Vulnerabilities > CVE-2010-2946 - Improper Input Validation vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE9_12672.NASL description This patch updates the SUSE Linux Enterprise Server 9 kernel to fix various security issues and some bugs. The following security issues were fixed : - The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not verify whether the tty has a write operation, which allowed local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver. (CVE-2010-4242) - The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a last seen 2020-06-01 modified 2020-06-02 plugin id 51953 published 2011-02-11 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51953 title SuSE9 Security Update : the Linux kernel (YOU Patch Number 12672) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(51953); script_version("1.7"); script_cvs_date("Date: 2019/10/25 13:36:40"); script_cve_id("CVE-2010-2946", "CVE-2010-3067", "CVE-2010-3310", "CVE-2010-3442", "CVE-2010-3848", "CVE-2010-3849", "CVE-2010-3850", "CVE-2010-3873", "CVE-2010-4072", "CVE-2010-4073", "CVE-2010-4081", "CVE-2010-4083", "CVE-2010-4157", "CVE-2010-4158", "CVE-2010-4160", "CVE-2010-4164", "CVE-2010-4242", "CVE-2010-4258", "CVE-2010-4342", "CVE-2010-4527", "CVE-2010-4529"); script_name(english:"SuSE9 Security Update : the Linux kernel (YOU Patch Number 12672)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 9 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This patch updates the SUSE Linux Enterprise Server 9 kernel to fix various security issues and some bugs. The following security issues were fixed : - The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not verify whether the tty has a write operation, which allowed local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver. (CVE-2010-4242) - The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a '\0' character, which allowed local users to conduct buffer overflow attacks and gain privileges, or possibly obtain sensitive information from kernel memory, via a SOUND_MIXER_SETLEVELS ioctl call. (CVE-2010-4527) - Integer underflow in the irda_getsockopt function in net/irda/af_irda.c in the Linux kernel on platforms other than x86 allowed local users to obtain potentially sensitive information from kernel heap memory via an IRLMP_ENUMDEVICES getsockopt call. (CVE-2010-4529) - The aun_incoming function in net/econet/af_econet.c in the Linux kernel, when Econet is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending an Acorn Universal Networking (AUN) packet over UDP. (CVE-2010-4342) - fs/jfs/xattr.c in the Linux kernel did not properly handle a certain legacy format for storage of extended attributes, which might have allowed local users by bypass intended xattr namespace restrictions via an 'os2.' substring at the beginning of a name. (CVE-2010-2946) - Stack-based buffer overflow in the econet_sendmsg function in net/econet/af_econet.c in the Linux kernel, when an econet address is configured, allowed local users to gain privileges by providing a large number of iovec structures. (CVE-2010-3848) - The econet_sendmsg function in net/econet/af_econet.c in the Linux kernel, when an econet address is configured, allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a sendmsg call that specifies a NULL value for the remote address field. (CVE-2010-3849) - The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel does not require the CAP_NET_ADMIN capability, which allowed local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call. (CVE-2010-3850) - The do_exit function in kernel/exit.c in the Linux kernel did not properly handle a KERNEL_DS get_fs value, which allowed local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call. (CVE-2010-4258) - Multiple integer overflows in the (1) pppol2tp_sendmsg function in net/l2tp/l2tp_ppp.c, and the (2) l2tp_ip_sendmsg function in net/l2tp/l2tp_ip.c, in the PPPoL2TP and IPoL2TP implementations in the Linux kernel allowed local users to cause a denial of service (heap memory corruption and panic) or possibly gain privileges via a crafted sendto call. (CVE-2010-4160) - Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel on 64-bit platforms allowed local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call. (CVE-2010-4157) - Multiple integer underflows in the x25_parse_facilities function in net/x25/x25_facilities.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data, a different vulnerability than CVE-2010-3873. (CVE-2010-4164) - The sk_run_filter function in net/core/filter.c in the Linux kernel did not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allowed local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter. (CVE-2010-4158) - Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442) - The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call. (CVE-2010-4081) - The ipc subsystem in the Linux kernel did not initialize certain structures, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073) - The copy_shmid_to_user function in ipc/shm.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the 'old shm interface.'. (CVE-2010-4072) - The copy_semid_to_user function in ipc/sem.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. (CVE-2010-4083) - Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067) - Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-2946.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3067.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3310.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3442.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3848.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3849.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3850.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-3873.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4072.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4073.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4081.