openSUSE Security Update : kernel-debug (openSUSE-SU-2011:0003-1)

This script is Copyright (C) 2011-2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update of the openSUSE 11.2 kernel fixes various bugs and lots of
security issues.

The following security issues have been fixed: CVE-2010-4258: A local
attacker could use an Oops (kernel crash) caused by other flaws to
write a 0 byte to an attacker-controlled address in the kernel. This
could lead to privilege escalation together with other issues.

CVE-2010-4160: An overflow in the sendto() and recvfrom() routines was
fixed that could be used by local attackers to potentially crash the
kernel using some socket families such as L2TP.

CVE-2010-4157: A 32-bit vs. 64-bit integer mismatch in gdth_ioctl_alloc
could lead to memory corruption in the GDTH driver.

CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the
Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values,
which allows local users to cause a denial of service (OOPS) via a
setsockopt call that specifies a small value, leading to a
divide-by-zero error or incorrect use of a signed integer.

CVE-2010-4164: A remote (or local) attacker communicating over X.25
could cause a kernel panic by attempting to negotiate malformed
facilities.

CVE-2010-4175: A local attacker could cause memory overruns in the RDS
protocol stack, potentially crashing the kernel. So far it is
considered not to be exploitable.

CVE-2010-3874: A minor heap overflow in the CAN network module was
fixed. Due to the nature of the memory allocator it is likely not
exploitable.

CVE-2010-4158: A memory information leak in Berkeley packet filter
rules allowed local attackers to read uninitialized memory of the
kernel stack.

CVE-2010-4162: A local denial of service in the block device layer was
fixed.

CVE-2010-4163: By submitting certain I/O requests with 0 length, a
local user could have caused a kernel panic.

CVE-2010-3861: The ethtool_get_rxnfc function in net/core/ethtool.c in
the Linux kernel did not initialize a certain block of heap memory,
which allowed local users to obtain potentially sensitive information
via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt
value.

CVE-2010-3442: Multiple integer overflows in the snd_ctl_new function
in sound/core/control.c in the Linux kernel allowed local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or
(2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

CVE-2010-3437: A range-checking overflow in the pktcdvd ioctl was fixed.

CVE-2010-4078: The sisfb_ioctl function in
drivers/video/sis/sis_main.c in the Linux kernel did not properly
initialize a certain structure member, which allowed local users to
obtain potentially sensitive information from kernel stack memory via
an FBIOGET_VBLANK ioctl call.

CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in
sound/pci/rme9652/hdsp.c in the Linux kernel did not initialize a
certain structure, which allowed local users to obtain potentially
sensitive information from kernel stack memory via an
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.

CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in
sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize a
certain structure, which allowed local users to obtain potentially
sensitive information from kernel stack memory via an
SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.

CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
drivers/video/via/ioctl.c in the Linux kernel did not properly
initialize a certain structure member, which allowed local users to
obtain potentially sensitive information from kernel stack memory via
a VIAFB_GET_INFO ioctl call.

CVE-2010-3067: Integer overflow in the do_io_submit function in
fs/aio.c in the Linux kernel allowed local users to cause a denial of
service or possibly have unspecified other impact via crafted use of
the io_submit system call.

CVE-2010-3865: An iovec integer overflow in RDS sockets was fixed which
could lead to local attackers gaining kernel privileges.

See also :

http://lists.opensuse.org/opensuse-updates/2011-01/msg00001.html
https://bugzilla.novell.com/show_bug.cgi?id=642043
https://bugzilla.novell.com/show_bug.cgi?id=642302
https://bugzilla.novell.com/show_bug.cgi?id=642311
https://bugzilla.novell.com/show_bug.cgi?id=642313
https://bugzilla.novell.com/show_bug.cgi?id=642484
https://bugzilla.novell.com/show_bug.cgi?id=642486
https://bugzilla.novell.com/show_bug.cgi?id=645659
https://bugzilla.novell.com/show_bug.cgi?id=649187
https://bugzilla.novell.com/show_bug.cgi?id=650128
https://bugzilla.novell.com/show_bug.cgi?id=651218
https://bugzilla.novell.com/show_bug.cgi?id=652563
https://bugzilla.novell.com/show_bug.cgi?id=652939
https://bugzilla.novell.com/show_bug.cgi?id=652940
https://bugzilla.novell.com/show_bug.cgi?id=652945
https://bugzilla.novell.com/show_bug.cgi?id=653258
https://bugzilla.novell.com/show_bug.cgi?id=653260
https://bugzilla.novell.com/show_bug.cgi?id=654581
https://bugzilla.novell.com/show_bug.cgi?id=657350

Solution :

Update the affected kernel-debug packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Public Exploit Available : true