The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - CVE-2008-2931: missing check before setting mount     propagation

  - CVE-2007-6716: dio: use kzalloc to zero out struct dio

  - CVE-2008-3272: snd_seq_oss_synth_make_info leak

  - CVE-2008-3275: vfs: fix lookup on deleted directory

  - CVE-2007-6417: tmpfs: restore missing clear_highpage

From Red Hat Security Advisory 2008:0972 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* a flaw was found in the Linux kernel's Direct-IO implementation.
This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)

* when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, Important)

* Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate)

* a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low)

* the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed.
(CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

* when using the CIFS 'forcedirectio' option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended.

* a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver.

* due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message: 'aac_srb: aac_fib_send failed with status: 8195'.

* due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot.

* the mpt driver produced a large number of extraneous debugging messages when performing a 'Host reset' operation.

* due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware.

* all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor.

* the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel.

* under certain conditions, the ext3 file system reported a negative count of used blocks.

* reading /proc/self/mem incorrectly returned 'Invalid argument' instead of 'input/output error' due to a regression.

* under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device.

* a race condition in the kernel could have led to a kernel crash during the creation of a new process.

All Red Hat Enterprise Linux 4 Users should upgrade to these updated packages, which contain backported patches to correct these issues.

From Red Hat Security Advisory 2008:0885 :

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* a missing capability check was found in the Linux kernel do_change_type routine. This could allow a local unprivileged user to gain privileged access or cause a denial of service. (CVE-2008-2931, Important)

* a flaw was found in the Linux kernel Direct-IO implementation. This could allow a local unprivileged user to cause a denial of service.
(CVE-2007-6716, Important)

* Tobias Klein reported a missing check in the Linux kernel Open Sound System (OSS) implementation. This deficiency could lead to a possible information leak. (CVE-2008-3272, Moderate)

* a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a flaw was found in the Linux kernel tmpfs implementation. This could allow a local unprivileged user to read sensitive information from the kernel. (CVE-2007-6417, Moderate)

Bug fixes :

* when copying a small IPoIB packet from the original skb it was received in to a new, smaller skb, all fields in the new skb were not initialized. This may have caused a kernel oops.

* previously, data may have been written beyond the end of an array, causing memory corruption on certain systems, resulting in hypervisor crashes during context switching.

* a kernel crash may have occurred on heavily-used Samba servers after 24 to 48 hours of use.

* under heavy memory pressure, pages may have been swapped out from under the SGI Altix XPMEM driver, causing silent data corruption in the kernel.

* the ixgbe driver is untested, but support was advertised for the Intel 82598 network card. If this card was present when the ixgbe driver was loaded, a NULL pointer dereference and a panic occurred.

* on certain systems, if multiple InfiniBand queue pairs simultaneously fell into an error state, an overrun may have occurred, stopping traffic.

* with bridging, when forward delay was set to zero, setting an interface to the forwarding state was delayed by one or possibly two timers, depending on whether STP was enabled. This may have caused long delays in moving an interface to the forwarding state. This issue caused packet loss when migrating virtual machines, preventing them from being migrated without interrupting applications.

* on certain multinode systems, IPMI device nodes were created in reverse order of where they physically resided.

* process hangs may have occurred while accessing application data files via asynchronous direct I/O system calls.

* on systems with heavy lock traffic, a possible deadlock may have caused anything requiring locks over NFS to stop, or be very slow.
Errors such as 'lockd: server [IP] not responding, timed out' were logged on client systems.

* unexpected removals of USB devices may have caused a NULL pointer dereference in kobject_get_path.

* on Itanium-based systems, repeatedly creating and destroying Windows guests may have caused Dom0 to crash, due to the 'XENMEM_add_to_physmap' hypercall, used by para-virtualized drivers on HVM, being SMP-unsafe.

* when using an MD software RAID, crashes may have occurred when devices were removed or changed while being iterated through. Correct locking is now used.

* break requests had no effect when using 'Serial Over Lan' with the Intel 82571 network card. This issue may have caused log in problems.

