Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries :

  - Kernel
  - krb5
  - glibc
  - mtp2sas
  - mptsas
  - mptspi

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-0007 advisory.

  - Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the     Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system     crash) via unspecified vectors. (CVE-2010-2492)

  - The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the     Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before     2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a     large memory-allocation amount. (CVE-2010-2803)

  - The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before     2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users     to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and     obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID     ioctl call that specifies a large buffer size. (CVE-2010-2955)

  - drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the     Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate     pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and     consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread     operations. (CVE-2010-2962)

  - Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before     2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified     other impact via crafted use of the io_submit system call. (CVE-2010-3067)

  - The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does     not initialize a certain structure member, which allows local users to obtain potentially sensitive     information from kernel stack memory via an ioctl call. (CVE-2010-3078)

  - kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly     handle interaction between mutex possession and llseek operations, which allows local users to cause a     denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on     a file descriptor associated with the set_ftrace_filter file. (CVE-2010-3079)

  - Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the     Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have     unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080)

  - The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before     2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit     compatibility layer, which allows local users to gain privileges by leveraging the ability of the     compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length     value, related to a stack pointer underflow issue, as exploited in the wild in September 2010.
    (CVE-2010-3081)

  - Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before     2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via     the ETHTOOL_GRXCLSRLALL ethtool command. (CVE-2010-3084)

  - The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not     properly initialize a certain structure member, which allows local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-3298)

  - The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before     2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path     to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to     the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573     regression. (CVE-2010-3301)

  - The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs     extraneous initializations of packet data structures, which allows remote attackers to cause a denial of     service (panic) via a certain sequence of SCTP traffic. (CVE-2010-3432)

  - Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux     kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a     denial of service (invalid pointer dereference and system crash) via a crafted index value in a     PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)

  - Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before     2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or     possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2)     SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442)

  - The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network     queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain     structure members, which allows local users to obtain potentially sensitive information from kernel memory     via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2010-2942. (CVE-2010-3477)

  - The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment     registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl     call in conjunction with a modified Local Descriptor Table (LDT). (CVE-2010-3698)

  - The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not     properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of     service (memory corruption and panic) via a crafted value in the last element of this array.
    (CVE-2010-3705)

  - The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize     a certain block of heap memory, which allows local users to obtain potentially sensitive information via     an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than     CVE-2010-2478. (CVE-2010-3861)

  - Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users     to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a     Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow. (CVE-2010-3865)

  - Heap-based buffer overflow in the bcm_connect function in net/can/bcm.c (aka the Broadcast Manager) in the     Controller Area Network (CAN) implementation in the Linux kernel before 2.6.36.2 on 64-bit platforms might     allow local users to cause a denial of service (memory corruption) via a connect operation.
    (CVE-2010-3874)

  - net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain     structure members, which allows local users to obtain potentially sensitive information from kernel stack     memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.
    (CVE-2010-3876)

  - net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode,     which allows local users to cause a denial of service (kernel infinite loop) via crafted     INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as     demonstrated by INET_DIAG_BC_JMP instructions. (CVE-2010-3880)

  - The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol     implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user     space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system     calls. (CVE-2010-3904)

  - The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a     certain structure, which allows local users to obtain potentially sensitive information from kernel stack     memory via vectors related to the shmctl system call and the old shm interface. (CVE-2010-4072)

  - The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which     allows local users to obtain potentially sensitive information from kernel stack memory via vectors     related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in     ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in     ipc/compat_mq.c. (CVE-2010-4073)

  - The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure     members, which allows local users to obtain potentially sensitive information from kernel stack memory via     vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in     drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c.
    (CVE-2010-4074)

  - The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not     properly initialize a certain structure member, which allows local users to obtain potentially sensitive     information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4075)

  - The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does     not properly initialize a certain structure member, which allows local users to obtain potentially     sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. (CVE-2010-4077)

  - The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does     not properly initialize a certain structure member, which allows local users to obtain potentially     sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. (CVE-2010-4079)

  - The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does     not initialize a certain structure, which allows local users to obtain potentially sensitive information     from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call. (CVE-2010-4080)

  - The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does     not initialize a certain structure, which allows local users to obtain potentially sensitive information     from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call. (CVE-2010-4081)

  - The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5     does not properly initialize a certain structure member, which allows local users to obtain potentially     sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. (CVE-2010-4082)

