SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7257)
High Nessus Plugin ID 51158
SynopsisThe remote SuSE 10 host is missing a security-related patch.
DescriptionThis kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs.
The following security issues were fixed :
- Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442)
- Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)
- Uninitialized stack memory disclosure in the FBIOGET_VBLANK ioctl in the sis and ivtv drivers could leak kernel memory to userspace. (CVE-2010-4078)
- Uninitialized stack memory disclosure in the rme9652 ALSA driver could leak kernel memory to userspace.
(CVE-2010-4080 / CVE-2010-4081)
- Uninitialized stack memory disclosure in the SystemV IPC handling functions could leak kernel memory to userspace. (CVE-2010-4073 / CVE-2010-4072 / CVE-2010-4083)
- Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067)
- Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310)
- The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226)
- fs/jfs/xattr.c in the Linux kernel did not properly handle a certain legacy format for storage of extended attributes, which might have allowed local users by bypass intended xattr namespace restrictions via an 'os2.' substring at the beginning of a name.
- The actions implementation in the network queueing functionality in the Linux kernel did not properly initialize certain structure members when performing dump operations, which allowed local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c. (CVE-2010-2942)
- fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel allowed remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)
- A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver.
- A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities. (CVE-2010-4164)
- A missing lock prefix in the x86 futex code could be used by local attackers to cause a denial of service.
- A memory information leak in berkely packet filter rules allowed local attackers to read uninitialized memory of the kernel stack. (CVE-2010-4158)
- A local denial of service in the blockdevice layer was fixed. (CVE-2010-4162)
SolutionApply ZYPP patch number 7257.