* on Itanium-based systems, module_free() referred the first parameter before checking it was valid. This may have caused a kernel panic when exiting SystemTap.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

- a flaw was found in the Linux kernel's Direct-IO     implementation. This could have allowed a local     unprivileged user to cause a denial of service.
    (CVE-2007-6716, Important)

  - when running ptrace in 31-bit mode on an IBM S/390 or     IBM System z kernel, a local unprivileged user could     cause a denial of service by reading from or writing     into a padding area in the user_regs_struct32 structure.
    (CVE-2008-1514, Important)

  - the do_truncate() and generic_file_splice_write()     functions did not clear the setuid and setgid bits. This     could have allowed a local unprivileged user to obtain     access to privileged information. (CVE-2008-4210,     Important)

  - Tobias Klein reported a missing check in the Linux     kernel's Open Sound System (OSS) implementation. This     deficiency could have led to an information leak.
    (CVE-2008-3272, Moderate)

  - a potential denial of service attack was discovered in     the Linux kernel's PWC USB video driver. A local     unprivileged user could have used this flaw to bring the     kernel USB subsystem into the busy-waiting state.
    (CVE-2007-5093, Low)

  - the ext2 and ext3 file systems code failed to properly     handle corrupted data structures, leading to a possible     local denial of service issue when read or write     operations were performed. (CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

  - when using the CIFS 'forcedirectio' option, appending to     an open file on a CIFS share resulted in that file being     overwritten with the data to be appended.

  - a kernel panic occurred when a device with PCI ID     8086:10c8 was present on a system with a loaded ixgbe     driver.

  - due to an aacraid driver regression, the kernel failed     to boot when trying to load the aacraid driver and     printed the following error message: 'aac_srb:
    aac_fib_send failed with status: 8195'.

  - due to an mpt driver regression, when RAID 1 was     configured on Primergy systems with an LSI SCSI IME     53C1020/1030 controller, the kernel panicked during     boot.

  - the mpt driver produced a large number of extraneous     debugging messages when performing a 'Host reset'     operation.

  - due to a regression in the sym driver, the kernel     panicked when a SCSI hot swap was performed using MCP18     hardware.

  - all cores on a multi-core system now scale their     frequencies in accordance with the policy set by the     system's CPU frequency governor.

  - the netdump subsystem suffered from several stability     issues. These are addressed in this updated kernel.

  - under certain conditions, the ext3 file system reported     a negative count of used blocks.

  - reading /proc/self/mem incorrectly returned 'Invalid     argument' instead of 'input/output error' due to a     regression.

  - under certain conditions, the kernel panicked when a USB     device was removed while the system was busy accessing     the device.

  - a race condition in the kernel could have led to a     kernel crash during the creation of a new process.

Security fixes :

  - a missing capability check was found in the Linux kernel     do_change_type routine. This could allow a local     unprivileged user to gain privileged access or cause a     denial of service. (CVE-2008-2931, Important)

  - a flaw was found in the Linux kernel Direct-IO     implementation. This could allow a local unprivileged     user to cause a denial of service. (CVE-2007-6716,     Important)

  - Tobias Klein reported a missing check in the Linux     kernel Open Sound System (OSS) implementation. This     deficiency could lead to a possible information leak.
    (CVE-2008-3272, Moderate)

  - a deficiency was found in the Linux kernel virtual     filesystem (VFS) implementation. This could allow a     local unprivileged user to attempt file creation within     deleted directories, possibly causing a denial of     service. (CVE-2008-3275, Moderate)

  - a flaw was found in the Linux kernel tmpfs     implementation. This could allow a local unprivileged     user to read sensitive information from the kernel.
    (CVE-2007-6417, Moderate)

Bug fixes :

  - when copying a small IPoIB packet from the original skb     it was received in to a new, smaller skb, all fields in     the new skb were not initialized. This may have caused a     kernel oops.

  - previously, data may have been written beyond the end of     an array, causing memory corruption on certain systems,     resulting in hypervisor crashes during context     switching.

  - a kernel crash may have occurred on heavily-used Samba     servers after 24 to 48 hours of use.

  - under heavy memory pressure, pages may have been swapped     out from under the SGI Altix XPMEM driver, causing     silent data corruption in the kernel.

  - the ixgbe driver is untested, but support was advertised     for the Intel 82598 network card. If this card was     present when the ixgbe driver was loaded, a NULL pointer     dereference and a panic occurred.

  - on certain systems, if multiple InfiniBand queue pairs     simultaneously fell into an error state, an overrun may     have occurred, stopping traffic.

  - with bridging, when forward delay was set to zero,     setting an interface to the forwarding state was delayed     by one or possibly two timers, depending on whether STP     was enabled. This may have caused long delays in moving     an interface to the forwarding state. This issue caused     packet loss when migrating virtual machines, preventing     them from being migrated without interrupting     applications.

  - on certain multinode systems, IPMI device nodes were     created in reverse order of where they physically     resided.

