SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4884 / 4888 / 4889)

High Nessus Plugin ID 55686

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.43 and fixes various bugs and security issues.

The following security issues were fixed :

- The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. (CVE-2011-2496)

- A local unprivileged user able to access a NFS filesystem could use file locking to deadlock parts of an nfs server under some circumstance. (CVE-2011-2491)

- Fixed a race between ksmd and other memory management code, which could result in a NULL ptr dereference and kernel crash. (CVE-2011-2183)

- In both trigger_scan and sched_scan operations, we were checking for the SSID length before assigning the value correctly. Since the memory was just kzalloced, the check was always failing and SSID with over 32 characters were allowed to go through. This required CAP_NET_ADMIN privileges to be exploited.
(CVE-2011-2517)

- A malicious user or buggy application could inject diagnosing byte code and trigger an infinite loop in inet_diag_bc_audit(). (CVE-2011-2213)

- The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained bugs that could crash the kernel for certain corrupted LDM partitions.
(CVE-2011-1017 / CVE-2011-1012 / CVE-2011-2182)

- Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel allowed local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.
(CVE-2011-1593)

- The proc filesystem implementation in the Linux kernel did not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allowed local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls. (CVE-2011-1020)

- When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users. (CVE-2011-1585)

- Kernel information via the TPM devices could by used by local attackers to read kernel memory. (CVE-2011-1160)

- The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions (in fs/partitions/efi.c) contained a bug that causes a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code.
(CVE-2011-1577)

- In a bluetooth ioctl, struct sco_conninfo has one padding byte in the end. Local variable cinfo of type sco_conninfo was copied to userspace with this uninizialized one byte, leading to an old stack contents leak. (CVE-2011-1078)

- In a bluetooth ioctl, struct ca is copied from userspace. It was not checked whether the 'device' field was NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. (CVE-2011-1079)

- In ebtables rule loading, struct tmp is copied from userspace. It was not checked whether the 'name' field is NULL terminated. This may have lead to buffer overflow and passing contents of kernel stack as a module name to try_then_request_module() and, consequently, to modprobe commandline. It would be seen by all userspace processes. (CVE-2011-1080)

- The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel on the x86_64 platform allowed remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet. (CVE-2011-1173)

- net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
(CVE-2011-1170)

- net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
(CVE-2011-1171)

- net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel did not place the expected '0' character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
(CVE-2011-1172)

- Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. (CVE-2011-1746)

- Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call. (CVE-2011-1745)

- The bcm_release function in net/can/bcm.c in the Linux kernel did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation. (CVE-2011-1598)

- The raw_release function in net/can/raw.c in the Linux kernel did not properly validate a socket data structure, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation. (CVE-2011-1748)

Solution

Apply SAT patch number 4884 / 4888 / 4889 as appropriate.

CPE: p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-pae, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-pae, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-pae, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default-man, p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-pae, p-cpe:/a:novell:suse_linux:11:kernel-pae-base, p-cpe:/a:novell:suse_linux:11:kernel-pae-devel, p-cpe:/a:novell:suse_linux:11:kernel-pae-extra, p-cpe:/a:novell:suse_linux:11:kernel-source, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2011/07/18

Reference Information

CVE: CVE-2011-1012, CVE-2011-1017, CVE-2011-1020, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1160, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1173, CVE-2011-1577, CVE-2011-1585, CVE-2011-1593, CVE-2011-1598, CVE-2011-1745, CVE-2011-1746, CVE-2011-1748, CVE-2011-2182, CVE-2011-2183, CVE-2011-2213, CVE-2011-2491, CVE-2011-2496, CVE-2011-2517

SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 4884 / 4888 / 4889)

High Nessus Plugin ID 55686

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

CVSS v2.0

Vulnerability Information

Reference Information