Vulnerabilities > CVE-2012-2136 - Improper Input Validation vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1532-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61510 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61510 title USN-1532-1 : linux-ti-omap4 vulnerabilities code # This script was automatically generated from Ubuntu Security # Notice USN-1532-1. It is released under the Nessus Script # Licence. # # Ubuntu Security Notices are (C) Canonical, Inc. # See http://www.ubuntu.com/usn/ # Ubuntu(R) is a registered trademark of Canonical, Inc. if (!defined_func("bn_random")) exit(0); include("compat.inc"); if (description) { script_id(61510); script_version("$Revision: 1.3 $"); script_cvs_date("$Date: 2016/12/01 20:56:51 $"); script_cve_id("CVE-2012-2136", "CVE-2012-2373", "CVE-2012-3375", "CVE-2012-3400"); script_xref(name:"USN", value:"1532-1"); script_name(english:"USN-1532-1 : linux-ti-omap4 vulnerabilities"); script_summary(english:"Checks dpkg output for updated package(s)"); script_set_attribute(attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches."); script_set_attribute(attribute:"description", value: "An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potential gain administrative privileges. (CVE-2012-2136) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors where discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400)"); script_set_attribute(attribute:"see_also", value:"http://www.ubuntu.com/usn/usn-1532-1/"); script_set_attribute(attribute:"solution", value:"Update the affected package(s)."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"patch_publication_date", value:"2012/08/10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Ubuntu Local Security Checks"); script_copyright("Ubuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("ubuntu.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/Ubuntu/release")) exit(0, "The host is not running Ubuntu."); if (!get_kb_item("Host/Debian/dpkg-l")) exit(1, "Could not obtain the list of installed packages."); flag = 0; if (ubuntu_check(osver:"11.10", pkgname:"linux-image-3.0.0-1214-omap4", pkgver:"3.0.0-1214.26")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-2020.NASL description Description of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn last seen 2020-06-01 modified 2020-06-02 plugin id 68675 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68675 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Oracle Linux Security Advisory ELSA-2012-2020. # include("compat.inc"); if (description) { script_id(68675); script_version("1.11"); script_cvs_date("Date: 2019/09/30 10:58:17"); script_cve_id("CVE-2012-1179", "CVE-2012-2121", "CVE-2012-2123", "CVE-2012-2136", "CVE-2012-2137", "CVE-2012-2373"); script_name(english:"Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2020)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Description of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn't validated before use, leading to heap overflow. A user having access to TUN/TAP virtual device could use this flaw to crash the system or to potentially escalate their privileges. * CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler. A buffer overflow flaw was found in the setup_routing_entry() function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. * CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service. CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem. In some cases, the hugepage subsystem would allocate new PMDs when not expected by the memory management subsystem. A privileged user in the KVM guest can use this flaw to crash the host, an unprivileged local user could use this flaw to crash the system. CVE-2012-2373: Denial of service in PAE page tables. On a PAE system, a non-atomic load could be corrupted by a page fault resulting in a kernel crash, triggerable by an unprivileged user. * Regression in handling of bind() with AF_UNSPEC family sockets. Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow them to continue doing so, but verify that the address is indeed INADDR_ANY. kernel-uek: [2.6.32-300.27.1.el6uek] - net: sock: validate data_len before allocating skb (Jason Wang) [Bugdb: 13966]{CVE-2012-2136} - fcaps: clear the same personality flags as suid when fcaps are used (Eric Paris) [Bugdb: 13966] {CVE-2012-2123} - Revert 'nfs: when attempting to open a directory, fall back on normal lookup (Todd Vierling) [Orabug 14141154] [2.6.32-300.26.1.el6uek] - mptsas: do not call __mptsas_probe in kthread (Maxim Uvarov) [Orabug: 14175509] - mm: check if any page in a pageblock is reserved before marking it MIGRATE_RESERVE (Maxim Uvarov) [Orabug: 14073214] - mm: reduce the amount of work done when updating min_free_kbytes (Mel Gorman) [Orabug: 14073214] - vmxnet3: Updated to el6-u2 (Guangyu Sun) [Orabug: 14027961] - xen: expose host uuid via sysfs. (Zhigang Wang) - sched: Fix cgroup movement of waking process (Daisuke Nishimura) [Orabug: 13946210] - sched: Fix cgroup movement of newly created process (Daisuke Nishimura) [Orabug: 13946210] - sched: Fix cgroup movement of forking process (Daisuke Nishimura) [Orabug: 13946210] - x86, boot: Wait for boot cpu to show up if nr_cpus limit is about to hit (Zhenzhong Duan) [Orabug: 13629087] - smp: Use nr_cpus= to set nr_cpu_ids early (Zhenzhong Duan) [Orabug: 13629087] - net: ipv4: relax AF_INET check in bind() (Maxim Uvarov) [Orabug: 14054411] ofa-2.6.32-300.27.1.el6uek: [1.5.1-4.0.58] - Add Patch 158-169" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2012-June/002870.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2012-June/002871.html" ); script_set_attribute( attribute:"solution", value:"Update the affected unbreakable enterprise kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el5uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el5uekdebug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el6uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mlnx_en-2.6.32-300.27.1.el6uekdebug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el5uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el5uekdebug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el6uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ofa-2.6.32-300.27.1.el6uekdebug"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/17"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5 / 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2012-1179", "CVE-2012-2121", "CVE-2012-2123", "CVE-2012-2136", "CVE-2012-2137", "CVE-2012-2373"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2012-2020"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "2.6"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_exists(release:"EL5", rpm:"kernel-uek-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-debug-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-debug-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-debug-devel-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-debug-devel-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-devel-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-devel-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-doc-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-doc-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-firmware-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-firmware-2.6.32-300.27.1.el5uek")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-uek-headers-2.6.32") && rpm_check(release:"EL5", reference:"kernel-uek-headers-2.6.32-300.27.1.el5uek")) flag++; if (rpm_check(release:"EL5", reference:"mlnx_en-2.6.32-300.27.1.el5uek-1.5.7-2")) flag++; if (rpm_check(release:"EL5", reference:"mlnx_en-2.6.32-300.27.1.el5uekdebug-1.5.7-2")) flag++; if (rpm_check(release:"EL5", reference:"ofa-2.6.32-300.27.1.el5uek-1.5.1-4.0.58")) flag++; if (rpm_check(release:"EL5", reference:"ofa-2.6.32-300.27.1.el5uekdebug-1.5.1-4.0.58")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.32-300.27.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-headers-2.6.32") && rpm_check(release:"EL6", reference:"kernel-uek-headers-2.6.32-300.27.1.el6uek")) flag++; if (rpm_check(release:"EL6", reference:"mlnx_en-2.6.32-300.27.1.el6uek-1.5.7-0.1")) flag++; if (rpm_check(release:"EL6", reference:"mlnx_en-2.6.32-300.27.1.el6uekdebug-1.5.7-0.1")) flag++; if (rpm_check(release:"EL6", reference:"ofa-2.6.32-300.27.1.el6uek-1.5.1-4.0.58")) flag++; if (rpm_check(release:"EL6", reference:"ofa-2.6.32-300.27.1.el6uekdebug-1.5.1-4.0.58")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1087.NASL description Updated kernel packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 64048 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64048 title RHEL 5 : kernel (RHSA-2012:1087) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:1087. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(64048); script_version("1.14"); script_cvs_date("Date: 2019/10/24 15:35:35"); script_cve_id("CVE-2012-2136"); script_bugtraq_id(53721); script_xref(name:"RHSA", value:"2012:1087"); script_name(english:"RHEL 5 : kernel (RHSA-2012:1087)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access. (CVE-2012-2136, Important) This update also fixes the following bugs : * An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the described calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. (BZ#825981, BZ#835449) * Previously, a race condition between the journal_write_metadata_buffer() and jbd_unlock_bh_state() functions could occur. Consequently, another thread could call the get_write_access() function on the buffer head and cause the wrong data to be written into the journal. If the system terminated unexpectedly or was shut down incorrectly, subsequent file system journal replay could result in file system corruption. This update fixes the race condition and the file system corruption no longer occurs in the described scenario. (BZ#833764) * When the kvmclock initialization was used in a guest, it could write to the Time Stamp Counter (TSC) and, under certain circumstances, could cause the kernel to become unresponsive on boot. With this update, TSC synchronization, which is unnecessary due to kvmclock, has been disabled, thus fixing this bug. (BZ#834557) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1087" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-2136" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.6"); script_set_attribute(attribute:"patch_publication_date", value:"2012/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! ereg(pattern:"^5\.6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.6", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2012:1087"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-PAE-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-PAE-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-debug-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-debug-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-debug-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-debug-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-debug-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-debug-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-debuginfo-common-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-debuginfo-common-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", reference:"kernel-doc-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i386", reference:"kernel-headers-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-headers-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-headers-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-kdump-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"s390x", reference:"kernel-kdump-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-xen-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-xen-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-xen-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-xen-debuginfo-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"i686", reference:"kernel-xen-devel-2.6.18-238.40.1.el5")) flag++; if (rpm_check(release:"RHEL5", sp:"6", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-238.40.1.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-debuginfo / kernel-PAE-devel / etc"); } }
NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120620.NASL description The SUSE Linux Enterprise 11 SP2 kernel was updated to 3.0.34, fixing a lot of bugs and security issues. The update from Linux kernel 3.0.31 to 3.0.34 also fixes various bugs not listed here. The following security issues have been fixed : - Local attackers could trigger an overflow in sock_alloc_send_pksb(), potentially crashing the machine or escalate privileges. (CVE-2012-2136) - A memory leak in transparent hugepages on mmap failure could be used by local attacker to run the machine out of memory (local denial of service). (CVE-2012-2390) - A malicious guest driver could overflow the host stack by passing a long descriptor, so potentially crashing the host system or escalating privileges on the host. (CVE-2012-2119) - Malicious NFS server could crash the clients when more than 2 GETATTR bitmap words are returned in response to the FATTR4_ACL attribute requests, only incompletely fixed by CVE-2011-4131. (CVE-2012-2375) The following non-security bugs have been fixed : Hyper-V : - storvsc: Properly handle errors from the host. (bnc#747404) - HID: hid-hyperv: Do not use hid_parse_report() directly. - HID: hyperv: Set the hid drvdata correctly. - drivers/hv: Get rid of an unnecessary check in vmbus_prep_negotiate_resp(). - drivers/hv: util: Properly handle version negotiations. - hv: fix return type of hv_post_message(). - net/hyperv: Add flow control based on hi/low watermark. - usb/net: rndis: break out <1/rndis.h> defines. only net/hyperv part - usb/net: rndis: remove ambiguous status codes. only net/hyperv part - usb/net: rndis: merge command codes. only net/hyperv part - net/hyperv: Adding cancellation to ensure rndis filter is closed. - update hv drivers to 3.4-rc1, requires new hv_kvp_daemon : - drivers: hv: kvp: Add/cleanup connector defines. - drivers: hv: kvp: Move the contents of hv_kvp.h to hyperv.h. - net/hyperv: Convert camel cased variables in rndis_filter.c to lower cases. - net/hyperv: Correct the assignment in netvsc_recv_callback(). - net/hyperv: Remove the unnecessary memset in rndis_filter_send(). - drivers: hv: Cleanup the kvp related state in hyperv.h. - tools: hv: Use hyperv.h to get the KVP definitions. - drivers: hv: kvp: Cleanup the kernel/user protocol. - drivers: hv: Increase the number of VCPUs supported in the guest. - net/hyperv: Fix data corruption in rndis_filter_receive(). - net/hyperv: Add support for vlan trunking from guests. - Drivers: hv: Add new message types to enhance KVP. - Drivers: hv: Support the newly introduced KVP messages in the driver. - Tools: hv: Fully support the new KVP verbs in the user level daemon. - Tools: hv: Support enumeration from all the pools. - net/hyperv: Fix the code handling tx busy. - patches.suse/suse-hv-pata_piix-ignore-disks.patch replace our version of this patch with upstream variant: ata_piix: defer disks to the Hyper-V drivers by default libata: add a host flag to ignore detected ATA devices. Btrfs : - btrfs: more module message prefixes. - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: flush all the dirty pages if try_to_writeback_inodes_sb_nr() fails - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: fix locking in btrfs_destroy_delayed_refs - btrfs: wake up transaction waiters when aborting a transaction - btrfs: abort the transaction if the commit fails - btrfs: fix btrfs_destroy_marked_extents - btrfs: unlock everything properly in the error case for nocow - btrfs: fix return code in drop_objectid_items - btrfs: check to see if the inode is in the log before fsyncing - btrfs: pass locked_page into extent_clear_unlock_delalloc if theres an error - btrfs: check the return code of btrfs_save_ino_cache - btrfs: do not update atime for RO snapshots (FATE#306586). - btrfs: convert the inode bit field to use the actual bit operations - btrfs: fix deadlock when the process of delayed refs fails - btrfs: stop defrag the files automatically when doin readonly remount or umount - btrfs: avoid memory leak of extent state in error handling routine - btrfs: make sure that we have made everything in pinned tree clean - btrfs: destroy the items of the delayed inodes in error handling routine - btrfs: ulist realloc bugfix - btrfs: bugfix in btrfs_find_parent_nodes - btrfs: bugfix: ignore the wrong key for indirect tree block backrefs - btrfs: avoid buffer overrun in btrfs_printk - btrfs: fall back to non-inline if we do not have enough space - btrfs: NUL-terminate path buffer in DEV_INFO ioctl result - btrfs: avoid buffer overrun in mount option handling - btrfs: do not do balance in readonly mode - btrfs: fix the same inode id problem when doing auto defragment - btrfs: fix wrong error returned by adding a device - btrfs: use fastpath in extent state ops as much as possible Misc : - tcp: drop SYN+FIN messages. (bnc#765102) - mm: avoid swapping out with swappiness==0 (swappiness). - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE. (bnc#762991) - paravirt: Split paravirt MMU ops (bnc#556135, bnc#754690, FATE#306453). - paravirt: Only export pv_mmu_ops symbol if PARAVIRT_MMU - parvirt: Stub support KABI for KVM_MMU (bnc#556135, bnc#754690, FATE#306453). - tmpfs: implement NUMA node interleaving. (bnc#764209) - synaptics-hp-clickpad: Fix the detection of LED on the recent HP laptops. (bnc#765524) - supported.conf: mark xt_AUDIT as supported. (bnc#765253) - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition. (bnc#762991 / CVE-2012-2373) - xhci: Do not free endpoints in xhci_mem_cleanup(). (bnc#763307) - xhci: Fix invalid loop check in xhci_free_tt_info(). (bnc#763307) - drm: Skip too big EDID extensions. (bnc#764900) - drm/i915: Add HP EliteBook to LVDS-temporary-disable list. (bnc#763717) - hwmon: (fam15h_power) Increase output resolution. (bnc#759336) - hwmon: (k10temp) Add support for AMD Trinity CPUs. (bnc#759336) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - memcg: prevent from OOM with too many dirty pages. - dasd: re-prioritize partition detection message (bnc#764091,LTC#81617). - kernel: pfault task state race (bnc#764091,LTC#81724). - kernel: clear page table for sw large page emulation (bnc#764091,LTC#81933). - USB: fix bug of device descriptor got from superspeed device. (bnc#761087) - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - st: clean up dev cleanup in st_probe. (bnc#760806) - st: clean up device file creation and removal. (bnc#760806) - st: get rid of scsi_tapes array. (bnc#760806) - st: raise device limit. (bnc#760806) - st: Use static class attributes. (bnc#760806) - mm: Optimize put_mems_allowed() usage (VM performance). - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - scsi: Fix dm-multipath starvation when scsi host is busy. (bnc#763485) - dasd: process all requests in the device tasklet. (bnc#763267) - rt2x00:Add RT539b chipset support. (bnc#760237) - kabi/severities: Ignore changes in drivers/net/wireless/rt2x00, these are just exports used among the rt2x00 modules. - rt2800: radio 3xxx: reprogram only lower bits of RF_R3. (bnc#759805) - rt2800: radio 3xxx: program RF_R1 during channel switch. (bnc#759805) - rt2800: radio 3xxxx: channel switch RX/TX calibration fixes. (bnc#759805) - rt2x00: Avoid unnecessary uncached. (bnc#759805) - rt2x00: Introduce sta_add/remove callbacks. (bnc#759805) - rt2x00: Add WCID to crypto struct. (bnc#759805) - rt2x00: Add WCID to HT TX descriptor. (bnc#759805) - rt2x00: Move bssidx calculation into its own function. (bnc#759805) - rt2x00: Make use of sta_add/remove callbacks in rt2800. (bnc#759805) - rt2x00: Forbid aggregation for STAs not programmed into the hw. (bnc#759805) - rt2x00: handle spurious pci interrupts. (bnc#759805) - rt2800: disable DMA after firmware load. - rt2800: radio 3xxx: add channel switch calibration routines. (bnc#759805) - rpm/kernel-binary.spec.in: Obsolete ath3k, as it is now in the tree. - floppy: remove floppy-specific O_EXCL handling. (bnc#757315) - floppy: convert to delayed work and single-thread wq. (bnc#761245) last seen 2020-06-05 modified 2013-01-25 plugin id 64175 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64175 title SuSE 11.2 Security Update : Linux kernel (SAT Patch Number 6463) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(64175); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2011-4131", "CVE-2012-2119", "CVE-2012-2136", "CVE-2012-2373", "CVE-2012-2375", "CVE-2012-2390"); script_name(english:"SuSE 11.2 Security Update : Linux kernel (SAT Patch Number 6463)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 11 SP2 kernel was updated to 3.0.34, fixing a lot of bugs and security issues. The update from Linux kernel 3.0.31 to 3.0.34 also fixes various bugs not listed here. The following security issues have been fixed : - Local attackers could trigger an overflow in sock_alloc_send_pksb(), potentially crashing the machine or escalate privileges. (CVE-2012-2136) - A memory leak in transparent hugepages on mmap failure could be used by local attacker to run the machine out of memory (local denial of service). (CVE-2012-2390) - A malicious guest driver could overflow the host stack by passing a long descriptor, so potentially crashing the host system or escalating privileges on the host. (CVE-2012-2119) - Malicious NFS server could crash the clients when more than 2 GETATTR bitmap words are returned in response to the FATTR4_ACL attribute requests, only incompletely fixed by CVE-2011-4131. (CVE-2012-2375) The following non-security bugs have been fixed : Hyper-V : - storvsc: Properly handle errors from the host. (bnc#747404) - HID: hid-hyperv: Do not use hid_parse_report() directly. - HID: hyperv: Set the hid drvdata correctly. - drivers/hv: Get rid of an unnecessary check in vmbus_prep_negotiate_resp(). - drivers/hv: util: Properly handle version negotiations. - hv: fix return type of hv_post_message(). - net/hyperv: Add flow control based on hi/low watermark. - usb/net: rndis: break out <1/rndis.h> defines. only net/hyperv part - usb/net: rndis: remove ambiguous status codes. only net/hyperv part - usb/net: rndis: merge command codes. only net/hyperv part - net/hyperv: Adding cancellation to ensure rndis filter is closed. - update hv drivers to 3.4-rc1, requires new hv_kvp_daemon : - drivers: hv: kvp: Add/cleanup connector defines. - drivers: hv: kvp: Move the contents of hv_kvp.h to hyperv.h. - net/hyperv: Convert camel cased variables in rndis_filter.c to lower cases. - net/hyperv: Correct the assignment in netvsc_recv_callback(). - net/hyperv: Remove the unnecessary memset in rndis_filter_send(). - drivers: hv: Cleanup the kvp related state in hyperv.h. - tools: hv: Use hyperv.h to get the KVP definitions. - drivers: hv: kvp: Cleanup the kernel/user protocol. - drivers: hv: Increase the number of VCPUs supported in the guest. - net/hyperv: Fix data corruption in rndis_filter_receive(). - net/hyperv: Add support for vlan trunking from guests. - Drivers: hv: Add new message types to enhance KVP. - Drivers: hv: Support the newly introduced KVP messages in the driver. - Tools: hv: Fully support the new KVP verbs in the user level daemon. - Tools: hv: Support enumeration from all the pools. - net/hyperv: Fix the code handling tx busy. - patches.suse/suse-hv-pata_piix-ignore-disks.patch replace our version of this patch with upstream variant: ata_piix: defer disks to the Hyper-V drivers by default libata: add a host flag to ignore detected ATA devices. Btrfs : - btrfs: more module message prefixes. - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: flush all the dirty pages if try_to_writeback_inodes_sb_nr() fails - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: fix locking in btrfs_destroy_delayed_refs - btrfs: wake up transaction waiters when aborting a transaction - btrfs: abort the transaction if the commit fails - btrfs: fix btrfs_destroy_marked_extents - btrfs: unlock everything properly in the error case for nocow - btrfs: fix return code in drop_objectid_items - btrfs: check to see if the inode is in the log before fsyncing - btrfs: pass locked_page into extent_clear_unlock_delalloc if theres an error - btrfs: check the return code of btrfs_save_ino_cache - btrfs: do not update atime for RO snapshots (FATE#306586). - btrfs: convert the inode bit field to use the actual bit operations - btrfs: fix deadlock when the process of delayed refs fails - btrfs: stop defrag the files automatically when doin readonly remount or umount - btrfs: avoid memory leak of extent state in error handling routine - btrfs: make sure that we have made everything in pinned tree clean - btrfs: destroy the items of the delayed inodes in error handling routine - btrfs: ulist realloc bugfix - btrfs: bugfix in btrfs_find_parent_nodes - btrfs: bugfix: ignore the wrong key for indirect tree block backrefs - btrfs: avoid buffer overrun in btrfs_printk - btrfs: fall back to non-inline if we do not have enough space - btrfs: NUL-terminate path buffer in DEV_INFO ioctl result - btrfs: avoid buffer overrun in mount option handling - btrfs: do not do balance in readonly mode - btrfs: fix the same inode id problem when doing auto defragment - btrfs: fix wrong error returned by adding a device - btrfs: use fastpath in extent state ops as much as possible Misc : - tcp: drop SYN+FIN messages. (bnc#765102) - mm: avoid swapping out with swappiness==0 (swappiness). - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE. (bnc#762991) - paravirt: Split paravirt MMU ops (bnc#556135, bnc#754690, FATE#306453). - paravirt: Only export pv_mmu_ops symbol if PARAVIRT_MMU - parvirt: Stub support KABI for KVM_MMU (bnc#556135, bnc#754690, FATE#306453). - tmpfs: implement NUMA node interleaving. (bnc#764209) - synaptics-hp-clickpad: Fix the detection of LED on the recent HP laptops. (bnc#765524) - supported.conf: mark xt_AUDIT as supported. (bnc#765253) - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition. (bnc#762991 / CVE-2012-2373) - xhci: Do not free endpoints in xhci_mem_cleanup(). (bnc#763307) - xhci: Fix invalid loop check in xhci_free_tt_info(). (bnc#763307) - drm: Skip too big EDID extensions. (bnc#764900) - drm/i915: Add HP EliteBook to LVDS-temporary-disable list. (bnc#763717) - hwmon: (fam15h_power) Increase output resolution. (bnc#759336) - hwmon: (k10temp) Add support for AMD Trinity CPUs. (bnc#759336) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - memcg: prevent from OOM with too many dirty pages. - dasd: re-prioritize partition detection message (bnc#764091,LTC#81617). - kernel: pfault task state race (bnc#764091,LTC#81724). - kernel: clear page table for sw large page emulation (bnc#764091,LTC#81933). - USB: fix bug of device descriptor got from superspeed device. (bnc#761087) - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - st: clean up dev cleanup in st_probe. (bnc#760806) - st: clean up device file creation and removal. (bnc#760806) - st: get rid of scsi_tapes array. (bnc#760806) - st: raise device limit. (bnc#760806) - st: Use static class attributes. (bnc#760806) - mm: Optimize put_mems_allowed() usage (VM performance). - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - scsi: Fix dm-multipath starvation when scsi host is busy. (bnc#763485) - dasd: process all requests in the device tasklet. (bnc#763267) - rt2x00:Add RT539b chipset support. (bnc#760237) - kabi/severities: Ignore changes in drivers/net/wireless/rt2x00, these are just exports used among the rt2x00 modules. - rt2800: radio 3xxx: reprogram only lower bits of RF_R3. (bnc#759805) - rt2800: radio 3xxx: program RF_R1 during channel switch. (bnc#759805) - rt2800: radio 3xxxx: channel switch RX/TX calibration fixes. (bnc#759805) - rt2x00: Avoid unnecessary uncached. (bnc#759805) - rt2x00: Introduce sta_add/remove callbacks. (bnc#759805) - rt2x00: Add WCID to crypto struct. (bnc#759805) - rt2x00: Add WCID to HT TX descriptor. (bnc#759805) - rt2x00: Move bssidx calculation into its own function. (bnc#759805) - rt2x00: Make use of sta_add/remove callbacks in rt2800. (bnc#759805) - rt2x00: Forbid aggregation for STAs not programmed into the hw. (bnc#759805) - rt2x00: handle spurious pci interrupts. (bnc#759805) - rt2800: disable DMA after firmware load. - rt2800: radio 3xxx: add channel switch calibration routines. (bnc#759805) - rpm/kernel-binary.spec.in: Obsolete ath3k, as it is now in the tree. - floppy: remove floppy-specific O_EXCL handling. (bnc#757315) - floppy: convert to delayed work and single-thread wq. (bnc#761245)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=556135" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=735909" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=743579" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=744404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=747404" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=754690" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=756050" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=757315" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=758243" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=759336" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=759545" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=759805" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=760237" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=760806" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=761087" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=761245" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=762991" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=762992" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=763267" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=763307" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=763485" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=763717" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=764091" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=764150" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=764209" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=764500" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=764900" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=765102" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=765253" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=765320" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=765524" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-4131.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-2119.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-2136.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-2373.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-2375.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-2390.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 6463."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2"); flag = 0; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-default-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-default-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-default-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-default-extra-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-source-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-syms-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-trace-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-trace-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-trace-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-trace-extra-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-xen-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-xen-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-xen-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kernel-xen-extra-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-default-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-default-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-default-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-ec2-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-ec2-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-ec2-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-source-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-syms-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-trace-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-trace-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-trace-devel-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-xen-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-xen-base-3.0.34-0.7.9")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kernel-xen-devel-3.0.34-0.7.9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Scientific Linux Local Security Checks NASL id SL_20120529_KERNEL_ON_SL5_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : - It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-03-18 modified 2012-08-01 plugin id 61319 published 2012-08-01 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61319 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20120529) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(61319); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-2136"); script_name(english:"Scientific Linux Security Update : kernel on SL5.x i386/x86_64 (20120529)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : - It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access. (CVE-2012-2136, Important) We have also posted updated kernel-module-* packages corresponding to this kernel version. The system must be rebooted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1205&L=scientific-linux-errata&T=0&P=1880 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ee39966b" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-PAE-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 5.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL5", reference:"kernel-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", cpu:"i386", reference:"kernel-PAE-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", cpu:"i386", reference:"kernel-PAE-debuginfo-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-debug-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-debug-debuginfo-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-debug-devel-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-debuginfo-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-debuginfo-common-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-devel-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-doc-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-headers-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-xen-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-xen-debuginfo-2.6.18-308.8.1.el5")) flag++; if (rpm_check(release:"SL5", reference:"kernel-xen-devel-2.6.18-308.8.1.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-debuginfo / kernel-PAE-devel / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-0690-1.NASL description From Red Hat Security Advisory 2012:0690 : Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68531 published 2013-07-12 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/68531 title Oracle Linux 5 : kernel (ELSA-2012-0690-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:0690 and # Oracle Linux Security Advisory ELSA-2012-0690-1 respectively. # include("compat.inc"); if (description) { script_id(68531); script_version("1.5"); script_cvs_date("Date: 2018/08/13 14:32:37"); script_cve_id("CVE-2012-2136"); script_xref(name:"RHSA", value:"2012:0690"); script_name(english:"Oracle Linux 5 : kernel (ELSA-2012-0690-1)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2012:0690 : Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access. (CVE-2012-2136, Important) This update also fixes various bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2012-May/002841.html" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !eregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = eregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_exists(release:"EL5", rpm:"kernel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-PAE-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-PAE-devel-2.6.18") && rpm_check(release:"EL5", cpu:"i386", reference:"kernel-PAE-devel-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-debug-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-debug-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-debug-devel-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-devel-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-doc-2.6.18") && rpm_check(release:"EL5", reference:"kernel-doc-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-headers-2.6.18") && rpm_check(release:"EL5", reference:"kernel-headers-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-xen-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-2.6.18-308.8.1.0.1.el5")) flag++; if (rpm_exists(release:"EL5", rpm:"kernel-xen-devel-2.6.18") && rpm_check(release:"EL5", reference:"kernel-xen-devel-2.6.18-308.8.1.0.1.