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4083.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4157.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4158.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4160.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4164.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4242.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4258.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4342.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4527.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2010-4529.html" ); script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12672."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/02/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-bigsmp-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-debug-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-default-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-smp-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-source-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-syms-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-um-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-xen-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"kernel-xenpae-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"um-host-install-initrd-1.0-48.38")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"um-host-kernel-2.6.5-7.325")) flag++; if (rpm_check(release:"SUSE9", cpu:"i586", reference:"xen-kmp-3.0.4_2.6.5_7.325-0.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-7257.NASL description This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. The following security issues were fixed : - Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442) - Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437) - Uninitialized stack memory disclosure in the FBIOGET_VBLANK ioctl in the sis and ivtv drivers could leak kernel memory to userspace. (CVE-2010-4078) - Uninitialized stack memory disclosure in the rme9652 ALSA driver could leak kernel memory to userspace. (CVE-2010-4080 / CVE-2010-4081) - Uninitialized stack memory disclosure in the SystemV IPC handling functions could leak kernel memory to userspace. (CVE-2010-4073 / CVE-2010-4072 / CVE-2010-4083) - Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067) - Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310) - The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) - fs/jfs/xattr.c in the Linux kernel did not properly handle a certain legacy format for storage of extended attributes, which might have allowed local users by bypass intended xattr namespace restrictions via an last seen 2020-06-01 modified 2020-06-02 plugin id 51158 published 2010-12-14 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51158 title SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7257) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-7261.NASL description This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. The following security issues were fixed : - Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call. (CVE-2010-3442) - Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437) - Uninitialized stack memory disclosure in the FBIOGET_VBLANK ioctl in the sis and ivtv drivers could leak kernel memory to userspace. (CVE-2010-4078) - Uninitialized stack memory disclosure in the rme9652 ALSA driver could leak kernel memory to userspace. (CVE-2010-4080 / CVE-2010-4081) - Uninitialized stack memory disclosure in the SystemV IPC handling functions could leak kernel memory to userspace. (CVE-2010-4073 / CVE-2010-4072 / CVE-2010-4083) - Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel allowed local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067) - Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310) - The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) - fs/jfs/xattr.c in the Linux kernel did not properly handle a certain legacy format for storage of extended attributes, which might have allowed local users by bypass intended xattr namespace restrictions via an last seen 2020-06-01 modified 2020-06-02 plugin id 59153 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59153 title SuSE 10 Security Update : the Linux kernel (ZYPP Patch Number 7261) NASL family SuSE Local Security Checks NASL id SUSE9_12677.NASL description This patch updates the SUSE Linux Enterprise Server 9 kernel to fix various security issues and some bugs. The following security issues were fixed : - The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel did not verify whether the tty has a write operation, which allowed local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver. (CVE-2010-4242) - The load_mixer_volumes function in sound/oss/soundcard.c in the OSS sound subsystem in the Linux kernel incorrectly expected that a certain name field ends with a last seen 2020-06-01 modified 2020-06-02 plugin id 58229 published 2012-04-23 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58229 title SuSE9 Security Update : the Linux kernel (YOU Patch Number 12677) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KERNEL-101020.NASL description This security update of the SUSE Linux Enterprise 11 GA kernel updates the kernel to 2.6.27.54 and fixes various security issues and other bugs. Following security issues were fixed: CVE-2010-3310: Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes. CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. CVE-2010-2946: The last seen 2020-06-01 modified 2020-06-02 plugin id 53669 published 2011-05-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53669 title openSUSE Security Update : kernel (openSUSE-SU-2010:0895-2) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-100903.NASL description This SUSE Linux Enterprise 11 Service Pack 1 kernel contains various security fixes and lots of other bugfixes. Notable larger bugfixes