Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDVSA-2011:051 ] kernel
From: security () mandriva com
Date: Mon, 21 Mar 2011 16:05:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:051
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kernel
 Date    : March 18, 2011
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 The do_anonymous_page function in mm/memory.c in the Linux kernel
 does not properly separate the stack and the heap, which allows
 context-dependent attackers to execute arbitrary code by writing
 to the bottom page of a shared memory segment, as demonstrated by a
 memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)
 
 The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel
 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows
 local users to cause a denial of service (OOPS) via a setsockopt call
 that specifies a small value, leading to a divide-by-zero error or
 incorrect use of a signed integer. (CVE-2010-4165)
 
 The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
 does not initialize a certain structure, which allows local users to
 obtain potentially sensitive information from kernel stack memory
 via vectors related to the shmctl system call and the old shm
 interface. (CVE-2010-4072)
 
 The ipc subsystem in the Linux kernel does not initialize certain
 structures, which allows local users to obtain potentially sensitive
 information from kernel stack memory via vectors related to the (1)
 compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl
 functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5)
 compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073)
 
 The copy_semid_to_user function in ipc/sem.c in the Linux kernel does
 not initialize a certain structure, which allows local users to obtain
 potentially sensitive information from kernel stack memory via a (1)
 IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a
 semctl system call. (CVE-2010-4083)
 
 The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux
 kernel does not properly initialize a certain structure member, which
 allows local users to obtain potentially sensitive information from
 kernel stack memory via an FBIOGET_VBLANK ioctl call. (CVE-2010-4078)
 
 The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel
 does not properly initialize a certain structure member, which allows
 local users to obtain potentially sensitive information from kernel
 stack memory via an EQL_GETMASTRCFG ioctl call. (CVE-2010-3297)
 
 Integer signedness error in the pkt_find_dev_from_minor function in
 drivers/block/pktcdvd.c in the Linux kernel allows local users to
 obtain sensitive information from kernel memory or cause a denial of
 service (invalid pointer dereference and system crash) via a crafted
 index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)
 
 fs/jfs/xattr.c in the Linux kernel does not properly handle a certain
 legacy format for storage of extended attributes, which might allow
 local users by bypass intended xattr namespace restrictions via an
 os2. substring at the beginning of a name. (CVE-2010-2946)
 
 Multiple integer signedness errors in net/rose/af_rose.c in the
 Linux kernel allow local users to cause a denial of service (heap
 memory corruption) or possibly have unspecified other impact via a
 rose_getname function call, related to
 the rose_bind and rose_connect functions. (CVE-2010-3310)
 
 Integer overflow in the do_io_submit function in fs/aio.c in the
 Linux allows local users to cause a denial of service or possibly
 have unspecified other impact via crafted use of the io_submit system
 call. (CVE-2010-3067)
 
 net/bridge/netfilter/ebtables.c in the ebtables module in the
 netfilter framework in the Linux kernel does not require the
 CAP_NET_ADMIN capability for setting or modifying rules, which
 allows local users to bypass intended access restrictions and
 configure arbitrary network-traffic filtering via a modified ebtables
 application. (CVE-2010-0007)
 
 The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel
 does not initialize a certain structure, which allows local users to
 obtain potentially sensitive information from kernel stack memory by
 reading a copy of this structure. (CVE-2010-3875)
 
 fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel
 allows remote attackers to cause a denial of service (panic) via an
 SMB response packet with an invalid CountHigh value, as demonstrated
 by a response from an OS/2 server, related to the CIFSSMBWrite and
 CIFSSMBWrite2 functions. (CVE-2010-2248)
 
 The personality subsystem in the Linux kernel has a PER_CLEAR_ON_SETID
 setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO
 flags when executing a setuid or setgid program, which makes it
 easier for local users to leverage the details of memory usage to (1)
 conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr
 protection mechanism, or (3) defeat address space layout randomization
 (ASLR). (CVE-2009-1895)
 
 The load_flat_shared_library function in fs/binfmt_flat.c in the
 flat subsystem in the Linux kernel allows local users to cause a
 denial of service (NULL pointer dereference and system crash) or
 possibly have unspecified other impact by executing a shared flat
 binary. (CVE-2009-2768)
 
 The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client
 in the Linux kernel allows remote NFS servers to cause a denial of
 service (NULL pointer dereference and panic) by sending a certain
 response containing incorrect file attributes, which trigger attempted
 use of an open file that lacks NFSv4 state. (CVE-2009-3726)
 
 The UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c
 in the Linux kernel allows local users to gain privileges or cause
 a denial of service (NULL pointer dereference and system crash) via
 vectors involving the MSG_MORE flag and a UDP socket. (CVE-2009-2698)
 
 Array index error in the gdth_read_event function in
 drivers/scsi/gdth.c in the Linux kernel allows local users to cause
 a denial of service or possibly gain privileges via a negative event
 index in an IOCTL request. (CVE-2009-3080)
 
 Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR
 implementation in the NFS server in the Linux kernel allow remote
 attackers to cause a denial of service (panic) or possibly execute
 arbitrary code via a crafted NFSv4 compound WRITE request, related
 to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521)
 
 net/ipv6/tcp_ipv6.c in Linux kernel  inadvertently copies the
 ipv6_fl_socklist from a listening TCP socket to child sockets, which
 allows local users to cause a denial of service (OOPS) or double-free
 by opening a listeing IPv6 socket,
 attaching a flow label, and connecting to that socket. (CVE-2007-1592)
 
 The ec_dev_ioctl function in net/econet/af_econet.c in the Linux
 kernel does not require the CAP_NET_ADMIN capability, which allows
 local users to bypass intended access restrictions and configure
 econet addresses via an SIOCSIFADDR ioctl call. (CVE-2010-3850)
 
 All these problems have been corrected, to update your kernel, please
 follow the directions located at:
 
   http://www.mandriva.com/en/security/kernelupdate
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2240
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4165
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4072
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4083
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4078
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3297
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3437
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2946
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3310
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3875
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2248
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2768
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2521
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1592
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 890c747a6a23bec5203df80fea437577  corporate/4.0/i586/kernel-2.6.12.43mdk-1-1mdk.i586.rpm
 035e67228d5d802ec1f1c435c336f1e4  corporate/4.0/i586/kernel-BOOT-2.6.12.43mdk-1-1mdk.i586.rpm
 91e5bd4db307150fa5fbf50557800d0b  corporate/4.0/i586/kernel-doc-2.6.12.43mdk-1-1mdk.i586.rpm
 709df005ea5296caa560bb214106bba0  corporate/4.0/i586/kernel-i586-up-1GB-2.6.12.43mdk-1-1mdk.i586.rpm
 a6a70d6d6d243e8899d28418841d3b30  corporate/4.0/i586/kernel-i686-up-4GB-2.6.12.43mdk-1-1mdk.i586.rpm
 fbf3f03e88f64a342299a6d1f71b77ff  corporate/4.0/i586/kernel-smp-2.6.12.43mdk-1-1mdk.i586.rpm
 00075e6ecb976667e6acc84b90a457e2  corporate/4.0/i586/kernel-source-2.6.12.43mdk-1-1mdk.i586.rpm
 be59ed3d9edaef100c73689ed8889e44  corporate/4.0/i586/kernel-source-stripped-2.6.12.43mdk-1-1mdk.i586.rpm
 d97fb8a8f4e91bda8fe196ae42db2bda  corporate/4.0/i586/kernel-xbox-2.6.12.43mdk-1-1mdk.i586.rpm
 2ebefb2a2891b11ec2e0b8a1a0182861  corporate/4.0/i586/kernel-xen0-2.6.12.43mdk-1-1mdk.i586.rpm
 fde48ce47fab86665c576c49af171ff6  corporate/4.0/i586/kernel-xenU-2.6.12.43mdk-1-1mdk.i586.rpm 
 c5b74f984e252360a20582e9acac64da  corporate/4.0/SRPMS/kernel-2.6.12.43mdk-1-1mdk.src.rpm

 Corporate 4.0/X86_64:
 f2a01a7f51ed7472dd997e095753be7b  corporate/4.0/x86_64/kernel-2.6.12.43mdk-1-1mdk.x86_64.rpm
 524510d3382ec95de0ca76dd4f760b2e  corporate/4.0/x86_64/kernel-BOOT-2.6.12.43mdk-1-1mdk.x86_64.rpm
 b0e576639faa836c7895ce05b4a4ac26  corporate/4.0/x86_64/kernel-doc-2.6.12.43mdk-1-1mdk.x86_64.rpm
 e56515d6f9675fc366b963fbfc7fbab4  corporate/4.0/x86_64/kernel-smp-2.6.12.43mdk-1-1mdk.x86_64.rpm
 20ac4ec4df1df4c170676116769c3f78  corporate/4.0/x86_64/kernel-source-2.6.12.43mdk-1-1mdk.x86_64.rpm
 5309f98e74877b41d99b75a1e04f0f74  corporate/4.0/x86_64/kernel-source-stripped-2.6.12.43mdk-1-1mdk.x86_64.rpm
 cdae6ee98462fb2503a7f0fc41381dfe  corporate/4.0/x86_64/kernel-xen0-2.6.12.43mdk-1-1mdk.x86_64.rpm
 e4fedcae85c0c3ba6d2e169f3faf3d06  corporate/4.0/x86_64/kernel-xenU-2.6.12.43mdk-1-1mdk.x86_64.rpm 
 c5b74f984e252360a20582e9acac64da  corporate/4.0/SRPMS/kernel-2.6.12.43mdk-1-1mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNhz4MmqjQ0CJFipgRAvQCAKCjxkVbvV6tX/dquf3yaHOxUm7IxQCfRY5g
q9TSPal83qlvFGa4p/Zm6kM=
=51Io
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:051 ] kernel security (Mar 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]