Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1193 advisory.

    - [fs] ecryptfs: check tag 11 packet literal data buffer size (Eric Sandeen ) [512862 512863]     {CVE-2009-2406}
    - [fs] ecryptfs: check tag 3 packet encrypted key size (Eric Sandeen ) [512886 512887] {CVE-2009-2407}
    - [misc] personality handling: fix PER_CLEAR_ON_SETID (Vitaly Mayatskikh ) [511173 508842] {CVE-2009-1895}
    - [misc] hrtimer: fix a soft lockup (Amerigo Wang ) [418061 418071] {CVE-2007-5966}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2007-5966 kernel: non-root can trigger cpu_idle soft lockup CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service CVE-2009-1388 kernel: do_coredump() vs ptrace_start() deadlock CVE-2009-1389 kernel: r8169: fix crash when large packets are received CVE-2009-1895 kernel: personality: fix PER_CLEAR_ON_SETID CVE-2009-2406 kernel: ecryptfs stack overflow in parse_tag_11_packet() CVE-2009-2407 kernel: ecryptfs heap overflow in parse_tag_3_packet()

Security fixes :

  - the possibility of a timeout value overflow was found in     the Linux kernel high-resolution timers functionality,     hrtimers. This could allow a local, unprivileged user to     execute arbitrary code, or cause a denial of service     (kernel panic). (CVE-2007-5966, Important)

  - a flaw was found in the Intel PRO/1000 network driver in     the Linux kernel. Frames with sizes near the MTU of an     interface may be split across multiple hardware receive     descriptors. Receipt of such a frame could leak through     a validation check, leading to a corruption of the     length check. A remote attacker could use this flaw to     send a specially crafted packet that would cause a     denial of service or code execution. (CVE-2009-1385,     Important)

  - Michael Tokarev reported a flaw in the Realtek r8169     Ethernet driver in the Linux kernel. This driver allowed     interfaces using this driver to receive frames larger     than could be handled, which could lead to a remote     denial of service or code execution. (CVE-2009-1389,     Important)

  - the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not     cleared when a setuid or setgid program was executed. A     local, unprivileged user could use this flaw to bypass     the mmap_min_addr protection mechanism and perform a     NULL pointer dereference attack, or bypass the Address     Space Layout Randomization (ASLR) security feature.
    (CVE-2009-1895, Important)

  - Ramon de Carvalho Valle reported two flaws in the Linux     kernel eCryptfs implementation. A local attacker with     permissions to perform an eCryptfs mount could modify     the metadata of the files in that eCrypfts mount to     cause a buffer overflow, leading to a denial of service     or privilege escalation. (CVE-2009-2406, CVE-2009-2407,     Important)

  - Konstantin Khlebnikov discovered a race condition in the     ptrace implementation in the Linux kernel. This race     condition can occur when the process tracing and the     process being traced participate in a core dump. A     local, unprivileged user could use this flaw to trigger     a deadlock, resulting in a partial denial of service.
    (CVE-2009-1388, Moderate)

Bug fixes :

  - possible host (dom0) crash when installing a Xen     para-virtualized guest while another para-virtualized     guest was rebooting. (BZ#497812)

  - no audit record for a directory removal if the directory     and its subtree were recursively watched by an audit     rule. (BZ#507561)

  - running 'echo 1 > /proc/sys/vm/drop_caches' on systems     under high memory load could cause a kernel panic.
    (BZ#503692)

  - on 32-bit systems, core dumps for some multithreaded     applications did not include all thread information.
    (BZ#505322)

  - a stack buffer used by get_event_name() was not large     enough for the nul terminator sprintf() writes. This     could lead to an invalid pointer or kernel panic.
    (BZ#506906)

  - when using the aic94xx driver, a system with SATA drives     may not boot due to a bug in libsas. (BZ#506029)

  - incorrect stylus button handling when moving it away     then returning it to the tablet for Wacom Cintiq 21UX     and Intuos tablets. (BZ#508275)

  - CPU 'soft lockup' messages and possibly a system hang on     systems with certain Broadcom network devices and     running the Linux kernel from the kernel-xen package.
    (BZ#503689)

  - on 64-bit PowerPC, getitimer() failed for programs using     the ITIMER_REAL timer and that were also compiled for     64-bit systems (this caused such programs to abort).
    (BZ#510018)

  - write operations could be blocked even when using     O_NONBLOCK. (BZ#510239)

  - the 'pci=nomsi' option was required for installing and     booting Red Hat Enterprise Linux 5.2 on systems with VIA     VT3364 chipsets. (BZ#507529)

  - shutting down, destroying, or migrating Xen guests with     large amounts of memory could cause other guests to be     temporarily unresponsive. (BZ#512311)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-1895     Julien Tinnes and Tavis Ormandy reported an issue in the     Linux personality code. Local users can take advantage     of a setuid binary that can either be made to     dereference a NULL pointer or drop privileges and return     control to the user. This allows a user to bypass     mmap_min_addr restrictions which can be exploited to     execute arbitrary code.