  - process hangs may have occurred while accessing     application data files via asynchronous direct I/O     system calls.

  - on systems with heavy lock traffic, a possible deadlock     may have caused anything requiring locks over NFS to     stop, or be very slow. Errors such as 'lockd: server     [IP] not responding, timed out' were logged on client     systems.

  - unexpected removals of USB devices may have caused a     NULL pointer dereference in kobject_get_path.

  - on Itanium-based systems, repeatedly creating and     destroying Windows guests may have caused Dom0 to crash,     due to the 'XENMEM_add_to_physmap' hypercall, used by     para-virtualized drivers on HVM, being SMP-unsafe.

  - when using an MD software RAID, crashes may have     occurred when devices were removed or changed while     being iterated through. Correct locking is now used.

  - break requests had no effect when using 'Serial Over     Lan' with the Intel 82571 network card. This issue may     have caused log in problems.

  - on Itanium-based systems, module_free() referred the     first parameter before checking it was valid. This may     have caused a kernel panic when exiting SystemTap.

This update of the SUSE Linux Enterprise 10 Service Pack 1 kernel contains lots of bugfixes and several security fixes :

  - Added missing capability checks in sbni_ioctl().
    (CVE-2008-3525)

  - On AMD64 some string operations could leak kernel     information into userspace. (CVE-2008-0598)

  - Added range checking in ASN.1 handling for the CIFS and     SNMP NAT netfilter modules. (CVE-2008-1673)

  - Fixed range checking in the snd_seq OSS ioctl, which     could be used to leak information from the kernel.
    (CVE-2008-3272)

  - Fixed a memory leak when looking up deleted directories     which could be used to run the system out of memory.
    (CVE-2008-3275)

  - The do_change_type function in fs/namespace.c did not     verify that the caller has the CAP_SYS_ADMIN capability,     which allows local users to gain privileges or cause a     denial of service by modifying the properties of a     mountpoint. (CVE-2008-2931)

  - Various NULL ptr checks have been added to the tty ops     functions, which might have been used by local attackers     to execute code. We think that this affects only devices     openable by root, so the impact is limited.
    (CVE-2008-2812)

This kernel security update fixes lots of bugs and some

Updated kernel packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* a missing capability check was found in the Linux kernel do_change_type routine. This could allow a local unprivileged user to gain privileged access or cause a denial of service. (CVE-2008-2931, Important)

* a flaw was found in the Linux kernel Direct-IO implementation. This could allow a local unprivileged user to cause a denial of service.
(CVE-2007-6716, Important)

* Tobias Klein reported a missing check in the Linux kernel Open Sound System (OSS) implementation. This deficiency could lead to a possible information leak. (CVE-2008-3272, Moderate)

* a deficiency was found in the Linux kernel virtual filesystem (VFS) implementation. This could allow a local unprivileged user to attempt file creation within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate)

* a flaw was found in the Linux kernel tmpfs implementation. This could allow a local unprivileged user to read sensitive information from the kernel. (CVE-2007-6417, Moderate)

Bug fixes :

* when copying a small IPoIB packet from the original skb it was received in to a new, smaller skb, all fields in the new skb were not initialized. This may have caused a kernel oops.

* previously, data may have been written beyond the end of an array, causing memory corruption on certain systems, resulting in hypervisor crashes during context switching.

* a kernel crash may have occurred on heavily-used Samba servers after 24 to 48 hours of use.

* under heavy memory pressure, pages may have been swapped out from under the SGI Altix XPMEM driver, causing silent data corruption in the kernel.

* the ixgbe driver is untested, but support was advertised for the Intel 82598 network card. If this card was present when the ixgbe driver was loaded, a NULL pointer dereference and a panic occurred.

* on certain systems, if multiple InfiniBand queue pairs simultaneously fell into an error state, an overrun may have occurred, stopping traffic.

* with bridging, when forward delay was set to zero, setting an interface to the forwarding state was delayed by one or possibly two timers, depending on whether STP was enabled. This may have caused long delays in moving an interface to the forwarding state. This issue caused packet loss when migrating virtual machines, preventing them from being migrated without interrupting applications.

* on certain multinode systems, IPMI device nodes were created in reverse order of where they physically resided.

* process hangs may have occurred while accessing application data files via asynchronous direct I/O system calls.

* on systems with heavy lock traffic, a possible deadlock may have caused anything requiring locks over NFS to stop, or be very slow.
Errors such as 'lockd: server [IP] not responding, timed out' were logged on client systems.

