Jump to content
Sign in to follow this  
paul

Advisories MDVSA-2010:188: kernel

Recommended Posts

Some vulnerabilities were discovered and corrected in the Linux

2.6 kernel:

 

fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always

follow NFS automount symlinks, which allows attackers to have an

unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)

 

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem

in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9

does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure

members, which might allow local users to obtain sensitive information

from kernel memory via unspecified vectors. (CVE-2009-3228)

 

The do_pages_move function in mm/migrate.c in the Linux kernel before

2.6.33-rc7 does not validate node values, which allows local users

to read arbitrary kernel memory locations, cause a denial of service

(OOPS), and possibly have unspecified other impact by specifying a

node that is not part of the kernel node set. (CVE-2010-0415)

 

The ATI Rage 128 (aka r128) driver in the Linux kernel before

2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)

state initialization, which allows local users to cause a denial of

service (NULL pointer dereference and system crash) or possibly gain

privileges via unspecified ioctl calls. (CVE-2009-3620)

 

The wake_futex_pi function in kernel/futex.c in the Linux kernel

before 2.6.33-rc7 does not properly handle certain unlock operations

for a Priority Inheritance (PI) futex, which allows local users to

cause a denial of service (OOPS) and possibly have unspecified other

impact via vectors involving modification of the futex value from

user space. (CVE-2010-0622)

 

The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel

2.6 before 2.6.30, when running on x86 systems, does not validate

the page table root in a KVM_SET_SREGS call, which allows local

users to cause a denial of service (crash or hang) via a crafted cr3

value, which triggers a NULL pointer dereference in the gfn_to_rmap

function. (CVE-2009-2287)

 

The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem

in the Linux kernel before 2.6.31.1 does not properly verify the

Current Privilege Level (CPL) before accessing a debug register,

which allows guest OS users to cause a denial of service (trap)

on the host OS via a crafted application. (CVE-2009-3722)

 

The ext4_decode_error function in fs/ext4/super.c in the ext4

filesystem in the Linux kernel before 2.6.32 allows user-assisted

remote attackers to cause a denial of service (NULL pointer

dereference), and possibly have unspecified other impact, via a

crafted read-only filesystem that lacks a journal. (CVE-2009-4308)

 

The eisa_eeprom_read function in the parisc isa-eeprom component

(drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6

allows local users to access restricted memory via a negative ppos

argument, which bypasses a check that assumes that ppos is positive

and causes an out-of-bounds read in the readb function. (CVE-2009-2846)

 

Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the

XDR implementation in the NFS server in the Linux kernel before

2.6.34-rc6 allow remote attackers to cause a denial of service (panic)

or possibly execute arbitrary code via a crafted NFSv4 compound

WRITE request, related to the read_buf and nfsd4_decode_compound

functions. (CVE-2010-2521)

 

mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict

overcommit is enabled and CONFIG_SECURITY is disabled, does not

properly handle the export of shmemfs objects by knfsd, which allows

attackers to cause a denial of service (NULL pointer dereference and

knfsd crash) or possibly have unspecified other impact via unknown

vectors. NOTE: this vulnerability exists because of an incomplete

fix for CVE-2010-1643. (CVE-2008-7256)

 

The release_one_tty function in drivers/char/tty_io.c in the

Linux kernel before 2.6.34-rc4 omits certain required calls to the

put_pid function, which has unspecified impact and local attack

vectors. (CVE-2010-1162)

 

mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict

overcommit is enabled, does not properly handle the export of shmemfs

objects by knfsd, which allows attackers to cause a denial of service

(NULL pointer dereference and knfsd crash) or possibly have unspecified

other impact via unknown vectors. (CVE-2010-1643)

 

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c

in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled,

allows remote attackers to cause a denial of service (system crash)

via an SCTPChunkInit packet containing multiple invalid parameters

that require a large amount of error data. (CVE-2010-1173)

 

The Transparent Inter-Process Communication (TIPC) functionality in

Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions,

allows local users to cause a denial of service (kernel OOPS) by

sending datagrams through AF_TIPC before entering network mode,

which triggers a NULL pointer dereference. (CVE-2010-1187)

 

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c

in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled,

allows remote attackers to cause a denial of service (system crash)

via an SCTPChunkInit packet containing multiple invalid parameters

that require a large amount of error data. (CVE-2010-1173)

 

fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel

before 2.6.34-rc4 allows remote attackers to cause a denial of service

(panic) via an SMB response packet with an invalid CountHigh value,

as demonstrated by a response from an OS/2 server, related to the

CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)

 

Buffer overflow in the ecryptfs_uid_hash macro in

fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux

kernel before 2.6.35 might allow local users to gain privileges

or cause a denial of service (system crash) via unspecified

vectors. (CVE-2010-2492)

 

The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel

before 2.6.35 does not properly check the file descriptors passed

to the SWAPEXT ioctl, which allows local users to leverage write

access and obtain read access by swapping one file into another

file. (CVE-2010-2226)

 

The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux

kernel before 2.6.35 uses an incorrect size value in calculations

associated with sentinel directory entries, which allows local

users to cause a denial of service (NULL pointer dereference and

panic) and possibly have unspecified other impact by renaming a

file in a GFS2 filesystem, related to the gfs2_rename function in

fs/gfs2/ops_inode.c. (CVE-2010-2798)

 

The do_anonymous_page function in mm/memory.c in the Linux kernel

before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4,

and 2.6.35.x before 2.6.35.2 does not properly separate the stack

and the heap, which allows context-dependent attackers to execute

arbitrary code by writing to the bottom page of a shared memory

segment, as demonstrated by a memory-exhaustion attack against the

X.Org X server. (CVE-2010-2240)

 

The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct

Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53,

2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x

before 2.6.35.4 allows local users to obtain potentially sensitive

information from kernel memory by requesting a large memory-allocation

amount. (CVE-2010-2803)

 

Integer overflow in net/can/bcm.c in the Controller Area Network (CAN)

implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before

2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4

allows attackers to execute arbitrary code or cause a denial of service

(system crash) via crafted CAN traffic. (CVE-2010-2959)

 

Double free vulnerability in the snd_seq_oss_open function

in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before

2.6.36-rc4 might allow local users to cause a denial of service or

possibly have unspecified other impact via an unsuccessful attempt

to open the /dev/sequencer device. (CVE-2010-3080)

 

A vulnerability in Linux kernel caused by insecure allocation of user

space memory when translating system call inputs to 64-bit. A stack

pointer underflow can occur when using the compat_alloc_user_space

method with an arbitrary length input. (CVE-2010-3081)

 

The IA32 system call emulation functionality in

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2

on the x86_64 platform does not zero extend the %eax register after

the 32-bit entry path to ptrace is used, which allows local users to

gain privileges by triggering an out-of-bounds access to the system

call table using the %rax register. NOTE: this vulnerability exists

because of a CVE-2007-4573 regression. (CVE-2010-3301)

 

To update your kernel, please follow the directions located at:

 

http://www.mandriva.com/en/security/kernelupdate

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×
×
  • Create New...