Vulnerabilities > CVE-2012-2123 - Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The cap_bprm_set_creds function in security/commoncap.c in the Linux kernel before 3.3.3 does not properly handle the use of file system capabilities (aka fcaps) for implementing a privileged executable file, which allows local users to bypass intended personality restrictions via a crafted application, as demonstrated by an attack that uses a parent process to disable ASLR.

Vulnerable Configurations

Part Description Count
OS
Linux
1393

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-2020.NASL
    descriptionDescription of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn
    last seen2020-06-01
    modified2020-06-02
    plugin id68675
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68675
    titleOracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2012-2020.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68675);
      script_version("1.11");
      script_cvs_date("Date: 2019/09/30 10:58:17");
    
      script_cve_id("CVE-2012-1179", "CVE-2012-2121", "CVE-2012-2123", "CVE-2012-2136", "CVE-2012-2137", "CVE-2012-2373");
    
      script_name(english:"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    * CVE-2012-2123: Privilege escalation when assigning permissions using 
    fcaps.
    
    If a process increases permissions using fcaps, all of the dangerous
    personality flags which are cleared for suid apps are not cleared. This has
    allowed programs that gained elevated permissions using fcaps to disable
    the address space randomization of other processes.
    
    
    * CVE-2012-2121: Memory leak in KVM device assignment.
    
    KVM uses memory slots to track and map guest regions of memory.  When device
    assignment is used, the pages backing these slots are pinned in memory 
    and mapped
    into the iommu.  The problem is that when a memory slot is destroyed the 
    pages
    for the associated memory slot are neither unpinned nor unmapped from 
    the iommu.
    
    
    * Memory corruption in KVM device assignment slot handling.
    
    A race condition in the KVM device assignment slot handling caused by
    missing locks around the unmapping of memory slots could cause a memory
    corruption.
    
    
    * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
    
    The length of packet fragments to be sent wasn't validated before use,
    leading to heap overflow. A user having access to TUN/TAP virtual
    device could use this flaw to crash the system or to potentially
    escalate their privileges.
    
    
    * CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
    
    A buffer overflow flaw was found in the setup_routing_entry() function 
    in the
    KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts
    (MSI) routing entry was handled. A local, unprivileged user could use 
    this flaw
    to cause a denial of service or, possibly, escalate their privileges.
    
    
    * CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
    
    CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.
    
    In some cases, the hugepage subsystem would allocate new PMDs when not
    expected by the memory management subsystem. A privileged user in the
    KVM guest can use this flaw to crash the host, an unprivileged local
    user could use this flaw to crash the system.
    
    CVE-2012-2373: Denial of service in PAE page tables.
    
    On a PAE system, a non-atomic load could be corrupted by a page fault
    resulting in a kernel crash, triggerable by an unprivileged user.
    
    
    * Regression in handling of bind() with AF_UNSPEC family sockets.
    
    Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow
    them to continue doing so, but verify that the address is indeed INADDR_ANY.
    
    kernel-uek:
    
    [2.6.32-300.27.1.el6uek]
    - net: sock: validate data_len before allocating skb (Jason Wang) 
    [Bugdb: 13966]{CVE-2012-2136}
    - fcaps: clear the same personality flags as suid when fcaps are used 
    (Eric Paris) [Bugdb: 13966] {CVE-2012-2123}
    - Revert 'nfs: when attempting to open a directory, fall back on normal 
    lookup (Todd Vierling) [Orabug 14141154]
    
    [2.6.32-300.26.1.el6uek]
    - mptsas: do not call __mptsas_probe in kthread (Maxim Uvarov) [Orabug:
       14175509]
    - mm: check if any page in a pageblock is reserved before marking it
       MIGRATE_RESERVE (Maxim Uvarov) [Orabug: 14073214]
    - mm: reduce the amount of work done when updating min_free_kbytes (Mel 
    Gorman)
       [Orabug: 14073214]
    - vmxnet3: Updated to el6-u2 (Guangyu Sun) [Orabug: 14027961]
    - xen: expose host uuid via sysfs. (Zhigang Wang)
    - sched: Fix cgroup movement of waking process (Daisuke Nishimura) [Orabug:
       13946210]
    - sched: Fix cgroup movement of newly created process (Daisuke Nishimura)
       [Orabug: 13946210]
    - sched: Fix cgroup movement of forking process (Daisuke Nishimura) [Orabug:
       13946210]
    - x86, boot: Wait for boot cpu to show up if nr_cpus limit is about to hit
       (Zhenzhong Duan) [Orabug: 13629087]
    - smp: Use nr_cpus= to set nr_cpu_ids early (Zhenzhong Duan) [Orabug: 
    13629087]
    - net: ipv4: relax AF_INET check in bind() (Maxim Uvarov) [Orabug: 14054411]
    
