SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4384 / 4386)

This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.36 and fixes various bugs and security issues.

The following security issues were fixed :

- When parsing the FAC_NATIONAL_DIGIS facilities field, it
was possible for a remote host to provide more
digipeaters than expected, resulting in heap corruption.
(CVE-2011-1493)

- (no CVE assigned at the time of this advisory): In the
  ROSE networking stack, when parsing the
  FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities
  fields, a remote host could provide a length of less
  than 10, resulting in an underflow of a memcpy size and
  a kernel panic due to massive heap corruption. A length
  greater than 20 results in a stack overflow of the
  callsign array.

- The code for evaluating OSF partitions (in
fs/partitions/osf.c) contained a bug that leaks data
from kernel heap memory to userspace for certain
corrupted OSF partitions. (CVE-2011-1163)

- An ordering bug in dccp_rcv_state_process() was fixed:
  it still permitted reception after the socket had been
  closed, so a Reset received after close caused a NULL
  pointer dereference through operations on an already
  torn-down socket. (CVE-2011-1093)

- A signedness issue in drm_modeset_ctl() could be used by
local attackers with access to the drm devices to
potentially crash the kernel or escalate privileges.
(CVE-2011-1013)

- The epoll subsystem in Linux did not prevent users from
creating circular epoll file structures, potentially
leading to a denial of service (kernel deadlock).
(CVE-2011-1082)

- Multiple buffer overflows in the caiaq Native
Instruments USB audio functionality in the Linux kernel
might have allowed attackers to cause a denial of
service or possibly have unspecified other impact via a
long USB device name, related to (1) the
snd_usb_caiaq_audio_init function in
sound/usb/caiaq/audio.c and (2) the
snd_usb_caiaq_midi_init function in
sound/usb/caiaq/midi.c. (CVE-2011-0712)

- Local attackers could send signals to their programs
  that appeared to come from the kernel, potentially
  gaining privileges in the context of setuid programs.
  (CVE-2011-1182)

- An issue in the core GRO code where an skb belonging to
an unknown VLAN is reused could result in a NULL pointer
dereference. (CVE-2011-1478)

- Specially crafted requests may be written to
/dev/sequencer resulting in an underflow when
calculating a size for a copy_from_user() operation in
the driver for MIDI interfaces. On x86, this just
returns an error, but it could have caused memory
corruption on other architectures. Other malformed
requests could have resulted in the use of uninitialized
variables. (CVE-2011-1476)
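
Added example (not code from SUSE, Tenable or the kernel) showing the length-underflow pattern behind both the ROSE facilities item above and the /dev/sequencer copy_from_user item: a length byte taken from the peer is used in `len - header` arithmetic before anyone checks that it is at least `header`, so a small value wraps to a huge copy size, and an oversized value overruns the fixed callsign buffer. The field layout, constants and function names are simplified assumptions for the demo, and the sample facilities are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for this demo (not the kernel's exact ROSE layout):
 * p[0] is the facility length l, followed by l payload bytes:
 * ADDR_LEN address bytes, (HDR_LEN - ADDR_LEN) filler bytes, then the
 * callsign, whose length is l - HDR_LEN. */
#define ADDR_LEN     5
#define HDR_LEN      10
#define CALLSIGN_MAX 10
#define FAC_MAX      (HDR_LEN + CALLSIGN_MAX)   /* 20: largest valid length */

struct nsap_facility {
    unsigned char addr[ADDR_LEN];
    char callsign[CALLSIGN_MAX + 1];          /* a stack array in the original */
};

/* The vulnerable arithmetic: l is an int read from the packet and l - HDR_LEN
 * is handed to memcpy as its size_t length. For l < HDR_LEN the negative
 * result converts to a huge size_t. Returned here instead of being used, so
 * the wrap can be observed without corrupting anything. */
size_t unchecked_copy_len(int l)
{
    return (size_t)(l - HDR_LEN);
}

/* Hardened parser: rejects lengths that do not fit the packet, that would
 * underflow the copy size, or that would overflow the callsign buffer. */
int parse_nsap_facility(const unsigned char *p, size_t avail,
                        struct nsap_facility *out)
{
    if (avail < 1)
        return -1;
    int l = p[0];
    if ((size_t)l + 1 > avail)     /* facility must lie inside the packet */
        return -1;
    if (l < HDR_LEN)               /* would make l - HDR_LEN negative */
        return -1;
    if (l > FAC_MAX)               /* callsign would exceed CALLSIGN_MAX */
        return -1;
    size_t cs_len = (size_t)(l - HDR_LEN);
    memcpy(out->addr, p + 1, ADDR_LEN);
    memcpy(out->callsign, p + 1 + HDR_LEN, cs_len);
    out->callsign[cs_len] = '\0';
    return 0;
}

/* Returns the parsed callsign, or NULL if the facility was rejected. */
const char *facility_callsign(const unsigned char *p, size_t avail)
{
    static struct nsap_facility f;
    return parse_nsap_facility(p, avail, &f) == 0 ? f.callsign : NULL;
}

/* Constructed sample facilities (not captured traffic). */
static const unsigned char GOOD_FAC[] = {
    17, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0, 0, 0,
    'N', '0', 'C', 'A', 'L', 'L', '1' };                 /* l = 17, valid */
static const unsigned char SHORT_FAC[] = { 3, 'a', 'b', 'c' };   /* l < 10 */
static const unsigned char LONG_FAC[] = {
    25, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 0, 0, 0, 0,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A' };                           /* l > 20 */

int main(void)
{
    printf("l=3: unchecked copy size would be %zu bytes\n",
           unchecked_copy_len(3));
    const char *cs = facility_callsign(GOOD_FAC, sizeof GOOD_FAC);
    printf("good facility -> callsign %s\n", cs ? cs : "(rejected)");
    printf("short facility -> %s\n",
           facility_callsign(SHORT_FAC, sizeof SHORT_FAC) ? "accepted" : "rejected");
    printf("long facility -> %s\n",
           facility_callsign(LONG_FAC, sizeof LONG_FAC) ? "accepted" : "rejected");
    return 0;
}
```

The order of the checks matters: the packet-bounds test comes first so the later reads cannot run past the buffer, and both the lower and the upper bound are tested against the length before it feeds any size computation. The /dev/sequencer case in the advisory is the same shape with the size going to copy_from_user instead of memcpy.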

- Due to a failure to validate user-supplied indexes in
the driver for Yamaha YM3812 and OPL-3 chips, a
specially crafted ioctl request could have been sent to
/dev/sequencer, resulting in reading and writing beyond
the bounds of heap buffers, and potentially allowing
privilege escalation. (CVE-2011-1477)

- An information leak in the XFS geometry calls could be
  used by local attackers to gain access to kernel
  information. (CVE-2011-0191)

- A page allocator issue in NFS v4 ACL handling that could
lead to a denial of service (crash) was fixed.
(CVE-2011-1090)

- net/ipv4/inet_diag.c in the Linux kernel did not
properly audit INET_DIAG bytecode, which allowed local
users to cause a denial of service (kernel infinite
loop) via crafted INET_DIAG_REQ_BYTECODE instructions in
a netlink message that contains multiple attribute
elements, as demonstrated by INET_DIAG_BC_JMP
instructions. (CVE-2010-3880)

- Fixed a buffer size issue in 'usb iowarrior' module,
where a malicious device could overflow a kernel buffer.
(CVE-2010-4656)

- The dvb_ca_ioctl function in
drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel
did not check the sign of a certain integer field, which
allowed local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact
via a negative value. (CVE-2011-0521)
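
Added example (not kernel, SUSE or Tenable code) of the signed-index pattern behind the OPL-3 /dev/sequencer item, the dvb_ca_ioctl item above and the drm_modeset_ctl signedness issue: an int index copied in from an ioctl request is compared only against the table size, so a negative value passes and addresses memory before the array. The table size, the handler names and the table itself are assumptions for the demo.

```c
#include <errno.h>
#include <stdio.h>

#define NUM_VOICES 18          /* assumed size of the driver's per-voice table */

static int voice_table[NUM_VOICES];

/* Vulnerable validation, the pattern the advisory describes: only the upper
 * bound is tested, so voice == -5 is accepted and voice_table[-5] would be
 * read or written. Returns the index the handler would go on to use. */
int vulnerable_validate(int voice)
{
    if (voice >= NUM_VOICES)
        return -EINVAL;
    return voice;
}

/* Hardened validation: the negative half of the int range is rejected. */
int hardened_validate(int voice)
{
    if (voice < 0 || voice >= NUM_VOICES)
        return -EINVAL;
    return voice;
}

/* Equivalent single-compare form: a negative int converts to a value above
 * NUM_VOICES once viewed as unsigned, so one comparison covers both bounds. */
int hardened_validate_unsigned(int voice)
{
    if ((unsigned int)voice >= NUM_VOICES)
        return -EINVAL;
    return voice;
}

/* Ioctl-style handlers built on the hardened check. 0 / value on success,
 * -EINVAL on a bad index, mirroring how a kernel ioctl reports errors. */
int set_voice(int voice, int value)
{
    int idx = hardened_validate(voice);
    if (idx < 0)
        return idx;
    voice_table[idx] = value;
    return 0;
}

int get_voice(int voice)
{
    int idx = hardened_validate(voice);
    return idx < 0 ? idx : voice_table[idx];
}

int main(void)
{
    printf("vulnerable check, voice=-5 -> %d (accepted as an index)\n",
           vulnerable_validate(-5));
    printf("hardened check, voice=-5  -> %d (-EINVAL)\n",
           hardened_validate(-5));
    printf("set_voice(3, 42) -> %d, get_voice(3) -> %d\n",
           set_voice(3, 42), get_voice(3));
    printf("set_voice(%d, 1) -> %d\n", NUM_VOICES, set_voice(NUM_VOICES, 1));
    return 0;
}
```

When reviewing ioctl handlers, look for every index or count that arrives as a signed type and trace it to the comparison that guards the array access; a `>=` against the size alone is the tell. Storing the field as unsigned at the copy-in boundary, or using the cast form above, removes the negative case entirely.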

- In the IrDA module, length fields provided by a peer for
  names and attributes may exceed the destination array
  sizes and were not checked; this allowed local attackers
  (close to the IrDA port) to potentially corrupt memory.
  (CVE-2011-1180)

- A system out of memory condition (denial of service)
could be triggered with a large socket backlog,
exploitable by local users. This has been addressed by
backlog limiting. (CVE-2010-4251)

- The Radeon GPU drivers in the Linux kernel did not
properly validate data related to the AA resolve
registers, which allowed local users to write to
arbitrary memory locations associated with (1) Video RAM
(aka VRAM) or (2) the Graphics Translation Table (GTT)
via crafted values. (CVE-2011-1016)

- Bounds checking was missing in AARESOLVE_OFFSET, which
  allowed local attackers to overwrite kernel memory and
  so escalate privileges or crash the kernel.
  (CVE-2011-1573)

See also :

https://bugzilla.novell.com/show_bug.cgi?id=558740
https://bugzilla.novell.com/show_bug.cgi?id=566768
https://bugzilla.novell.com/show_bug.cgi?id=620929
https://bugzilla.novell.com/show_bug.cgi?id=622597
https://bugzilla.novell.com/show_bug.cgi?id=622868
https://bugzilla.novell.com/show_bug.cgi?id=629170
https://bugzilla.novell.com/show_bug.cgi?id=632317
https://bugzilla.novell.com/show_bug.cgi?id=637377
https://bugzilla.novell.com/show_bug.cgi?id=643266
https://bugzilla.novell.com/show_bug.cgi?id=644630
https://bugzilla.novell.com/show_bug.cgi?id=649473
https://bugzilla.novell.com/show_bug.cgi?id=650545
https://bugzilla.novell.com/show_bug.cgi?id=651599
https://bugzilla.novell.com/show_bug.cgi?id=654169
https://bugzilla.novell.com/show_bug.cgi?id=655973
https://bugzilla.novell.com/show_bug.cgi?id=656219
https://bugzilla.novell.com/show_bug.cgi?id=656587
https://bugzilla.novell.com/show_bug.cgi?id=658413
https://bugzilla.novell.com/show_bug.cgi?id=660507
https://bugzilla.novell.com/show_bug.cgi?id=663313
https://bugzilla.novell.com/show_bug.cgi?id=663513
https://bugzilla.novell.com/show_bug.cgi?id=666836
https://bugzilla.novell.com/show_bug.cgi?id=666842
https://bugzilla.novell.com/show_bug.cgi?id=667766
https://bugzilla.novell.com/show_bug.cgi?id=668101
https://bugzilla.novell.com/show_bug.cgi?id=668895
https://bugzilla.novell.com/show_bug.cgi?id=668896
https://bugzilla.novell.com/show_bug.cgi?id=668898
https://bugzilla.novell.com/show_bug.cgi?id=669058
https://bugzilla.novell.com/show_bug.cgi?id=669571
https://bugzilla.novell.com/show_bug.cgi?id=669889
https://bugzilla.novell.com/show_bug.cgi?id=670154
https://bugzilla.novell.com/show_bug.cgi?id=670615
https://bugzilla.novell.com/show_bug.cgi?id=670979
https://bugzilla.novell.com/show_bug.cgi?id=671296
https://bugzilla.novell.com/show_bug.cgi?id=671943
https://bugzilla.novell.com/show_bug.cgi?id=672453
https://bugzilla.novell.com/show_bug.cgi?id=672499
https://bugzilla.novell.com/show_bug.cgi?id=672505
https://bugzilla.novell.com/show_bug.cgi?id=673516
https://bugzilla.novell.com/show_bug.cgi?id=673934
https://bugzilla.novell.com/show_bug.cgi?id=674549
https://bugzilla.novell.com/show_bug.cgi?id=674691
https://bugzilla.novell.com/show_bug.cgi?id=674693
https://bugzilla.novell.com/show_bug.cgi?id=675115
https://bugzilla.novell.com/show_bug.cgi?id=675963
https://bugzilla.novell.com/show_bug.cgi?id=676202
https://bugzilla.novell.com/show_bug.cgi?id=676419
https://bugzilla.novell.com/show_bug.cgi?id=677286
https://bugzilla.novell.com/show_bug.cgi?id=677391
https://bugzilla.novell.com/show_bug.cgi?id=677398
https://bugzilla.novell.com/show_bug.cgi?id=677563
https://bugzilla.novell.com/show_bug.cgi?id=677676
https://bugzilla.novell.com/show_bug.cgi?id=677783
https://bugzilla.novell.com/show_bug.cgi?id=678466
https://bugzilla.novell.com/show_bug.cgi?id=679545
https://bugzilla.novell.com/show_bug.cgi?id=679588
https://bugzilla.novell.com/show_bug.cgi?id=679812
https://bugzilla.novell.com/show_bug.cgi?id=680845
https://bugzilla.novell.com/show_bug.cgi?id=681175
https://bugzilla.novell.com/show_bug.cgi?id=681497
https://bugzilla.novell.com/show_bug.cgi?id=681826
https://bugzilla.novell.com/show_bug.cgi?id=68199
https://bugzilla.novell.com/show_bug.cgi?id=682333
https://bugzilla.novell.com/show_bug.cgi?id=682940
https://bugzilla.novell.com/show_bug.cgi?id=682941
https://bugzilla.novell.com/show_bug.cgi?id=682965
https://bugzilla.novell.com/show_bug.cgi?id=683569
https://bugzilla.novell.com/show_bug.cgi?id=684085
https://bugzilla.novell.com/show_bug.cgi?id=684248
https://bugzilla.novell.com/show_bug.cgi?id=686813
http://support.novell.com/security/cve/CVE-2010-3880.html
http://support.novell.com/security/cve/CVE-2010-4251.html
http://support.novell.com/security/cve/CVE-2010-4656.html
http://support.novell.com/security/cve/CVE-2011-0191.html
http://support.novell.com/security/cve/CVE-2011-0521.html
http://support.novell.com/security/cve/CVE-2011-0712.html
http://support.novell.com/security/cve/CVE-2011-1013.html
http://support.novell.com/security/cve/CVE-2011-1016.html
http://support.novell.com/security/cve/CVE-2011-1082.html
http://support.novell.com/security/cve/CVE-2011-1090.html
http://support.novell.com/security/cve/CVE-2011-1093.html
http://support.novell.com/security/cve/CVE-2011-1163.html
http://support.novell.com/security/cve/CVE-2011-1180.html
http://support.novell.com/security/cve/CVE-2011-1182.html
http://support.novell.com/security/cve/CVE-2011-1476.html
http://support.novell.com/security/cve/CVE-2011-1477.html
http://support.novell.com/security/cve/CVE-2011-1478.html
http://support.novell.com/security/cve/CVE-2011-1493.html
http://support.novell.com/security/cve/CVE-2011-1573.html

Solution :

Apply SAT patch number 4384 / 4386 as appropriate.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)