  - The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a     certain structure, which allows local users to obtain potentially sensitive information from kernel stack     memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.
    (CVE-2010-4083)

  - The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether     a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM     instruction, which allows local users to obtain potentially sensitive information from kernel stack memory     via a crafted socket filter. (CVE-2010-4158)

  - Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2)     l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux     kernel before 2.6.36.2 allow local users to cause a denial of service (heap memory corruption and panic)     or possibly gain privileges via a crafted sendto call. (CVE-2010-4160)

  - Multiple integer overflows in fs/bio.c in the Linux kernel before 2.6.36.2 allow local users to cause a     denial of service (system crash) via a crafted device ioctl to a SCSI device. (CVE-2010-4162)

  - The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.36.2 allows local users     to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device.
    (CVE-2010-4163)

  - The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel     2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows     local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth     driver. (CVE-2010-4242)

  - Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows     local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread     group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread     function in fs/exec.c. (CVE-2010-4248)

  - The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125     does not properly select times for garbage collection of inflight sockets, which allows local users to     cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for     SOCK_SEQPACKET sockets. (CVE-2010-4249)

  - The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb)     subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous     mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL     pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.
    (CVE-2010-4263)

  - Linux kernel 2.6.33 and 2.6.34.y does not initialize the kvm_vcpu_events->interrupt.pad structure member,     which allows local users to obtain potentially sensitive information from kernel stack memory via     unspecified vectors. (CVE-2010-4525)

  - The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local     users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI     device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2010-4163. (CVE-2010-4668)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2010-0723 advisory.

    - [misc] make compat_alloc_user_space() incorporate the access_ok()       (Don Howard) [634463 634464] {CVE-2010-3081}
    - [fs] xfs: fix missing untrusted inode lookup tag (Dave Chinner)       [624366 607032] {CVE-2010-2943}
    - [net] sched: fix some kernel memory leaks (Jiri Pirko) [624904 624638]       {CVE-2010-2942}
    - [usb] fix usbfs information leak (Eugene Teo) [566628 566629] {CVE-2010-1083}
    - [fs] xfs: rename XFS_IGET_BULKSTAT to XFS_IGET_UNTRUSTED (Dave Chinner)       [624366 607032] {CVE-2010-2943}
    - [fs] xfs: validate untrusted inode numbers during lookup (Dave Chinner)       [624366 607032] {CVE-2010-2943}
    - [fs] xfs: always use iget in bulkstat (Dave Chinner) [624366 607032]       {CVE-2010-2943}
    - [xen] fix guest crash on non-EPT machine may crash host (Paolo Bonzini)       [621429 621430] {CVE-2010-2938}
    - [fs] ext4: consolidate in_range definitions (Eric Sandeen) [624331 624332]       {CVE-2010-3015}
    - [mm] accept an abutting stack segment (Jiri Pirko) [607857 607858]       {CVE-2010-2240}
    - [mm] pass correct mm when growing stack (Jiri Pirko) [607857 607858]       {CVE-2010-2240}
    - [mm] fix up some user-visible effects of stack guard page (Jiri Pirko)       [607857 607858] {CVE-2010-2240}
    - [mm] fix page table unmap for stack guard page properly (Jiri Pirko)       [607857 607858] {CVE-2010-2240}
    - [mm] fix missing unmap for stack guard page failure case (Jiri Pirko)       [607857 607858] {CVE-2010-2240}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues :

* A buffer overflow flaw was found in the ecryptfs_uid_hash() function in the Linux kernel eCryptfs implementation. On systems that have the eCryptfs netlink transport (Red Hat Enterprise Linux 5 does) or where the '/dev/ecryptfs' file has world-writable permissions (which it does not, by default, on Red Hat Enterprise Linux 5), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important)

* A miscalculation of the size of the free space of the initial directory entry in a directory leaf block was found in the Linux kernel Global File System 2 (GFS2) implementation. A local, unprivileged user with write access to a GFS2-mounted file system could perform a rename operation on that file system to trigger a NULL pointer dereference, possibly resulting in a denial of service or privilege escalation. (CVE-2010-2798, Important)

* A flaw was found in the Xen hypervisor implementation when running a system that has an Intel CPU without Extended Page Tables (EPT) support. While attempting to dump information about a crashing fully-virtualized guest, the flaw could cause the hypervisor to crash the host as well. A user with permissions to configure a fully-virtualized guest system could use this flaw to crash the host.
(CVE-2010-2938, Moderate)

