SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4039 / 4042 / 4043)

This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.29 and fixes various bugs and security issues.

- The ax25_getname function in net/ax25/af_ax25.c in the
Linux kernel did not initialize a certain structure,
which allowed local users to obtain potentially
sensitive information from kernel stack memory by
reading a copy of this structure. (CVE-2010-3875)

- net/packet/af_packet.c in the Linux kernel did not
properly initialize certain structure members, which
allowed local users to obtain potentially sensitive
information from kernel stack memory by leveraging the
CAP_NET_RAW capability to read copies of the applicable
structures. (CVE-2010-3876)

- The get_name function in net/tipc/socket.c in the Linux
kernel did not initialize a certain structure, which
allowed local users to obtain potentially sensitive
information from kernel stack memory by reading a copy
of this structure. (CVE-2010-3877)

- The sctp_auth_asoc_get_hmac function in net/sctp/auth.c
in the Linux kernel did not properly validate the
hmac_ids array of an SCTP peer, which allowed remote
attackers to cause a denial of service (memory
corruption and panic) via a crafted value in the last
element of this array. (CVE-2010-3705)

- A stack memory information leak in the xfs FSGEOMETRY_V1
ioctl was fixed. (CVE-2011-0711)

- Multiple buffer overflows in the caiaq Native
Instruments USB audio functionality in the Linux kernel
might have allowed attackers to cause a denial of
service or possibly have unspecified other impact via a
long USB device name, related to (1) the
snd_usb_caiaq_audio_init function in
sound/usb/caiaq/audio.c and (2) the
snd_usb_caiaq_midi_init function in
sound/usb/caiaq/midi.c. (CVE-2011-0712)

- The task_show_regs function in arch/s390/kernel/traps.c
in the Linux kernel on the s390 platform allowed local
users to obtain the values of the registers of an
arbitrary process by reading a status file under /proc/.
(CVE-2011-0710)

- The xfs implementation in the Linux kernel did not look
up inode allocation btrees before reading inode buffers,
which allowed remote authenticated users to read
unlinked files, or read or overwrite disk blocks that
are currently assigned to an active file but were
previously assigned to an unlinked file, by accessing a
stale NFS filehandle. (CVE-2010-2943)

- The uart_get_count function in
drivers/serial/serial_core.c in the Linux kernel did not
properly initialize a certain structure member, which
allowed local users to obtain potentially sensitive
information from kernel stack memory via a TIOCGICOUNT
ioctl call. (CVE-2010-4075)

- The rs_ioctl function in drivers/char/amiserial.c in the
Linux kernel did not properly initialize a certain
structure member, which allowed local users to obtain
potentially sensitive information from kernel stack
memory via a TIOCGICOUNT ioctl call. (CVE-2010-4076)

- The ntty_ioctl_tiocgicount function in
drivers/char/nozomi.c in the Linux kernel did not
properly initialize a certain structure member, which
allowed local users to obtain potentially sensitive
information from kernel stack memory via a TIOCGICOUNT
ioctl call. (CVE-2010-4077)

- fs/exec.c in the Linux kernel did not enable the OOM
Killer to assess use of stack memory by arrays
representing the (1) arguments and (2) environment,
which allowed local users to cause a denial of service
(memory consumption) via a crafted exec system call, aka
an OOM dodging issue, a related issue to CVE-2010-3858.
(CVE-2010-4243)

- The blk_rq_map_user_iov function in block/blk-map.c in
the Linux kernel allowed local users to cause a denial
of service (panic) via a zero-length I/O request in a
device ioctl to a SCSI device, related to an unaligned
map. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2010-4163. (CVE-2010-4668)

- Integer underflow in the irda_getsockopt function in
net/irda/af_irda.c in the Linux kernel on platforms
other than x86 allowed local users to obtain potentially
sensitive information from kernel heap memory via an
IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529)

- The aun_incoming function in net/econet/af_econet.c in
the Linux kernel, when Econet is enabled, allowed remote
attackers to cause a denial of service (NULL pointer
dereference and OOPS) by sending an Acorn Universal
Networking (AUN) packet over UDP. (CVE-2010-4342)

- The backend driver in Xen 3.x allowed guest OS users to
cause a denial of service via a kernel thread leak,
which prevented the device and guest OS from being shut
down or created a zombie domain, causing a hang in
xenwatch, or preventing unspecified xm commands from
working properly, related to (1) netback, (2) blkback,
or (3) blktap. (CVE-2010-3699)

