Linux Kernel: Security/Bugfix update

[Lighty]

Linux Kernel: Security/Bugfix update

The openSUSE 11.3 kernel was updated to fix various bugs
and security issues.

Following security issues have been fixed: CVE-2010-4347: A
local user could inject ACPI code into the kernel via the
world-writable "custom_debug" file, allowing local
privilege escalation.

CVE-2010-4258: A local attacker could use a Oops (kernel
crash) caused by other flaws to write a 0 byte to a
attacker controlled address in the kernel. This could lead
to privilege escalation together with other issues.

CVE-2010-4157: A 32bit vs 64bit integer mismatch in
gdth_ioctl_alloc could lead to memory corruption in the
GDTH driver.

CVE-2010-4165: The do_tcp_setsockopt function in
net/ipv4/tcp.c in the Linux kernel did not properly
restrict TCP_MAXSEG (aka MSS) values, which allows local
users to cause a denial of service (OOPS) via a setsockopt
call that specifies a small value, leading to a
divide-by-zero error or incorrect use of a signed integer.

CVE-2010-4164: A remote (or local) attacker communicating
over X.25 could cause a kernel panic by attempting to
negotiate malformed facilities.

CVE-2010-4175: A local attacker could cause memory
overruns in the RDS protocol stack, potentially crashing
the kernel. So far it is considered not to be exploitable.

CVE-2010-4169: Use-after-free vulnerability in
mm/mprotect.c in the Linux kernel allwed local users to
cause a denial of service via vectors involving an mprotect
system call.

CVE-2010-3874: A minor heap overflow in the CAN network
module was fixed. Due to nature of the memory allocator it
is likely not exploitable.

CVE-2010-4158: A memory information leak in berkely packet
filter rules allowed local attackers to read uninitialized
memory of the kernel stack.

CVE-2010-4162: A local denial of service in the blockdevice
layer was fixed.

CVE-2010-4163: By submitting certain I/O requests with 0
length, a local user could have caused a kernel panic.

CVE-2010-0435: The Hypervisor in KVM 83, when the Intel
VT-x extension is enabled, allows guest OS users to cause a
denial of service (NULL pointer dereference and host OS
crash) via vectors related to instruction emulation.

CVE-2010-3861: The ethtool_get_rxnfc function in
net/core/ethtool.c in the Linux kernel did not initialize a
certain block of heap memory, which allowed local users to
obtain potentially sensitive information via an
ETHTOOL_GRXCLSRLALL ethtool command with a large
info.rule_cnt value.

CVE-2010-3442: Multiple integer overflows in the
snd_ctl_new function in sound/core/control.c in the Linux
kernel allowed local users to cause a denial of service
(heap memory corruption) or possibly have unspecified other
impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2)
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

CVE-2010-3437: A range checking overflow in pktcdvd ioctl
was fixed.

CVE-2010-4078: The sisfb_ioctl function in
drivers/video/sis/sis_main.c in the Linux kernel did not
properly initialize a certain structure member, which
allowed local users to obtain potentially sensitive
information from kernel stack memory via an FBIOGET_VBLANK
ioctl call.

CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in
sound/pci/rme9652/hdsp.c in the Linux kernel did not
initialize a certain structure, which allowed local users
to obtain potentially sensitive information from kernel
stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl
call.

CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in
sound/pci/rme9652/hdspm.c in the Linux kernel did not
initialize a certain structure, which allowed local users
to obtain potentially sensitive information from kernel
stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl
call.

CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
drivers/video/via/ioctl.c in the Linux kernel did not
properly initialize a certain structure member, which
allowed local users to obtain potentially sensitive
information from kernel stack memory via a VIAFB_GET_INFO
ioctl call.

CVE-2010-4073: The ipc subsystem in the Linux kernel did
not initialize certain structures, which allowed local
users to obtain potentially sensitive information from
kernel stack memory via vectors related to the (1)
compat_sys_semctl, (2) compat_sys_msgctl, and (3)
compat_sys_shmctl functions in ipc/compat.c; and the (4)
compat_sys_mq_open and (5) compat_sys_mq_getsetattr
functions in ipc/compat_mq.c.

CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c
in the Linux kernel did not initialize a certain structure,
which allowed local users to obtain potentially sensitive
information from kernel stack memory via vectors related to
the shmctl system call and the "old shm interface."

CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c
in the Linux kernel did not initialize a certain structure,
which allowed local users to obtain potentially sensitive
information from kernel stack memory via a (1) IPC_INFO,
(2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a
semctl system call.

CVE-2010-3432: The sctp_packet_config function in
net/sctp/output.c in the Linux kernel performed extraneous
initializations of packet data structures, which allowed
remote attackers to cause a denial of service (panic) via a
certain sequence of SCTP traffic.

CVE-2010-3067: Integer overflow in the do_io_submit
function in fs/aio.c in the Linux kernel allowed local
users to cause a denial of service or possibly have
unspecified other impact via crafted use of the io_submit
system call.

CVE-2010-3865: A iovec integer overflow in RDS sockets was
fixed which could lead to local attackers gaining kernel
privileges.