* unexpected removals of USB devices may have caused a NULL pointer dereference in kobject_get_path.

* on Itanium-based systems, repeatedly creating and destroying Windows guests may have caused Dom0 to crash, due to the 'XENMEM_add_to_physmap' hypercall, used by para-virtualized drivers on HVM, being SMP-unsafe.

* when using an MD software RAID, crashes may have occurred when devices were removed or changed while being iterated through. Correct locking is now used.

* break requests had no effect when using 'Serial Over Lan' with the Intel 82571 network card. This issue may have caused log in problems.

* on Itanium-based systems, module_free() referred the first parameter before checking it was valid. This may have caused a kernel panic when exiting SystemTap.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The openSUSE 11.0 kernel was updated to 2.6.25.16.

It fixes various stability bugs and also security bugs.

CVE-2008-1673: Fixed the range checking in the ASN.1 decoder in NAT for SNMP and CIFS, which could have been used by a remote attacker to crash the machine.

CVE-2008-3276: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim's machine remotely.

CVE-2008-3272: The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obtain sensitive information.

CVE-2008-3275: The (1) real_lookup and (2) __lookup_hash functions in fs/namei.c in the vfs implementation do not prevent creation of a child dentry for a deleted (aka S_DEAD) directory, which allows local users to cause a denial of service ('overflow' of the UBIFS orphan area) via a series of attempted file creations within deleted directories.

Also lots of bugs were fixed.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* a flaw was found in the Linux kernel's Direct-IO implementation.
This could have allowed a local unprivileged user to cause a denial of service. (CVE-2007-6716, Important)

* when running ptrace in 31-bit mode on an IBM S/390 or IBM System z kernel, a local unprivileged user could cause a denial of service by reading from or writing into a padding area in the user_regs_struct32 structure. (CVE-2008-1514, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could have allowed a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, Important)

* Tobias Klein reported a missing check in the Linux kernel's Open Sound System (OSS) implementation. This deficiency could have led to an information leak. (CVE-2008-3272, Moderate)

* a potential denial of service attack was discovered in the Linux kernel's PWC USB video driver. A local unprivileged user could have used this flaw to bring the kernel USB subsystem into the busy-waiting state. (CVE-2007-5093, Low)

* the ext2 and ext3 file systems code failed to properly handle corrupted data structures, leading to a possible local denial of service issue when read or write operations were performed.
(CVE-2008-3528, Low)

In addition, these updated packages fix the following bugs :

* when using the CIFS 'forcedirectio' option, appending to an open file on a CIFS share resulted in that file being overwritten with the data to be appended.

* a kernel panic occurred when a device with PCI ID 8086:10c8 was present on a system with a loaded ixgbe driver.

* due to an aacraid driver regression, the kernel failed to boot when trying to load the aacraid driver and printed the following error message: 'aac_srb: aac_fib_send failed with status: 8195'.

* due to an mpt driver regression, when RAID 1 was configured on Primergy systems with an LSI SCSI IME 53C1020/1030 controller, the kernel panicked during boot.

* the mpt driver produced a large number of extraneous debugging messages when performing a 'Host reset' operation.

* due to a regression in the sym driver, the kernel panicked when a SCSI hot swap was performed using MCP18 hardware.

* all cores on a multi-core system now scale their frequencies in accordance with the policy set by the system's CPU frequency governor.

* the netdump subsystem suffered from several stability issues. These are addressed in this updated kernel.

* under certain conditions, the ext3 file system reported a negative count of used blocks.

* reading /proc/self/mem incorrectly returned 'Invalid argument' instead of 'input/output error' due to a regression.

* under certain conditions, the kernel panicked when a USB device was removed while the system was busy accessing the device.

* a race condition in the kernel could have led to a kernel crash during the creation of a new process.

All Red Hat Enterprise Linux 4 Users should upgrade to these updated packages, which contain backported patches to correct these issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2008:0972 advisory.

  - kernel PWC driver DoS (CVE-2007-5093)

  - kernel: dio: zero struct dio with kzalloc instead of manually (CVE-2007-6716)

  - kernel: ptrace: Padding area write - unprivileged kernel crash (CVE-2008-1514)

  - kernel snd_seq_oss_synth_make_info leak (CVE-2008-3272)

  - Linux kernel ext[234] directory corruption denial of service (CVE-2008-3528)

  - kernel: open() call allows setgid bit when user is not in new file's group (CVE-2008-4210)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This kernel update fixes various bugs and also several security issues :

CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack.

