Linux Kernel: Security/Bugfix update to 2.6.31.8

Post by Lighty

The Linux kernel for openSUSE 11.2 was updated to 2.6.31.8
fixing lots of bugs and several security issues.


The following security issues were fixed:

CVE-2009-4131: A file
overwrite issue on the ext4 filesystem could be used by
local attackers that have write access to a filesystem to
change/overwrite files of other users, including root.

CVE-2009-1298: A remote denial of service by sending overly
long packets could be used by remote attackers to crash a
machine.

CVE-2009-4026: The mac80211 subsystem in the Linux kernel
allows remote attackers to cause a denial of service
(panic) via a crafted Delete Block ACK (aka DELBA) packet,
related to an erroneous "code shuffling patch."

CVE-2009-4027: Race condition in the mac80211 subsystem in
the Linux kernel allows remote attackers to cause a denial
of service (system crash) via a Delete Block ACK (aka
DELBA) packet that triggers a certain state change in the
absence of an aggregation session.

CVE-2009-3939: The poll_mode_io file for the megaraid_sas
driver in the Linux kernel has world-writable permissions,
which allows local users to change the I/O mode of the
driver by modifying this file.

CVE-2009-4005: The collect_rx_frame function in
drivers/isdn/hisax/hfc_usb.c in the Linux kernel allows
attackers to have an unspecified impact via a crafted HDLC
packet that arrives over ISDN and triggers a buffer
under-read. This requires the attacker to access the
machine on ISDN protocol level.

CVE-2009-3080: Array index error in the gdth_read_event
function in drivers/scsi/gdth.c in the Linux kernel allows
local users to cause a denial of service or possibly gain
privileges via a negative event index in an IOCTL request.

CVE-2009-3624: The get_instantiation_keyring function in
security/keys/keyctl.c in the KEYS subsystem in the Linux
kernel does not properly maintain the reference count of a
keyring, which allows local users to gain privileges or
cause a denial of service (OOPS) via vectors involving
calls to this function without specifying a keyring by ID,
as demonstrated by a series of keyctl request2 and keyctl
list commands.

CVE-2009-4021: The fuse_direct_io function in
fs/fuse/file.c in the fuse subsystem in the Linux kernel
might allow attackers to cause a denial of service (invalid
pointer dereference and OOPS) via vectors possibly related
to a memory-consumption attack.

CVE-2009-3547: Multiple race conditions in fs/pipe.c in the
Linux kernel allow local users to cause a denial of service
(NULL pointer dereference and system crash) or gain
privileges by attempting to open an anonymous pipe via a
/proc/*/fd/ pathname. As openSUSE 11.2 by default sets
mmap_min_addr protection, this issue will just Oops the
kernel and not be able to execute code.

CVE-2009-3621: net/unix/af_unix.c in the Linux kernel
allows local users to cause a denial of service (system
hang) by creating an abstract-namespace AF_UNIX listening
socket, performing a shutdown operation on this socket, and
then performing a series of connect operations to this
socket.

CVE-2009-4138: drivers/firewire/ohci.c in the Linux kernel,
when packet-per-buffer mode is used, allows local users to
cause a denial of service (NULL pointer dereference and
system crash) or possibly have unknown other impact via an
unspecified ioctl associated with receiving an ISO packet
that contains zero in the payload-length field.

CVE-2009-4308: The ext4_decode_error function in
fs/ext4/super.c in the ext4 filesystem in the Linux kernel
allows user-assisted remote attackers to cause a denial of
service (NULL pointer dereference), and possibly have
unspecified other impact, via a crafted read-only
filesystem that lacks a journal.

CVE-2009-4307: The ext4_fill_flex_info function in
fs/ext4/super.c in the Linux kernel allows user-assisted
remote attackers to cause a denial of service
(divide-by-zero error and panic) via a malformed ext4
filesystem containing a super block with a large FLEX_BG
group size (aka s_log_groups_per_flex value).

CVE-2009-4306: Unspecified vulnerability in the
EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation
in the ext4 filesystem in the Linux kernel allows local
users to cause a denial of service (filesystem corruption)
via unknown vectors, a different vulnerability than
CVE-2009-4131.

CVE-2009-4131: The EXT4_IOC_MOVE_EXT (aka move extents)
ioctl implementation in the ext4 filesystem in the Linux
kernel allows local users to overwrite arbitrary files via
a crafted request, related to insufficient checks for file
permissions. This can lead to privilege escalations.


Also, the rt2870 and rt2860 drivers were refreshed to the
level they are in the Linux 2.6.32 kernel, bringing new
device support and new functionality.

Regards, Lighty
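
A host check for three points the advisory names (the fixed kernel version 2.6.31.8, the mmap_min_addr protection mentioned under CVE-2009-3547, and the world-writable poll_mode_io file from CVE-2009-3939), as an added example that is not part of the original post or the advisory. The sysfs path for poll_mode_io and all function names are assumptions; the sample release strings are constructed.

```python
import os
import stat

FIXED = (2, 6, 31, 8)  # version the advisory says carries the fixes
# Assumed sysfs location of the megaraid_sas attribute (not given on the page).
POLL_MODE_IO = "/sys/bus/pci/drivers/megaraid_sas/poll_mode_io"
MMAP_MIN_ADDR = "/proc/sys/vm/mmap_min_addr"


def parse_release(release):
    """'2.6.31.5-0.1-default' -> (2, 6, 31, 5); missing fields count as 0."""
    fields = release.split("-", 1)[0].split(".")[:4]
    nums = [int(f) if f.isdigit() else 0 for f in fields]
    return tuple(nums + [0] * (4 - len(nums)))


def audit(release, mmap_min_addr, poll_mode):
    """Return findings; poll_mode is an st_mode value, or None if the file is absent."""
    findings = []
    if parse_release(release) < FIXED:
        findings.append("kernel %s is older than 2.6.31.8" % release)
    if mmap_min_addr == 0:
        findings.append("mmap_min_addr is 0: the protection the advisory "
                        "relies on for CVE-2009-3547 is off")
    if poll_mode is not None and poll_mode & stat.S_IWOTH:
        findings.append("poll_mode_io is world-writable (CVE-2009-3939)")
    return findings


def audit_host():
    """Collect the three values from the running system and audit them."""
    try:
        with open(MMAP_MIN_ADDR) as fh:
            min_addr = int(fh.read().strip())
    except (OSError, ValueError):
        min_addr = None  # value unavailable, skip that check
    try:
        mode = os.stat(POLL_MODE_IO).st_mode
    except OSError:
        mode = None  # driver not loaded, nothing to check
    return audit(os.uname().release, min_addr, mode)


if __name__ == "__main__":
    # Constructed sample: an unpatched release string with both weak settings.
    for line in audit("2.6.31.5-0.1-default", 0, 0o100666):
        print("SAMPLE:", line)
    for line in audit_host():
        print("HOST:", line)
```

The version comparison only reflects the version string; a distribution kernel with backported fixes may report an older number and still be patched.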