SuSE 11.1 Security Update : Linux kernel (SAT Patch Number 4376)

high Nessus Plugin ID 53571

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.36 and fixes various bugs and security issues.

The following security issues were fixed :

- When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption.
(CVE-2011-1493)

- (no CVEs assigned yet): In the rose networking stack, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host could provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array

- The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. (CVE-2011-1163)

- A bug in the order of dccp_rcv_state_process() was fixed that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. (CVE-2011-1093)

- A signedness issue in drm_modeset_ctl() could be used by local attackers with access to the drm devices to potentially crash the kernel or escalate privileges.
(CVE-2011-1013)

- The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).
(CVE-2011-1082)

- Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c. (CVE-2011-0712)

- Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.
(CVE-2011-1182)

- An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference. (CVE-2011-1478)

- Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables. (CVE-2011-1476)

- Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. (CVE-2011-1477)

- A information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information. (CVE-2011-0191)

- A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.
(CVE-2011-1090)

- net/ipv4/inet_diag.c in the Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. (CVE-2010-3880)

- Fixed a buffer size issue in 'usb iowarrior' module, where a malicious device could overflow a kernel buffer.
(CVE-2010-4656)

- The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. (CVE-2011-0521)

- In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, this allowed local attackers (close to the irda port) to potentially corrupt memory. (CVE-2011-1180)

- A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users. This has been addressed by backlog limiting. (CVE-2010-4251)

- The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. (CVE-2011-1016)

- Boundschecking was missing in AARESOLVE_OFFSET, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel.
(CVE-2011-1573)

Solution

Apply SAT patch number 4376.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=558740