- The install_special_mapping function in mm/mmap.c in the
Linux kernel did not make an expected security_file_mmap
function call, which allowed local users to bypass
intended mmap_min_addr restrictions and possibly conduct
NULL pointer dereference attacks via a crafted
assembly-language application. (CVE-2010-4346)

- Fixed a verify_ioctl overflow in 'cuse' in the fuse
filesystem. The code should only be called by root users
though. (CVE-2010-4650)

- Race condition in the sctp_icmp_proto_unreachable
function in net/sctp/input.c in the Linux kernel allowed
remote attackers to cause a denial of service (panic)
via an ICMP unreachable message to a socket that is
already locked by a user, which causes the socket to be
freed and triggers list corruption, related to the
sctp_wait_for_connect function. (CVE-2010-4526)

- The load_mixer_volumes function in sound/oss/soundcard.c
in the OSS sound subsystem in the Linux kernel
incorrectly expected that a certain name field ends with
a '\0' character, which allowed local users to conduct
buffer overflow attacks and gain privileges, or possibly
obtain sensitive information from kernel memory, via a
SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527)

- Fixed a LSM bug in IMA (Integrity Measuring
Architecture). IMA is not enabled in SUSE kernels, so we
were not affected. (CVE-2011-0006)

See also :

https://bugzilla.novell.com/show_bug.cgi?id=466279
https://bugzilla.novell.com/show_bug.cgi?id=552250
https://bugzilla.novell.com/show_bug.cgi?id=564423
https://bugzilla.novell.com/show_bug.cgi?id=602969
https://bugzilla.novell.com/show_bug.cgi?id=620929
https://bugzilla.novell.com/show_bug.cgi?id=622868
https://bugzilla.novell.com/show_bug.cgi?id=623393
https://bugzilla.novell.com/show_bug.cgi?id=625965
https://bugzilla.novell.com/show_bug.cgi?id=629170
https://bugzilla.novell.com/show_bug.cgi?id=630970
https://bugzilla.novell.com/show_bug.cgi?id=632317
https://bugzilla.novell.com/show_bug.cgi?id=633026
https://bugzilla.novell.com/show_bug.cgi?id=636435
https://bugzilla.novell.com/show_bug.cgi?id=638258
https://bugzilla.novell.com/show_bug.cgi?id=640850
https://bugzilla.novell.com/show_bug.cgi?id=642309
https://bugzilla.novell.com/show_bug.cgi?id=643266
https://bugzilla.novell.com/show_bug.cgi?id=643513
https://bugzilla.novell.com/show_bug.cgi?id=648647
https://bugzilla.novell.com/show_bug.cgi?id=648701
https://bugzilla.novell.com/show_bug.cgi?id=648916
https://bugzilla.novell.com/show_bug.cgi?id=649473
https://bugzilla.novell.com/show_bug.cgi?id=650067
https://bugzilla.novell.com/show_bug.cgi?id=650366
https://bugzilla.novell.com/show_bug.cgi?id=650748
https://bugzilla.novell.com/show_bug.cgi?id=651152
https://bugzilla.novell.com/show_bug.cgi?id=652391
https://bugzilla.novell.com/show_bug.cgi?id=655220
https://bugzilla.novell.com/show_bug.cgi?id=655278
https://bugzilla.novell.com/show_bug.cgi?id=655964
https://bugzilla.novell.com/show_bug.cgi?id=657248
https://bugzilla.novell.com/show_bug.cgi?id=657763
https://bugzilla.novell.com/show_bug.cgi?id=658037
https://bugzilla.novell.com/show_bug.cgi?id=658254
https://bugzilla.novell.com/show_bug.cgi?id=658337
https://bugzilla.novell.com/show_bug.cgi?id=658353
https://bugzilla.novell.com/show_bug.cgi?id=658461
https://bugzilla.novell.com/show_bug.cgi?id=658551
https://bugzilla.novell.com/show_bug.cgi?id=658720
https://bugzilla.novell.com/show_bug.cgi?id=659101
https://bugzilla.novell.com/show_bug.cgi?id=659394
https://bugzilla.novell.com/show_bug.cgi?id=659419