* Information leak flaws were found in the Linux kernel's Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate)

* A flaw was found in the Linux kernel's XFS file system implementation. The file handle lookup could return an invalid inode as valid. If an XFS file system was mounted via NFS (Network File System), a local attacker could access stale data or overwrite existing data that reused the inodes. (CVE-2010-2943, Moderate)

* An integer overflow flaw was found in the extent range checking code in the Linux kernel's ext4 file system implementation. A local, unprivileged user with write access to an ext4-mounted file system could trigger this flaw by writing to a file at a very large file offset, resulting in a local denial of service. (CVE-2010-3015, Moderate)

* An information leak flaw was found in the Linux kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Grant Diffey of CenITex for reporting CVE-2010-2798;
Toshiyuki Okajima for reporting CVE-2010-3015; and Marcus Meissner for reporting CVE-2010-1083.

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from the Technical Notes document linked to in the References.

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

a. ESX third-party update for Service Console kernel

   This update takes the console OS kernel package to    kernel-2.6.18-238.9.1 which resolves multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1083, CVE-2010-2492, CVE-2010-2798,    CVE-2010-2938, CVE-2010-2942, CVE-2010-2943, CVE-2010-3015,    CVE-2010-3066, CVE-2010-3067, CVE-2010-3078, CVE-2010-3086,    CVE-2010-3296, CVE-2010-3432, CVE-2010-3442, CVE-2010-3477,    CVE-2010-3699, CVE-2010-3858, CVE-2010-3859, CVE-2010-3865,    CVE-2010-3876, CVE-2010-3877, CVE-2010-3880, CVE-2010-3904,    CVE-2010-4072, CVE-2010-4073, CVE-2010-4075, CVE-2010-4080,    CVE-2010-4081, CVE-2010-4083, CVE-2010-4157, CVE-2010-4158,    CVE-2010-4161, CVE-2010-4238, CVE-2010-4242, CVE-2010-4243,    CVE-2010-4247, CVE-2010-4248, CVE-2010-4249, CVE-2010-4251,    CVE-2010-4255, CVE-2010-4263, CVE-2010-4343, CVE-2010-4346,    CVE-2010-4526, CVE-2010-4655, CVE-2011-0521, CVE-2011-0710,    CVE-2011-1010, CVE-2011-1090 and CVE-2011-1478 to these issues.

b. ESX third-party update for Service Console krb5 RPMs

   This patch updates the krb5-libs and krb5-workstation RPMs of the    console OS to version 1.6.1-55.el5_6.1, which resolves multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-1323, CVE-2011-0281, and CVE-2011-0282    to these issues.

c. ESXi and ESX update to third-party component glibc

   The glibc third-party library is updated to resolve multiple    security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2010-0296, CVE-2011-0536, CVE-2011-1071,    CVE-2011-1095, CVE-2011-1658, and CVE-2011-1659 to these issues.

d. ESX update to third-party drivers mptsas, mpt2sas, and mptspi

   The mptsas, mpt2sas, and mptspi drivers are updated which addresses    multiple security issues in the mpt2sas driver.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has    assigned the names CVE-2011-1494 and CVE-2011-1495 to these issues.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

* Buffer overflow in eCryptfs. When /dev/ecryptfs has world-writable permissions (which it does not, by default, on Red Hat Enterprise Linux 6), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges.
(CVE-2010-2492, Important)

* Integer overflow in the RDS protocol implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)

* Missing boundary checks in the PPP over L2TP sockets implementation could allow a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-4160, Important)

* NULL pointer dereference in the igb driver. If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode were enabled on an interface using igb, it could result in a denial of service when a tagged VLAN packet is received on that interface. (CVE-2010-4263, Important)

* Missing initialization flaw in the XFS file system implementation, and in the network traffic policing implementation, could allow a local, unprivileged user to cause an information leak. (CVE-2010-3078, CVE-2010-3477, Moderate)

* NULL pointer dereference in the Open Sound System compatible sequencer driver could allow a local, unprivileged user with access to /dev/sequencer to cause a denial of service. /dev/sequencer is only accessible to root and users in the audio group by default.
(CVE-2010-3080, Moderate)

* Flaw in the ethtool IOCTL handler could allow a local user to cause an information leak. (CVE-2010-3861, Moderate)

* Flaw in bcm_connect() in the Controller Area Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket address may overflow the procname character array. (CVE-2010-3874, Moderate)