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2013-0039.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 79507 published 2014-11-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79507 title OracleVM 2.2 : kernel (OVMSA-2013-0039) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2013-0039. # include("compat.inc"); if (description) { script_id(79507); script_version("1.25"); script_cvs_date("Date: 2020/02/13"); script_cve_id("CVE-2006-6304", "CVE-2007-4567", "CVE-2009-0745", "CVE-2009-0746", "CVE-2009-0747", "CVE-2009-0748", "CVE-2009-1388", "CVE-2009-1389", "CVE-2009-1895", "CVE-2009-2406", "CVE-2009-2407", "CVE-2009-2692", "CVE-2009-2847", "CVE-2009-2848", "CVE-2009-2908", "CVE-2009-3080", "CVE-2009-3286", "CVE-2009-3547", "CVE-2009-3612", "CVE-2009-3620", "CVE-2009-3621", "CVE-2009-3726", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4067", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4307", "CVE-2009-4308", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0007", "CVE-2010-0415", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0727", "CVE-2010-1083", "CVE-2010-1084", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1173", "CVE-2010-1188", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2226", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2798", "CVE-2010-2942", "CVE-2010-2963", "CVE-2010-3067", "CVE-2010-3078", "CVE-2010-3086", "CVE-2010-3296", "CVE-2010-3432", "CVE-2010-3442", "CVE-2010-3477", "CVE-2010-3858", "CVE-2010-3859", "CVE-2010-3876", "CVE-2010-3877", "CVE-2010-4073", "CVE-2010-4080", "CVE-2010-4081", "CVE-2010-4083", "CVE-2010-4157", "CVE-2010-4158", "CVE-2010-4242", "CVE-2010-4248", "CVE-2010-4249", "CVE-2010-4258", "CVE-2010-4346", "CVE-2010-4649", "CVE-2010-4655", "CVE-2011-0521", "CVE-2011-0726", "CVE-2011-1010", "CVE-2011-1020", "CVE-2011-1044", "CVE-2011-1078", "CVE-2011-1079", "CVE-2011-1080", "CVE-2011-1083", "CVE-2011-1090", "CVE-2011-1093", "CVE-2011-1160", "CVE-2011-1162", "CVE-2011-1163", "CVE-2011-1182", "CVE-2011-1573", "CVE-2011-1577", "CVE-2011-1585", "CVE-2011-1745", "CVE-2011-1746", "CVE-2011-1776", "CVE-2011-1833", "CVE-2011-2022", "CVE-2011-2203", "CVE-2011-2213", "CVE-2011-2482", "CVE-2011-2484", "CVE-2011-2491", "CVE-2011-2496", "CVE-2011-2525", "CVE-2011-3191", "CVE-2011-3637", "CVE-2011-3638", "CVE-2011-4077", "CVE-2011-4086", "CVE-2011-4110", "CVE-2011-4127", "CVE-2011-4324", "CVE-2011-4330", "CVE-2011-4348", "CVE-2012-1583", "CVE-2012-2136"); script_bugtraq_id(35281, 35647, 35850, 35851, 35930, 36038, 36472, 36639, 36723, 36824, 36827, 36901, 36936, 37068, 37069, 37339, 37519, 37521, 37523, 37762, 37806, 38144, 38165, 38185, 38479, 38898, 39016, 39042, 39044, 39101, 39569, 39715, 39719, 39794, 40356, 40920, 42124, 42242, 42249, 42505, 42529, 43022, 43221, 43353, 43480, 43787, 43809, 44242, 44301, 44354, 44630, 44648, 44754, 44758, 45014, 45028, 45037, 45058, 45063, 45073, 45159, 45323, 45972, 45986, 46073, 46488, 46492, 46567, 46616, 46630, 46766, 46793, 46866, 46878, 47003, 47308, 47321, 47343, 47381, 47534, 47535, 47791, 47796, 47843, 48236, 48333, 48383, 48641, 48687, 49108, 49141, 49295, 49373, 50322, 50370, 50750, 50755, 50764, 50798, 51176, 51361, 51363, 51945, 53139, 53721); script_name(english:"OracleVM 2.2 : kernel (OVMSA-2013-0039)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2013-0039 for details." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2013-May/000153.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel Sendpage Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 20, 119, 189, 200, 264, 362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-ovs-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/14"); script_set_attribute(attribute:"patch_publication_date", value:"2013/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); flag = 0; if (rpm_check(release:"OVS2.2", reference:"kernel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-PAE-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-2.6.18-128.2.1.5.10.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"kernel-ovs-devel-2.6.18-128.2.1.5.10.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-devel / kernel-ovs / etc"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1539-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61549 published 2012-08-15 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61549 title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1539-1) NASL family Scientific Linux Local Security Checks NASL id SL_20120618_KERNEL_ON_SL6_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) - A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) - When a set user ID (setuid) application is executed, certain personality flags for controlling the application last seen 2020-03-18 modified 2012-08-01 plugin id 61331 published 2012-08-01 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61331 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20120618) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-0690.NASL description From Red Hat Security Advisory 2012:0690 : Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68532 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68532 title Oracle Linux 5 : kernel (ELSA-2012-0690) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1530-1.NASL description Andy Adamson discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61508 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61508 title USN-1530-1 : linux-ti-omap4 vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-756.NASL description The openSUSE 11.4 kernel was updated to fix various bugs and security issues. This is the final update of the 2.6.37 kernel of openSUSE 11.4. last seen 2020-06-05 modified 2014-06-13 plugin id 74801 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74801 title openSUSE Security Update : kernel (openSUSE-SU-2012:1439-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120714.NASL description The SUSE Linux Enterprise 11 SP1 kernel have been updated to fix various bugs and security issues. The following security issues have been fixed : - Several buffer overread and overwrite errors in the UDF logical volume descriptor code were fixed that might have allowed local attackers able to mount UDF volumes to crash the kernel or potentially gain privileges. (CVE-2012-3400) - A local denial of service in the last epoll fix was fixed. (CVE-2012-3375) - A integer overflow in i915_gem_do_execbuffer() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2384) - A integer overflow in i915_gem_execbuffer2() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2383) - Memiory leaks in the hugetlbfs map reservation code were fixed that could be used by local attackers to exhaust machine memory. (CVE-2012-2390) - The filesystem capability handling was not fully correct, allowing local users to bypass fscaps related restrictions to disable e.g. address space randomization. (CVE-2012-2123) - Validation of data_len before allocating fragments of skbs was fixed that might have allowed a heap overflow. (CVE-2012-2136) - Fixed potential buffer overflows in the hfsplus filesystem, which might be exploited by local attackers able to mount such filesystems. (CVE-2012-2319) Several leapsecond related bug fixes have been created : - hrtimer: provide clock_was_set_delayed(). (bnc#768632) - time: Fix leapsecond triggered hrtimer/futex load spike issue. (bnc#768632) - ntp: fix leap second hrtimer deadlock. (bnc#768632) - ntp: avoid printk under xtime_lock (bnc#767684). The following non-security issues have been fixed : - tcp: drop SYN+FIN messages to avoid memory leaks. (bnc#765102) - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - REVERT svcrpc: destroy server sockets all at once. (bnc#769210) - sched: Make sure to not re-read variables after validation. (bnc#769685) - audit: Do not send uninitialized data for AUDIT_TTY_GET. (bnc#755513) - dlm: do not depend on sctp. (bnc#729247, bnc#763656) - RPC: killing RPC tasks races fixed. (bnc#765548) - vlan/core: Fix memory leak/corruption on VLAN GRO_DROP. (bnc#758058) - CPU hotplug, cpusets, suspend/resume: Do not modify cpusets during suspend/resume. (bnc#752858) - ioat2: kill pending flag. (bnc#765022) - Fix massive driver induced spin_lock_bh() contention. - ipmi: Fix IPMI errors due to timing problems. (bnc#761988) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen: gntdev: fix multi-page slot allocation. (bnc#760974) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - kernel: pfault task state race (bnc#764098,LTC#81724). - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - bonding: do not dereference NULL pointer to device of VLAN 0. (bnc#763830) - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink. (bnc#769777) - nfs: Ensure we never try to mount an NFS auto-mount dir (bnc748601). - patches.suse/cgroup-disable-memcg-when-low-lowmem.patch: fix typo: use if defined(CONFIG_) rather than if CONFIG_ - patches.suse/pagecache-limit-fix-shmem-deadlock.patch: Fixed the GFP_NOWAIT is zero and not suitable for tests bug. (bnc#755537) - sys_poll: fix incorrect type for timeout parameter. (bnc#754428) - scsi_transport_fc: fix blocked bsg request when fc object deleted. (bnc#761414, bnc#734300) - ehea: fix allmulticast support. (bnc#758013) - scsi: Silence unnecessary warnings about ioctl to partition. (bnc#758104) - sched/x86: Fix overflow in cyc2ns_offset. (bnc#630970, bnc#661605) - sched/rt: Do not throttle when PI boosting. (bnc#754085) - sched/rt: Keep period timer ticking when rt throttling is active. (bnc#754085) - sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled. (bnc#754085) last seen 2020-06-05 modified 2013-01-25 plugin id 64177 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64177 title SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 6547 / 6548 / 6550) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2012-0743.NASL description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application last seen 2020-06-01 modified 2020-06-02 plugin id 59609 published 2012-06-21 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59609 title CentOS 6 : kernel (CESA-2012:0743) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1534-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61512 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61512 title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1534-1) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8325.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62676 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62676 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1538-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61548 published 2012-08-15 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61548 title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1538-1) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8324.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62675 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62675 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2012-0690.NASL description Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 59312 published 2012-05-31 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59312 title CentOS 5 : kernel (CESA-2012:0690) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2012-0042.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix bug number for commit last seen 2020-06-01 modified 2020-06-02 plugin id 79484 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79484 title OracleVM 3.1 : kernel-uek (OVMSA-2012-0042) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-0743.NASL description From Red Hat Security Advisory 2012:0743 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application last seen 2020-06-01 modified 2020-06-02 plugin id 68544 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68544 title Oracle Linux 6 : kernel (ELSA-2012-0743) NASL family SuSE Local Security Checks NASL id SUSE_SU-2012-1391-1.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed. The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766). - knfsd: Unexport cache_fresh and fix a small race (bnc#767766). - knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766). - knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766). - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766). - sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766). - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766). - sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766). - sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Another fix for race problem with sunrpc cache deferal (bnc#767766). - knfsd: nfsd: make all exp_finding functions return -errnos on err (bnc#767766). - Fix kabi breakage in previous nfsd patch series (bnc#767766). - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766). - nfs: Fix a potential file corruption issue when writing (bnc#773272). - nfs: Allow sync writes to be multiple pages (bnc#763526). - nfs: fix reference counting for NFSv4 callback thread (bnc#767504). - nfs: flush signals before taking down callback thread (bnc#767504). - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return (bnc#783058). drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058). block: fail SCSI passthrough ioctls on partition devices (bnc#738400). dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400). vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). be2net: Fix EEH error reset before a flash dump completes (bnc#755546). - mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939). - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86: powernow-k8: Fix indexing issue (bnc#758985). net: Fix race condition about network device name allocation (bnc#747576). XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528). - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974). - xen/gntdev: fix multi-page slot allocation (bnc#760974). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83563 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83563 title SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1535-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61513 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61513 title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1535-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-2021.NASL description Description of changes: * CVE-2012-2123: Privilege escalation when assigning permissions using fcaps. If a process increases permissions using fcaps, all of the dangerous personality flags which are cleared for suid apps are not cleared. This has allowed programs that gained elevated permissions using fcaps to disable the address space randomization of other processes. * CVE-2012-2121: Memory leak in KVM device assignment. KVM uses memory slots to track and map guest regions of memory. When device assignment is used, the pages backing these slots are pinned in memory and mapped into the iommu. The problem is that when a memory slot is destroyed the pages for the associated memory slot are neither unpinned nor unmapped from the iommu. * Memory corruption in KVM device assignment slot handling. A race condition in the KVM device assignment slot handling caused by missing locks around the unmapping of memory slots could cause a memory corruption. * CVE-2012-2136: Privilege escalation in TUN/TAP virtual device. The length of packet fragments to be sent wasn last seen 2020-06-01 modified 2020-06-02 plugin id 68676 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68676 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2021) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1598-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 62474 published 2012-10-10 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62474 title Ubuntu 8.04 LTS : linux vulnerability (USN-1598-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2013-1832-1.NASL description The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs. The Following security issues have been fixed : CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password. CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application. CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and last seen 2020-06-05 modified 2015-05-20 plugin id 83603 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83603 title SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1514-1.NASL description A flaw was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61506 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61506 title USN-1514-1 : linux-ti-omap4 vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-0743.NASL description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A local, unprivileged user could use an integer overflow flaw in drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges. (CVE-2012-0044, Important) * A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host. Note: This issue only affected hosts that have the vhost_net module loaded with the experimental_zcopytx module option enabled (it is not enabled by default), and that also have macvtap configured for at least one guest. (CVE-2012-2119, Important) * When a set user ID (setuid) application is executed, certain personality flags for controlling the application last seen 2020-06-01 modified 2020-06-02 plugin id 59562 published 2012-06-19 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59562 title RHEL 6 : kernel (RHSA-2012:0743) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-357.NASL description This kernel update of the openSUSE 12.1 kernel brings various bug and security fixes. Following issues were fixed : - tcp: drop SYN+FIN messages (bnc#765102, CVE-2012-2663). - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136). - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE (bnc#762991). - be2net: non-member vlan pkts not received in promiscous mode (bnc#732006 CVE-2011-3347). - fcaps: clear the same personality flags as suid when fcaps are used (bnc#758260 CVE-2012-2123). - macvtap: zerocopy: validate vectors before building skb (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built successfully (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: put page when fail to get all requested user pages (bnc#758243 CVE-2012-2119). - macvtap: zerocopy: fix offset calculation when building skb (bnc#758243 CVE-2012-2119). - Avoid reading past buffer when calling GETACL (bnc#762992). - Avoid beyond bounds copy while caching ACL (bnc#762992). - Fix length of buffer copied in __nfs4_get_acl_uncached (bnc#762992). - hfsplus: Fix potential buffer overflows (bnc#760902 CVE-2009-4020). - usb/net: rndis: merge command codes. only net/hyperv part - usb/net: rndis: remove ambiguous status codes. only net/hyperv part - usb/net: rndis: break out <linux/rndis.h> defines. only net/hyperv part - net/hyperv: Add flow control based on hi/low watermark. - hv: fix return type of hv_post_message(). - Drivers: hv: util: Properly handle version negotiations. - Drivers: hv: Get rid of an unnecessary check in vmbus_prep_negotiate_resp(). - HID: hyperv: Set the hid drvdata correctly. - HID: hid-hyperv: Do not use hid_parse_report() directly. - [SCSI] storvsc: Properly handle errors from the host (bnc#747404). - Delete patches.suse/suse-hv-storvsc-ignore-ata_16.patch. - patches.suse/suse-hv-pata_piix-ignore-disks.patch replace our version of this patch with upstream variant: ata_piix: defer disks to the Hyper-V drivers by default libata: add a host flag to ignore detected ATA devices. - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition (bnc#762991 CVE-2012-2373). - xfrm: take net hdr len into account for esp payload size calculation (bnc#759545). - net/hyperv: Adding cancellation to ensure rndis filter is closed. - xfs: Fix oops on IO error during xlog_recover_process_iunlinks() (bnc#761681). - thp: reduce khugepaged freezing latency (bnc#760860). - igb: fix rtnl race in PM resume path (bnc#748859). - ixgbe: add missing rtnl_lock in PM resume path (bnc#748859). - cdc_ether: Ignore bogus union descriptor for RNDIS devices (bnc#735362). Taking the fix from net-next - Fix kABI breakage due to including proc_fs.h in kernel/fork.c modversion changed because of changes in struct proc_dir_entry (became defined) Refresh patches.fixes/procfs-namespace-pid_ns-fix-leakage-on-for k-failure. - Disabled MMC_TEST (bnc#760077). - Input: ALPS - add semi-MT support for v3 protocol (bnc#716996). - Input: ALPS - add support for protocol versions 3 and 4 (bnc#716996). - Input: ALPS - remove assumptions about packet size (bnc#716996). - Input: ALPS - add protocol version field in alps_model_info (bnc#716996). - Input: ALPS - move protocol information to Documentation (bnc#716996). - sysctl/defaults: kernel.hung_task_timeout -> kernel.hung_task_timeout_secs (bnc#700174) - btrfs: partial revert of truncation improvements (FATE#306586 bnc#748463 bnc#760279). - libata: skip old error history when counting probe trials. - procfs, namespace, pid_ns: fix leakage upon fork() failure (bnc#757783). - cdc-wdm: fix race leading leading to memory corruption (bnc#759554). This patch fixes a race whereby a pointer to a buffer would be overwritten while the buffer was in use leading to a double free and a memory leak. This causes crashes. This bug was introduced in 2.6.34 - netfront: delay gARP until backend switches to Connected. - xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. - xenbus: check availability of XS_RESET_WATCHES command. - xenbus_dev: add missing error checks to watch handling. - drivers/xen/: use strlcpy() instead of strncpy(). - blkfront: properly fail packet requests (bnc#745929). - Linux 3.1.10. - Update Xen config files. - Refresh other Xen patches. - tlan: add cast needed for proper 64 bit operation (bnc#756840). - dl2k: Tighten ioctl permissions (bnc#758813). - mqueue: fix a vfsmount longterm reference leak (bnc#757783). - cciss: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler (bnc#757789). - procfs: fix a vfsmount longterm reference leak (bnc#757783). - uwb: fix error handling (bnc#731720). This fixes a kernel error on unplugging an uwb dongle - uwb: fix use of del_timer_sync() in interrupt (bnc#731720). This fixes a kernel warning on plugging in an uwb dongle - acer-wmi: Detect communication hot key number. - acer-wmi: replaced the hard coded bitmap by the communication devices bitmap from SMBIOS. - acer-wmi: add ACER_WMID_v2 interface flag to represent new notebooks. - acer-wmi: No wifi rfkill on Sony machines. - acer-wmi: No wifi rfkill on Lenovo machines. - [media] cx22702: Fix signal strength. - fs: cachefiles: Add support for large files in filesystem caching (bnc#747038). - Drivers: scsi: storvsc: Account for in-transit packets in the RESET path. - CPU hotplug, cpusets, suspend: Don last seen 2020-06-05 modified 2014-06-13 plugin id 74661 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74661 title openSUSE Security Update : Kernel (openSUSE-SU-2012:0812-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-0690.NASL description Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issue : * It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 59306 published 2012-05-30 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59306 title RHEL 5 : kernel (RHSA-2012:0690) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1533-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61511 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61511 title Ubuntu 11.10 : linux vulnerabilities (USN-1533-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-342.NASL description This kernel update of the openSUSE 12.1 kernel fixes lots of bugs and security issues. Following issues were fixed : - tcp: drop SYN+FIN messages (bnc#765102). - net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136). - fcaps: clear the same personality flags as suid when fcaps are used (bnc#758260 CVE-2012-2123). - macvtap: zerocopy: validate vectors before building skb (bnc#758243 CVE-2012-2119). - hfsplus: Fix potential buffer overflows (bnc#760902 CVE-2009-4020). - xfrm: take net hdr len into account for esp payload size calculation (bnc#759545). - ext4: fix undefined behavior in ext4_fill_flex_info() (bnc#757278). - igb: fix rtnl race in PM resume path (bnc#748859). - ixgbe: add missing rtnl_lock in PM resume path (bnc#748859). - b43: allocate receive buffers big enough for max frame len + offset (bnc#717749). - xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. - xenbus_dev: add missing error checks to watch handling. - hwmon: (coretemp-xen) Fix TjMax detection for older CPUs. - hwmon: (coretemp-xen) Relax target temperature range check. - Refresh other Xen patches. - tlan: add cast needed for proper 64 bit operation (bnc#756840). - dl2k: Tighten ioctl permissions (bnc#758813). - [media] cx22702: Fix signal strength. - fs: cachefiles: Add support for large files in filesystem caching (bnc#747038). - bridge: correct IPv6 checksum after pull (bnc#738644). - bridge: fix a possible use after free (bnc#738644). - bridge: Pseudo-header required for the checksum of ICMPv6 (bnc#738644). - bridge: mcast snooping, fix length check of snooped MLDv1/2 (bnc#738644). - PCI/ACPI: Report ASPM support to BIOS if not disabled from command line (bnc#714455). - ipc/sem.c: fix race with concurrent semtimedop() timeouts and IPC_RMID (bnc#756203). - drm/i915/crt: Remove 0xa0 probe for VGA. - tty_audit: fix tty_audit_add_data live lock on audit disabled (bnc#721366). - drm/i915: suspend fbdev device around suspend/hibernate (bnc#732908). - dlm: Do not allocate a fd for peeloff (bnc#729247). - sctp: Export sctp_do_peeloff (bnc#729247). - i2c-algo-bit: Fix spurious SCL timeouts under heavy load. - patches.fixes/epoll-dont-limit-non-nested.patch: Don last seen 2020-06-05 modified 2014-06-13 plugin id 74658 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74658 title openSUSE Security Update : Kernel (openSUSE-SU-2012:0799-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1531-1.NASL description An error was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61509 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61509 title Ubuntu 11.04 : linux vulnerabilities (USN-1531-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2012-83.NASL description It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 69690 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69690 title Amazon Linux AMI : kernel (ALAS-2012-83) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1529-1.NASL description A flaw was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61507 published 2012-08-13 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61507 title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1529-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120621.NASL description The SUSE