openSUSE Security Update : kernel-debug (openSUSE-SU-2011:0003-1)

High Nessus Plugin ID 53741

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 8.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update of the openSUSE 11.2 kernel fixes various bugs and lots of security issues.

Following security issues have been fixed: CVE-2010-4258: A local attacker could use a Oops (kernel crash) caused by other flaws to write a 0 byte to a attacker controlled address in the kernel. This could lead to privilege escalation together with other issues.

CVE-2010-4160: A overflow in sendto() and recvfrom() routines was fixed that could be used by local attackers to potentially crash the kernel using some socket families like L2TP.

CVE-2010-4157: A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver.

CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.

CVE-2010-4164: A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities.

CVE-2010-4175: A local attacker could cause memory overruns in the RDS protocol stack, potentially crashing the kernel. So far it is considered not to be exploitable.

CVE-2010-3874: A minor heap overflow in the CAN network module was fixed. Due to nature of the memory allocator it is likely not exploitable.

CVE-2010-3874: A minor heap overflow in the CAN network module was fixed. Due to nature of the memory allocator it is likely not exploitable.

CVE-2010-4158: A memory information leak in berkely packet filter rules allowed local attackers to read uninitialized memory of the kernel stack.

CVE-2010-4162: A local denial of service in the blockdevice layer was fixed.

CVE-2010-4163: By submitting certain I/O requests with 0 length, a local user could have caused a kernel panic.

CVE-2010-3861: The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel did not initialize a certain block of heap memory, which allowed local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.

CVE-2010-3442: Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

CVE-2010-3437: A range checking overflow in pktcdvd ioctl was fixed.

CVE-2010-4078: The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.

CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.

CVE-2010-4082: The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call.

CVE-2010-3067: Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.

CVE-2010-3865: A iovec integer overflow in RDS sockets was fixed which could lead to local attackers gaining kernel privileges.

Solution

Update the affected kernel-debug packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=642043

https://bugzilla.novell.com/show_bug.cgi?id=642302

https://bugzilla.novell.com/show_bug.cgi?id=642311

https://bugzilla.novell.com/show_bug.cgi?id=642313

https://bugzilla.novell.com/show_bug.cgi?id=642484

https://bugzilla.novell.com/show_bug.cgi?id=642486

https://bugzilla.novell.com/show_bug.cgi?id=645659

https://bugzilla.novell.com/show_bug.cgi?id=649187

https://bugzilla.novell.com/show_bug.cgi?id=650128

https://bugzilla.novell.com/show_bug.cgi?id=651218

https://bugzilla.novell.com/show_bug.cgi?id=652563

https://bugzilla.novell.com/show_bug.cgi?id=652939

https://bugzilla.novell.com/show_bug.cgi?id=652940

https://bugzilla.novell.com/show_bug.cgi?id=652945

https://bugzilla.novell.com/show_bug.cgi?id=653258

https://bugzilla.novell.com/show_bug.cgi?id=653260

https://bugzilla.novell.com/show_bug.cgi?id=654581

https://bugzilla.novell.com/show_bug.cgi?id=657350

https://lists.opensuse.org/opensuse-updates/2011-01/msg00001.html

Plugin Details

Severity: High

ID: 53741

File Name: suse_11_2_kernel-debug-101215.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2011/05/05

Updated: 2019/10/25

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 8.9

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:kernel-debug, p-cpe:/a:novell:opensuse:kernel-debug-base, p-cpe:/a:novell:opensuse:kernel-debug-devel, p-cpe:/a:novell:opensuse:kernel-default, p-cpe:/a:novell:opensuse:kernel-default-base, p-cpe:/a:novell:opensuse:kernel-default-devel, p-cpe:/a:novell:opensuse:kernel-desktop, p-cpe:/a:novell:opensuse:kernel-desktop-base, p-cpe:/a:novell:opensuse:kernel-desktop-devel, p-cpe:/a:novell:opensuse:kernel-pae, p-cpe:/a:novell:opensuse:kernel-pae-base, p-cpe:/a:novell:opensuse:kernel-pae-devel, p-cpe:/a:novell:opensuse:kernel-source, p-cpe:/a:novell:opensuse:kernel-source-vanilla, p-cpe:/a:novell:opensuse:kernel-syms, p-cpe:/a:novell:opensuse:kernel-trace, p-cpe:/a:novell:opensuse:kernel-trace-base, p-cpe:/a:novell:opensuse:kernel-trace-devel, p-cpe:/a:novell:opensuse:kernel-vanilla, p-cpe:/a:novell:opensuse:kernel-vanilla-base, p-cpe:/a:novell:opensuse:kernel-vanilla-devel, p-cpe:/a:novell:opensuse:kernel-xen, p-cpe:/a:novell:opensuse:kernel-xen-base, p-cpe:/a:novell:opensuse:kernel-xen-devel, p-cpe:/a:novell:opensuse:preload-kmp-default, p-cpe:/a:novell:opensuse:preload-kmp-desktop, cpe:/o:novell:opensuse:11.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2010/12/15

Exploitable With

Core Impact

Reference Information

CVE: CVE-2010-3067, CVE-2010-3437, CVE-2010-3442, CVE-2010-3861, CVE-2010-3865, CVE-2010-3874, CVE-2010-4078, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4157, CVE-2010-4158, CVE-2010-4160, CVE-2010-4162, CVE-2010-4163, CVE-2010-4164, CVE-2010-4165, CVE-2010-4175, CVE-2010-4258