
SuSE: New Linux kernel packages fix security vulnerabilities

The openSUSE 11.3 kernel was updated to fix various bugs and security issues. If root does read() on a specific socket, it's possible to corrupt (kernel) memory over the network with an ICMP packet if the B.A.T.M.A.N. mesh protocol is used. A flaw allowed the tc_fill_qdisc() function in the packet scheduler API implementation to be called on built-in qdisc structures. A local, unprivileged user could have used this flaw to trigger a NULL pointer dereference, resulting in a denial of service. Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service.

The inet_diag_bc_audit function did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message. The Generic Receive Offload (GRO) implementation allowed remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to a memory leak or memory corruption. A buffer overflow in the clusterip_proc_write function might have allowed local users to cause a denial of service or have unspecified other impact via a crafted write operation, related to string data that lacks a terminating ‘\0’ character.

An integer underflow in the dccp_parse_options function allowed remote attackers to cause a denial of service via a Datagram Congestion Control Protocol (DCCP) packet with an invalid feature options length, which triggered a buffer over-read. The skb_gro_header_slow function reset certain fields in incorrect situations, which allowed remote attackers to cause a denial of service (system crash) via crafted network traffic.

A kernel information leak in the AF_PACKET protocol was fixed which might have allowed local attackers to read kernel memory. A NULL pointer dereference on mounting corrupt hfs filesystems was fixed which could be used by local attackers to crash the kernel. Using the crypto interface, a local user could Oops the kernel by writing to an AF_ALG socket.

Updated packages are available from download.opensuse.org.

  openSUSE Security Update: kernel: security and bugfix update.
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0206-1
Rating:             important
References:         #691052 #692498 #698450 #699709 #700879 #702037 
                   #707288 #709764 #710235 #726788 #728661 #735612 
                   #736149 
Cross-References:   CVE-2011-1576 CVE-2011-1770 CVE-2011-2203
                   CVE-2011-2213 CVE-2011-2525 CVE-2011-2534
                   CVE-2011-2699 CVE-2011-2723 CVE-2011-2898
                   CVE-2011-4081 CVE-2011-4604
Affected Products:
                   openSUSE 11.3
______________________________________________________________________________

  An update that solves 11 vulnerabilities and has two fixes
  is now available. It includes one version update.

Description:

  The openSUSE 11.3 kernel was updated to fix various bugs
  and security issues.

  The following security issues have been fixed:

  CVE-2011-4604: If root does read() on a specific socket,
  it's possible to corrupt (kernel) memory over the network,
  with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is
  used.

  CVE-2011-2525: A flaw allowed the tc_fill_qdisc() function
  in the Linux kernel's packet scheduler API implementation
  to be called on built-in qdisc structures. A local,
  unprivileged user could have used this flaw to trigger a
  NULL pointer dereference, resulting in a denial of service.

  CVE-2011-2699: Fernando Gont discovered that the IPv6 stack
  used predictable fragment identification numbers. A remote
  attacker could exploit this to exhaust network resources,
  leading to a denial of service.

  CVE-2011-2213: The inet_diag_bc_audit function in
  net/ipv4/inet_diag.c in the Linux kernel did not properly
  audit INET_DIAG bytecode, which allowed local users to
  cause a denial of service (kernel infinite loop) via
  crafted INET_DIAG_REQ_BYTECODE instructions in a netlink
  message, as demonstrated by an INET_DIAG_BC_JMP instruction
  with a zero yes value, a different vulnerability than
  CVE-2010-3880.

  CVE-2011-1576: The Generic Receive Offload (GRO)
  implementation in the Linux kernel allowed remote attackers
  to cause a denial of service via crafted VLAN packets that
  are processed by the napi_reuse_skb function, leading to
  (1) a memory leak or (2) memory corruption, a different
  vulnerability than CVE-2011-1478.

  CVE-2011-2534: Buffer overflow in the clusterip_proc_write
  function in net/ipv4/netfilter/ipt_CLUSTERIP.c in the Linux
  kernel might have allowed local users to cause a denial of
  service or have unspecified other impact via a crafted
  write operation, related to string data that lacks a
  terminating '\0' character.

  CVE-2011-1770: Integer underflow in the dccp_parse_options
  function (net/dccp/options.c) in the Linux kernel allowed
  remote attackers to cause a denial of service via a
  Datagram Congestion Control Protocol (DCCP) packet with an
  invalid feature options length, which triggered a buffer
  over-read.

  CVE-2011-2723: The skb_gro_header_slow function in
  include/linux/netdevice.h in the Linux kernel, when Generic
  Receive Offload (GRO) is enabled, reset certain fields in
  incorrect situations, which allowed remote attackers to
  cause a denial of service (system crash) via crafted
  network traffic.

  CVE-2011-2898: A kernel information leak in the AF_PACKET
  protocol was fixed which might have allowed local attackers
  to read kernel memory.

  CVE-2011-2203: A NULL pointer dereference on mounting
  corrupt hfs filesystems was fixed which could be used by
  local attackers to crash the kernel.

  CVE-2011-4081: Using the crypto interface, a local user
  could Oops the kernel by writing to an AF_ALG socket.


Special Instructions and Notes:

  Please reboot the system after installing this update.

Patch Instructions:

  To install this openSUSE Security Update use YaST online_update.
  Alternatively you can run the command listed for your product:

  - openSUSE 11.3:

     zypper in -t patch kernel-5605

  To bring your system up-to-date, use "zypper patch".
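  Because the fix only takes effect after a reboot into the new kernel, a
  useful check is whether each host is actually running a kernel at or above
  the fixed version (2.6.34.10-0.6.1 from the package list), rather than
  merely having the package installed. The script below is an added example
  and is not part of the openSUSE advisory. It assumes, as openSUSE kernels
  do, that "uname -r" reports the version and release without the trailing
  rebuild counter and with a flavour suffix (e.g. 2.6.34.10-0.6-default),
  so missing trailing fields are treated as equal; the host inventory it
  runs over is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the openSUSE advisory): classify hosts as fixed,
# reboot-needed or update-needed against the kernel version in this update.

FIXED="2.6.34.10-0.6.1"   # fixed version, from the advisory's package list

# vercmp A B: compare two version strings numerically, field by field.
# "." and "-" both separate fields; a non-numeric tail such as the
# "-default" flavour suffix is dropped, and fields missing from the shorter
# string are treated as equal. Prints "lt", "eq" or "gt".
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.' | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | tr '-' '.' | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] && [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${af:-0}" -lt "${bf:-0}" ]; then echo lt; return 0; fi
        if [ "${af:-0}" -gt "${bf:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# kernel_status RUNNING INSTALLED: RUNNING is the "uname -r" string,
# INSTALLED is the version-release of the installed kernel package.
# Prints "fixed", "reboot-needed" or "update-needed".
kernel_status() {
    running=$1; installed=$2
    if [ "$(vercmp "$running" "$FIXED")" != lt ]; then
        echo fixed
    elif [ "$(vercmp "$installed" "$FIXED")" != lt ]; then
        echo reboot-needed     # package updated, old kernel still running
    else
        echo update-needed     # zypper in -t patch kernel-5605, then reboot
    fi
}

# Constructed sample inventory (hostname, uname -r, installed package
# version); on a real host these would come from "uname -r" and
# rpm -q --queryformat '%{VERSION}-%{RELEASE}' kernel-default
SAMPLE='host1 2.6.34.10-0.6-default 2.6.34.10-0.6.1
host2 2.6.34.7-0.7-default 2.6.34.10-0.6.1
host3 2.6.34.7-0.7-desktop 2.6.34.7-0.7.1'

printf '%s\n' "$SAMPLE" | while read -r host running installed; do
    printf '%-6s %s\n' "$host" "$(kernel_status "$running" "$installed")"
done
```

  The assumption about "uname -r" is what makes the prefix comparison
  necessary: the running kernel reports 2.6.34.10-0.6 while the package
  carries 2.6.34.10-0.6.1, and a strict comparison would wrongly flag an
  already-rebooted host as unfixed.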


Package List:

  - openSUSE 11.3 (i586 x86_64) [New Version: 2.6.34.10]:

     kernel-debug-2.6.34.10-0.6.1
     kernel-debug-base-2.6.34.10-0.6.1
     kernel-debug-devel-2.6.34.10-0.6.1
     kernel-default-2.6.34.10-0.6.1
     kernel-default-base-2.6.34.10-0.6.1
     kernel-default-devel-2.6.34.10-0.6.1
     kernel-desktop-2.6.34.10-0.6.1
     kernel-desktop-base-2.6.34.10-0.6.1
     kernel-desktop-devel-2.6.34.10-0.6.1
     kernel-ec2-2.6.34.10-0.6.1
     kernel-ec2-base-2.6.34.10-0.6.1
     kernel-ec2-devel-2.6.34.10-0.6.1
     kernel-ec2-extra-2.6.34.10-0.6.1
     kernel-syms-2.6.34.10-0.6.1
     kernel-trace-2.6.34.10-0.6.1
     kernel-trace-base-2.6.34.10-0.6.1
     kernel-trace-devel-2.6.34.10-0.6.1
     kernel-vanilla-2.6.34.10-0.6.1
     kernel-vanilla-base-2.6.34.10-0.6.1
     kernel-vanilla-devel-2.6.34.10-0.6.1
     kernel-xen-2.6.34.10-0.6.1
     kernel-xen-base-2.6.34.10-0.6.1
     kernel-xen-devel-2.6.34.10-0.6.1
     preload-kmp-default-1.1_k2.6.34.10_0.6-19.1.37
     preload-kmp-desktop-1.1_k2.6.34.10_0.6-19.1.37

  - openSUSE 11.3 (noarch) [New Version: 2.6.34.10]:

     kernel-devel-2.6.34.10-0.6.1
     kernel-source-2.6.34.10-0.6.1
     kernel-source-vanilla-2.6.34.10-0.6.1

  - openSUSE 11.3 (i586) [New Version: 2.6.34.10]:

     kernel-pae-2.6.34.10-0.6.1
     kernel-pae-base-2.6.34.10-0.6.1
     kernel-pae-devel-2.6.34.10-0.6.1
     kernel-vmi-2.6.34.10-0.6.1
     kernel-vmi-base-2.6.34.10-0.6.1
     kernel-vmi-devel-2.6.34.10-0.6.1


References:

  http://support.novell.com/security/cve/CVE-2011-1576.html
  http://support.novell.com/security/cve/CVE-2011-1770.html
  http://support.novell.com/security/cve/CVE-2011-2203.html
  http://support.novell.com/security/cve/CVE-2011-2213.html
  http://support.novell.com/security/cve/CVE-2011-2525.html
  http://support.novell.com/security/cve/CVE-2011-2534.html
  http://support.novell.com/security/cve/CVE-2011-2699.html
  http://support.novell.com/security/cve/CVE-2011-2723.html
  http://support.novell.com/security/cve/CVE-2011-2898.html
  http://support.novell.com/security/cve/CVE-2011-4081.html
  http://support.novell.com/security/cve/CVE-2011-4604.html
  https://bugzilla.novell.com/691052
  https://bugzilla.novell.com/692498
  https://bugzilla.novell.com/698450
  https://bugzilla.novell.com/699709
  https://bugzilla.novell.com/700879
  https://bugzilla.novell.com/702037
  https://bugzilla.novell.com/707288
  https://bugzilla.novell.com/709764
  https://bugzilla.novell.com/710235
  https://bugzilla.novell.com/726788
  https://bugzilla.novell.com/728661
  https://bugzilla.novell.com/735612
  https://bugzilla.novell.com/736149