and changes : - 603464: Fix system freezewhen doing a network crashdump with a netxen_nic driver - 610828: Avoid kernel failure on connects/disconnects to a novell server with Novell Client 2.0 - 612009: Fix Oracle issues due to problems with OCFS - 614332: Fix SMB processes stuck in uninteruptible sleep when using (LVS/ClusteredIP) + CTDB + OCFS2 - 619525: Fix igb driver regression - 626321: Add patch for Apparent OCFS2 corruption after removing a bunch of reflinks - 627518: Avoid System hangs up after failed to copy files from smb server - 629552: Skip Tape rewind during boot or a scsi scan The following security issues were fixed : - insufficient range checks on the ETHTOOL_GRXCLSRLALL command allowed local users to at least crash the kernel. (CVE-2010-2478) - Specially crafted NFS write requests could crash the kernel. (CVE-2010-2521) - a malicious local user could fill the cache used by CIFS do perform dns lookups with chosen data, therefore tricking the kernel into mounting a wrong CIFS server. (CVE-2010-2524) - a local user could overwrite append-only files on a btrfs file system. (CVE-2010-2537) - a local user could read kernel memory of a btrfs file system. (CVE-2010-2538) - local users could trigger a NULL derefence via gfs2 file system. (CVE-2010-2798) - driver specific drm ioctl could leak kernel memory to users with access to dri devices. (CVE-2010-2803) - last seen 2020-06-01 modified 2020-06-02 plugin id 51610 published 2011-01-21 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51610 title SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 3068 / 3069 / 3070) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1000-1.NASL description Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Al Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895) Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066) Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privacy. (CVE-2010-2226) Suresh Jayaraman discovered that CIFS did not correctly validate certain response packats. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-2248) Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (CVE-2010-2478, CVE-2010-3084) James Chapman discovered that L2TP did not correctly evaluate checksum capabilities. If an attacker could make malicious routing changes, they could crash the system, leading to a denial of service. (CVE-2010-2495) Neil Brown discovered that NFSv4 did not correctly check certain write requests. A remote attacker could send specially crafted traffic that could crash the system or possibly gain root privileges. (CVE-2010-2521) David Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation. (CVE-2010-2524) Dan Rosenberg discovered a flaw in gfs2 file system last seen 2020-06-01 modified 2020-06-02 plugin id 50044 published 2010-10-20 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50044 title Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS / 10.10 : linux, linux-ec2, linux-source-2.6.15 vulnerabilities (USN-1000-1) NASL family SuSE Local Security Checks NASL id SUSE_11_2_KERNEL-100921.NASL description This openSUSE 11.2 kernel was updated to 2.6.31.14, fixing several security issues and bugs. A lot of ext4 filesystem stability fixes were also added. Following security issues have been fixed: CVE-2010-3301: Mismatch between 32bit and 64bit register usage in the system call entry path could be used by local attackers to gain root privileges. This problem only affects x86_64 kernels. CVE-2010-3081: Incorrect buffer handling in the biarch-compat buffer handling could be used by local attackers to gain root privileges. This problem affects foremost x86_64, or potentially other biarch platforms, like PowerPC and S390x. CVE-2010-3084: A buffer overflow in the ETHTOOL_GRXCLSRLALL code could be used to crash the kernel or potentially execute code. CVE-2010-2955: A kernel information leak via the WEXT ioctl was fixed. CVE-2010-2960: The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel expects that a certain parent session keyring exists, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. CVE-2010-3080: A double free in an alsa error path was fixed, which could lead to kernel crashes. CVE-2010-3079: Fixed a ftrace NULL pointer dereference problem which could lead to kernel crashes. CVE-2010-3298: Fixed a kernel information leak in the net/usb/hso driver. CVE-2010-3296: Fixed a kernel information leak in the cxgb3 driver. CVE-2010-3297: Fixed a kernel information leak in the net/eql driver. CVE-2010-3078: Fixed a kernel information leak in the xfs filesystem. CVE-2010-2942: Fixed a kernel information leak in the net scheduler code. CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. CVE-2010-2226: The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel did not properly check the file descriptors passed to the SWAPEXT ioctl, which allowed local users to leverage write access and obtain read access by swapping one file into another file. CVE-2010-2946: The last seen 2020-06-01 modified 2020-06-02 plugin id 49671 published 2010-09-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/49671 title openSUSE Security Update : kernel (openSUSE-SU-2010:0664-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1083-1.NASL description Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904) Nelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850) Ben Hawkes discovered that the Linux kernel did not correctly filter registers on 64bit kernels when performing 32bit system calls. On a 64bit system, a local attacker could manipulate 32bit system calls to gain root privileges. (CVE-2010-3301) Al Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895) Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435) Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066) Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privacy. (CVE-2010-2226) Suresh Jayaraman discovered that CIFS did not correctly validate certain response packats. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-2248) Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (CVE-2010-2478, CVE-2010-3084) James Chapman discovered that L2TP did not correctly evaluate checksum capabilities. If an attacker could make malicious routing changes, they could crash the system, leading to a denial of service. (CVE-2010-2495) Neil Brown discovered that NFSv4 did not correctly check certain write requests. A remote attacker could send specially crafted traffic that could crash the system or possibly gain root privileges. (CVE-2010-2521) David Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation. (CVE-2010-2524) Dan Rosenberg discovered that the btrfs filesystem did not correctly validate permissions when using the clone function. A local attacker could overwrite the contents of file handles that were opened for append-only, or potentially read arbitrary contents, leading to a loss of privacy. (CVE-2010-2537, CVE-2010-2538) Bob Peterson discovered that GFS2 rename operations did not correctly validate certain sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2798) Eric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477) Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943) Sergey Vlasov discovered that JFS did not correctly handle certain extended attributes. A local attacker could bypass namespace access rules, leading to a loss of privacy. (CVE-2010-2946) Tavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954) Brad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955) Tavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960) Kees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962) Kees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963) Toshiyuki Okajima discovered that ext4 did not correctly check certain parameters. A local attacker could exploit this to crash the system or overwrite the last block of large files. (CVE-2010-3015) Tavis Ormandy discovered that the AIO subsystem did not correctly validate certain parameters. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3067) Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-3078) Robert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079) Tavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080) Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297, CVE-2010-3298) Dan Rosenberg discovered that the ROSE driver did not correctly check parameters. A local attacker with access to a ROSE network device could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3310) Thomas Dreibholz discovered that SCTP did not correctly handle appending packet chunks. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-3432) Dan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437) Dan Rosenberg discovered that the Sound subsystem did not correctly validate parameters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3442) Dan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Kees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Kees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164) Steve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175) Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242) Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243) Vegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249) It was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256) Nelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges. (CVE-2010-4258) Kees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655) Frank Arnold discovered that the IGMP protocol did not correctly parse certain packets. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-0709). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65101 published 2013-03-09 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65101 title Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1083-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-101020.NASL description This security update of the SUSE Linux Enterprise 11 GA kernel updates the kernel to 2.6.27.54 and fixes various security issues and other bugs. The following security issues were fixed : - Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310) - A kernel information leak via the WEXT ioctl was fixed. (CVE-2010-2955) - A double free in an alsa error path was fixed, which could lead to kernel crashes. (CVE-2010-3080) - Fixed a kernel information leak in the xfs filesystem. (CVE-2010-3078) - Fixed a kernel information leak in the cxgb3 driver. (CVE-2010-3296) - Fixed a kernel information leak in the net/eql driver. (CVE-2010-3297) - The irda_bind function in net/irda/af_irda.c in the Linux kernel did not properly handle failure of the irda_open_tsap function, which allowed local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. (CVE-2010-2954) - The last seen 2020-06-01 modified 2020-06-02 plugin id 50925 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50925 title SuSE 11 Security Update : Linux kernel (SAT Patch Numbers 3358 / 3361 / 3362)
References
- http://secunia.com/advisories/41321
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35.2
- http://www.securityfocus.com/bid/42589
- http://www.openwall.com/lists/oss-security/2010/08/20/1
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27.51
- http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.10
- http://www.openwall.com/lists/oss-security/2010/08/20/11
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00004.html
- http://www.ubuntu.com/usn/USN-1000-1
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html
- http://secunia.com/advisories/43291
- http://www.vupen.com/english/advisories/2011/0375
- http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
- http://www.vupen.com/english/advisories/2011/0298
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:051
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=aca0fa34bdaba39bfddddba8ca70dba4782e8fe6