    ofa-2.6.32-300.27.1.el6uek:
    
    [1.5.1-4.0.58]
    - Add Patch 158-169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2012-June/002870.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2012-June/002871.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el5uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el5uekdebug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el6uekdebug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el5uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el5uekdebug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el6uekdebug");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/06/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5 / 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2012-1179", "CVE-2012-2121", "CVE-2012-2123", "CVE-2012-2136", "CVE-2012-2137", "CVE-2012-2373");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2012-2020");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-debug-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-debug-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-debug-devel-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-debug-devel-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-devel-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-devel-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-doc-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-doc-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-firmware-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-firmware-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_exists(release:"EL5", rpm:"kernel-uek-headers-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-headers-2.6.32-300.27.1.el5uek")) flag++;
    if (rpm_check(release:"EL5", reference:"mlnx_en-2.6.32-300.27.1.el5uek-1.5.7-2")) flag++;
    if (rpm_check(release:"EL5", reference:"mlnx_en-2.6.32-300.27.1.el5uekdebug-1.5.7-2")) flag++;
    if (rpm_check(release:"EL5", reference:"ofa-2.6.32-300.27.1.el5uek-1.5.1-4.0.58")) flag++;
    if (rpm_check(release:"EL5", reference:"ofa-2.6.32-300.27.1.el5uekdebug-1.5.1-4.0.58")) flag++;
    
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-headers-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-headers-2.6.32-300.27.1.el6uek")) flag++;
    if (rpm_check(release:"EL6", reference:"mlnx_en-2.6.32-300.27.1.el6uek-1.5.7-0.1")) flag++;
    if (rpm_check(release:"EL6", reference:"mlnx_en-2.6.32-300.27.1.el6uekdebug-1.5.7-0.1")) flag++;
    if (rpm_check(release:"EL6", reference:"ofa-2.6.32-300.27.1.el6uek-1.5.1-4.0.58")) flag++;
    if (rpm_check(release:"EL6", reference:"ofa-2.6.32-300.27.1.el6uekdebug-1.5.1-4.0.58")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6406.NASL
    descriptionFixes CVEs : CVE-2012-2123 CVE-2012-2121 CVE-2012-2119 Also fixes a boot regression on some Dell machines Linux 3.3.2 There was a regression at the DVB core, affecting applications that require the DVB status before having a lock. In order to allow a broader test (including my environment). All new patches from the upstream media tree up to Apr, 10 got backported plus the fix patches, in order to have, among other things, the az6007 and af9035 drivers backported. Various bugfixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-26
    plugin id58881
    published2012-04-26
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58881
    titleFedora 15 : kernel-2.6.43.2-6.fc15 (2012-6406)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2012-6406.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58881);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-2119", "CVE-2012-2121", "CVE-2012-2123");
      script_xref(name:"FEDORA", value:"2012-6406");
    
      script_name(english:"Fedora 15 : kernel-2.6.43.2-6.fc15 (2012-6406)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixes CVEs :
    
    CVE-2012-2123 CVE-2012-2121 CVE-2012-2119
    
    Also fixes a boot regression on some Dell machines Linux 3.3.2
    
    There was a regression at the DVB core, affecting applications that
    require the DVB status before having a lock. In order to allow a
    broader test (including my environment).
    
    All new patches from the upstream media tree up to Apr, 10 got
    backported plus the fix patches, in order to have, among other things,
    the az6007 and af9035 drivers backported.
    
