All articles tagged with SuSE

July 19, 2011 17:51 SuSE: New bind packages fix remote denial of service

A remote Denial of Service vulnerability has been fixed in bind. Specially crafted packets could cause bind servers (recursive as well as authoritative) to exit. Updated packages are available from download.opensuse.org.

July 19, 2011 17:49 SuSE: New KVM packages fix denial of service

A privileged guest user could cause a buffer overflow in the virtio subsystem of the host, thereby crashing the guest or potentially executing arbitrary code on the host.

July 19, 2011 17:42 SuSE: New IBM Java packages fix remote vulnerabilities

IBM Java 1.6.0 SR9-FP2 fixes several security issues. Various unspecified vulnerabilities allow remote untrusted Java Web Start applications and Java applets to affect confidentiality, integrity, and availability via unknown vectors. Updated packages are available from download.opensuse.org.

June 26, 2011 12:55 SuSE: New Linux kernel packages fix remote denial of service

This kernel update for the SUSE Linux Enterprise 10 SP4 kernel fixes several security issues and bugs. The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions. Bounds checking was missing in AARESOLVE_OFFSET, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel. When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users.

Kernel information via the TPM devices could be used by local attackers to read kernel memory. The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code. In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, which allowed local attackers to potentially corrupt memory.

A system out of memory condition could be triggered with a large socket backlog, exploitable by local users. The Radeon GPU drivers did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with Video RAM or the Graphics Translation Table via crafted values. When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption.

Local attackers could send signals to their programs that appeared to come from the kernel, potentially gaining privileges in the context of setuid programs. The code for evaluating Mac partitions contained a bug that could crash the kernel for certain corrupted Mac partitions. The code for evaluating OSF partitions contained a bug that leaked data from kernel heap memory to userspace for certain corrupted OSF partitions.

Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. An information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information.

The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service via an Out Of The Blue chunk or a chunk of zero length. Updated packages are available from download.opensuse.org.

May 19, 2011 20:25 SuSE: New Postfix packages fix remote code execution

A security problem in the Postfix mail transport agent was fixed: a memory corruption issue in the Postfix SASL implementation could potentially be used by remote attackers to execute arbitrary code. Updated packages are available from download.opensuse.org.

May 19, 2011 14:30 SuSE: New Mozilla packages fix remote vulnerabilities

The Mozilla suite of browsers received security updates. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Security researcher regenrecht reported several dangling pointer vulnerabilities via TippingPoint’s Zero Day Initiative. Security researcher Paul Stone reported that a Java applet could be used to mimic interaction with form autocomplete controls and steal entries from the form history.

David Remahl of Apple Product Security reported that the Java Embedding Plugin (JEP) shipped with the Mac OS X versions of Firefox could be exploited to obtain elevated access to resources on a user’s system. Security researcher Soroush Dalili reported that the resource: protocol could be exploited to allow directory traversal on Windows and the potential loading of resources from non-permitted locations. The impact would depend on whether interesting files existed in predictable locations in a useful format. Two crashes that could potentially be exploited to run malicious code were found in the WebGL feature and fixed in Firefox 4.0.1. In addition, the WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions.

Nils reported that the WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection. Mozilla researcher Christoph Diehl reported a potentially exploitable buffer overflow in the WebGLES library. Yuri Ko reported a potentially exploitable overwrite in the WebGLES library to the Chrome Security Team. We thank them for coordinating with us on this fix.

Updated packages are available from download.opensuse.org.

May 04, 2011 09:07 SuSE: New Linux kernel packages fix remote denial of service

The openSUSE 11.4 kernel was updated to 2.6.37.6, fixing lots of bugs and security issues. In the rose networking stack, when parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Local attackers could send signals to their programs that appeared to come from the kernel, potentially gaining privileges in the context of setuid programs. An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference.

Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. An information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information.

A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed. The dvb_ca_ioctl function did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. The code for evaluating Mac partitions contained a bug that could crash the kernel for certain corrupted Mac partitions. Multiple buffer overflows in the caiaq Native Instruments USB audio functionality might have allowed attackers to cause a denial of service or possibly have unspecified other impact.

A signedness issue in the drm ioctl handling could be used by local attackers to potentially overflow kernel buffers and execute code. The epoll subsystem did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock). A kernel buffer overflow in the cuse server module was fixed, which might have allowed local privilege escalation. A bug was fixed in the DCCP networking stack where the order of dccp_rcv_state_process() still permitted reception even after closing the socket.

The code for evaluating OSF partitions contained a bug that leaked data from kernel heap memory to userspace for certain corrupted OSF partitions. The code for evaluating LDM partitions contained a bug that could crash the kernel for certain corrupted LDM partitions. Doing bridging with devices with more than 16 receive queues could crash the kernel. Kernel information via the TPM devices could be used by local attackers to read kernel memory.

The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code. In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, which allowed local attackers (close to the irda port) to potentially corrupt memory. The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with Video RAM or the Graphics Translation Table via crafted values.

Updated packages are available from ftp.redhat.com.

May 04, 2011 08:56 SuSE: New Linux kernel packages fix remote denial of service

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.36 and fixes various bugs and security issues. When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. In the rose networking stack, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host could provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. The code for evaluating OSF partitions contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions.

A bug in the order of dccp_rcv_state_process() was fixed that still permitted reception even after closing the socket. A signedness issue in drm_modeset_ctl() could be used by local attackers with access to the drm devices to potentially crash the kernel or escalate privileges. The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).

Multiple buffer overflows in the caiaq Native Instruments USB audio functionality might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name. Local attackers could send signals to their programs that appeared to come from the kernel, potentially gaining privileges in the context of setuid programs.

An issue in the core GRO code where an skb belonging to an unknown VLAN is reused could result in a NULL pointer dereference. Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation.

An information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information. A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed. The Linux kernel did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements. A buffer size issue in the “usb iowarrior” module was fixed, where a malicious device could overflow a kernel buffer.

The dvb_ca_ioctl function did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked, which allowed local attackers (close to the irda port) to potentially corrupt memory. A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users.

The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with Video RAM or the Graphics Translation Table via crafted values. Bounds checking was missing in AARESOLVE_OFFSET, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel. Updated packages are available from download.opensuse.org.

April 20, 2011 08:20 SuSE: New flash-player packages fix remote code execution

Specially crafted Flash files, as delivered by web sites or as .swf files, could exploit the Flash Player to execute arbitrary code with the privileges of the user viewing these files. Updated packages are available from download.opensuse.org.

April 20, 2011 08:04 SuSE: New Linux kernel packages fix remote denial of service

The openSUSE 11.2 kernel was updated to fix lots of security issues. In the rose networking stack it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Local attackers could send signals to their programs that appeared to come from the kernel, potentially gaining privileges in the context of setuid programs. The epoll subsystem did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).

The code for evaluating OSF partitions contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. The code for evaluating LDM partitions contained a bug that could crash the kernel for certain corrupted LDM partitions. The code for evaluating Mac partitions contained a bug that could crash the kernel for certain corrupted Mac partitions.

Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. A page allocator issue in NFS v4 ACL handling that could lead to a denial of service (crash) was fixed.

net/ipv4/inet_diag.c did not properly audit INET_DIAG bytecode, which allowed local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions. The dvb_ca_ioctl function did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. The ax25_getname function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

net/packet/af_packet.c did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. The get_name function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. The sctp_auth_asoc_get_hmac function did not properly validate the hmac_ids array of an SCTP peer, which allowed remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.

A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed. Multiple buffer overflows in the caiaq Native Instruments USB audio functionality might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name. The sctp_process_unk_param function allowed remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. The uart_get_count function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

The rs_ioctl function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. The ntty_ioctl_tiocgicount function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. A race condition in the __exit_signal function allowed local users to cause a denial of service via vectors related to multi-threaded exec, the use of a thread group leader, and the selection of a new thread group leader in the de_thread function.

fs/exec.c did not enable the OOM Killer to assess use of stack memory by arrays representing the arguments and environment, which allowed local users to cause a denial of service via a crafted exec system call. A cryptographic weakness in the Orinoco wireless driver that could potentially leak information to remote users was fixed. The OSS sound subsystem incorrectly expected that a certain name field ends with a ‘\0’ character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory. The blk_rq_map_user_iov function allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device. A kernel buffer overflow in the cuse server module was fixed, which might have allowed local privilege escalation.

An integer overflow in the ib_uverbs_poll_cq function allowed local users to cause a denial of service or possibly have unspecified other impact via a large value of a certain structure member. The install_special_mapping function did not make an expected security_file_mmap function call, which allowed local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application. An integer underflow in the irda_getsockopt function allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.

The aun_incoming function allowed remote attackers to cause a denial of service by sending an Acorn Universal Networking (AUN) packet over UDP. The econet_sendmsg function allowed local users to cause a denial of service via a sendmsg call that specifies a NULL value for the remote address field. A stack-based buffer overflow in the econet_sendmsg function allowed local users to gain privileges by providing a large number of iovec structures. The ec_dev_ioctl function did not require the CAP_NET_ADMIN capability, which allowed local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call.

The backend driver in Xen 3.x allowed guest OS users to cause a denial of service via a kernel thread leak, which prevented the device and guest OS from being shut down or created a zombie domain, caused a hang in zenwatch, or prevented unspecified xm commands from working properly. The ipc subsystem did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory via certain vectors. The copy_shmid_to_user function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the “old shm interface”.

The copy_semid_to_user function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory. Updated packages are available from download.opensuse.org.

April 20, 2011 08:00 SuSE: New xorg-x11 packages fix remote code execution

The xrdb helper program of the xorg-x11 package passes untrusted input such as hostnames retrieved via DHCP or client hostnames of XDMCP sessions to popen() without sanitization. Therefore, remote attackers could execute arbitrary commands as root by assigning specially crafted hostnames to X11 servers or to XDMCP clients. Updated packages are available from download.opensuse.org.

March 30, 2011 11:24 SuSE: New Linux kernel packages fix remote denial of service

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. A memory leak in the ethtool ioctl was fixed that could disclose kernel memory to local attackers with CAP_NET_ADMIN privileges. The dvb_ca_ioctl function did not check the sign of a certain integer field, which allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value. The ax25_getname function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

The Linux kernel did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. The get_name function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed.

The task_show_regs function allowed local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/. The sctp_process_unk_param function allowed remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. The uart_get_count function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

The rs_ioctl function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. The ntty_ioctl_tiocgicount function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. The OSS sound subsystem incorrectly expected that a certain name field ends with a ‘\0’ character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory.

A race condition in the __exit_signal function allowed local users to cause a denial of service via vectors related to multi-threaded exec. The blk_rq_map_user_iov function allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. The hci_uart_tty_open function in the HCI UART driver did not verify whether the tty has a write operation, which allowed local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver. An integer underflow in the irda_getsockopt function allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call.

The aun_incoming function allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP. A race condition in the sctp_icmp_proto_unreachable function allowed remote attackers to cause a denial of service (panic).

Updated packages are available from download.opensuse.org.

March 30, 2011 11:18 SuSE: New IBM Java packages fix remote code execution

IBM Java 6 was updated to SR9 FP1 to fix a critical security bug in floating-point number handling; the update also contains other security bugfixes. IBM Java 5 was updated to SR 12 FP 3 to fix the same floating-point number issue and other security issues. IBM Java 1.4.2 was updated to SR 13 FP8 to fix the floating-point issue and other security issues. Updated packages are available from download.opensuse.org.

March 09, 2011 20:18 SuSE: New Linux kernel packages fix remote code execution

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.29 and fixes various bugs and security issues. The ax25_getname function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. The Linux kernel did not properly initialize certain structure members, which allowed local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures. The get_name function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.

The sctp_auth_asoc_get_hmac function did not properly validate the hmac_ids array of an SCTP peer, which allowed remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array. A stack memory information leak in the xfs FSGEOMETRY_V1 ioctl was fixed. Multiple buffer overflows in the caiaq Native Instruments USB audio functionality might have allowed attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name.

The task_show_regs function on the s390 platform allowed local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/. The xfs implementation did not look up inode allocation btrees before reading inode buffers, which allowed remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS file handle. The uart_get_count function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

The rs_ioctl function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. The ntty_ioctl_tiocgicount function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. The Linux kernel did not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allowed local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an OOM dodging issue.

The blk_rq_map_user_iov function allowed local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. An integer underflow in the irda_getsockopt function on platforms other than x86 allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call. The aun_incoming function, when Econet is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP.

The backend driver in Xen 3.x allowed guest OS users to cause a denial of service via a kernel thread leak, which prevented the device and guest OS from being shut down or created a zombie domain, caused a hang in zenwatch, or prevented unspecified xm commands from working properly. The install_special_mapping function did not make an expected security_file_mmap function call, which allowed local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application. A verify_ioctl overflow in “cuse” in the fuse filesystem was fixed.

A race condition in the sctp_icmp_proto_unreachable function allowed remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user. The load_mixer_volumes function in the OSS sound subsystem incorrectly expected that a certain name field ends with a ‘\0’ character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory.

Updated packages are available from download.opensuse.org.

March 09, 2011 20:12 SuSE: New acroread packages fix remote code execution

Specially crafted PDF documents could crash acroread or lead to execution of arbitrary code. acroread was updated to version 9.4.2 to address the issues. Updated packages are available from download.opensuse.org.

February 23, 2011 08:48 SuSE: New Sun Java 1.6 packages fix remote code execution

Sun Java 1.6 was updated to Update 24 fixing various bugs and security issues. Updated packages are available from download.opensuse.org.

January 28, 2011 13:36 SuSE: New kernel packages fix local privilege escalation

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. A local attacker could use an Oops (kernel crash) caused by other flaws to write a 0 byte to an attacker-controlled address in the kernel. The backend driver in Xen 3.x allowed guest OS users to cause a denial of service via a kernel thread leak. The econet_sendmsg function allowed local users to cause a denial of service. The ec_dev_ioctl function did not require the CAP_NET_ADMIN capability, which allowed local users to bypass intended access restrictions and configure econet addresses. An overflow in the sendto() and recvfrom() routines was fixed that could be used by local attackers to potentially crash the kernel using some socket families such as L2TP. Updated packages are available from download.novell.com.

January 20, 2011 05:10 SuSE: New kernel packages fix local privilege escalation

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.27 and fixes various bugs and security issues. A local attacker could use an Oops (kernel crash) caused by other flaws to write a 0 byte to an attacker-controlled address in the kernel. An overflow in the sendto() and recvfrom() routines was fixed that could be used by local attackers to potentially crash the kernel using some socket families such as L2TP. A 32-bit vs. 64-bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver. The do_tcp_setsockopt function did not properly restrict TCP_MAXSEG (aka MSS) values, which allowed local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer. A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities. A local attacker could cause memory overruns in the RDS protocol stack, potentially crashing the kernel. A use-after-free vulnerability allowed local users to cause a denial of service via vectors involving an mprotect system call.

A minor heap overflow in the CAN network module was fixed. A memory information leak in Berkeley packet filter rules allowed local attackers to read uninitialized memory of the kernel stack. A local denial of service in the blockdevice layer was fixed. By submitting certain I/O requests with 0 length, a local user could have caused a kernel panic. The ethtool_get_rxnfc function did not initialize a certain block of heap memory, which allowed local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value. A range checking overflow in pktcdvd ioctl was fixed. The viafb_ioctl_get_viafb_info function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. The ipc subsystem did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory. The copy_shmid_to_user function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory. The copy_semid_to_user function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory. Updated packages are available from download.opensuse.org.

January 05, 2011 11:25 SuSE: New Firefox, Thunderbird, and Seamonkey packages fi...

0

Mozilla Firefox was updated to 3.6.13 to fix several security issues. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Dirk Heinrich reported that on Windows platforms, when document.write() was called with a very long string, a buffer overflow was caused in line breaking routines attempting to process the string for display. Security researcher echo reported that a web page could open a window with an about:blank location and then inject an <isindex> element into that page which, upon submission, would redirect to a chrome: document. Security researcher wushi of team509 reported that when a XUL tree had an HTML <div> element nested inside a <treechildren> element, code attempting to display content in the XUL tree would incorrectly treat the <div> element as a parent node to tree content underneath it, resulting in incorrect indexes being calculated for the child content.

Mozilla added the OTS font sanitizing library to prevent downloadable fonts from exposing vulnerabilities in the underlying OS font code. Security researcher Gregory Fleischer reported that when a Java LiveConnect script was loaded via a data: URL which redirects via a meta refresh, then the resulting plugin object was created with the wrong security principal and thus received elevated privileges such as the abilities to read local files, launch processes, and create network connections. Security researcher regenrecht reported that a nsDOMAttribute node can be modified without informing the iterator object responsible for various DOM traversals. Security researcher regenrecht reported that JavaScript arrays were vulnerable to an integer overflow vulnerability. Google security researcher Michal Zalewski reported that when a window was opened to a site resulting in a network or certificate error page, the opening site could access the document inside the opened window and inject arbitrary content. Security researchers Yosuke Hasegawa and Masatoshi Kimura reported that the x-mac-arabic, x-mac-farsi and x-mac-hebrew character encodings are vulnerable to XSS attacks due to some characters being converted to angle brackets when displayed by the rendering engine.

Updated packages are available from download.opensuse.org.

January 05, 2011 11:05 SuSE: New kernel packages fix local privilege escalation

0

This update of the openSUSE 11.2 kernel fixes various bugs and lots of security issues. A local attacker could use an Oops (kernel crash) caused by other flaws to write a 0 byte to an attacker-controlled address in the kernel. An overflow in the sendto() and recvfrom() routines was fixed that could be used by local attackers to potentially crash the kernel using some socket families such as L2TP. A 32bit vs 64bit integer mismatch in gdth_ioctl_alloc could lead to memory corruption in the GDTH driver. The do_tcp_setsockopt function did not properly restrict TCP_MAXSEG values, which allowed local users to cause a denial of service (OOPS). A remote (or local) attacker communicating over X.25 could cause a kernel panic by attempting to negotiate malformed facilities. A local attacker could cause memory overruns in the RDS protocol stack, potentially crashing the kernel. A minor heap overflow in the CAN network module was fixed.

A memory information leak in Berkeley packet filter rules allowed local attackers to read uninitialized memory of the kernel stack. A local denial of service in the blockdevice layer was fixed. By submitting certain I/O requests with 0 length, a local user could have caused a kernel panic. The ethtool_get_rxnfc function did not initialize a certain block of heap memory, which allowed local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command. Multiple integer overflows in the snd_ctl_new function allowed local users to cause a denial of service. A range checking overflow in pktcdvd ioctl was fixed. The sisfb_ioctl function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. The snd_hdsp_hwdep_ioctl function did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory.

The viafb_ioctl_get_viafb_info function did not properly initialize a certain structure member, which allowed local users to obtain potentially sensitive information from kernel stack memory. An integer overflow in the do_io_submit function allowed local users to cause a denial of service. An iovec integer overflow in RDS sockets was fixed which could lead to local attackers gaining kernel privileges. Updated packages are available from download.opensuse.org.

December 22, 2010 04:57 SuSE: New IBM Java 1.4.2 packages fix remote code execution

0

IBM Java 1.4.2 was updated to Service Release 13 Fix Pack 6 to fix various bugs and security issues. Updated packages are available from download.opensuse.org.

December 15, 2010 20:48 SuSE: New kernel packages fix remote denial of service

0

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. Multiple integer overflows in the snd_ctl_new function allow local users to cause a denial of service. An integer signedness error in the pkt_find_dev_from_minor function allows local users to obtain sensitive information from kernel memory. Uninitialized stack memory disclosure in the FBIOGET_VBLANK ioctl in the sis and ivtv drivers could leak kernel memory to userspace. An uninitialized stack memory disclosure in the rme9652 ALSA driver and the SystemV IPC handling functions could leak kernel memory to userspace. An integer overflow in the do_io_submit function allowed local users to cause a denial of service. Multiple integer signedness errors allowed local users to cause a denial of service. Updated packages are available from download.opensuse.org.
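The three kernel advisories above (SLE 11 SP1, openSUSE 11.2 and SLE 10 SP3) each list several "did not initialize a certain structure member" bugs: viafb, sisfb FBIOGET_VBLANK, the rme9652/snd_hdsp hwdep ioctl and the SysV IPC copy_shmid_to_user/copy_semid_to_user helpers. They are all one bug class, and the following userland model is an added example (not kernel code) of how such a leak happens and what the usual fix looks like. A driver fills a struct on its stack and copies the whole object to userspace, but only the named members were written; compiler padding and partially written arrays still carry whatever the previous call left on the stack. The struct layout here is an assumption chosen to contain padding (a uint64_t member placed after a single byte), and the 0xAA marker stands in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a structure an ioctl hands back to userspace. On a 64-bit ABI
   (assumed) there are 7 padding bytes between flag and size. */
struct fb_info_out {
    uint8_t  flag;     /* followed by alignment padding before size */
    uint64_t size;
    char     name[8];  /* only the first bytes get written below */
};

/* Vulnerable pattern: assign the members you care about, copy everything.
   The padding and name[4..7] are never written. */
static void fill_vulnerable(struct fb_info_out *info)
{
    info->flag = 1;
    info->size = 4096;
    memcpy(info->name, "fb0", 4);
}

/* Hardened pattern: clear the whole object before filling it, so every
   byte that reaches userspace was written by this function. */
static void fill_hardened(struct fb_info_out *info)
{
    memset(info, 0, sizeof *info);
    info->flag = 1;
    info->size = 4096;
    memcpy(info->name, "fb0", 4);
}

/* Returns how many bytes of the copy handed to "userspace" still carry the
   stale 0xAA marker. 0xAA is chosen because no initialised field contains it
   (flag=1, size=4096, name="fb0\0"). */
size_t count_leaked_bytes(int hardened)
{
    union {
        struct fb_info_out s;
        unsigned char raw[sizeof(struct fb_info_out)];
    } frame;
    unsigned char user_copy[sizeof frame.raw];

    memset(frame.raw, 0xAA, sizeof frame.raw);        /* stale stack contents */
    if (hardened)
        fill_hardened(&frame.s);
    else
        fill_vulnerable(&frame.s);
    memcpy(user_copy, frame.raw, sizeof user_copy);  /* stands in for copy_to_user() */

    size_t leaked = 0;
    for (size_t i = 0; i < sizeof user_copy; i++)
        if (user_copy[i] == 0xAA)
            leaked++;
    return leaked;
}

/* Number of stale bytes the vulnerable version is expected to leak:
   the padding after flag plus the four untouched bytes of name. */
size_t expected_leak(void)
{
    return (offsetof(struct fb_info_out, size) - 1) + 4;
}

int main(void)
{
    printf("struct size %zu, padding after flag %zu bytes\n",
           sizeof(struct fb_info_out), offsetof(struct fb_info_out, size) - 1);
    printf("vulnerable copy leaks %zu stale bytes\n", count_leaked_bytes(0));
    printf("hardened copy leaks %zu stale bytes\n", count_leaked_bytes(1));
    return 0;
}
```

The same leak also occurs with designated initializers that name every member, because C only guarantees zeroing of the named members, not of padding; memset() of the whole object (or a zeroed kmalloc) before filling it is what the kernel fixes above do.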

December 15, 2010 17:33 SuSE: New exim packages fix remote code execution

0

The unprivileged user that the exim daemon runs as could tell exim to read a different configuration file and leverage that to escalate privileges to root. A buffer overflow in exim allowed remote attackers to execute arbitrary code. Updated packages are available from download.opensuse.org.

December 15, 2010 17:15 SuSE: New acroread packages fix remote code execution

0

Specially crafted PDF documents could crash acroread or lead to execution of arbitrary code. acroread was updated to version 9.4.1 which addresses the issues. Updated packages are available from download.opensuse.org.

November 17, 2010 08:29 SuSE: New kernel packages fix local privilege escalation

0

This update of the SUSE Linux Enterprise 11 SP1 kernel fixes three critical security issues and some bugs. A local privilege escalation in RDS sockets allowed local attackers to gain root privileges. A problem in the compat ioctl handling in video4linux allowed local attackers with a video device plugged in to gain root privileges on x86_64 systems. Updated packages are available from download.opensuse.org.

November 10, 2010 05:36 SuSE: New Mozilla packages fix remote code execution

0

Various Mozilla suite components, including Firefox, were updated to fix various security issues. Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Alexander Miller reported that passing an excessively long string to document.write could cause text rendering routines to end up in an inconsistent state with sections of stack memory being overwritten with the string data. Sergey Glazunov reported that it was possible to access the locationbar property of a window object after it had been closed. regenrecht reported that when window.__lookupGetter__ is called with no arguments the code assumes the top JavaScript stack value is a property name. Robert Swiecki reported that functions used by the Gopher parser to convert text to HTML tags could be exploited to turn text into executable JavaScript. Eduardo Vela Nava reported that if a web page opened a new window and used a javascript: URL to make a modal call, such as alert(), then subsequently navigated the page to a different domain, once the modal call returned the opener of the window could get access to objects in the navigated window. Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. Morten Kråkvik reported an exploit targeting particular versions of Firefox 3.6 on Windows XP that Telenor found while investigating an intrusion attempt on a customer network. Updated packages are available from download.opensuse.org.

November 10, 2010 05:35 SuSE: New flash-player packages fix remote code execution

0

Adobe Flash Player was updated to version 10.1.102.64 to fix a critical security issue. Updated packages are available from download.opensuse.org.

November 10, 2010 05:23 SuSE: New kernel packages fix local privilege escalation

0

A security update of the SUSE Linux Enterprise 11 GA and openSUSE 11.1 kernel updates the kernel to 2.6.27.54 and fixes various security issues. Multiple integer signedness errors allowed local users to cause a denial of service or possibly have unspecified other impact via a rose_getname function call. A double free in an alsa error path was fixed, which could lead to kernel crashes. Kernel information leaks in the WEXT ioctl, the xfs filesystem, the cxgb3 driver, the net/eql driver, and in the net scheduler code have been fixed. The irda_bind function did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service and possibly have unspecified other impact. The ‘os2’ xattr namespace on the jfs filesystem could be used to bypass xattr namespace rules. An integer overflow in the ext4_ext_get_blocks function allowed local users to cause a denial of service via a write operation on the last block of a large file, followed by a sync operation. The Direct Rendering Manager (DRM) subsystem allowed local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. The gfs2_dirent_find_space function used an incorrect size value in calculations associated with sentinel directory entries, which allowed local users to cause a denial of service and possibly have unspecified other impact. Updated packages are available from download.opensuse.org.

November 03, 2010 09:40 SuSE: New kernel packages fix local privilege escalation

0

The openSUSE 11.2 and 11.3 kernels were updated to fix 2 critical security issues and some small bugs. A local privilege escalation in RDS sockets allowed local attackers to gain root privileges. A problem in the compat ioctl handling in video4linux allowed local attackers with a video device plugged in to gain root privileges on x86_64 systems. Updated packages are available from download.opensuse.org.

November 03, 2010 09:37 SuSE: New glibc packages fix local privilege escalation

0

The Linux C library glibc was updated to fix critical security issues and several bugs. Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in the context of, e.g., setuid root programs, elevating privileges. The LD_AUDIT environment variable was not pruned during setuid root execution and could load shared libraries from standard system library paths. An integer overflow in ld.so --verify mode, triggered by a specially crafted binary, could lead to arbitrary code execution. The addmntent() function did not escape the newline character properly, allowing a user to insert arbitrary lines into /etc/mtab. Updated packages are available from download.opensuse.org.
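The addmntent() issue above is a line-oriented injection: /etc/mtab is one mount per line with space-separated fields, so a mount point name containing a newline lets the caller of a setuid mount helper append a forged entry. The following is an added example (not glibc source) of the octal escaping such a writer needs, modelled on the convention used for mtab/fstab fields (space as \040, tab as \011, newline as \012, backslash as \134), with a constructed attacker-controlled mount point run through both the raw and the escaped path. The buffer sizes and the demo field values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that break the space-separated, line-oriented
   mtab format. Returns the encoded length, or (size_t)-1 if the output
   buffer cannot hold the result plus its terminating NUL. */
size_t mtab_encode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *esc = NULL;
        switch (*p) {
        case ' ':  esc = "\\040"; break;
        case '\t': esc = "\\011"; break;
        case '\n': esc = "\\012"; break;   /* the case the glibc fix added */
        case '\\': esc = "\\134"; break;
        default:   break;
        }
        size_t need = esc ? 4 : 1;
        if (o + need >= outlen)            /* keep room for the NUL */
            return (size_t)-1;
        if (esc) {
            memcpy(out + o, esc, 4);
            o += 4;
        } else {
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return o;
}

/* Copy one field either verbatim (the pre-fix behaviour) or escaped. */
static int copy_field(const char *in, char *out, size_t outlen, int escape)
{
    if (escape)
        return mtab_encode(in, out, outlen) == (size_t)-1 ? -1 : 0;
    int n = snprintf(out, outlen, "%s", in);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Build the mtab line for one mount into 'line' and return how many lines
   it occupies. A correctly escaped entry always yields exactly 1; more than
   that means the caller's strings smuggled extra entries into the file.
   Returns -1 on truncation. */
int mtab_entry_lines(const char *fsname, const char *dir, const char *type,
                     const char *opts, int escape, char *line, size_t linelen)
{
    char f[256], d[256], t[64], o[256];
    if (copy_field(fsname, f, sizeof f, escape) ||
        copy_field(dir, d, sizeof d, escape) ||
        copy_field(type, t, sizeof t, escape) ||
        copy_field(opts, o, sizeof o, escape))
        return -1;
    int n = snprintf(line, linelen, "%s %s %s %s 0 0\n", f, d, t, o);
    if (n < 0 || (size_t)n >= linelen)
        return -1;
    int lines = 0;
    for (const char *p = line; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

/* Constructed attacker input: a mount point whose name embeds a newline
   followed by a forged second entry claiming the root filesystem lives on
   another device. */
static const char *EVIL_DIR = "/home/user/evil\n/dev/sda1 / ext3 rw 0 0";

/* Run the constructed input through the raw (escape=0) or escaped
   (escape=1) writer and report how many mtab lines it produced. */
int demo_mtab_injection(int escape)
{
    char line[1024];
    return mtab_entry_lines("/dev/sdb1", EVIL_DIR, "ext3", "rw", escape,
                            line, sizeof line);
}

int main(void)
{
    char line[1024];
    for (int escape = 0; escape <= 1; escape++) {
        int n = mtab_entry_lines("/dev/sdb1", EVIL_DIR, "ext3", "rw", escape,
                                 line, sizeof line);
        printf("%s writer: %d line(s)\n%s", escape ? "escaped" : "raw", n, line);
    }
    return 0;
}
```

Readers of the file (getmntent() in glibc, and anything that parses /etc/mtab or /proc/mounts by hand) must decode the same escapes, otherwise a mount point containing a space is already misread; the newline case only differs in that it adds a whole forged record rather than corrupting one.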
