SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4884 / 4888 / 4889)

This script is Copyright (C) 2011-2013 Tenable Network Security, Inc.


Synopsis :

The remote SuSE 11 host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
2.6.32.43 and fixes various bugs and security issues.

The following security issues were fixed :

- The normal mmap paths all avoid creating a mapping where
the pgoff inside the mapping could wrap around due to
overflow. However, an expanding mremap() can take such a
non-wrapping mapping and make it bigger and cause a
wrapping condition. (CVE-2011-2496)

- A local unprivileged user able to access an NFS
filesystem could use file locking to deadlock parts of
an NFS server under some circumstances. (CVE-2011-2491)

- Fixed a race between ksmd and other memory management
code, which could result in a NULL ptr dereference and
kernel crash. (CVE-2011-2183)

- In both trigger_scan and sched_scan operations, the
SSID length was checked before the value had been
assigned correctly. Since the memory had just been
kzalloc'ed, the check always failed and SSIDs of more
than 32 characters were allowed through. Exploiting this
required CAP_NET_ADMIN privileges.
(CVE-2011-2517)

- A malicious user or buggy application could inject
diagnosing byte code and trigger an infinite loop in
inet_diag_bc_audit(). (CVE-2011-2213)

- The code for evaluating LDM partitions (in
fs/partitions/ldm.c) contained bugs that could crash the
kernel for certain corrupted LDM partitions.
(CVE-2011-1017 / CVE-2011-1012 / CVE-2011-2182)

- Multiple integer overflows in the next_pidmap function
in kernel/pid.c in the Linux kernel allowed local users
to cause a denial of service (system crash) via a
crafted (1) getdents or (2) readdir system call.
(CVE-2011-1593)

- The proc filesystem implementation in the Linux kernel
did not restrict access to the /proc directory tree of a
process after this process performs an exec of a setuid
program, which allowed local users to obtain sensitive
information or cause a denial of service via open,
lseek, read, and write system calls. (CVE-2011-1020)

- When using a setuid root mount.cifs, local users could
hijack password protected mounted CIFS shares of other
local users. (CVE-2011-1585)

- Kernel information exposed via the TPM devices could be
used by local attackers to read kernel memory. (CVE-2011-1160)

- The Linux kernel automatically evaluated partition
tables of storage devices. The code for evaluating EFI
GUID partitions (in fs/partitions/efi.c) contained a bug
that causes a kernel oops on certain corrupted GUID
partition tables, which might be used by local attackers
to crash the kernel or potentially execute code.
(CVE-2011-1577)

- In a bluetooth ioctl, struct sco_conninfo has one
padding byte at the end. The local variable cinfo of type
sco_conninfo was copied to userspace with this one byte
uninitialized, leaking old stack contents.
(CVE-2011-1078)

- In a bluetooth ioctl, struct ca is copied from
userspace. It was not checked whether the 'device' field
was NULL terminated. This potentially leads to BUG()
inside of alloc_netdev_mqs() and/or information leak by
creating a device with a name made of contents of kernel
stack. (CVE-2011-1079)

- In ebtables rule loading, struct tmp is copied from
userspace. It was not checked whether the 'name' field
was NULL terminated. This may have led to a buffer
overflow and to contents of the kernel stack being passed
as a module name to try_then_request_module() and,
consequently, onto the modprobe command line, where they
would be visible to all userspace processes. (CVE-2011-1080)

- The econet_sendmsg function in net/econet/af_econet.c in
the Linux kernel on the x86_64 platform allowed remote
attackers to obtain potentially sensitive information
from kernel stack memory by reading uninitialized data
in the ah field of an Acorn Universal Networking (AUN)
packet. (CVE-2011-1173)

- net/ipv4/netfilter/arp_tables.c in the IPv4
implementation in the Linux kernel did not place the
expected '0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability
to issue a crafted request, and then reading the
argument to the resulting modprobe process.
(CVE-2011-1170)

- net/ipv4/netfilter/ip_tables.c in the IPv4
implementation in the Linux kernel did not place the
expected '0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability
to issue a crafted request, and then reading the
argument to the resulting modprobe process.
(CVE-2011-1171)

- net/ipv6/netfilter/ip6_tables.c in the IPv6
implementation in the Linux kernel did not place the
expected '0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability
to issue a crafted request, and then reading the
argument to the resulting modprobe process.
(CVE-2011-1172)
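Several of the items above (the bluetooth 'device' field, the ebtables 'name' field, and the arp_tables / ip_tables / ip6_tables string members, plus the sco_conninfo padding byte) share two defensive patterns: never assume a fixed-size char array received from userspace is NUL terminated, and zero any structure before copying it out so padding bytes carry no stale stack contents. The following userspace C program is an added illustration of those two checks; it is not code from the kernel, from SUSE, or from Tenable, and the struct layouts, the NAME_LEN limit and all function names are assumptions chosen for the example rather than the kernel's real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field width for the example; the kernel's real limits
 * (IFNAMSIZ, module name length, ...) are not taken from the advisory. */
#define NAME_LEN 16

/* Stand-in for a request struct copied in from userspace.  The kernel
 * must not assume the 'name' array contains a terminating NUL. */
struct user_request {
    char name[NAME_LEN];
    int  flags;
};

/* Stand-in for an info struct copied out to userspace.  On most ABIs
 * three padding bytes follow 'state'; those bytes are what leaks if the
 * object is not zeroed before being filled. */
struct conn_info {
    int           handle;
    unsigned char state;
};

/* Returns 1 if buf[0..len) contains a NUL terminator, else 0.  memchr is
 * bounded by len, unlike strlen, so it never reads past the array. */
int name_is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Hardened variant: reject the request instead of forwarding an
 * unterminated name to a string-consuming consumer (e.g. a modprobe call). */
int accept_request(const struct user_request *req)
{
    if (!name_is_terminated(req->name, sizeof req->name))
        return -1;                     /* -EINVAL in kernel terms */
    return 0;
}

/* Fill an outbound struct.  Zeroing the whole object first guarantees the
 * padding bytes hold no leftover stack contents when copied to userspace. */
void fill_conn_info(struct conn_info *out, int handle, unsigned char state)
{
    memset(out, 0, sizeof *out);
    out->handle = handle;
    out->state  = state;
}

/* Count non-zero bytes located after the last named field, i.e. in the
 * trailing padding.  After fill_conn_info this must be 0. */
size_t count_nonzero_padding(const struct conn_info *ci)
{
    const unsigned char *p = (const unsigned char *)ci;
    size_t field_end = offsetof(struct conn_info, state) + sizeof ci->state;
    size_t n = 0;
    for (size_t i = field_end; i < sizeof *ci; i++)
        if (p[i] != 0)
            n++;
    return n;
}

/* Scenario: constructed request whose name has no NUL at all. */
int demo_unterminated_rejected(void)
{
    struct user_request req;
    memset(req.name, 'A', sizeof req.name);
    req.flags = 0;
    return accept_request(&req);       /* expected -1 */
}

/* Scenario: constructed request with a properly terminated name. */
int demo_terminated_accepted(void)
{
    struct user_request req = { "eth0", 0 };
    return accept_request(&req);       /* expected 0 */
}

/* Scenario: simulate stale stack contents (0xAB) in the object before it is
 * filled, then check that no padding byte survives the zeroing. */
size_t demo_padding_bytes_leaked(void)
{
    struct conn_info ci;
    memset(&ci, 0xAB, sizeof ci);
    fill_conn_info(&ci, 7, 2);
    return count_nonzero_padding(&ci); /* expected 0 */
}

int main(void)
{
    printf("unterminated name rejected: %d\n", demo_unterminated_rejected());
    printf("terminated name accepted:   %d\n", demo_terminated_accepted());
    printf("padding bytes leaked:       %zu\n", demo_padding_bytes_leaked());
    return 0;
}
```

The same two checks apply to any ioctl or netlink path that takes a fixed-width string from the caller or hands a structure back: bound the terminator search by the array size, and clear the object (not just its named fields) before copy_to_user.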

- Multiple integer overflows in the (1)
agp_allocate_memory and (2) agp_create_user_memory
functions in drivers/char/agp/generic.c in the Linux
kernel before allowed local users to trigger buffer
overflows, and consequently cause a denial of service
(system crash) or possibly have unspecified other
impact, via vectors related to calls that specify a
large number of memory pages. (CVE-2011-1746)

- Integer overflow in the agp_generic_insert_memory
function in drivers/char/agp/generic.c in the Linux
kernel allowed local users to gain privileges or cause a
denial of service (system crash) via a crafted
AGPIOC_BIND agp_ioctl ioctl call. (CVE-2011-1745)

- The bcm_release function in net/can/bcm.c in the Linux
kernel did not properly validate a socket data
structure, which allowed local users to cause a denial
of service (NULL pointer dereference) or possibly have
unspecified other impact via a crafted release
operation. (CVE-2011-1598)

- The raw_release function in net/can/raw.c in the Linux
kernel did not properly validate a socket data
structure, which allowed local users to cause a denial of
service (NULL pointer dereference) or possibly have
unspecified other impact via a crafted release
operation. (CVE-2011-1748)

See also :

https://bugzilla.novell.com/show_bug.cgi?id=466279
https://bugzilla.novell.com/show_bug.cgi?id=584493
https://bugzilla.novell.com/show_bug.cgi?id=626119
https://bugzilla.novell.com/show_bug.cgi?id=638985
https://bugzilla.novell.com/show_bug.cgi?id=649000
https://bugzilla.novell.com/show_bug.cgi?id=650545
https://bugzilla.novell.com/show_bug.cgi?id=653850
https://bugzilla.novell.com/show_bug.cgi?id=654501
https://bugzilla.novell.com/show_bug.cgi?id=655973
https://bugzilla.novell.com/show_bug.cgi?id=662432
https://bugzilla.novell.com/show_bug.cgi?id=663513
https://bugzilla.novell.com/show_bug.cgi?id=666423
https://bugzilla.novell.com/show_bug.cgi?id=667226
https://bugzilla.novell.com/show_bug.cgi?id=668483
https://bugzilla.novell.com/show_bug.cgi?id=668927
https://bugzilla.novell.com/show_bug.cgi?id=669889
https://bugzilla.novell.com/show_bug.cgi?id=670465
https://bugzilla.novell.com/show_bug.cgi?id=670816
https://bugzilla.novell.com/show_bug.cgi?id=670868
https://bugzilla.novell.com/show_bug.cgi?id=674648
https://bugzilla.novell.com/show_bug.cgi?id=674982
https://bugzilla.novell.com/show_bug.cgi?id=676601
https://bugzilla.novell.com/show_bug.cgi?id=676602
https://bugzilla.novell.com/show_bug.cgi?id=677443
https://bugzilla.novell.com/show_bug.cgi?id=677563
https://bugzilla.novell.com/show_bug.cgi?id=678728
https://bugzilla.novell.com/show_bug.cgi?id=680040
https://bugzilla.novell.com/show_bug.cgi?id=680845
https://bugzilla.novell.com/show_bug.cgi?id=681180
https://bugzilla.novell.com/show_bug.cgi?id=681181
https://bugzilla.novell.com/show_bug.cgi?id=681182
https://bugzilla.novell.com/show_bug.cgi?id=681185
https://bugzilla.novell.com/show_bug.cgi?id=681186
https://bugzilla.novell.com/show_bug.cgi?id=681639
https://bugzilla.novell.com/show_bug.cgi?id=682076
https://bugzilla.novell.com/show_bug.cgi?id=682251
https://bugzilla.novell.com/show_bug.cgi?id=682319
https://bugzilla.novell.com/show_bug.cgi?id=682482
https://bugzilla.novell.com/show_bug.cgi?id=682567
https://bugzilla.novell.com/show_bug.cgi?id=683107
https://bugzilla.novell.com/show_bug.cgi?id=683282
https://bugzilla.novell.com/show_bug.cgi?id=684297
https://bugzilla.novell.com/show_bug.cgi?id=684472
https://bugzilla.novell.com/show_bug.cgi?id=684852
https://bugzilla.novell.com/show_bug.cgi?id=684927
https://bugzilla.novell.com/show_bug.cgi?id=685226
https://bugzilla.novell.com/show_bug.cgi?id=685276
https://bugzilla.novell.com/show_bug.cgi?id=686325
https://bugzilla.novell.com/show_bug.cgi?id=686404
https://bugzilla.novell.com/show_bug.cgi?id=686412
https://bugzilla.novell.com/show_bug.cgi?id=686921
https://bugzilla.novell.com/show_bug.cgi?id=686980
https://bugzilla.novell.com/show_bug.cgi?id=687113
https://bugzilla.novell.com/show_bug.cgi?id=687478
https://bugzilla.novell.com/show_bug.cgi?id=687759
https://bugzilla.novell.com/show_bug.cgi?id=687760
https://bugzilla.novell.com/show_bug.cgi?id=687789
https://bugzilla.novell.com/show_bug.cgi?id=688326
https://bugzilla.novell.com/show_bug.cgi?id=688432
https://bugzilla.novell.com/show_bug.cgi?id=688685
https://bugzilla.novell.com/show_bug.cgi?id=689041
https://bugzilla.novell.com/show_bug.cgi?id=689290
https://bugzilla.novell.com/show_bug.cgi?id=689596
https://bugzilla.novell.com/show_bug.cgi?id=689746
https://bugzilla.novell.com/show_bug.cgi?id=689797
https://bugzilla.novell.com/show_bug.cgi?id=690683
https://bugzilla.novell.com/show_bug.cgi?id=691216
https://bugzilla.novell.com/show_bug.cgi?id=691269
https://bugzilla.novell.com/show_bug.cgi?id=691408
https://bugzilla.novell.com/show_bug.cgi?id=691536
https://bugzilla.novell.com/show_bug.cgi?id=691538
https://bugzilla.novell.com/show_bug.cgi?id=691632
https://bugzilla.novell.com/show_bug.cgi?id=691633
https://bugzilla.novell.com/show_bug.cgi?id=691693
https://bugzilla.novell.com/show_bug.cgi?id=691829
https://bugzilla.novell.com/show_bug.cgi?id=692343
https://bugzilla.novell.com/show_bug.cgi?id=692454
https://bugzilla.novell.com/show_bug.cgi?id=692459
https://bugzilla.novell.com/show_bug.cgi?id=692460
https://bugzilla.novell.com/show_bug.cgi?id=692502
https://bugzilla.novell.com/show_bug.cgi?id=693013
https://bugzilla.novell.com/show_bug.cgi?id=693149
https://bugzilla.novell.com/show_bug.cgi?id=693374
https://bugzilla.novell.com/show_bug.cgi?id=693382
https://bugzilla.novell.com/show_bug.cgi?id=693636
https://bugzilla.novell.com/show_bug.cgi?id=696107
https://bugzilla.novell.com/show_bug.cgi?id=696586
https://bugzilla.novell.com/show_bug.cgi?id=697181
https://bugzilla.novell.com/show_bug.cgi?id=697901
https://bugzilla.novell.com/show_bug.cgi?id=698221
https://bugzilla.novell.com/show_bug.cgi?id=698247
https://bugzilla.novell.com/show_bug.cgi?id=698604
https://bugzilla.novell.com/show_bug.cgi?id=699946
https://bugzilla.novell.com/show_bug.cgi?id=700401
https://bugzilla.novell.com/show_bug.cgi?id=700879
https://bugzilla.novell.com/show_bug.cgi?id=701170
https://bugzilla.novell.com/show_bug.cgi?id=701622
https://bugzilla.novell.com/show_bug.cgi?id=701977
https://bugzilla.novell.com/show_bug.cgi?id=702013
https://bugzilla.novell.com/show_bug.cgi?id=702285
https://bugzilla.novell.com/show_bug.cgi?id=703013
https://bugzilla.novell.com/show_bug.cgi?id=703410
https://bugzilla.novell.com/show_bug.cgi?id=703490
https://bugzilla.novell.com/show_bug.cgi?id=703786
http://support.novell.com/security/cve/CVE-2011-1012.html
http://support.novell.com/security/cve/CVE-2011-1017.html
http://support.novell.com/security/cve/CVE-2011-1020.html
http://support.novell.com/security/cve/CVE-2011-1078.html
http://support.novell.com/security/cve/CVE-2011-1079.html
http://support.novell.com/security/cve/CVE-2011-1080.html
http://support.novell.com/security/cve/CVE-2011-1160.html
http://support.novell.com/security/cve/CVE-2011-1170.html
http://support.novell.com/security/cve/CVE-2011-1171.html
http://support.novell.com/security/cve/CVE-2011-1172.html
http://support.novell.com/security/cve/CVE-2011-1173.html
http://support.novell.com/security/cve/CVE-2011-1577.html
http://support.novell.com/security/cve/CVE-2011-1585.html
http://support.novell.com/security/cve/CVE-2011-1593.html
http://support.novell.com/security/cve/CVE-2011-1598.html
http://support.novell.com/security/cve/CVE-2011-1745.html
http://support.novell.com/security/cve/CVE-2011-1746.html
http://support.novell.com/security/cve/CVE-2011-1748.html
http://support.novell.com/security/cve/CVE-2011-2182.html
http://support.novell.com/security/cve/CVE-2011-2183.html
http://support.novell.com/security/cve/CVE-2011-2213.html
http://support.novell.com/security/cve/CVE-2011-2491.html
http://support.novell.com/security/cve/CVE-2011-2496.html
http://support.novell.com/security/cve/CVE-2011-2517.html

Solution :

Apply SAT patch number 4884 / 4888 / 4889 as appropriate.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)