CVE-2008-3833: The generic_file_splice_write function in fs/splice.c in the Linux kernel does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory.

CVE-2008-4210: fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O.

CVE-2008-4302: fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.

CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile.

CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.

CVE-2008-3525: Added missing capability checks in sbni_ioctl().

CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel.

CVE-2008-2931: The do_change_type function in fs/namespace.c did not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.

CVE-2008-2812: Various NULL ptr checks have been added to tty op functions, which might have been used by local attackers to execute code. We think that this affects only devices openable by root, so the impact is limited.

CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and SNMP NAT netfilter modules.

CVE-2008-3527: arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 did not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.

The openSUSE 10.3 kernel was update to 2.6.22.19. This includes bugs and security fixes.

CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack.

CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile.

CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test.

CVE-2008-3525: Added missing capability checks in sbni_ioctl().

CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel.

CVE-2008-3276: An integer overflow flaw was found in the Linux kernel dccp_setsockopt_change() function. An attacker may leverage this vulnerability to trigger a kernel panic on a victim's machine remotely.

CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and SNMP NAT netfilter modules.

CVE-2008-2826: A integer overflow in SCTP was fixed, which might have been used by remote attackers to crash the machine or potentially execute code.

CVE-2008-2812: Various NULL ptr checks have been added to tty op functions, which might have been used by local attackers to execute code. We think that this affects only devices openable by root, so the impact is limited.

This update of the SUSE Linux Enterprise 10 Service Pack 1 kernel contains lots of bugfixes and several security fixes :

  - Added missing capability checks in sbni_ioctl().
    (CVE-2008-3525)

  - On AMD64 some string operations could leak kernel     information into userspace. (CVE-2008-0598)

  - Added range checking in ASN.1 handling for the CIFS and     SNMP NAT netfilter modules. (CVE-2008-1673)

  - Fixed range checking in the snd_seq OSS ioctl, which     could be used to leak information from the kernel.
    (CVE-2008-3272)

  - Fixed a memory leak when looking up deleted directories     which could be used to run the system out of memory.
    (CVE-2008-3275)

  - The do_change_type function in fs/namespace.c did not     verify that the caller has the CAP_SYS_ADMIN capability,     which allows local users to gain privileges or cause a     denial of service by modifying the properties of a     mountpoint. (CVE-2008-2931)

  - Various NULL ptr checks have been added to tty op     functions, which might have been used by local attackers     to execute code. We think that this affects only devices     openable by root, so the impact is limited.
    (CVE-2008-2812)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or leak sensitive data. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-3272     Tobias Klein reported a locally exploitable data leak in     the snd_seq_oss_synth_make_info() function. This may     allow local users to gain access to sensitive     information.

  - CVE-2008-3275     Zoltan Sogor discovered a coding error in the VFS that     allows local users to exploit a kernel memory leak     resulting in a denial of service.

  - CVE-2008-3276     Eugene Teo reported an integer overflow in the DCCP     subsystem that may allow remote attackers to cause a     denial of service in the form of a kernel panic.

  - CVE-2008-3526     Eugene Teo reported a missing bounds check in the SCTP     subsystem. By exploiting an integer overflow in the     SCTP_AUTH_KEY handling code, remote attackers may be     able to cause a denial of service in the form of a     kernel panic.

  - CVE-2008-3534     Kel Modderman reported an issue in the tmpfs filesystem     that allows local users to crash a system by triggering     a kernel BUG() assertion.

  - CVE-2008-3535     Alexey Dobriyan discovered an off-by-one-error in the     iov_iter_advance function which can be exploited by     local users to crash a system, resulting in a denial of     service.

  - CVE-2008-3792     Vlad Yasevich reported several NULL pointer reference     conditions in the SCTP subsystem that can be triggered     by entering sctp-auth codepaths when the AUTH feature is     inactive. This may allow attackers to cause a denial of     service condition via a system panic.

  - CVE-2008-3915     Johann Dahm and David Richter reported an issue in the     nfsd subsystem that may allow remote attackers to cause     a denial of service via a buffer overflow.