* Flaw in the module for monitoring the sockets of INET transport protocols could allow a local, unprivileged user to cause a denial of service. (CVE-2010-3880, Moderate)

* Missing boundary checks in the block layer implementation could allow a local, unprivileged user to cause a denial of service.
(CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, Moderate)

* NULL pointer dereference in the Bluetooth HCI UART driver could allow a local, unprivileged user to cause a denial of service.
(CVE-2010-4242, Moderate)

* Flaw in the Linux kernel CPU time clocks implementation for the POSIX clock interface could allow a local, unprivileged user to cause a denial of service. (CVE-2010-4248, Moderate)

* Flaw in the garbage collector for AF_UNIX sockets could allow a local, unprivileged user to trigger a denial of service.
(CVE-2010-4249, Moderate)

* Missing upper bound integer check in the AIO implementation could allow a local, unprivileged user to cause an information leak.
(CVE-2010-3067, Low)

* Missing initialization flaws could lead to information leaks.
(CVE-2010-3298, CVE-2010-3876, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low)

* Missing initialization flaw in KVM could allow a privileged host user with access to /dev/kvm to cause an information leak.
(CVE-2010-4525, Low)

Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Thomas Pollet for reporting CVE-2010-3865; Dan Rosenberg for reporting CVE-2010-4160, CVE-2010-3078, CVE-2010-3874, CVE-2010-4162, CVE-2010-4163, CVE-2010-3298, CVE-2010-4073, CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082, CVE-2010-4083, and CVE-2010-4158; Kosuke Tatsukawa for reporting CVE-2010-4263; Tavis Ormandy for reporting CVE-2010-3080 and CVE-2010-3067; Kees Cook for reporting CVE-2010-3861 and CVE-2010-4072; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; Vegard Nossum for reporting CVE-2010-4249; Vasiliy Kulikov for reporting CVE-2010-3876;
and Stephan Mueller of atsec information security for reporting CVE-2010-4525.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228)

The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415)

The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620)

The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622)

The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.
(CVE-2009-2287)

The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722)

The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308)

The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function.
(CVE-2009-2846)

Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.
(CVE-2010-2521)

mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256)

The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors.
(CVE-2010-1162)

mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643)

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173)

The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187)

The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173)

fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)

Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.
(CVE-2010-2492)

The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.
(CVE-2010-2226)

The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798)

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)

The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803)

Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959)

Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080)

A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081)

The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2010:0723 advisory.

    The kernel packages contain the Linux kernel, the core of any Linux     operating system.

    This update fixes the following security issues:

    * A buffer overflow flaw was found in the ecryptfs_uid_hash() function in     the Linux kernel eCryptfs implementation. On systems that have the eCryptfs     netlink transport (Red Hat Enterprise Linux 5 does) or where the     /dev/ecryptfs file has world writable permissions (which it does not, by     default, on Red Hat Enterprise Linux 5), a local, unprivileged user could     use this flaw to cause a denial of service or possibly escalate their     privileges. (CVE-2010-2492, Important)

    * A miscalculation of the size of the free space of the initial directory     entry in a directory leaf block was found in the Linux kernel Global File     System 2 (GFS2) implementation. A local, unprivileged user with write     access to a GFS2-mounted file system could perform a rename operation on     that file system to trigger a NULL pointer dereference, possibly resulting     in a denial of service or privilege escalation. (CVE-2010-2798, Important)

    * A flaw was found in the Xen hypervisor implementation when running a     system that has an Intel CPU without Extended Page Tables (EPT) support.
    While attempting to dump information about a crashing fully-virtualized     guest, the flaw could cause the hypervisor to crash the host as well. A     user with permissions to configure a fully-virtualized guest system could     use this flaw to crash the host. (CVE-2010-2938, Moderate)

    * Information leak flaws were found in the Linux kernel's Traffic Control     Unit implementation. A local attacker could use these flaws to cause the     kernel to leak kernel memory to user-space, possibly leading to the     disclosure of sensitive information. (CVE-2010-2942, Moderate)

    * A flaw was found in the Linux kernel's XFS file system implementation.
    The file handle lookup could return an invalid inode as valid. If an XFS     file system was mounted via NFS (Network File System), a local attacker     could access stale data or overwrite existing data that reused the inodes.
    (CVE-2010-2943, Moderate)

    * An integer overflow flaw was found in the extent range checking code in     the Linux kernel's ext4 file system implementation. A local, unprivileged     user with write access to an ext4-mounted file system could trigger this     flaw by writing to a file at a very large file offset, resulting in a local     denial of service. (CVE-2010-3015, Moderate)

    * An information leak flaw was found in the Linux kernel's USB     implementation. Certain USB errors could result in an uninitialized kernel     buffer being sent to user-space. An attacker with physical access to a     target system could use this flaw to cause an information leak.
    (CVE-2010-1083, Low)

    Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492;
    Grant Diffey of CenITex for reporting CVE-2010-2798; Toshiyuki Okajima for     reporting CVE-2010-3015; and Marcus Meissner for reporting CVE-2010-1083.