    Various bugfixes.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=806722"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=814149"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=814278"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2012-April/079111.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?be6eb799"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC15", reference:"kernel-2.6.43.2-6.fc15")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120618_KERNEL_ON_SL6_X.NASL
    descriptionThe kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) - A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) - When a set user ID (setuid) application is executed, certain personality flags for controlling the application
    last seen2020-03-18
    modified2012-08-01
    plugin id61331
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61331
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20120618)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1530-1.NASL
    descriptionAndy Adamson discovered a flaw in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id61508
    published2012-08-13
    reporterUbuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61508
    titleUSN-1530-1 : linux-ti-omap4 vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-756.NASL
    descriptionThe openSUSE 11.4 kernel was updated to fix various bugs and security issues. This is the final update of the 2.6.37 kernel of openSUSE 11.4.
    last seen2020-06-05
    modified2014-06-13
    plugin id74801
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74801
    titleopenSUSE Security Update : kernel (openSUSE-SU-2012:1439-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_KERNEL-120714.NASL
    descriptionThe SUSE Linux Enterprise 11 SP1 kernel have been updated to fix various bugs and security issues. The following security issues have been fixed : - Several buffer overread and overwrite errors in the UDF logical volume descriptor code were fixed that might have allowed local attackers able to mount UDF volumes to crash the kernel or potentially gain privileges. (CVE-2012-3400) - A local denial of service in the last epoll fix was fixed. (CVE-2012-3375) - A integer overflow in i915_gem_do_execbuffer() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2384) - A integer overflow in i915_gem_execbuffer2() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2383) - Memiory leaks in the hugetlbfs map reservation code were fixed that could be used by local attackers to exhaust machine memory. (CVE-2012-2390) - The filesystem capability handling was not fully correct, allowing local users to bypass fscaps related restrictions to disable e.g. address space randomization. (CVE-2012-2123) - Validation of data_len before allocating fragments of skbs was fixed that might have allowed a heap overflow. (CVE-2012-2136) - Fixed potential buffer overflows in the hfsplus filesystem, which might be exploited by local attackers able to mount such filesystems. (CVE-2012-2319) Several leapsecond related bug fixes have been created : - hrtimer: provide clock_was_set_delayed(). (bnc#768632) - time: Fix leapsecond triggered hrtimer/futex load spike issue. (bnc#768632) - ntp: fix leap second hrtimer deadlock. (bnc#768632) - ntp: avoid printk under xtime_lock (bnc#767684). The following non-security issues have been fixed : - tcp: drop SYN+FIN messages to avoid memory leaks. (bnc#765102) - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - REVERT svcrpc: destroy server sockets all at once. (bnc#769210) - sched: Make sure to not re-read variables after validation. (bnc#769685) - audit: Do not send uninitialized data for AUDIT_TTY_GET. (bnc#755513) - dlm: do not depend on sctp. (bnc#729247, bnc#763656) - RPC: killing RPC tasks races fixed. (bnc#765548) - vlan/core: Fix memory leak/corruption on VLAN GRO_DROP. (bnc#758058) - CPU hotplug, cpusets, suspend/resume: Do not modify cpusets during suspend/resume. (bnc#752858) - ioat2: kill pending flag. (bnc#765022) - Fix massive driver induced spin_lock_bh() contention. - ipmi: Fix IPMI errors due to timing problems. (bnc#761988) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen: gntdev: fix multi-page slot allocation. (bnc#760974) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - kernel: pfault task state race (bnc#764098,LTC#81724). - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - bonding: do not dereference NULL pointer to device of VLAN 0. (bnc#763830) - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink. (bnc#769777) - nfs: Ensure we never try to mount an NFS auto-mount dir (bnc748601). - patches.suse/cgroup-disable-memcg-when-low-lowmem.patch: fix typo: use if defined(CONFIG_) rather than if CONFIG_ - patches.suse/pagecache-limit-fix-shmem-deadlock.patch: Fixed the GFP_NOWAIT is zero and not suitable for tests bug. (bnc#755537) - sys_poll: fix incorrect type for timeout parameter. (bnc#754428) - scsi_transport_fc: fix blocked bsg request when fc object deleted. (bnc#761414, bnc#734300) - ehea: fix allmulticast support. (bnc#758013) - scsi: Silence unnecessary warnings about ioctl to partition. (bnc#758104) - sched/x86: Fix overflow in cyc2ns_offset. (bnc#630970, bnc#661605) - sched/rt: Do not throttle when PI boosting. (bnc#754085) - sched/rt: Keep period timer ticking when rt throttling is active. (bnc#754085) - sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled. (bnc#754085)
