SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 6236)

High Nessus Plugin ID 59137

Synopsis

The remote SuSE 10 host is missing a security-related patch.

Description

The Linux kernel on SUSE Linux Enterprise 10 Service Pack 2 was updated to fix various security issues and several bugs.

The following security issues were fixed:

- The audit_syscall_entry function in the Linux kernel on the x86_64 platform did not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls. (CVE-2009-0834)

- nfsd in the Linux kernel did not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option. (CVE-2009-1072)

- The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod. (CVE-2009-0835)

- Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) or potential code execution via a long nativeFileSystem field in a Tree Connect response to an SMB mount request. (CVE-2009-1439)

This requires that the kernel can be made to mount a 'cifs' filesystem from a malicious CIFS server.

- The exit_notify function in kernel/exit.c in the Linux kernel did not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application. (CVE-2009-1337)

- The shm_get_stat function in ipc/shm.c in the shm subsystem in the Linux kernel, when CONFIG_SHMEM is disabled, misinterprets the data type of an inode, which allows local users to cause a denial of service (system hang) via an SHM_INFO shmctl call, as demonstrated by running the ipcs program. (SUSE enables CONFIG_SHMEM, so it is not affected by default; the fix is just for completeness.) (CVE-2009-0859)

The GCC option -fwrapv has been added to the kernel compilation to work around the potential removal of integer overflow checks by the compiler.

- Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel might allow attackers to obtain sensitive information via a large length value, which causes 'garbage' memory to be sent. (CVE-2009-1265)

A number of bugs were also fixed; for details, please see the RPM changelog.

Solution

Apply ZYPP patch number 6236.

See Also

http://support.novell.com/security/cve/CVE-2009-0834.html

http://support.novell.com/security/cve/CVE-2009-0835.html

http://support.novell.com/security/cve/CVE-2009-0859.html

http://support.novell.com/security/cve/CVE-2009-1072.html

http://support.novell.com/security/cve/CVE-2009-1265.html

http://support.novell.com/security/cve/CVE-2009-1337.html

http://support.novell.com/security/cve/CVE-2009-1439.html

Plugin Details

Severity: High

ID: 59137

File Name: suse_kernel-6236.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2012/05/17

Updated: 2016/12/22

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2009/05/12

Reference Information

CVE: CVE-2009-0834, CVE-2009-0835, CVE-2009-0859, CVE-2009-1072, CVE-2009-1265, CVE-2009-1337, CVE-2009-1439

CWE: 16, 20, 119, 264