https://bugzilla.novell.com/show_bug.cgi?id=566768

https://bugzilla.novell.com/show_bug.cgi?id=620929

https://bugzilla.novell.com/show_bug.cgi?id=622597

https://bugzilla.novell.com/show_bug.cgi?id=622868

https://bugzilla.novell.com/show_bug.cgi?id=629170

https://bugzilla.novell.com/show_bug.cgi?id=632317

https://bugzilla.novell.com/show_bug.cgi?id=637377

https://bugzilla.novell.com/show_bug.cgi?id=643266

https://bugzilla.novell.com/show_bug.cgi?id=644630

https://bugzilla.novell.com/show_bug.cgi?id=649473

https://bugzilla.novell.com/show_bug.cgi?id=650545

https://bugzilla.novell.com/show_bug.cgi?id=651599

https://bugzilla.novell.com/show_bug.cgi?id=654169

https://bugzilla.novell.com/show_bug.cgi?id=655973

https://bugzilla.novell.com/show_bug.cgi?id=656219

https://bugzilla.novell.com/show_bug.cgi?id=656587

https://bugzilla.novell.com/show_bug.cgi?id=658413

https://bugzilla.novell.com/show_bug.cgi?id=660507

https://bugzilla.novell.com/show_bug.cgi?id=663313

https://bugzilla.novell.com/show_bug.cgi?id=663513

https://bugzilla.novell.com/show_bug.cgi?id=666836

https://bugzilla.novell.com/show_bug.cgi?id=666842

https://bugzilla.novell.com/show_bug.cgi?id=667766

https://bugzilla.novell.com/show_bug.cgi?id=668101

https://bugzilla.novell.com/show_bug.cgi?id=668895

https://bugzilla.novell.com/show_bug.cgi?id=668896

https://bugzilla.novell.com/show_bug.cgi?id=668898

https://bugzilla.novell.com/show_bug.cgi?id=669058

https://bugzilla.novell.com/show_bug.cgi?id=669571

https://bugzilla.novell.com/show_bug.cgi?id=669889

https://bugzilla.novell.com/show_bug.cgi?id=670154

https://bugzilla.novell.com/show_bug.cgi?id=670615

https://bugzilla.novell.com/show_bug.cgi?id=670979

https://bugzilla.novell.com/show_bug.cgi?id=671296

https://bugzilla.novell.com/show_bug.cgi?id=671943

https://bugzilla.novell.com/show_bug.cgi?id=672453

https://bugzilla.novell.com/show_bug.cgi?id=672499

https://bugzilla.novell.com/show_bug.cgi?id=672505

https://bugzilla.novell.com/show_bug.cgi?id=673516

https://bugzilla.novell.com/show_bug.cgi?id=673934

https://bugzilla.novell.com/show_bug.cgi?id=674549

https://bugzilla.novell.com/show_bug.cgi?id=674691

https://bugzilla.novell.com/show_bug.cgi?id=674693

https://bugzilla.novell.com/show_bug.cgi?id=675115

https://bugzilla.novell.com/show_bug.cgi?id=675963

https://bugzilla.novell.com/show_bug.cgi?id=676202

https://bugzilla.novell.com/show_bug.cgi?id=676419

https://bugzilla.novell.com/show_bug.cgi?id=677286

https://bugzilla.novell.com/show_bug.cgi?id=677391

https://bugzilla.novell.com/show_bug.cgi?id=677398

https://bugzilla.novell.com/show_bug.cgi?id=677563

https://bugzilla.novell.com/show_bug.cgi?id=677676

https://bugzilla.novell.com/show_bug.cgi?id=677783

https://bugzilla.novell.com/show_bug.cgi?id=678466

https://bugzilla.novell.com/show_bug.cgi?id=679545

https://bugzilla.novell.com/show_bug.cgi?id=679588

https://bugzilla.novell.com/show_bug.cgi?id=679812

https://bugzilla.novell.com/show_bug.cgi?id=680845

https://bugzilla.novell.com/show_bug.cgi?id=681175

https://bugzilla.novell.com/show_bug.cgi?id=681497

https://bugzilla.novell.com/show_bug.cgi?id=681826

https://bugzilla.novell.com/show_bug.cgi?id=68199

https://bugzilla.novell.com/show_bug.cgi?id=682333

https://bugzilla.novell.com/show_bug.cgi?id=682940

https://bugzilla.novell.com/show_bug.cgi?id=682941

https://bugzilla.novell.com/show_bug.cgi?id=682965

https://bugzilla.novell.com/show_bug.cgi?id=683569

https://bugzilla.novell.com/show_bug.cgi?id=684085

https://bugzilla.novell.com/show_bug.cgi?id=684248

https://bugzilla.novell.com/show_bug.cgi?id=686813

http://support.novell.com/security/cve/CVE-2010-3880.html

http://support.novell.com/security/cve/CVE-2010-4251.html

http://support.novell.com/security/cve/CVE-2010-4656.html

http://support.novell.com/security/cve/CVE-2011-0191.html

http://support.novell.com/security/cve/CVE-2011-0521.html

http://support.novell.com/security/cve/CVE-2011-0712.html

http://support.novell.com/security/cve/CVE-2011-1013.html

http://support.novell.com/security/cve/CVE-2011-1016.html

http://support.novell.com/security/cve/CVE-2011-1082.html

http://support.novell.com/security/cve/CVE-2011-1090.html

http://support.novell.com/security/cve/CVE-2011-1093.html

http://support.novell.com/security/cve/CVE-2011-1163.html

http://support.novell.com/security/cve/CVE-2011-1180.html

http://support.novell.com/security/cve/CVE-2011-1182.html

http://support.novell.com/security/cve/CVE-2011-1476.html

http://support.novell.com/security/cve/CVE-2011-1477.html

http://support.novell.com/security/cve/CVE-2011-1478.html

http://support.novell.com/security/cve/CVE-2011-1493.html

http://support.novell.com/security/cve/CVE-2011-1573.html

Plugin Details

Severity: High

ID: 53571

File Name: suse_11_kernel-110415.nasl

Version: 1.6

Type: local

Agent: unix

Published: 4/28/2011

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:kernel-xen-devel, p-cpe:/a:novell:suse_linux:11:kernel-syms, p-cpe:/a:novell:suse_linux:11:kernel-default-extra, p-cpe:/a:novell:suse_linux:11:kernel-default, p-cpe:/a:novell:suse_linux:11:kernel-xen-extra, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-source, cpe:/o:novell:suse_linux:11, p-cpe:/a:novell:suse_linux:11:kernel-xen, p-cpe:/a:novell:suse_linux:11:kernel-trace, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-default, p-cpe:/a:novell:suse_linux:11:kernel-ec2, p-cpe:/a:novell:suse_linux:11:kernel-default-base, p-cpe:/a:novell:suse_linux:11:kernel-ec2-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-devel, p-cpe:/a:novell:suse_linux:11:btrfs-kmp-xen, p-cpe:/a:novell:suse_linux:11:kernel-default-devel, p-cpe:/a:novell:suse_linux:11:kernel-desktop-devel, p-cpe:/a:novell:suse_linux:11:kernel-xen-base, p-cpe:/a:novell:suse_linux:11:kernel-trace-base, p-cpe:/a:novell:suse_linux:11:ext4dev-kmp-xen, p-cpe:/a:novell:suse_linux:11:hyper-v-kmp-default

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 4/15/2011

Reference Information

CVE: CVE-2010-3880, CVE-2010-4251, CVE-2010-4656, CVE-2011-0191, CVE-2011-0521, CVE-2011-0712, CVE-2011-1013, CVE-2011-1016, CVE-2011-1082, CVE-2011-1090, CVE-2011-1093, CVE-2011-1163, CVE-2011-1180, CVE-2011-1182, CVE-2011-1476, CVE-2011-1477, CVE-2011-1478, CVE-2011-1493, CVE-2011-1573