SuSE9 Security Update : Linux kernel (YOU Patch Number 12636)

Critical Nessus Plugin ID 48901


The remote SuSE 9 host is missing a security-related patch.


This update fixes various security issues and some bugs in the SUSE Linux Enterprise 9 kernel.

The following security issues were fixed :

- A crafted NFS write request might have caused a buffer overwrite, potentially causing a kernel crash.

- The x86_64 copy_to_user implementation might have leaked kernel memory depending on specific user buffer setups.

- drivers/net/r8169.c in the r8169 driver in the Linux kernel did not properly check the size of an Ethernet frame that exceeds the MTU, which allows remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.

- Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 when IPV6_RECVPKTINFO is set on a listening socket, allowed remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled causes the skb structure to be freed. (CVE-2010-1188)

- The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation in the Linux kernel did not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allowed local users to cause a denial of service ('overflow' of the UBIFS orphan area) via a series of attempted file creations within deleted directories. (CVE-2008-3275)

- The nfs_lock function in fs/nfs/file.c in the Linux kernel did not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on an NFS filesystem and then changing this files permissions, a related issue to CVE-2010-0727. (CVE-2007-6733)

- The do_coredump function in fs/exec.c in Linux kernel did not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might have allowed local users to obtain sensitive information. (CVE-2007-6206)

- fs/namei.c in the Linux kernel did not always follow NFS automount 'symlinks,' which allowed attackers to have an unknown impact, related to LOOKUP_FOLLOW.

- Stack-based buffer overflow in the hfs subsystem in the Linux kernel allowed remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c. (CVE-2009-4020)

- The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel did not clear the transfer buffer before returning to userspace when a USB command fails, which might have made it easier for physically proximate attackers to obtain sensitive information (kernel memory). (CVE-2010-1083)


Apply YOU patch number 12636.

See Also

Plugin Details

Severity: Critical

ID: 48901

File Name: suse9_12636.nasl

Version: $Revision: 1.9 $

Type: local

Agent: unix

Published: 2010/08/27

Modified: 2016/12/21

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2010/08/17

Reference Information

CVE: CVE-2007-6206, CVE-2007-6733, CVE-2008-0598, CVE-2008-3275, CVE-2009-1389, CVE-2009-4020, CVE-2009-4537, CVE-2010-0727, CVE-2010-1083, CVE-2010-1088, CVE-2010-1188, CVE-2010-2521

CWE: 16, 20, 119, 200, 399