SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7665)

high Nessus Plugin ID 59158
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote SuSE 10 host is missing a security-related patch.

Description

This kernel update for the SUSE Linux Enterprise 10 SP4 kernel fixes several security issues and bugs.

The following security issues were fixed :

- The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel did not properly handle packets for a CLOSED endpoint, which allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. (CVE-2011-1093)

- The add_del_listener function in kernel/taskstats.c in the Linux kernel did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.
(CVE-2011-2484)

- Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call. (CVE-2011-1745)

- Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. (CVE-2011-1746)

- The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 did not validate a certain start parameter, which allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745. (CVE-2011-2022)

- When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users. (CVE-2011-1585)

- The do_task_stat function in fs/proc/array.c in the Linux kernel did not perform an expected uid check, which made it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. (CVE-2011-0726)

- The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. (CVE-2011-2496)

- A local unprivileged user able to access a NFS filesystem could use file locking to deadlock parts of an nfs server under some circumstance. (CVE-2011-2491)

- The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained bugs that could crash the kernel for certain corrupted LDM partitions.
(CVE-2011-1017 / CVE-2011-2182)

- Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel allowed local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.
(CVE-2011-1593)

- Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel might have allowed local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow. (CVE-2011-1494)

- drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel did not validate (1) length and (2) offset values before performing memory copy operations, which might have allowed local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and
_ctl_diag_read_buffer functions. (CVE-2011-1495)

Solution

Apply ZYPP patch number 7665.

See Also

http://support.novell.com/security/cve/CVE-2011-0726.html

http://support.novell.com/security/cve/CVE-2011-1017.html

http://support.novell.com/security/cve/CVE-2011-1093.html

http://support.novell.com/security/cve/CVE-2011-1494.html

http://support.novell.com/security/cve/CVE-2011-1495.html

http://support.novell.com/security/cve/CVE-2011-1585.html

http://support.novell.com/security/cve/CVE-2011-1593.html

http://support.novell.com/security/cve/CVE-2011-1745.html

http://support.novell.com/security/cve/CVE-2011-1746.html

http://support.novell.com/security/cve/CVE-2011-2022.html

http://support.novell.com/security/cve/CVE-2011-2182.html

http://support.novell.com/security/cve/CVE-2011-2484.html

http://support.novell.com/security/cve/CVE-2011-2491.html

http://support.novell.com/security/cve/CVE-2011-2496.html

Plugin Details

Severity: High

ID: 59158

File Name: suse_kernel-7665.nasl

Version: 1.4

Type: local

Agent: unix

Published: 5/17/2012

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 8/1/2011

Reference Information

CVE: CVE-2011-0726, CVE-2011-1017, CVE-2011-1093, CVE-2011-1494, CVE-2011-1495, CVE-2011-1585, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-2022, CVE-2011-2182, CVE-2011-2484, CVE-2011-2491, CVE-2011-2496