  - CVE-2009-2287     Matt T. Yourst discovered an issue in the kvm subsystem.
    Local users with permission to manipulate /dev/kvm can     cause a denial of service (hang) by providing an invalid     cr3 value to the KVM_SET_SREGS call.

  - CVE-2009-2406 CVE-2009-2407     Ramon de Carvalho Valle discovered two issues with the     eCryptfs layered filesystem using the fsfuzzer utility.
    A local user with permissions to perform an eCryptfs     mount may modify the contents of a eCryptfs file,     overflowing the stack and potentially gaining elevated     privileges.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-1385     Neil Horman discovered a missing fix from the e1000     network driver. A remote user may cause a denial of     service by way of a kernel panic triggered by specially     crafted frame sizes.

  - CVE-2009-1389     Michael Tokarev discovered an issue in the r8169 network     driver. Remote users on the same LAN may cause a denial     of service by way of a kernel panic triggered by     receiving a large size frame.

  - CVE-2009-1630     Frank Filz discovered that local users may be able to     execute files without execute permission when accessed     via an nfs4 mount.

  - CVE-2009-1633     Jeff Layton and Suresh Jayaraman fixed several buffer     overflows in the CIFS filesystem which allow remote     servers to cause memory corruption.

  - CVE-2009-1895     Julien Tinnes and Tavis Ormandy reported an issue in the     Linux personality code. Local users can take advantage     of a setuid binary that can either be made to     dereference a NULL pointer or drop privileges and return     control to the user. This allows a user to bypass     mmap_min_addr restrictions which can be exploited to     execute arbitrary code.

  - CVE-2009-1914     Mikulas Patocka discovered an issue in sparc64 kernels     that allows local users to cause a denial of service     (crash) by reading the /proc/iomem file.

  - CVE-2009-1961     Miklos Szeredi reported an issue in the ocfs2     filesystem. Local users can create a denial of service     (filesystem deadlock) using a particular sequence of     splice system calls.

  - CVE-2009-2406 CVE-2009-2407     Ramon de Carvalho Valle discovered two issues with the     eCryptfs layered filesystem using the fsfuzzer utility.
    A local user with permissions to perform an eCryptfs     mount may modify the contents of a eCryptfs file,     overflowing the stack and potentially gaining elevated     privileges.

Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* the possibility of a timeout value overflow was found in the Linux kernel high-resolution timers functionality, hrtimers. This could allow a local, unprivileged user to execute arbitrary code, or cause a denial of service (kernel panic). (CVE-2007-5966, Important)

* a flaw was found in the Intel PRO/1000 network driver in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)

* Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the Linux kernel. This driver allowed interfaces using this driver to receive frames larger than could be handled, which could lead to a remote denial of service or code execution. (CVE-2009-1389, Important)

* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.
(CVE-2009-1895, Important)

* Ramon de Carvalho Valle reported two flaws in the Linux kernel eCryptfs implementation. A local attacker with permissions to perform an eCryptfs mount could modify the metadata of the files in that eCrypfts mount to cause a buffer overflow, leading to a denial of service or privilege escalation. (CVE-2009-2406, CVE-2009-2407, Important)

* Konstantin Khlebnikov discovered a race condition in the ptrace implementation in the Linux kernel. This race condition can occur when the process tracing and the process being traced participate in a core dump. A local, unprivileged user could use this flaw to trigger a deadlock, resulting in a partial denial of service. (CVE-2009-1388, Moderate)

Bug fixes (see References below for a link to more detailed notes) :

* possible dom0 crash when a Xen para-virtualized guest was installed while another para-virtualized guest was rebooting. (BZ#497812)

* no directory removal audit record if the directory and its subtree were recursively watched by an audit rule. (BZ#507561)

* running 'echo 1 > /proc/sys/vm/drop_caches' under high memory load could cause a kernel panic. (BZ#503692)

* on 32-bit systems, core dumps for some multithreaded applications did not include all thread information. (BZ#505322)