    last seen2020-06-05
    modified2013-01-25
    plugin id64177
    published2013-01-25
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64177
    titleSuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 6547 / 6548 / 6550)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1459-1.NASL
    descriptionA flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59323
    published2012-06-01
    reporterUbuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59323
    titleUSN-1459-1 : linux-ti-omap4 vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6386.NASL
    descriptionFixes CVEs : CVE-2012-2123 CVE-2012-2121 CVE-2012-2119 Also fixes a boot regression on some Dell machines. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-25
    plugin id58862
    published2012-04-25
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58862
    titleFedora 16 : kernel-3.3.2-6.fc16 (2012-6386)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2469.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-4086 Eric Sandeen reported an issue in the journaling layer for ext4 filesystems (jbd2). Local users can cause buffers to be accessed after they have been torn down, resulting in a denial of service (DoS) due to a system crash. - CVE-2012-0879 Louis Rilling reported two reference counting issues in the CLONE_IO feature of the kernel. Local users can prevent io context structures from being freed, resulting in a denial of service. - CVE-2012-1601 Michael Ellerman reported an issue in the KVM subsystem. Local users could cause a denial of service (NULL pointer dereference) by creating VCPUs before a call to KVM_CREATE_IRQCHIP. - CVE-2012-2123 Steve Grubb reported an issue in fcaps, a filesystem-based capabilities system. Personality flags set using this mechanism, such as the disabling of address space randomization, may persist across suid calls. - CVE-2012-2133 Shachar Raindel discovered a use-after-free bug in the hugepages quota implementation. Local users with permission to use hugepages via the hugetlbfs implementation may be able to cause a denial of service (system crash).
    last seen2020-03-17
    modified2012-05-11
    plugin id59070
    published2012-05-11
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59070
    titleDebian DSA-2469-1 : linux-2.6 - privilege escalation/denial of service
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2012-0743.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application
    last seen2020-06-01
    modified2020-06-02
    plugin id59609
    published2012-06-21
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59609
    titleCentOS 6 : kernel (CESA-2012:0743)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1457-1.NASL
    descriptionAndy Adamson discovered a flaw in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59321
    published2012-06-01
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59321
    titleUbuntu 11.04 : linux vulnerabilities (USN-1457-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2012-0042.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Fix bug number for commit
    last seen2020-06-01
    modified2020-06-02
    plugin id79484
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79484
    titleOracleVM 3.1 : kernel-uek (OVMSA-2012-0042)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-0743.NASL
    descriptionFrom Red Hat Security Advisory 2012:0743 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application
    last seen2020-06-01
    modified2020-06-02
    plugin id68544
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68544
    titleOracle Linux 6 : kernel (ELSA-2012-0743)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1455-1.NASL
    descriptionA flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59309
    published2012-05-30
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59309
    titleUbuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1455-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1445-1.NASL
    descriptionA flaw was found in the Linux
    last seen2020-06-01
    modified2020-06-02
    plugin id59188
    published2012-05-18
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59188
    titleUbuntu 10.04 LTS : linux vulnerabilities (USN-1445-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1452-1.NASL
    descriptionA flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59290
    published2012-05-29
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59290
    titleUbuntu 11.10 : linux vulnerabilities (USN-1452-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-2021.NASL
    descriptionDescription of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn
    last seen2020-06-01
    modified2020-06-02
    plugin id68676
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68676
    titleOracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2021)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-6344.NASL