    This update also fixes several bugs. Documentation for these bug fixes will     be available shortly from the Technical Notes document linked to in the     References.

    Users should upgrade to these updated packages, which contain backported     patches to correct these issues. The system must be rebooted for this     update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing several security issues and bugs.

A lot of ext4 filesystem stability fixes were also added.

Following security issues have been fixed: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels.

CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges.
This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x.

CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code.

CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed.

CVE-2010-2960: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel expects that a certain parent session keyring exists, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function.

CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes.

CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which could lead to kernel crashes.

CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver.

CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver.

CVE-2010-3297: Fixed a kernel information leak in the net/eql driver.

CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem.
CVE-2010-2942: Fixed a kernel information leak in the net scheduler code.

CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.

CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file.

CVE-2010-2946: The 'os2' xattr namespace on the jfs filesystem could be used to bypass xattr namespace rules.

CVE-2010-2959: Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel allowed attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic.

CVE-2010-3015: Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel allowed local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.

CVE-2010-2492: Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel might have allowed local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.

CVE-2010-2248: fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel allowed remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions.

CVE-2010-2803: The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount.

CVE-2010-2478: A potential buffer overflow in the ETHTOOL_GRXCLSRLALL ethtool code was fixed which could be used by local attackers to crash the kernel or potentially execute code.

CVE-2010-2524: The DNS resolution functionality in the CIFS implementation in the Linux kernel, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allowed local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a 'cache stuffing' issue and MS-DFS referrals.

CVE-2010-2798: The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel used an incorrect size value in calculations associated with sentinel directory entries, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.

CVE-2010-2537: The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls allowed a local user to overwrite append-only files.

CVE-2010-2538: The BTRFS_IOC_CLONE_RANGE ioctl was subject to an integer overflow in specifying offsets to copy from a file, which potentially allowed a local user to read sensitive filesystem data.

CVE-2010-2521: Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel allowed remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.

CVE-2010-2066: The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel allowed local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.

CVE-2010-2495: The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel did not properly validate certain values associated with an interface, which allowed attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.

CVE-2010-2071: The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel did not check file ownership before setting an ACL, which allowed local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl.

CVE-2010-1641: The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel did not verify the ownership of a file, which allowed local users to bypass intended access restrictions via a SETFLAGS ioctl request.

CVE-2010-1087: The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x allowed attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.

CVE-2010-1636: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel did not ensure that a cloned file descriptor has been opened for reading, which allowed local users to read sensitive information from a write-only file descriptor.

CVE-2010-1437: Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.

CVE-2010-1148: The cifs_create function in fs/cifs/dir.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions.

CVE-2010-1162: The release_one_tty function in drivers/char/tty_io.c in the Linux kernel omitted certain required calls to the put_pid function, which has unspecified impact and local attack vectors.

CVE-2010-1146: The Linux kernel, when a ReiserFS filesystem exists, did not restrict read or write access to the .reiserfs_priv directory, which allowed local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/.

CVE-2009-4537: drivers/net/r8169.c in the r8169 driver in the Linux kernel did not properly check the size of an Ethernet frame that exceeds the MTU, which allowed remote attackers to (1) cause a denial of service (temporary network outage) via a packet with a crafted size, in conjunction with certain packets containing A characters and certain packets containing E characters; or (2) cause a denial of service (system crash) via a packet with a crafted size, in conjunction with certain packets containing '\0' characters, related to the value of the status register and erroneous behavior associated with the RxMaxSize register. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1389.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leak. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2010-2492     Andre Osterhues reported an issue in the eCryptfs     subsystem. A buffer overflow condition may allow local     users to cause a denial of service or gain elevated     privileges.

  - CVE-2010-2954     Tavis Ormandy reported an issue in the irda subsystem     which may allow local users to cause a denial of service     via a NULL pointer dereference.

