From: "Ware, Ryan R" <ryan.r.ware@intel.com>
To: "meego-security@meego.com" <meego-security@meego.com>
Subject: [MeeGo-security] [MeeGo-SA-10:38.kernel] Multiple Vulnerabilities in Webkit Applications
Date: Thu, 20 Jan 2011 16:40:33 -0700
Message-ID: <34F255B2-F523-414A-AACE-5863A07BFA80@intel.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
MeeGo-SA-10:38.kernel Security Advisory
MeeGo Project
Topic: Multiple Vulnerabilities in Webkit Applications
Category: Kernel
Module: kernel-netbook, kernel-ivi
Announced: October 9, 2010
Affects: MeeGo 1.0
Corrected: October 9, 2010
MeeGo BID: 6475, 6571, 6572, 6574, 6578, 6580, 6582, 6585, 6651,
7380, 7382, 7384, 7386, 7388, 8191, 8196, 8199 & 8204
CVE: CVE-2010-2954, CVE-2010-2066, CVE-2010-2492,
CVE-2010-2524, CVE-2010-2803, CVE-2010-2955, CVE-2010-2959,
CVE-2010-2960, CVE-2010-2798, CVE-2010-2942, CVE-2010-3067,
CVE-2010-3078, CVE-2010-3477, CVE-2010-3080, CVE-2010-2537,
CVE-2010-2538, CVE-2010-3079, CVE-2010-3296, CVE-2010-3297 &
CVE-2010-3298
For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.
I. Background
- From Wikipedia: "The Linux kernel is an operating system kernel used
by the Linux family of Unix-like operating systems. It is one of the
most prominent examples of free and open source software."
II. Problem Description
CVE-2010-2954: The irda_bind function in net/irda/af_irda.c in the
Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle
failure of the irda_open_tsap function, which allows local users to
cause a denial of service (NULL pointer dereference and panic) and
possibly have unspecified other impact via multiple unsuccessful calls
to bind on an AF_IRDA (aka PF_IRDA) socket.
CVSS v2 Base: 4.9 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-2066: The mext_check_arguments function in
fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local
users to overwrite an append-only file via a MOVE_EXT ioctl call that
specifies this file as a donor.
CVSS v2 Base: 1.9 (LOW)
Access Vector: Locally exploitable
CVE-2010-2492: Buffer overflow in the ecryptfs_uid_hash macro in
fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel
before 2.6.35 might allow local users to gain privileges or cause a
denial of service (system crash) via unspecified vectors.
CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable
CVE-2010-2524: The DNS resolution functionality in the CIFS
implementation in the Linux kernel before 2.6.35, when
CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the
dns_resolver upcall in the cifs.upcall userspace helper, which allows
local users to spoof the results of DNS queries and perform arbitrary
CIFS mounts via vectors involving an add_key call, related to a "cache
stuffing" issue and MS-DFS referrals.
CVSS v2 Base: 4.4 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-2803: The drm_ioctl function in drivers/gpu/drm/drm_drv.c in
the Direct Rendering Manager (DRM) subsystem in the Linux kernel
before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6,
and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially
sensitive information from kernel memory by requesting a large
memory-allocation amount.
CVSS v2 Base: 1.9 (LOW)
Access Vector: Locally exploitable
CVE-2010-2955: The cfg80211_wext_giwessid function in
net/wireless/wext-compat.c in the Linux kernel before
2.6.36-rc3-next-20100831 does not properly initialize certain
structure members, which allows local users to leverage an off-by-one
error in the ioctl_standard_iw_point function in
net/wireless/wext-core.c, and obtain potentially sensitive information
from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl
call that specifies a large buffer size.
CVSS v2 Base: 3.3 (LOW)
Access Vector: Local network exploitable
CVE-2010-2959: Integer overflow in net/can/bcm.c in the Controller Area
Network (CAN) implementation in the Linux kernel before 2.6.27.53,
2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x
before 2.6.35.4 allows attackers to execute arbitrary code or cause a
denial of service (system crash) via crafted CAN traffic.
CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable
CVE-2010-2960: The keyctl_session_to_parent function in
security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier
expects that a certain parent session keyring exists, which allows
local users to cause a denial of service (NULL pointer dereference and
system crash) or possibly have unspecified other impact via a
KEYCTL_SESSION_TO_PARENT argument to the keyctl function.
CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable
CVE-2010-2798: The gfs2_dirent_find_space function in fs/gfs2/dir.c in
the Linux kernel before 2.6.35 uses an incorrect size value in
calculations associated with sentinel directory entries, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) and possibly have unspecified other impact by renaming a file
in a GFS2 filesystem, related to the gfs2_rename function in
fs/gfs2/ops_inode.c.
CVSS v2 Base: 7.2 (HIGH)
Access Vector: Locally exploitable
CVE-2010-2942: The actions implementation in the network queueing
functionality in the Linux kernel before 2.6.36-rc2 does not properly
initialize certain structure members when performing dump operations,
which allows local users to obtain potentially sensitive information
from kernel memory via vectors related to (1) the tcf_gact_dump
function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in
net/sched/act_mirred.c, (3) the tcf_nat_dump function in
net/sched/act_nat.c, (4) the tcf_simp_dump function in
net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in
net/sched/act_skbedit.c.
CVSS v2 Base: 2.1 (LOW)
Access Vector: Locally exploitable
CVE-2010-3067: Integer overflow in the do_io_submit function in
fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows
local users to cause a denial of service or possibly have unspecified
other impact via crafted use of the io_submit system call.
CVSS v2 Base: 4.9 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-3078: The xfs_ioc_fsgetxattr function in
fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4
does not initialize a certain structure member, which allows local
users to obtain potentially sensitive information from kernel stack
memory via an ioctl call.
CVSS v2 Base: 2.1 (LOW)
Access Vector: Locally exploitable
CVE-2010-3477: The tcf_act_police_dump function in
net/sched/act_police.c in the actions implementation in the network
queueing functionality in the Linux kernel before 2.6.36-rc4 does not
properly initialize certain structure members, which allows local
users to obtain potentially sensitive information from kernel memory
via vectors involving a dump operation. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2010-2942.
CVSS v2 Base: 2.1 (LOW)
Access Vector: Locally exploitable
CVE-2010-3080: Double free vulnerability in the snd_seq_oss_open
function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel
before 2.6.36-rc4 might allow local users to cause a denial of service
or possibly have unspecified other impact via an unsuccessful attempt
to open the /dev/sequencer device.
CVSS v2 Base: 4.9 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-2537: The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in
the Linux kernel before 2.6.35 allows local users to overwrite an
append-only file via a (1) BTRFS_IOC_CLONE or (2)
BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.
CVSS v2 Base: 6.3 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-2538: Integer overflow in the btrfs_ioctl_clone function in
fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local
users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE
ioctl call.
CVSS v2 Base: 4.7 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-3079: kernel/trace/ftrace.c in the Linux kernel before
2.6.35.5, when debugfs is enabled, does not properly handle
interaction between mutex possession and llseek operations, which
allows local users to cause a denial of service (NULL pointer
dereference and outage of all function tracing files) via an lseek
call on a file descriptor associated with the set_ftrace_filter file.
CVSS v2 Base: 4.7 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-3296: The cxgb_extension_ioctl function in
drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5
does not properly initialize a certain structure member, which allows
local users to obtain potentially sensitive information from kernel
stack memory via a CHELSIO_GET_QSET_NUM ioctl call.
CVSS v2 Base: 4.9 (MEDIUM)
Access Vector: Locally exploitable
CVE-2010-3297: The eql_g_master_cfg function in drivers/net/eql.c in
the Linux kernel before 2.6.36-rc5 does not properly initialize a
certain structure member, which allows local users to obtain
potentially sensitive information from kernel stack memory via an
EQL_GETMASTRCFG ioctl call.
CVSS v2 Base: 2.1 (LOW)
Access Vector: Locally exploitable
CVE-2010-3298: The hso_get_count function in drivers/net/usb/hso.c in
the Linux kernel before 2.6.36-rc5 does not properly initialize a
certain structure member, which allows local users to obtain
potentially sensitive information from kernel stack memory via a
TIOCGICOUNT ioctl call.
CVSS v2 Base: 4.9 (MEDIUM)
Access Vector: Locally exploitable
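Several entries above (CVE-2010-3078, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298 and the net/sched dump entries) share one root cause: a reply structure is filled member by member on the kernel stack and then copied to user space, so any member the handler never wrote still carries stale stack bytes. The following C program is an added illustration, not code from the advisory or from the kernel: it models the pattern in user space with a pre-poisoned structure standing in for stale stack memory, places the leaky handler beside the usual fix for this class (clearing the structure before filling it), and counts how many never-written bytes reach the user buffer. The structure name and members are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ioctl reply, modelled on the "get configuration/counter"
 * style replies named in the advisory. Only two members are ever set by
 * the handler; `reserved` is never written. All members are uint32_t, so
 * the struct has no padding and every byte is accounted for below. */
struct qset_reply {
    uint32_t qset_num;
    uint32_t flags;
    uint32_t reserved[4];
};

#define POISON 0xAA  /* marks bytes the handler never initialised */

/* Leaky handler: the reply lives in a stack slot whose previous contents
 * are still there; two members are filled and the whole struct is copied
 * out. The 16 bytes of `reserved` leave as whatever the stack held. */
static void handler_leaky(struct qset_reply *r, uint8_t *user_out)
{
    r->qset_num = 7;
    r->flags = 1;
    memcpy(user_out, r, sizeof(*r));   /* stands in for copy_to_user() */
}

/* Fixed handler: zero the entire structure before setting any member, so
 * members the handler does not know about (or reserved ones) are defined. */
static void handler_fixed(struct qset_reply *r, uint8_t *user_out)
{
    memset(r, 0, sizeof(*r));
    r->qset_num = 7;
    r->flags = 1;
    memcpy(user_out, r, sizeof(*r));
}

/* Runs a handler against a poisoned stack slot and returns how many bytes
 * of the never-written `reserved` region reached the user buffer still
 * carrying the poison value. Zero means nothing uninitialised leaked. */
static size_t leaked_bytes(void (*h)(struct qset_reply *, uint8_t *))
{
    struct qset_reply slot;              /* models the stale stack frame */
    uint8_t user_out[sizeof slot];
    size_t i, n = 0;

    memset(&slot, POISON, sizeof slot);  /* constructed stale contents */
    h(&slot, user_out);
    for (i = offsetof(struct qset_reply, reserved); i < sizeof slot; i++)
        if (user_out[i] == POISON)
            n++;
    return n;
}
```

Under these assumptions the leaky handler exposes all 16 reserved bytes while the fixed one exposes none; in a real driver the same check is what a kmemcheck/KMSAN-style tool or a review of every ioctl reply path is looking for.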
III. Impact
CVE-2010-2954: Disruption of service due to resource management error
(CWE-399)
CVE-2010-2066: Unauthorized modification due to permission, privilege
or access control error (CWE-264)
CVE-2010-2492: Unauthorized disclosure of information, modification
or disruption of service due to buffer error (CWE-119)
CVE-2010-2524: Unauthorized disclosure of information, modification
or disruption of service due to design error (NVD-CWE-DesignError)
CVE-2010-2803: Unauthorized disclosure of information (CWE-200)
CVE-2010-2955: Unauthorized disclosure of information due to numeric
error (CWE-189)
CVE-2010-2959: Unauthorized disclosure of information, modification
or disruption of service due to numeric error (CWE-189)
CVE-2010-2960: Unauthorized disclosure of information, modification
or disruption of service due to other (NVD-CWE-Other)
CVE-2010-2798: Unauthorized disclosure of information, modification
or disruption of service due to numeric error (CWE-189)
CVE-2010-2942: Unauthorized disclosure of information due to resource
management error (CWE-399)
CVE-2010-3067: Disruption of service due to numeric error (CWE-189)
CVE-2010-3078: Unauthorized disclosure of information due to resource
management error (CWE-399)
CVE-2010-3477: Unauthorized disclosure of information due to resource
management error (CWE-399)
CVE-2010-3080: Disruption of service due to resource management error
(CWE-399)
CVE-2010-2537: Unauthorized modification or disruption of service due
to permission, privilege or access control error (CWE-264)
CVE-2010-2538: Unauthorized disclosure of information due to numeric
error (CWE-189)
CVE-2010-3079: Disruption of service due to design error
(NVD-CWE-DesignError)
CVE-2010-3296: Unauthorized disclosure of information (CWE-200)
CVE-2010-3297: Unauthorized disclosure of information (CWE-200)
CVE-2010-3298: Unauthorized disclosure of information (CWE-200)
IV. Workaround
None
V. Solution
Update to package kernel-netbook-2.6.33.5-27.1 or
kernel-ivi-2.6.33.5-237.1 or later.
VI. References
http://bugs.meego.com/show_bug.cgi?id=6475
http://bugs.meego.com/show_bug.cgi?id=6571
http://bugs.meego.com/show_bug.cgi?id=6572
http://bugs.meego.com/show_bug.cgi?id=6574
http://bugs.meego.com/show_bug.cgi?id=6578
http://bugs.meego.com/show_bug.cgi?id=6580
http://bugs.meego.com/show_bug.cgi?id=6582
http://bugs.meego.com/show_bug.cgi?id=6585
http://bugs.meego.com/show_bug.cgi?id=6651
http://bugs.meego.com/show_bug.cgi?id=7380
http://bugs.meego.com/show_bug.cgi?id=7382
http://bugs.meego.com/show_bug.cgi?id=7384
http://bugs.meego.com/show_bug.cgi?id=7386
http://bugs.meego.com/show_bug.cgi?id=7388
http://bugs.meego.com/show_bug.cgi?id=8191
http://bugs.meego.com/show_bug.cgi?id=8196
http://bugs.meego.com/show_bug.cgi?id=8199
http://bugs.meego.com/show_bug.cgi?id=8204
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
https://nvd.nist.gov/cwe.cfm#NVD-CWE-DesignError
https://nvd.nist.gov/cwe.cfm#NVD-CWE-Other
http://cwe.mitre.org/data/definitions/119.html
http://cwe.mitre.org/data/definitions/189.html
http://cwe.mitre.org/data/definitions/200.html
http://cwe.mitre.org/data/definitions/264.html
http://cwe.mitre.org/data/definitions/399.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (Darwin)
-----END PGP SIGNATURE-----
_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security