    descriptionFixes CVEs : CVE-2012-2119 CVE-2012-2123 CVE-2012-2121 Also fixes some fail to boot issues on various Dell machines. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-24
    plugin id58836
    published2012-04-24
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58836
    titleFedora 17 : kernel-3.3.2-8.fc17 (2012-6344)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1448-1.NASL
    descriptionA flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59226
    published2012-05-22
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59226
    titleUbuntu 12.04 LTS : linux vulnerabilities (USN-1448-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1460-1.NASL
    descriptionA flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59324
    published2012-06-01
    reporterUbuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59324
    titleUSN-1460-1 : linux-ti-omap4 vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1453-1.NASL
    descriptionA flaw was found in the Linux
    last seen2020-06-01
    modified2020-06-02
    plugin id59291
    published2012-05-29
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59291
    titleUbuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1453-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-0743.NASL
    descriptionUpdated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application
    last seen2020-06-01
    modified2020-06-02
    plugin id59562
    published2012-06-19
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59562
    titleRHEL 6 : kernel (RHSA-2012:0743)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-357.NASL
    descriptionThis kernel update of the openSUSE 12.1 kernel brings various bug and security fixes. Following issues were fixed : - tcp: drop SYN+FIN messages (bnc#765102, CVE-2012-2663). - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136). - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE (bnc#762991). - be2net: non-member vlan pkts not received in promiscous mode (bnc#732006 CVE-2011-3347). - fcaps: clear the same personality flags as suid when fcaps are used (bnc#758260 CVE-2012-2123). - macvtap: zerocopy: validate vectors before building skb (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built successfully (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: put page when fail to get all requested user pages (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: fix offset calculation when building skb (bnc#758243 CVE-2012-2119). - Avoid reading past buffer when calling GETACL (bnc#762992). - Avoid beyond bounds copy while caching ACL (bnc#762992). - Fix length of buffer copied in __nfs4_get_acl_uncached (bnc#762992). - hfsplus: Fix potential buffer overflows (bnc#760902 CVE-2009-4020). - usb/net: rndis: merge command codes. only net/hyperv part - usb/net: rndis: remove ambiguous status codes. only net/hyperv part - usb/net: rndis: break out <linux/rndis.h> defines. only net/hyperv part - net/hyperv: Add flow control based on hi/low watermark. - hv: fix return type of hv_post_message(). - Drivers: hv: util: Properly handle version negotiations. - Drivers: hv: Get rid of an unnecessary check in vmbus_prep_negotiate_resp(). - HID: hyperv: Set the hid drvdata correctly. - HID: hid-hyperv: Do not use hid_parse_report() directly. - [SCSI] storvsc: Properly handle errors from the host (bnc#747404). - Delete patches.suse/suse-hv-storvsc-ignore-ata_16.patch. - patches.suse/suse-hv-pata_piix-ignore-disks.patch replace our version of this patch with upstream variant: ata_piix: defer disks to the Hyper-V drivers by default libata: add a host flag to ignore detected ATA devices. - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition (bnc#762991 CVE-2012-2373). - xfrm: take net hdr len into account for esp payload size calculation (bnc#759545). - net/hyperv: Adding cancellation to ensure rndis filter is closed. - xfs: Fix oops on IO error during xlog_recover_process_iunlinks() (bnc#761681). - thp: reduce khugepaged freezing latency (bnc#760860). - igb: fix rtnl race in PM resume path (bnc#748859). - ixgbe: add missing rtnl_lock in PM resume path (bnc#748859). - cdc_ether: Ignore bogus union descriptor for RNDIS devices (bnc#735362). Taking the fix from net-next - Fix kABI breakage due to including proc_fs.h in kernel/fork.c modversion changed because of changes in struct proc_dir_entry (became defined) Refresh patches.fixes/procfs-namespace-pid_ns-fix-leakage-on-for k-failure. - Disabled MMC_TEST (bnc#760077). - Input: ALPS - add semi-MT support for v3 protocol (bnc#716996). - Input: ALPS - add support for protocol versions 3 and 4 (bnc#716996). - Input: ALPS - remove assumptions about packet size (bnc#716996). - Input: ALPS - add protocol version field in alps_model_info (bnc#716996). - Input: ALPS - move protocol information to Documentation (bnc#716996). - sysctl/defaults: kernel.hung_task_timeout -> kernel.hung_task_timeout_secs (bnc#700174) - btrfs: partial revert of truncation improvements (FATE#306586 bnc#748463 bnc#760279). - libata: skip old error history when counting probe trials. - procfs, namespace, pid_ns: fix leakage upon fork() failure (bnc#757783). - cdc-wdm: fix race leading leading to memory corruption (bnc#759554). This patch fixes a race whereby a pointer to a buffer would be overwritten while the buffer was in use leading to a double free and a memory leak. This causes crashes. This bug was introduced in 2.6.34 - netfront: delay gARP until backend switches to Connected. - xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. - xenbus: check availability of XS_RESET_WATCHES command. - xenbus_dev: add missing error checks to watch handling. - drivers/xen/: use strlcpy() instead of strncpy(). - blkfront: properly fail packet requests (bnc#745929). - Linux 3.1.10. - Update Xen config files. - Refresh other Xen patches. - tlan: add cast needed for proper 64 bit operation (bnc#756840). - dl2k: Tighten ioctl permissions (bnc#758813). - mqueue: fix a vfsmount longterm reference leak (bnc#757783). - cciss: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler (bnc#757789). - procfs: fix a vfsmount longterm reference leak (bnc#757783). - uwb: fix error handling (bnc#731720). This fixes a kernel error on unplugging an uwb dongle - uwb: fix use of del_timer_sync() in interrupt (bnc#731720). This fixes a kernel warning on plugging in an uwb dongle - acer-wmi: Detect communication hot key number. - acer-wmi: replaced the hard coded bitmap by the communication devices bitmap from SMBIOS. - acer-wmi: add ACER_WMID_v2 interface flag to represent new notebooks. - acer-wmi: No wifi rfkill on Sony machines. - acer-wmi: No wifi rfkill on Lenovo machines. - [media] cx22702: Fix signal strength. - fs: cachefiles: Add support for large files in filesystem caching (bnc#747038). - Drivers: scsi: storvsc: Account for in-transit packets in the RESET path. - CPU hotplug, cpusets, suspend: Don
    last seen2020-06-05
    modified2014-06-13
    plugin id74661
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74661
    titleopenSUSE Security Update : Kernel (openSUSE-SU-2012:0812-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-0670.NASL
    descriptionUpdated kernel-rt packages that fix two security issues and various bugs are now available for Red Hat Enterprise MRG 2.1. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * When a set user ID (setuid) application is executed, certain personality flags for controlling the application
    last seen2020-06-01
    modified2020-06-02
    plugin id76644
    published2014-07-22
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76644
    titleRHEL 6 : MRG (RHSA-2012:0670)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1470-1.NASL
    descriptionAndy Adamson discovered a flaw in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id59474
    published2012-06-13
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59474
    titleUbuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1470-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-342.NASL
    descriptionThis kernel update of the openSUSE 12.1 kernel fixes lots of bugs and security issues. Following issues were fixed : - tcp: drop SYN+FIN messages (bnc#765102). - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136). - fcaps: clear the same personality flags as suid when fcaps are used (bnc#758260 CVE-2012-2123). - macvtap: zerocopy: validate vectors before building skb (bnc#758243 CVE-2012-2119). - hfsplus: Fix potential buffer overflows (bnc#760902 CVE-2009-4020). - xfrm: take net hdr len into account for esp payload size calculation (bnc#759545). - ext4: fix undefined behavior in ext4_fill_flex_info() (bnc#757278). - igb: fix rtnl race in PM resume path (bnc#748859). - ixgbe: add missing rtnl_lock in PM resume path (bnc#748859). - b43: allocate receive buffers big enough for max frame len + offset (bnc#717749). - xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. - xenbus_dev: add missing error checks to watch handling. - hwmon: (coretemp-xen) Fix TjMax detection for older CPUs. - hwmon: (coretemp-xen) Relax target temperature range check. - Refresh other Xen patches. - tlan: add cast needed for proper 64 bit operation (bnc#756840). - dl2k: Tighten ioctl permissions (bnc#758813). - [media] cx22702: Fix signal strength. - fs: cachefiles: Add support for large files in filesystem caching (bnc#747038). - bridge: correct IPv6 checksum after pull (bnc#738644). - bridge: fix a possible use after free (bnc#738644). - bridge: Pseudo-header required for the checksum of ICMPv6 (bnc#738644). - bridge: mcast snooping, fix length check of snooped MLDv1/2 (bnc#738644). - PCI/ACPI: Report ASPM support to BIOS if not disabled from command line (bnc#714455). - ipc/sem.c: fix race with concurrent semtimedop() timeouts and IPC_RMID (bnc#756203). - drm/i915/crt: Remove 0xa0 probe for VGA. - tty_audit: fix tty_audit_add_data live lock on audit disabled (bnc#721366). - drm/i915: suspend fbdev device around suspend/hibernate (bnc#732908). - dlm: Do not allocate a fd for peeloff (bnc#729247). - sctp: Export sctp_do_peeloff (bnc#729247). - i2c-algo-bit: Fix spurious SCL timeouts under heavy load. - patches.fixes/epoll-dont-limit-non-nested.patch: Don
    last seen2020-06-05
    modified2014-06-13
    plugin id74658
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74658
    titleopenSUSE Security Update : Kernel (openSUSE-SU-2012:0799-1)