* a stack buffer used by get_event_name() was too small for nul terminator sprintf() writes. This could lead to an invalid pointer or kernel panic. (BZ#506906)

* when using the aic94xx driver, systems with SATA drives may not boot due to a libsas bug. (BZ#506029)

* Wacom Cintiq 21UX and Intuos stylus buttons were handled incorrectly when moved away from and back to these tablets. (BZ#508275)

* CPU 'soft lockup' messages and possibe system hangs on systems with certain Broadcom network devices and running the Linux kernel from the kernel-xen package. (BZ#503689)

* on 64-bit PowerPC, getitimer() failed for programs using the ITIMER_REAL timer that were also compiled for 64-bit systems. This caused such programs to abort. (BZ#510018)

* write operations could be blocked even when using O_NONBLOCK.
(BZ#510239)

* the 'pci=nomsi' option was required for installing and booting Red Hat Enterprise Linux 5.2 on systems with VIA VT3364 chipsets.
(BZ#507529)

* shutting down, destroying, or migrating Xen guests with large amounts of memory could cause other guests to be temporarily unresponsive. (BZ#512311)

Users should upgrade to these updated packages, which contain backported patches to correct these issues. Systems must be rebooted for this update to take effect.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR). (CVE-2009-1895)

Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size. (CVE-2009-2406)

Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet. (CVE-2009-2407)

The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux kernel 2.6.31 allows local users to cause a denial of service (kernel OOPS) and possibly execute arbitrary code via unspecified vectors that cause a negative dentry and trigger a NULL pointer dereference, as demonstrated via a Mutt temporary directory in an eCryptfs mount.
(CVE-2009-2908)

The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when running on x86 systems, does not prevent access to MMU hypercalls from ring 0, which allows local guest OS users to cause a denial of service (guest kernel crash) and read or write guest kernel memory via unspecified random addresses. (CVE-2009-3290)

Additionaly, it includes the fixes from the stable kernel version 2.6.27.37. It also fixes also fixes IBM x3650 M2 hanging when using both network interfaces and Wake on Lan problems on r8169. For details, check the package changelog.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

This kernel update for openSUSE 10.3 fixes some bugs and several security problems.

The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges.

CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use.

CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use.

The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively.

CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network.

CVE-2009-0676: A memory disclosure via the SO_BSDCOMPAT socket option was fixed.

CVE-2009-1630: The nfs_permission function in fs/nfs/dir.c in the NFS client implementation when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

random: make get_random_int() was made more random to enhance ASLR protection.

The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues.

The following security issues were fixed :

  - A missing NULL pointer check in the socket sendpage     function can be used by local attackers to gain root     privileges. (CVE-2009-2692)

  - A kernel stack overflow when mounting eCryptfs     filesystems in parse_tag_11_packet() was fixed. Code     execution might be possible of ecryptfs is in use.
    (CVE-2009-2406)

  - A kernel heap overflow when mounting eCryptfs     filesystems in parse_tag_3_packet() was fixed. Code     execution might be possible of ecryptfs is in use.
    (CVE-2009-2407)

The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively.

  - A crash in the r8169 driver when receiving large packets     was fixed. This is probably exploitable only in the     local network. (CVE-2009-1389)

No CVE yet: A sigaltstack kernel memory disclosure was fixed.

The NULL page protection using mmap_min_addr was enabled (was disabled before).

This update also adds the Microsoft Hyper-V drivers from upstream.

Additionaly a lot of bugs were fixed.

The SUSE Linux Enterprise 11 Kernel was updated to 2.6.27.29 fixing various bugs and security issues.

Following security issues were fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges.

CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use.

CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use.

The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively.

CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network.

No CVE yet: A sigaltstack kernel memory disclosure was fixed.

The NULL page protection using mmap_min_addr was enabled (was disabled before).

This update also adds the Microsoft Hyper-V drivers from upstream.

This kernel update for openSUSE 11.0 fixes some bugs and several security problems.

The following security issues are fixed: CVE-2009-2692: A missing NULL pointer check in the socket sendpage function can be used by local attackers to gain root privileges.

CVE-2009-2406: A kernel stack overflow when mounting eCryptfs filesystems in parse_tag_11_packet() was fixed. Code execution might be possible of ecryptfs is in use.

CVE-2009-2407: A kernel heap overflow when mounting eCryptfs filesystems in parse_tag_3_packet() was fixed. Code execution might be possible of ecryptfs is in use.