It was discovered that there were multiple NULL pointer function dereferences in the Linux kernel terminal handling code. A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service. (CVE-2008-2812)

The do_change_type routine did not correctly validation administrative users. A local attacker could exploit this to block mount points or cause private mounts to be shared, leading to denial of service or a possible loss of privacy. (CVE-2008-2931)

Tobias Klein discovered that the OSS interface through ALSA did not correctly validate the device number. A local attacker could exploit this to access sensitive kernel memory, leading to a denial of service or a loss of privacy. (CVE-2008-3272)

Zoltan Sogor discovered that new directory entries could be added to already deleted directories. A local attacker could exploit this, filling up available memory and disk space, leading to a denial of service. (CVE-2008-3275)

In certain situations, the fix for CVE-2008-0598 from USN-623-1 was causing infinite loops in the writev syscall. This update corrects the mistake. We apologize for the inconvenience.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-6282     Dirk Nehring discovered a vulnerability in the IPsec     code that allows remote users to cause a denial of     service by sending a specially crafted ESP packet.

  - CVE-2008-0598     Tavis Ormandy discovered a vulnerability that allows     local users to access uninitialized kernel memory,     possibly leaking sensitive data. This issue is specific     to the amd64-flavour kernel images.

  - CVE-2008-2729     Andi Kleen discovered an issue where uninitialized     kernel memory was being leaked to userspace during an     exception. This issue may allow local users to gain     access to sensitive data. Only the amd64-flavour Debian     kernel images are affected.

  - CVE-2008-2812     Alan Cox discovered an issue in multiple tty drivers     that allows local users to trigger a denial of service     (NULL pointer dereference) and possibly obtain elevated     privileges.

  - CVE-2008-2826     Gabriel Campana discovered an integer overflow in the     sctp code that can be exploited by local users to cause     a denial of service.

  - CVE-2008-2931     Miklos Szeredi reported a missing privilege check in the     do_change_type() function. This allows local,     unprivileged users to change the properties of mount     points.

  - CVE-2008-3272     Tobias Klein reported a locally exploitable data leak in     the snd_seq_oss_synth_make_info() function. This may     allow local users to gain access to sensitive     information.

  - CVE-2008-3275     Zoltan Sogor discovered a coding error in the VFS that     allows local users to exploit a kernel memory leak     resulting in a denial of service.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0972.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0885.

ID	Name	Product	Family	Severity
79448	OracleVM 2.1 : kernel (OVMSA-2008-2006)	Nessus	OracleVM Local Security Checks	high
67762	Oracle Linux 4 : kernel (ELSA-2008-0972)	Nessus	Oracle Linux Local Security Checks	medium
67747	Oracle Linux 5 : kernel (ELSA-2008-0885)	Nessus	Oracle Linux Local Security Checks	high
60497	Scientific Linux Security Update : kernel on SL4.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
60477	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
59131	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5608)	Nessus	SuSE Local Security Checks	critical
59130	SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5605)	Nessus	SuSE Local Security Checks	critical
43710	CentOS 5 : kernel (CESA-2008:0885)	Nessus	CentOS Local Security Checks	high
41534	SuSE 10 Security Update : Linux Kernel (x86) (ZYPP Patch Number 5565)	Nessus	SuSE Local Security Checks	critical
40009	openSUSE Security Update : kernel (kernel-171)	Nessus	SuSE Local Security Checks	critical
37341	CentOS 4 : kernel (CESA-2008:0972)	Nessus	CentOS Local Security Checks	medium
34841	RHEL 4 : kernel (RHSA-2008:0972)	Nessus	Red Hat Local Security Checks	medium
34755	openSUSE 10 Security Update : kernel (kernel-5751)	Nessus	SuSE Local Security Checks	critical
34457	openSUSE 10 Security Update : kernel (kernel-5700)	Nessus	SuSE Local Security Checks	critical
34331	SuSE 10 Security Update : the Linux Kernel (x86) (ZYPP Patch Number 5566)	Nessus	SuSE Local Security Checks	critical
34288	RHEL 5 : kernel (RHSA-2008:0885)	Nessus	Red Hat Local Security Checks	high
34171	Debian DSA-1636-1 : linux-2.6.24 - denial of service/information leak	Nessus	Debian Local Security Checks	high
34048	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : linux, linux-source-2.6.15/20/22 vulnerabilities (USN-637-1)	Nessus	Ubuntu Local Security Checks	high
34032	Debian DSA-1630-1 : linux-2.6 - denial of service/information leak	Nessus	Debian Local Security Checks	high
801459	CentOS RHSA-2008-0972 Security Check	Log Correlation Engine	Generic	high
801457	CentOS RHSA-2008-0885 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2008-3272

medium

Tenable Plugins

high

medium

high

medium

high

critical

critical

high

critical

critical

medium

medium

critical

critical

critical

high

high

high

high

high

high