Redhat

advisories
  • rhsa
    idRHSA-2012:0670
  • rhsa
    idRHSA-2012:0743
rpms
  • kernel-rt-0:3.0.30-rt50.62.el6rt
  • kernel-rt-debug-0:3.0.30-rt50.62.el6rt
  • kernel-rt-debug-debuginfo-0:3.0.30-rt50.62.el6rt
  • kernel-rt-debug-devel-0:3.0.30-rt50.62.el6rt
  • kernel-rt-debuginfo-0:3.0.30-rt50.62.el6rt
  • kernel-rt-debuginfo-common-x86_64-0:3.0.30-rt50.62.el6rt
  • kernel-rt-devel-0:3.0.30-rt50.62.el6rt
  • kernel-rt-doc-0:3.0.30-rt50.62.el6rt
  • kernel-rt-firmware-0:3.0.30-rt50.62.el6rt
  • kernel-rt-trace-0:3.0.30-rt50.62.el6rt
  • kernel-rt-trace-debuginfo-0:3.0.30-rt50.62.el6rt
  • kernel-rt-trace-devel-0:3.0.30-rt50.62.el6rt
  • kernel-rt-vanilla-0:3.0.30-rt50.62.el6rt
  • kernel-rt-vanilla-debuginfo-0:3.0.30-rt50.62.el6rt
  • kernel-rt-vanilla-devel-0:3.0.30-rt50.62.el6rt
  • kernel-0:2.6.32-220.23.1.el6
  • kernel-bootwrapper-0:2.6.32-220.23.1.el6
  • kernel-debug-0:2.6.32-220.23.1.el6
  • kernel-debug-debuginfo-0:2.6.32-220.23.1.el6
  • kernel-debug-devel-0:2.6.32-220.23.1.el6
  • kernel-debuginfo-0:2.6.32-220.23.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-220.23.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-220.23.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-220.23.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-220.23.1.el6
  • kernel-devel-0:2.6.32-220.23.1.el6
  • kernel-doc-0:2.6.32-220.23.1.el6
  • kernel-firmware-0:2.6.32-220.23.1.el6
  • kernel-headers-0:2.6.32-220.23.1.el6
  • kernel-kdump-0:2.6.32-220.23.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-220.23.1.el6
  • kernel-kdump-devel-0:2.6.32-220.23.1.el6
  • perf-0:2.6.32-220.23.1.el6
  • perf-debuginfo-0:2.6.32-220.23.1.el6
  • python-perf-0:2.6.32-220.23.1.el6
  • python-perf-debuginfo-0:2.6.32-220.23.1.el6

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 53166 CVE ID:CVE-2012-2123 Linux是一款开放源代码的操作系统。 当使用fcaps存在安全漏洞,允许本地攻击者绕过安全限制(如地址控件随机化)进行攻击。 0 Linux kernel 3.x Linux kernel 2.6.x 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d52fc5dde171f030170a6cb78034d166b13c9445
idSSV:60078
last seen2017-11-19
modified2012-04-23
published2012-04-23
reporterRoot
titleLinux kernel fcaps本地安全绕过漏洞