The compiler option -fno-delete-null-pointer-checks was added to the kernel build, and the -fwrapv compiler option usage was fixed to be used everywhere. This works around the compiler removing checks too aggressively.

CVE-2009-1389: A crash in the r8169 driver when receiving large packets was fixed. This is probably exploitable only in the local network.

CVE-2009-1895: Personality flags on set*id were not cleared correctly, so ASLR and NULL page protection could be bypassed.

CVE-2009-1046: A utf-8 console memory corruption that can be used for local privilege escalation was fixed.

The NULL page protection using mmap_min_addr was enabled (was disabled before).

No CVE yet: A sigaltstack kernel memory disclosure was fixed.

CVE-2008-5033: A local denial of service (Oops) in video4linux tvaudio was fixed.

CVE-2009-1385: A Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1000/e1000_main.c in the e1000 driver the e1000e driver in the Linux kernel, and Intel Wired Ethernet (aka e1000) before 7.5.5 allows remote attackers to cause a denial of service (panic) via a crafted frame size.

Update to linux kernel 2.6.27.29:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.26 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.27 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.28 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.29 Fixes security bugs: CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 Adds
-fno-delete- null-pointer-checks gcc compile flag to protect against issues similar to CVE-2009-1897.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fix security bugs: CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 Add -fno- delete-null-pointer-checks gcc compile flag to protect against issues similar to CVE-2009-1897. Fix virtio_blk driver bug (reported against Fedora 10.) iwl3945 wireless driver rfkill fixes. Fix DPMS on some nVidia adapters when using the nouveau driver.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Michael Tokarev discovered that the RTL8169 network driver did not correctly validate buffer sizes. A remote attacker on the local network could send specially crafted traffic that would crash the system or potentially grant elevated privileges. (CVE-2009-1389)

Julien Tinnes and Tavis Ormandy discovered that when executing setuid processes the kernel did not clear certain personality flags. A local attacker could exploit this to map the NULL memory page, causing other vulnerabilities to become exploitable. Ubuntu 6.06 was not affected.
(CVE-2009-1895)

Matt T. Yourst discovered that KVM did not correctly validate the page table root. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 6.06 was not affected.
(CVE-2009-2287)

Ramon de Carvalho Valle discovered that eCryptfs did not correctly validate certain buffer sizes. A local attacker could create specially crafted eCryptfs files to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-2406, CVE-2009-2407).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2009-1193.

ID	Name	Product	Family	Severity
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
79507	OracleVM 2.2 : kernel (OVMSA-2013-0039)	Nessus	OracleVM Local Security Checks	high
67904	Oracle Linux 5 : kernel (ELSA-2009-1193)	Nessus	Oracle Linux Local Security Checks	medium
60634	Scientific Linux Security Update : kernel for SL 5.x on i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
44710	Debian DSA-1845-1 : linux-2.6 - denial of service, privilege escalation	Nessus	Debian Local Security Checks	high
44709	Debian DSA-1844-1 : linux-2.6.24 - denial of service/privilege escalation	Nessus	Debian Local Security Checks	high
43773	CentOS 5 : kernel (CESA-2009:1193)	Nessus	CentOS Local Security Checks	high
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	medium
42284	Mandriva Linux Security Advisory : kernel (MDVSA-2009:289)	Nessus	Mandriva Local Security Checks	high
42009	openSUSE 10 Security Update : kernel (kernel-6440)	Nessus	SuSE Local Security Checks	high
41414	SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 1212 / 1218 / 1219)	Nessus	SuSE Local Security Checks	high
40789	openSUSE Security Update : kernel (kernel-1214)	Nessus	SuSE Local Security Checks	high
40783	openSUSE Security Update : kernel (kernel-1211)	Nessus	SuSE Local Security Checks	high
40487	RHEL 5 : kernel (RHSA-2009:1193)	Nessus	Red Hat Local Security Checks	high
40482	Fedora 10 : kernel-2.6.27.29-170.2.78.fc10 (2009-8264)	Nessus	Fedora Local Security Checks	high
40481	Fedora 11 : kernel-2.6.29.6-217.2.3.fc11 (2009-8144)	Nessus	Fedora Local Security Checks	high
40416	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-807-1)	Nessus	Ubuntu Local Security Checks	high
801471	CentOS RHSA-2009-1193 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2009-2407

high

Tenable Plugins

critical

high

medium

high

high

high

high

medium

high

high

high

high

high

high

high

high

high

high