io_submit system
call. (CVE-2010-3067)

- Multiple integer signedness errors in net/rose/af_rose.c
in the Linux kernel allowed local users to cause a
denial of service (heap memory corruption) or possibly
have unspecified other impact via a rose_getname
function call, related to the rose_bind and rose_connect
functions. (CVE-2010-3310)

- The xfs_swapext function in fs/xfs/xfs_dfrag.c in the
Linux kernel did not properly check the file descriptors
passed to the SWAPEXT ioctl, which allowed local users
to leverage write access and obtain read access by
swapping one file into another file. (CVE-2010-2226)

- fs/jfs/xattr.c in the Linux kernel did not properly
handle a certain legacy format for storage of extended
attributes, which might have allowed local users to
bypass intended xattr namespace restrictions via an
'os2.' substring at the beginning of a name.
(CVE-2010-2946)

- The actions implementation in the network queueing
functionality in the Linux kernel did not properly
initialize certain structure members when performing
dump operations, which allowed local users to obtain
potentially sensitive information from kernel memory via
vectors related to (1) the tcf_gact_dump function in
net/sched/act_gact.c, (2) the tcf_mirred_dump function
in net/sched/act_mirred.c, (3) the tcf_nat_dump function
in net/sched/act_nat.c, (4) the tcf_simp_dump function
in net/sched/act_simple.c, and (5) the tcf_skbedit_dump
function in net/sched/act_skbedit.c. (CVE-2010-2942)

- fs/cifs/cifssmb.c in the CIFS implementation in the
Linux kernel allowed remote attackers to cause a denial
of service (panic) via an SMB response packet with an
invalid CountHigh value, as demonstrated by a response
from an OS/2 server, related to the CIFSSMBWrite and
CIFSSMBWrite2 functions. (CVE-2010-2248)

- A 32-bit vs. 64-bit integer mismatch in gdth_ioctl_alloc
could lead to memory corruption in the GDTH driver.
(CVE-2010-4157)

- A remote (or local) attacker communicating over X.25
could cause a kernel panic by attempting to negotiate
malformed facilities. (CVE-2010-4164)

- A missing lock prefix in the x86 futex code could be
used by local attackers to cause a denial of service.
(CVE-2010-3086)

- A memory information leak in Berkeley Packet Filter rules
allowed local attackers to read uninitialized memory of
the kernel stack. (CVE-2010-4158)

- A local denial of service in the block device layer was
fixed. (CVE-2010-4162)
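
As an added illustration (not part of this advisory or of the kernel source), the two integer-handling bug classes listed above, the unbounded allocation-size multiplication behind CVE-2010-3442 and the signed-only bounds check behind CVE-2010-3437, are shown next to their hardened forms. The 32-bit size type and the constants HDR_SIZE, ELEM_SIZE, MAX_WRITERS and MAX_CONTROL_COUNT are illustrative stand-ins, not the kernel's definitions.

```c
#include <stdint.h>

/* Models a 32-bit kernel build, where the allocation length is 32 bits wide. */
typedef uint32_t ksize_t;

/* Illustrative stand-ins (assumed values, not the kernel's). */
#define HDR_SIZE          32u    /* fixed header preceding the element array */
#define ELEM_SIZE         16u    /* size of one per-element record */
#define MAX_CONTROL_COUNT 1028u  /* explicit cap on elements per control */
#define MAX_WRITERS       8      /* number of slots in a device table */

/* Bug class of CVE-2010-3442: an element count taken from the ioctl is
 * multiplied by a record size to get the allocation length. Nothing bounds
 * count, so the product wraps and a buffer far smaller than later indexing
 * assumes is handed back (heap corruption on use). */
ksize_t ctl_alloc_size_unchecked(uint32_t count)
{
    return HDR_SIZE + count * ELEM_SIZE;   /* wraps silently for large count */
}

/* Hardened form: refuse absurd counts up front and prove the multiplication
 * cannot wrap before performing it. Returns 0 to signal refusal. */
ksize_t ctl_alloc_size_checked(uint32_t count)
{
    if (count == 0 || count > MAX_CONTROL_COUNT)
        return 0;
    /* Unreachable with the cap above; kept as defence in depth should the
     * cap ever be raised. */
    if (count > (UINT32_MAX - HDR_SIZE) / ELEM_SIZE)
        return 0;
    return HDR_SIZE + count * ELEM_SIZE;
}

/* Bug class of CVE-2010-3437: a signed index from the ioctl is compared
 * only against the upper bound, so a negative value is accepted and the
 * table would be read before its start. Returns 1 if idx is accepted. */
int check_dev_index_unchecked(int idx)
{
    return idx < MAX_WRITERS;              /* -1 passes this test */
}

/* Hardened form: reject the negative range too. Casting idx to unsigned
 * before a single upper-bound compare is the equivalent kernel idiom. */
int check_dev_index_checked(int idx)
{
    return idx >= 0 && idx < MAX_WRITERS;
}
```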

See also :

http://support.novell.com/security/cve/CVE-2010-2226.html
http://support.novell.com/security/cve/CVE-2010-2248.html
http://support.novell.com/security/cve/CVE-2010-2942.html
http://support.novell.com/security/cve/CVE-2010-2946.html
http://support.novell.com/security/cve/CVE-2010-3067.html
http://support.novell.com/security/cve/CVE-2010-3086.html
http://support.novell.com/security/cve/CVE-2010-3310.html
http://support.novell.com/security/cve/CVE-2010-3437.html
http://support.novell.com/security/cve/CVE-2010-3442.html
http://support.novell.com/security/cve/CVE-2010-4072.html
http://support.novell.com/security/cve/CVE-2010-4073.html
http://support.novell.com/security/cve/CVE-2010-4078.html
http://support.novell.com/security/cve/CVE-2010-4080.html
http://support.novell.com/security/cve/CVE-2010-4081.html
http://support.novell.com/security/cve/CVE-2010-4083.html
http://support.novell.com/security/cve/CVE-2010-4157.html
http://support.novell.com/security/cve/CVE-2010-4158.html
http://support.novell.com/security/cve/CVE-2010-4162.html
http://support.novell.com/security/cve/CVE-2010-4164.html

Solution :

Apply ZYPP patch number 7257.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Public Exploit Available : true