Linux Enterprise 11 SP2 kernel was updated to 3.0.34, fixing a lot of bugs and security issues. The update from Linux kernel 3.0.31 to 3.0.34 also fixes various bugs not listed here. The following security issues have been fixed : - Local attackers could trigger an overflow in sock_alloc_send_pksb(), potentially crashing the machine or escalate privileges. (CVE-2012-2136) - A memory leak in transparent hugepages on mmap failure could be used by local attacker to run the machine out of memory (local denial of service). (CVE-2012-2390) - A malicious guest driver could overflow the host stack by passing a long descriptor, so potentially crashing the host system or escalating privileges on the host. (CVE-2012-2119) - Malicious NFS server could crash the clients when more than 2 GETATTR bitmap words are returned in response to the FATTR4_ACL attribute requests, only incompletely fixed by CVE-2011-4131. (CVE-2012-2375) The following non-security bugs have been fixed : Hyper-V : - storvsc: Properly handle errors from the host. (bnc#747404) - HID: hid-hyperv: Do not use hid_parse_report() directly. - HID: hyperv: Set the hid drvdata correctly. - drivers/hv: Get rid of an unnecessary check in vmbus_prep_negotiate_resp(). - drivers/hv: util: Properly handle version negotiations. - hv: fix return type of hv_post_message(). - net/hyperv: Add flow control based on hi/low watermark. - usb/net: rndis: break out <1/rndis.h> defines. only net/hyperv part - usb/net: rndis: remove ambiguous status codes. only net/hyperv part - usb/net: rndis: merge command codes. only net/hyperv part - net/hyperv: Adding cancellation to ensure rndis filter is closed. - update hv drivers to 3.4-rc1, requires new hv_kvp_daemon : - drivers: hv: kvp: Add/cleanup connector defines. - drivers: hv: kvp: Move the contents of hv_kvp.h to hyperv.h. - net/hyperv: Convert camel cased variables in rndis_filter.c to lower cases. - net/hyperv: Correct the assignment in netvsc_recv_callback(). - net/hyperv: Remove the unnecessary memset in rndis_filter_send(). - drivers: hv: Cleanup the kvp related state in hyperv.h. - tools: hv: Use hyperv.h to get the KVP definitions. - drivers: hv: kvp: Cleanup the kernel/user protocol. - drivers: hv: Increase the number of VCPUs supported in the guest. - net/hyperv: Fix data corruption in rndis_filter_receive(). - net/hyperv: Add support for vlan trunking from guests. - Drivers: hv: Add new message types to enhance KVP. - Drivers: hv: Support the newly introduced KVP messages in the driver. - Tools: hv: Fully support the new KVP verbs in the user level daemon. - Tools: hv: Support enumeration from all the pools. - net/hyperv: Fix the code handling tx busy. - patches.suse/suse-hv-pata_piix-ignore-disks.patch replace our version of this patch with upstream variant: ata_piix: defer disks to the Hyper-V drivers by default libata: add a host flag to ignore detected ATA devices. Btrfs : - btrfs: more module message prefixes. - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: flush all the dirty pages if try_to_writeback_inodes_sb_nr() fails - vfs: re-implement writeback_inodes_sb(_nr)_if_idle() and rename them - btrfs: fix locking in btrfs_destroy_delayed_refs - btrfs: wake up transaction waiters when aborting a transaction - btrfs: abort the transaction if the commit fails - btrfs: fix btrfs_destroy_marked_extents - btrfs: unlock everything properly in the error case for nocow - btrfs: fix return code in drop_objectid_items - btrfs: check to see if the inode is in the log before fsyncing - btrfs: pass locked_page into extent_clear_unlock_delalloc if theres an error - btrfs: check the return code of btrfs_save_ino_cache - btrfs: do not update atime for RO snapshots (FATE#306586). - btrfs: convert the inode bit field to use the actual bit operations - btrfs: fix deadlock when the process of delayed refs fails - btrfs: stop defrag the files automatically when doin readonly remount or umount - btrfs: avoid memory leak of extent state in error handling routine - btrfs: make sure that we have made everything in pinned tree clean - btrfs: destroy the items of the delayed inodes in error handling routine - btrfs: ulist realloc bugfix - btrfs: bugfix in btrfs_find_parent_nodes - btrfs: bugfix: ignore the wrong key for indirect tree block backrefs - btrfs: avoid buffer overrun in btrfs_printk - btrfs: fall back to non-inline if we do not have enough space - btrfs: NUL-terminate path buffer in DEV_INFO ioctl result - btrfs: avoid buffer overrun in mount option handling - btrfs: do not do balance in readonly mode - btrfs: fix the same inode id problem when doing auto defragment - btrfs: fix wrong error returned by adding a device - btrfs: use fastpath in extent state ops as much as possible Misc : - tcp: drop SYN+FIN messages. (bnc#765102) - mm: avoid swapping out with swappiness==0 (swappiness). - thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE. (bnc#762991) - paravirt: Split paravirt MMU ops (bnc#556135, bnc#754690, FATE#306453). - paravirt: Only export pv_mmu_ops symbol if PARAVIRT_MMU - parvirt: Stub support KABI for KVM_MMU (bnc#556135, bnc#754690, FATE#306453). - tmpfs: implement NUMA node interleaving. (bnc#764209) - synaptics-hp-clickpad: Fix the detection of LED on the recent HP laptops. (bnc#765524) - supported.conf: mark xt_AUDIT as supported. (bnc#765253) - mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition. (bnc#762991 / CVE-2012-2373) - xhci: Do not free endpoints in xhci_mem_cleanup(). (bnc#763307) - xhci: Fix invalid loop check in xhci_free_tt_info(). (bnc#763307) - drm: Skip too big EDID extensions. (bnc#764900) - drm/i915: Add HP EliteBook to LVDS-temporary-disable list. (bnc#763717) - hwmon: (fam15h_power) Increase output resolution. (bnc#759336) - hwmon: (k10temp) Add support for AMD Trinity CPUs. (bnc#759336) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - memcg: prevent from OOM with too many dirty pages. - dasd: re-prioritize partition detection message (bnc#764091,LTC#81617). - kernel: pfault task state race (bnc#764091,LTC#81724). - kernel: clear page table for sw large page emulation (bnc#764091,LTC#81933). - USB: fix bug of device descriptor got from superspeed device. (bnc#761087) - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - st: clean up dev cleanup in st_probe. (bnc#760806) - st: clean up device file creation and removal. (bnc#760806) - st: get rid of scsi_tapes array. (bnc#760806) - st: raise device limit. (bnc#760806) - st: Use static class attributes. (bnc#760806) - mm: Optimize put_mems_allowed() usage (VM performance). - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - scsi: Fix dm-multipath starvation when scsi host is busy. (bnc#763485) - dasd: process all requests in the device tasklet. (bnc#763267) - rt2x00:Add RT539b chipset support. (bnc#760237) - kabi/severities: Ignore changes in drivers/net/wireless/rt2x00, these are just exports used among the rt2x00 modules. - rt2800: radio 3xxx: reprogram only lower bits of RF_R3. (bnc#759805) - rt2800: radio 3xxx: program RF_R1 during channel switch. (bnc#759805) - rt2800: radio 3xxxx: channel switch RX/TX calibration fixes. (bnc#759805) - rt2x00: Avoid unnecessary uncached. (bnc#759805) - rt2x00: Introduce sta_add/remove callbacks. (bnc#759805) - rt2x00: Add WCID to crypto struct. (bnc#759805) - rt2x00: Add WCID to HT TX descriptor. (bnc#759805) - rt2x00: Move bssidx calculation into its own function. (bnc#759805) - rt2x00: Make use of sta_add/remove callbacks in rt2800. (bnc#759805) - rt2x00: Forbid aggregation for STAs not programmed into the hw. (bnc#759805) - rt2x00: handle spurious pci interrupts. (bnc#759805) - rt2800: disable DMA after firmware load. - rt2800: radio 3xxx: add channel switch calibration routines. (bnc#759805) - rpm/kernel-binary.spec.in: Obsolete ath3k, as it is now in the tree. - floppy: remove floppy-specific O_EXCL handling. (bnc#757315) - floppy: convert to delayed work and single-thread wq. (bnc#761245) last seen 2020-06-05 modified 2013-01-25 plugin id 64176 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64176 title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 6453 / 6457)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 53721 CVE ID: CVE-2012-2136 Linux Kernel是Linux操作系统的内核。 Linux kernel在设置已分配skb的frag之前没有验证sock_alloc_send_pskb()函数的data_len参数,在实现上存在堆缓冲区溢出漏洞,攻击者可利用此漏洞用超级用户权限执行任意代码,完全控制受影响计算机。 0 Linux kernel 2.6.x 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.kernel.org/ |
id | SSV:60169 |
last seen | 2017-11-19 |
modified | 2012-05-30 |
published | 2012-05-30 |
reporter | Root |
title | Linux kernel 2.6.x 'sock_alloc_send_pskb()'函数堆缓冲区溢出漏洞 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=816289
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.5
- https://github.com/torvalds/linux/commit/cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc
- http://www.securityfocus.com/bid/53721
- http://www.ubuntu.com/usn/USN-1535-1
- http://rhn.redhat.com/errata/RHSA-2012-1087.html
- http://rhn.redhat.com/errata/RHSA-2012-0743.html
- http://ubuntu.com/usn/usn-1529-1
- http://secunia.com/advisories/50807
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc