-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement ID: SUSE-SA:2011:002
Date: Mon, 03 Jan 2011 15:00:00 +0000
Affected Products: openSUSE 11.2
Vulnerability Type: potential local privilege escalation
CVSS v2 Base Score: 6.6 (AV:L/AC:L/Au:N/C:C/I:N/A:C)
SUSE Default Package: yes
Cross-References: CVE-2010-3067, CVE-2010-3437, CVE-2010-3442
CVE-2010-3861, CVE-2010-3865, CVE-2010-3874
CVE-2010-4078, CVE-2010-4080, CVE-2010-4081
CVE-2010-4082, CVE-2010-4157, CVE-2010-4158
CVE-2010-4160, CVE-2010-4162, CVE-2010-4163
CVE-2010-4164, CVE-2010-4165, CVE-2010-4175
CVE-2010-4258
Content of This Advisory:
1) Security Vulnerability Resolved:
Linux kernel security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This update of the openSUSE 11.2 kernel fixes various bugs
and lots of security issues.
Following security issues have been fixed:
CVE-2010-4258: A local attacker could use a Oops (kernel crash) caused
by other flaws to write a 0 byte to a attacker controlled address in the
kernel. This could lead to privilege escalation together with other issues.
CVE-2010-4160: A overflow in sendto() and recvfrom() routines was fixed
that could be used by local attackers to potentially crash the kernel
using some socket families like L2TP.
CVE-2010-4157: A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc
could lead to memory corruption in the GDTH driver.
CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the
Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values, which
allows local users to cause a denial of service (OOPS) via a setsockopt
call that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer.
CVE-2010-4164: A remote (or local) attacker communicating over X.25
could cause a kernel panic by attempting to negotiate malformed
facilities.
CVE-2010-4175: A local attacker could cause memory overruns in the RDS
protocol stack, potentially crashing the kernel. So far it is considered
not to be exploitable.
CVE-2010-3874: A minor heap overflow in the CAN network module was fixed.
Due to nature of the memory allocator it is likely not exploitable.
CVE-2010-3874: A minor heap overflow in the CAN network module was fixed.
Due to nature of the memory allocator it is likely not exploitable.
CVE-2010-4158: A memory information leak in Berkeley packet filter rules
allowed local attackers to read uninitialized memory of the kernel stack.
CVE-2010-4162: A local denial of service in the blockdevice layer was fixed.
CVE-2010-4163: By submitting certain I/O requests with 0 length, a local
user could have caused a kernel panic.
CVE-2010-3861: The ethtool_get_rxnfc function in net/core/ethtool.c
in the Linux kernel did not initialize a certain block of heap memory,
which allowed local users to obtain potentially sensitive information via
an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.
CVE-2010-3442: Multiple integer overflows in the snd_ctl_new function
in sound/core/control.c in the Linux kernel allowed local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or
(2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.
CVE-2010-3437: A range checking overflow in pktcdvd ioctl was fixed.
CVE-2010-4078: The sisfb_ioctl function in drivers/video/sis/sis_main.c in
the Linux kernel did not properly initialize a certain structure member,
which allowed local users to obtain potentially sensitive information
from kernel stack memory via an FBIOGET_VBLANK ioctl call.
CVE-2010-4080: The snd_hdsp_hwdep_ioctl function in
sound/pci/rme9652/hdsp.c in the Linux kernel did not initialize
a certain structure, which allowed local users to obtain
potentially sensitive information from kernel stack memory via an
SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.
CVE-2010-4081: The snd_hdspm_hwdep_ioctl function in
sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize
a certain structure, which allowed local users to obtain
potentially sensitive information from kernel stack memory via an
SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.
CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
drivers/video/via/ioctl.c in the Linux kernel did not properly
initialize a certain structure member, which allowed local users to
obtain potentially sensitive information from kernel stack memory via
a VIAFB_GET_INFO ioctl call.
CVE-2010-3067: Integer overflow in the do_io_submit function in fs/aio.c
in the Linux kernel allowed local users to cause a denial of service or
possibly have unspecified other impact via crafted use of the io_submit
system call.
CVE-2010-3865: A iovec integer overflow in RDS sockets was fixed which
could lead to local attackers gaining kernel privileges.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please reboot the machine after installing the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
openSUSE 11.2:
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-debug-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-debug-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-debug-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-default-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-default-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-default-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-desktop-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-desktop-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-desktop-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-pae-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-pae-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-pae-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-syms-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-trace-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-trace-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-trace-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-vanilla-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-vanilla-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-vanilla-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-xen-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-xen-base-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/kernel-xen-devel-2.6.31.14-0.6.1.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/preload-kmp-default-1.1_2.6.31.14_0.6-6.9.39.i586.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/i586/preload-kmp-desktop-1.1_2.6.31.14_0.6-6.9.39.i586.rpm
Platform Independent:
openSUSE 11.2:
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/noarch/kernel-source-2.6.31.14-0.6.1.noarch.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/noarch/kernel-source-vanilla-2.6.31.14-0.6.1.noarch.rpm
x86-64 Platform:
openSUSE 11.2:
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-debug-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-debug-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-debug-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-default-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-default-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-default-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-desktop-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-desktop-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-desktop-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-syms-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-trace-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-trace-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-trace-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-vanilla-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-vanilla-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-vanilla-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-xen-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-xen-base-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/kernel-xen-devel-2.6.31.14-0.6.1.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/preload-kmp-default-1.1_2.6.31.14_0.6-6.9.39.x86_64.rpm
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/11.2/rpm/x86_64/preload-kmp-desktop-1.1_2.6.31.14_0.6-6.9.39.x86_64.rpm
Sources:
openSUSE 11.2:
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
