=====================================================================
CERT-Renater Information Note No. 2011/VULN043
_____________________________________________________________________
DATE                 : 20/01/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : SUSE Linux Enterprise.
======================================================================

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                kernel
        Announcement ID:        SUSE-SA:2011:004
        Date:                   Fri, 14 Jan 2011 13:00:00 +0000
        Affected Products:      SUSE Linux Enterprise High Availability Extension 11 SP1
                                SUSE Linux Enterprise Desktop 11 SP1
                                SUSE Linux Enterprise Server 11 SP1
        Vulnerability Type:     local privilege escalation
        CVSS v2 Base Score:     7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
        SUSE Default Package:   yes
        Cross-References:       CVE-2010-3437, CVE-2010-3861, CVE-2010-3874
                                CVE-2010-3881, CVE-2010-4072, CVE-2010-4073
                                CVE-2010-4082, CVE-2010-4083, CVE-2010-4157
                                CVE-2010-4158, CVE-2010-4160, CVE-2010-4162
                                CVE-2010-4163, CVE-2010-4164, CVE-2010-4165
                                CVE-2010-4169, CVE-2010-4175, CVE-2010-4258

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             Linux kernel security problems
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information
______________________________________________________________________________

1) Problem Description and Brief Discussion

   The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
   2.6.32.27 and fixes various bugs and security issues.
   The following security issues were fixed:

   CVE-2010-4258: A local attacker could use an Oops (kernel crash) caused
   by other flaws to write a 0 byte to an attacker-controlled address in the
   kernel. This could lead to privilege escalation together with other issues.

   CVE-2010-4160: An overflow in the sendto() and recvfrom() routines was
   fixed that could be used by local attackers to potentially crash the
   kernel using some socket families like L2TP.

   CVE-2010-4157: A 32-bit vs 64-bit integer mismatch in gdth_ioctl_alloc
   could lead to memory corruption in the GDTH driver.

   CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the
   Linux kernel did not properly restrict TCP_MAXSEG (aka MSS) values, which
   allowed local users to cause a denial of service (OOPS) via a setsockopt
   call that specifies a small value, leading to a divide-by-zero error or
   incorrect use of a signed integer.

   CVE-2010-4164: A remote (or local) attacker communicating over X.25 could
   cause a kernel panic by attempting to negotiate malformed facilities.

   CVE-2010-4175: A local attacker could cause memory overruns in the RDS
   protocol stack, potentially crashing the kernel. So far it is considered
   not to be exploitable.

   CVE-2010-4169: A use-after-free vulnerability in mm/mprotect.c in the
   Linux kernel allowed local users to cause a denial of service via vectors
   involving an mprotect system call.

   CVE-2010-3874: A minor heap overflow in the CAN network module was fixed.
   Due to the nature of the memory allocator it is likely not exploitable.

   CVE-2010-4158: A memory information leak in Berkeley packet filter rules
   allowed local attackers to read uninitialized memory of the kernel stack.

   CVE-2010-4162: A local denial of service in the block device layer was
   fixed.

   CVE-2010-4163: By submitting certain I/O requests with 0 length, a local
   user could have caused a kernel panic.
   CVE-2010-3861: The ethtool_get_rxnfc function in net/core/ethtool.c in the
   Linux kernel did not initialize a certain block of heap memory, which
   allowed local users to obtain potentially sensitive information via an
   ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.

   CVE-2010-3881: arch/x86/kvm/x86.c in the Linux kernel did not initialize
   certain structure members, which allowed local users to obtain potentially
   sensitive information from kernel stack memory via read operations on the
   /dev/kvm device.

   CVE-2010-3437: A range checking overflow in the pktcdvd ioctl was fixed.

   CVE-2010-4082: The viafb_ioctl_get_viafb_info function in
   drivers/video/via/ioctl.c in the Linux kernel did not properly initialize
   a certain structure member, which allowed local users to obtain
   potentially sensitive information from kernel stack memory via a
   VIAFB_GET_INFO ioctl call.

   CVE-2010-4073: The ipc subsystem in the Linux kernel did not initialize
   certain structures, which allowed local users to obtain potentially
   sensitive information from kernel stack memory via vectors related to the
   (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl
   functions in ipc/compat.c; and the (4) compat_sys_mq_open and
   (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.

   CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c in the Linux
   kernel did not initialize a certain structure, which allowed local users
   to obtain potentially sensitive information from kernel stack memory via
   vectors related to the shmctl system call and the "old shm interface."

   CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c in the Linux
   kernel did not initialize a certain structure, which allowed local users
   to obtain potentially sensitive information from kernel stack memory via a
   (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a
   semctl system call.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.
3) Special Instructions and Notes

   Please reboot the machine after installing the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   "Online Update" module or the "zypper" commandline tool. The package and
   patch management stack will detect which updates are required and
   automatically perform the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution
   manually and verify their integrity by the methods listed in Section 6 of
   this announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SLE 11 SERVER Unsupported Extras
     http://download.novell.com/patch/finder/?keywords=a5b88975f26bf20b19b4cb348f8532c3
     http://download.novell.com/patch/finder/?keywords=6b7fd41bd7226b53d8a5478d21d761ea
     http://download.novell.com/patch/finder/?keywords=bcb4e168cb163343275c4d62f9c9de15
     http://download.novell.com/patch/finder/?keywords=927b9000702886355ba37c627792d5cb
     http://download.novell.com/patch/finder/?keywords=356fcef510f901c1aa5982e309fb1b70

   SUSE Linux Enterprise Server 11 SP1
     http://download.novell.com/patch/finder/?keywords=23f8d08c0e40d5d87542968bb0041a81
     http://download.novell.com/patch/finder/?keywords=aa169ef3e3233aaf1120bd771f0897dc
     http://download.novell.com/patch/finder/?keywords=84fa31032843bdcdb6803fdf5c8916e2
     http://download.novell.com/patch/finder/?keywords=965b02d89397493aaac6b5e6aa40db68
     http://download.novell.com/patch/finder/?keywords=1e884403c52fc77802015c35ce13fbc4

   SUSE Linux Enterprise Desktop 11 SP1
     http://download.novell.com/patch/finder/?keywords=23f8d08c0e40d5d87542968bb0041a81
     http://download.novell.com/patch/finder/?keywords=1e884403c52fc77802015c35ce13fbc4

   SUSE Linux Enterprise High Availability Extension 11 SP1
     http://download.novell.com/patch/finder/?keywords=23f8d08c0e40d5d87542968bb0041a81
     http://download.novell.com/patch/finder/?keywords=aa169ef3e3233aaf1120bd771f0897dc
     http://download.novell.com/patch/finder/?keywords=84fa31032843bdcdb6803fdf5c8916e2
     http://download.novell.com/patch/finder/?keywords=965b02d89397493aaac6b5e6aa40db68
     http://download.novell.com/patch/finder/?keywords=1e884403c52fc77802015c35ce13fbc4

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

 - Announcement authenticity verification:

   SUSE security announcements are published via mailing lists and on Web
   sites. The authenticity and integrity of a SUSE security announcement is
   guaranteed by a cryptographic signature in each announcement. All SUSE
   security announcements are published with a valid signature.

   To verify the signature of the announcement, save it as text into a file
   and run the command

     gpg --verify <file>

   replacing <file> with the name of the file where you saved the
   announcement. The output for a valid signature looks like:

     gpg: Signature made <DATE> using RSA key ID 3D25D3D9
     gpg: Good signature from "SuSE Security Team <security@suse.de>"

   where <DATE> is replaced by the date the document was signed.

   If the security team's key is not contained in your key ring, you can
   import it from the first installation CD. To import the key, use the
   command

     gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

 - Package authenticity verification:

   SUSE update packages are available on many mirror FTP servers all over
   the world. While this service is considered valuable and important to the
   free and open source software community, the authenticity and the
   integrity of a package needs to be verified to ensure that it has not
   been tampered with.
   The internal rpm package signatures provide an easy way to verify the
   authenticity of an RPM package. Use the command

     rpm -v --checksig <file.rpm>

   to verify the signature of the package, replacing <file.rpm> with the
   filename of the RPM package downloaded. The package is unmodified if it
   contains a valid signature from build@suse.de with the key ID 9C800ACA.

   This key is automatically imported into the RPM database (on RPMv4-based
   distributions) and the gpg key ring of 'root' during installation. You can
   also find it on the first installation CD and at the end of this
   announcement.

 - SUSE runs two security mailing lists to which any interested party may
   subscribe:

   opensuse-security@opensuse.org
     - General Linux and SUSE security discussion. All SUSE security
       announcements are sent to this list. To subscribe, send an e-mail to
       <opensuse-security+subscribe@opensuse.org>.

   opensuse-security-announce@opensuse.org
     - SUSE's announce-only mailing list. Only SUSE's security announcements
       are sent to this list. To subscribe, send an e-mail to
       <opensuse-security-announce+subscribe@opensuse.org>.

   =====================================================================
   SUSE's security contact is <security@suse.de> or <security@suse.com>.
   The public key is listed below.
   =====================================================================
______________________________________________________________________________

   The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way. In particular, the
   clear text signature should show proof of the authenticity of the text.
   SUSE Linux Products GmbH provides no warranties of any kind whatsoever
   with respect to the information contained in this security advisory.
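   The two checks that Sections 4 and 6 ask an administrator to do by eye (a good
   gpg signature on the announcement from key ID 3D25D3D9, a valid rpm signature on
   each package from key ID 9C800ACA) can be automated. The Python below is an added
   example, not SUSE's or CERT-Renater's code: it parses the text that "gpg --verify"
   and "rpm -v --checksig" print, and the rpm verdict-line shape is an assumption for
   rpm 4.x as shipped with SLE 11 (newer rpm prints a different line, which this
   parser rejects rather than guesses about); all sample outputs are constructed.

```python
import re

# Key IDs from the advisory: 3D25D3D9 signs announcements, 9C800ACA (build@suse.de) signs packages.
ANNOUNCEMENT_KEY = "3D25D3D9"
PACKAGE_KEY = "9C800ACA"
# `gpg --verify <file>` writes its report to stderr; capture it with 2>&1 before parsing.
GPG_SIG_MADE = re.compile(r"^gpg: Signature made .+ using (?:RSA|DSA) key ID ([0-9A-Fa-f]{8})$")
GPG_GOOD = re.compile(r'^gpg: Good signature from "')

def gpg_announcement_ok(gpg_output, expected_key=ANNOUNCEMENT_KEY):
    """Accept only a good signature that was made with the expected SUSE key ID."""
    key_id, good = None, False
    for line in (raw.strip() for raw in gpg_output.splitlines()):
        if line.startswith("gpg: BAD signature"):
            return False
        m = GPG_SIG_MADE.match(line)
        if m:
            key_id = m.group(1).upper()
        elif GPG_GOOD.match(line):
            good = True          # "Good" alone is not enough: the key ID must match too
    return good and key_id == expected_key.upper()

# Assumed verdict line shape of `rpm -v --checksig <file.rpm>` on rpm 4.x:
#   "Header V3 DSA signature: OK, key ID 9c800aca"
RPM_SIG = re.compile(r"^\s*(?:Header )?V\d \w+ signature: ([A-Z ]+?), key ID ([0-9A-Fa-f]{8})")

def rpm_package_ok(checksig_output, expected_key=PACKAGE_KEY):
    """Accept only if every signature verdict is OK with the expected key ID; fail closed otherwise."""
    seen = False
    for line in checksig_output.splitlines():
        if "signature:" not in line:
            continue             # filename and digest lines carry no signature verdict
        m = RPM_SIG.match(line)
        if m is None:
            return False         # e.g. "MISSING KEYS" or an unknown format: refuse rather than guess
        seen = True
        status, key_id = m.group(1), m.group(2).upper()
        if status != "OK" or key_id != expected_key.upper():
            return False         # covers "NOT OK", "NOKEY" and a signature from a foreign key
    return seen                  # digests alone (unsigned package) is a failure

# Constructed sample outputs (not captured from a real system).
GPG_GOOD_SAMPLE = ("gpg: Signature made Fri 14 Jan 2011 13:00:00 UTC using RSA key ID 3D25D3D9\n"
                   'gpg: Good signature from "SuSE Security Team <security@suse.de>"\n')
RPM_GOOD_SAMPLE = ("kernel-default.example.rpm:\n"
                   "    Header V3 DSA signature: OK, key ID 9c800aca\n"
                   "    Header SHA1 digest: OK (placeholder)\n"
                   "    MD5 digest: OK (placeholder)\n"
                   "    V3 DSA signature: OK, key ID 9c800aca\n")
```

   A wrapper that feeds these functions the real command output should treat any
   False as "do not install", which is the policy Section 6 states in prose.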
   Type Bits/KeyID    Date       User ID
   pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
   pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44  +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41  +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================