  - CVE-2010-3078     Dan Rosenberg discovered an issue in the XFS file system     that allows local users to read potentially sensitive     kernel memory.

  - CVE-2010-3080     Tavis Ormandy reported an issue in the ALSA sequencer     OSS emulation layer. Local users with sufficient     privileges to open /dev/sequencer (by default on Debian,     this is members of the 'audio' group) can cause a denial     of service via a NULL pointer dereference.

  - CVE-2010-3081     Ben Hawkes discovered an issue in the 32-bit     compatibility code for 64-bit systems. Local users can     gain elevated privileges due to insufficient checks in     compat_alloc_user_space allocations.

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.
(CVE-2010-2492)

The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a cache stuffing issue and MS-DFS referrals. (CVE-2010-2524)

The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)

Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. (CVE-2010-3015)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Junjiro R. Okajima discovered that knfsd did not correctly handle strict overcommit. A local attacker could exploit this to crash knfsd, leading to a denial of service. (Only Ubuntu 6.06 LTS and 8.04 LTS were affected.) (CVE-2008-7256, CVE-2010-1643)

Chris Guo, Jukka Taimisto, and Olli Jarva discovered that SCTP did not correctly handle invalid parameters. A remote attacker could send specially crafted traffic that could crash the system, leading to a denial of service. (CVE-2010-1173)

Mario Mikocevic discovered that GFS2 did not correctly handle certain quota structures. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1436)

Toshiyuki Okajima discovered that the kernel keyring did not correctly handle dead keyrings. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-1437)

Brad Spengler discovered that Sparc did not correctly implement non-executable stacks. This made userspace applications vulnerable to exploits that would have been otherwise blocked due to non-executable memory protections. (Ubuntu 10.04 LTS was not affected.) (CVE-2010-1451)

Dan Rosenberg discovered that the btrfs clone function did not correctly validate permissions. A local attacker could exploit this to read sensitive information, leading to a loss of privacy. (Only Ubuntu 9.10 was affected.) (CVE-2010-1636)

Dan Rosenberg discovered that GFS2 set_flags function did not correctly validate permissions. A local attacker could exploit this to gain access to files, leading to a loss of privacy and potential privilege escalation. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1641)

Shi Weihua discovered that btrfs xattr_set_acl function did not correctly validate permissions. A local attacker could exploit this to gain access to files, leading to a loss of privacy and potential privilege escalation. (Only Ubuntu 9.10 and 10.04 LTS were affected.) (CVE-2010-2071)

Andre Osterhues discovered that eCryptfs did not correctly calculate hash values. A local attacker with certain uids could exploit this to crash the system or potentially gain root privileges. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-2492).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
89680	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check)	Nessus	Misc.	high
68177	Oracle Linux 6 : kernel (ELSA-2011-0007)	Nessus	Oracle Linux Local Security Checks	high
68106	Oracle Linux 5 : kernel (ELSA-2010-0723)	Nessus	Oracle Linux Local Security Checks	high
67080	CentOS 5 : kernel (CESA-2010:0723)	Nessus	CentOS Local Security Checks	high
56508	VMSA-2011-0012 : VMware ESXi and ESX updates to third-party libraries and ESX Service Console	Nessus	VMware ESX Local Security Checks	high
51500	RHEL 6 : kernel (RHSA-2011:0007)	Nessus	Red Hat Local Security Checks	high
49795	Mandriva Linux Security Advisory : kernel (MDVSA-2010:198)	Nessus	Mandriva Local Security Checks	critical
49746	RHEL 5 : kernel (RHSA-2010:0723)	Nessus	Red Hat Local Security Checks	high
49671	openSUSE Security Update : kernel (openSUSE-SU-2010:0664-1)	Nessus	SuSE Local Security Checks	critical
49666	Mandriva Linux Security Advisory : kernel (MDVSA-2010:188)	Nessus	Mandriva Local Security Checks	critical
49276	Debian DSA-2110-1 : linux-2.6 - privilege escalation/denial of service/information leak	Nessus	Debian Local Security Checks	high
49190	Mandriva Linux Security Advisory : kernel (MDVSA-2010:172)	Nessus	Mandriva Local Security Checks	high
48253	Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : linux, linux-{source-2.6.15,ec2,mvl-dove,ti-omap} vulnerabilities (USN-966-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2010-2492

high

Tenable Plugins

high

high

high

high

high

high

critical

high

critical

critical

high

high

high