https://bugzilla.novell.com/show_bug.cgi?id=660546
https://bugzilla.novell.com/show_bug.cgi?id=661605
https://bugzilla.novell.com/show_bug.cgi?id=661945
https://bugzilla.novell.com/show_bug.cgi?id=662031
https://bugzilla.novell.com/show_bug.cgi?id=662192
https://bugzilla.novell.com/show_bug.cgi?id=662202
https://bugzilla.novell.com/show_bug.cgi?id=662212
https://bugzilla.novell.com/show_bug.cgi?id=662335
https://bugzilla.novell.com/show_bug.cgi?id=662340
https://bugzilla.novell.com/show_bug.cgi?id=662360
https://bugzilla.novell.com/show_bug.cgi?id=662673
https://bugzilla.novell.com/show_bug.cgi?id=662722
https://bugzilla.novell.com/show_bug.cgi?id=662800
https://bugzilla.novell.com/show_bug.cgi?id=662931
https://bugzilla.novell.com/show_bug.cgi?id=662945
https://bugzilla.novell.com/show_bug.cgi?id=663537
https://bugzilla.novell.com/show_bug.cgi?id=663582
https://bugzilla.novell.com/show_bug.cgi?id=663706
https://bugzilla.novell.com/show_bug.cgi?id=664149
https://bugzilla.novell.com/show_bug.cgi?id=664463
https://bugzilla.novell.com/show_bug.cgi?id=665480
https://bugzilla.novell.com/show_bug.cgi?id=665499
https://bugzilla.novell.com/show_bug.cgi?id=665524
https://bugzilla.novell.com/show_bug.cgi?id=665663
https://bugzilla.novell.com/show_bug.cgi?id=666012
https://bugzilla.novell.com/show_bug.cgi?id=666893
https://bugzilla.novell.com/show_bug.cgi?id=668545
https://bugzilla.novell.com/show_bug.cgi?id=668633
https://bugzilla.novell.com/show_bug.cgi?id=668929
https://bugzilla.novell.com/show_bug.cgi?id=670129
https://bugzilla.novell.com/show_bug.cgi?id=670577
https://bugzilla.novell.com/show_bug.cgi?id=670864
https://bugzilla.novell.com/show_bug.cgi?id=671256
https://bugzilla.novell.com/show_bug.cgi?id=671274
https://bugzilla.novell.com/show_bug.cgi?id=671483
https://bugzilla.novell.com/show_bug.cgi?id=672292
https://bugzilla.novell.com/show_bug.cgi?id=672492
https://bugzilla.novell.com/show_bug.cgi?id=672499
https://bugzilla.novell.com/show_bug.cgi?id=672524
https://bugzilla.novell.com/show_bug.cgi?id=674735
http://support.novell.com/security/cve/CVE-2010-2943.html
http://support.novell.com/security/cve/CVE-2010-3699.html
http://support.novell.com/security/cve/CVE-2010-3705.html
http://support.novell.com/security/cve/CVE-2010-3858.html
http://support.novell.com/security/cve/CVE-2010-3875.html
http://support.novell.com/security/cve/CVE-2010-3876.html
http://support.novell.com/security/cve/CVE-2010-3877.html
http://support.novell.com/security/cve/CVE-2010-4075.html
http://support.novell.com/security/cve/CVE-2010-4076.html
http://support.novell.com/security/cve/CVE-2010-4077.html
http://support.novell.com/security/cve/CVE-2010-4163.html
http://support.novell.com/security/cve/CVE-2010-4243.html
http://support.novell.com/security/cve/CVE-2010-4342.html
http://support.novell.com/security/cve/CVE-2010-4346.html
http://support.novell.com/security/cve/CVE-2010-4526.html
http://support.novell.com/security/cve/CVE-2010-4527.html
http://support.novell.com/security/cve/CVE-2010-4529.html
http://support.novell.com/security/cve/CVE-2010-4650.html
http://support.novell.com/security/cve/CVE-2010-4668.html
http://support.novell.com/security/cve/CVE-2011-0006.html
http://support.novell.com/security/cve/CVE-2011-0710.html
http://support.novell.com/security/cve/CVE-2011-0711.html
http://support.novell.com/security/cve/CVE-2011-0712.html

Solution :

Apply SAT patch number 4039 / 4042 / 4043 as appropriate.

Risk factor :

High / CVSS Base Score : 8.3
(CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true