
Security

Kernel vulnerabilities: old or new?

By Jonathan Corbet
October 19, 2010
A quick search of the CVE database turns up 80 CVE numbers related to kernel vulnerabilities so far this year. At one recent conference or another, while talking with a prominent kernel developer, your editor confessed that he found that number to be discouragingly high. In an era where there is clearly an increasing level of commercial, criminal, and governmental interest in exploiting security holes, it would be hard to be doing enough to avoid the creation of vulnerabilities. But, your editor wondered, could we be doing more than we are? The response your editor got was, in essence, that the bulk of the holes being disclosed were ancient vulnerabilities which were being discovered by new static analysis tools. In other words, we are fixing security problems faster than we are creating them.

That sort of claim requires verification; it is also amenable to being verified by a researcher with sufficient determination and pain resistance. Your editor decided to give it a try. "All" that would be required, after all, was to look at each vulnerability and figure out when it was introduced. How hard could that be?

So, the basic process followed was this: pick a CVE entry, find the patch which closed the hole, then dig through the repository history and other resources in an attempt to figure out just when the problem was first introduced into the kernel. In some cases, the answer was relatively easy to find; others were sufficiently hard that your editor eventually gave up. One especially valuable resource in the search turned out to be the Red Hat bugzilla; the developers there (and Eugene Teo in particular) go out of their way to document the particulars of vulnerabilities. Sometimes, the commit which introduced the bug was simply listed there. The "git gui blame" utility is also quite useful when doing this kind of research.
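The commit-archaeology step described above, as an added example that is not part of the article: a small POSIX shell script (the function names, the file drv.c and the release tags are its own inventions) that builds a throwaway git repository with a constructed three-commit history, then runs command-line git blame on the parent of the fixing commit to name the commit that introduced the vulnerable line, and git describe --contains to map both commits to the releases they shipped in, which is what the two halves of each table row record. It assumes git is on the PATH; the constructed history mirrors the kind of bug the table is full of, a stack structure copied to user space without being zeroed.

```shell
#!/bin/sh
# Added example (not code from the LWN article): find the fixing commit, then blame
# the vulnerable line as it stood just before the fix. Function names, drv.c and the
# tag names are this example's own choices; the repository is constructed on the fly.

# blame_introducer REPO FIX FILE PATTERN
# Prints the commit that last touched the first line of FILE matching PATTERN, as the
# file stood in the parent of FIX. Blaming the parent matters: blaming the fix itself
# would credit any line the fix rewrote to the fix rather than to the bug.
blame_introducer() {
    git -C "$1" blame -l -s "$2^" -- "$3" | grep -F -- "$4" | awk 'NR == 1 { print $1 }'
}

# first_release REPO COMMIT
# Prints the first tag containing COMMIT, i.e. the release it shipped in (the
# "Release" columns of the table); a name such as "v2.6.27~3" is cut to "v2.6.27".
first_release() {
    git -C "$1" describe --contains "$2" | sed 's/[~^].*//'
}

# make_demo_repo: builds the constructed history and prints its path. Commit 1 adds
# a harmless handler; commit 2 introduces an information leak (pad[] is never
# written before the structure is copied out); commit 3 zeroes the structure.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.name "Demo"
    git -C "$dir" config user.email "demo@example.invalid"

    printf '%s\n' \
        'struct info { int a; char pad[4]; };' \
        'int handler(void *arg) { return 0; }' > "$dir/drv.c"
    git -C "$dir" add drv.c
    git -C "$dir" commit -q -m "drv: add handler"

    printf '%s\n' \
        'struct info { int a; char pad[4]; };' \
        'int handler(void *arg) {' \
        '    struct info info;          /* pad[] never written: leaks stack bytes */' \
        '    info.a = 1;' \
        '    return copy_to_user(arg, &info, sizeof(info));' \
        '}' > "$dir/drv.c"
    git -C "$dir" commit -q -a -m "drv: return info to user space"
    git -C "$dir" tag v2.6.27

    printf '%s\n' \
        'struct info { int a; char pad[4]; };' \
        'int handler(void *arg) {' \
        '    struct info info;' \
        '    memset(&info, 0, sizeof(info));   /* fix: zero the whole structure */' \
        '    info.a = 1;' \
        '    return copy_to_user(arg, &info, sizeof(info));' \
        '}' > "$dir/drv.c"
    git -C "$dir" commit -q -a -m "drv: fix information leak in handler"
    git -C "$dir" tag v2.6.36

    printf '%s\n' "$dir"
}

# Stand-alone run: HEAD is the fix; walk back to the commit that introduced the bug.
if command -v git >/dev/null 2>&1; then
    repo=$(make_demo_repo)
    bug=$(blame_introducer "$repo" HEAD drv.c copy_to_user)
    echo "introduced by $bug in $(first_release "$repo" "$bug"), fixed in $(first_release "$repo" HEAD)"
    rm -rf "$repo"
fi
```

The answer carries exactly the weakness the article warns about: blame names the commit that last touched the line, so if that commit merely moved the code in from elsewhere, the blame has to be repeated at that commit's parent on the old location (or the vulnerable expression searched for with git log -S) before a date is assigned.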

About 60 of the 80 vulnerabilities listed above were dealt with in this way before your editor's eyes crossed permanently. The results can be seen in the following table. Let it be said from the outset that there will inevitably be some errors in the data below; the most likely mistake will be assigning blame to a commit which actually just moved the vulnerability from somewhere else. That may lead to a bias that makes vulnerabilities look more recent than they really are. That said, a best effort has been made, and things should not be too far off.

CVE #            Introduced             Fixed
                 Commit    Release      Commit    Release
CVE-2010-3477    --        <2.6.13      0f04cfd0  2.6.36
CVE-2010-3442    --        <2.6.13      5591bf07  2.6.36
CVE-2010-3437    --        <2.6.13      252a52aa  2.6.36
CVE-2010-3310    --        <2.6.13      9828e6e6  2.6.36
CVE-2010-3301    d4d67150  2.6.27       36d001c7  2.6.36
CVE-2010-3298    542f5482  2.6.29       7011e660  2.6.36
CVE-2010-3297    --        <2.6.13      44467187  2.6.36
CVE-2010-3296    4d22de3e  2.6.21       49c37c03  2.6.36
CVE-2010-3084    2d96cf8c  2.6.30       ee9c5cfa  2.6.36
CVE-2010-3081    42908c69  2.6.26       c41d68a5  2.6.36
CVE-2010-3080    7034632d  2.6.24       27f7ad53  2.6.36
CVE-2010-3079    5072c59f  2.6.27       9c55cb12  2.6.36
CVE-2010-3078    --        <2.6.13      a122eb2f  2.6.36
CVE-2010-3067    --        <2.6.13      75e1c70f  2.6.36
CVE-2010-3015    unknown                731eb1a0  2.6.34
CVE-2010-2960    ee18d64c  2.6.32       3d96406c  2.6.36
CVE-2010-2959    ffd980f9  2.6.25       5b75c497  2.6.36
CVE-2010-2955    3d23e349  2.6.33       42da2f94  2.6.36
CVE-2010-2946    --        <2.6.13      aca0fa34  2.6.36
CVE-2010-2943    --        <2.6.13      7124fe0a  2.6.35
CVE-2010-2942    --        2.6.9        1c40be12  2.6.36
CVE-2010-2803    unknown                b9f0aee8  2.6.36
CVE-2010-2798    71b86f56  2.6.19       728a756b  2.6.35
CVE-2010-2653    --        <2.6.13      e74d098c  2.6.34
CVE-2010-2538    e441d54d  2.6.29       2ebc3464  2.6.35
CVE-2010-2537    c5c9cd4d  2.6.29       2ebc3464  2.6.35
CVE-2010-2524    6103335d  2.6.25       4c0c03ca  2.6.35
CVE-2010-2521    --        <2.6.13      2bc3c117  2.6.34
CVE-2010-2492    dd2a3b7a  2.6.21       a6f80fb7  2.6.35
CVE-2010-2478    0853ad66  2.6.27       db048b69  2.6.35
CVE-2010-2248    --        <2.6.13      6513a81e  2.6.34
CVE-2010-2240    --        <2.6.13      320b2b8d  2.6.35
CVE-2010-2226    f6aa7f21  2.6.25       1817176a  2.6.35
CVE-2010-2071    744f52f9  2.6.29       2f26afba  2.6.35
CVE-2010-2066    748de673  2.6.31       1f5a81e4  2.6.35
CVE-2010-1643    --        <2.6.13      731572d3  2.6.28
CVE-2010-1641    71b86f56  2.6.19       7df0e039  2.6.35
CVE-2010-1636    f2eb0a24  2.6.29       5dc64164  2.6.34
CVE-2010-1488    28b83c51  2.6.32       b95c35e7  2.6.34
CVE-2010-1437    --        <2.6.13      cea7daa3  2.6.34
CVE-2010-1436    18ec7d5c  2.6.19       7e619bc3  2.6.35
CVE-2010-1188    --        <2.6.13      fb7e2399  2.6.20
CVE-2010-1173    --        <2.6.13      5fa782c2  2.6.34
CVE-2010-1162    --        <2.6.13      6da8d866  2.6.34
CVE-2010-1148    c3b2a0c6  2.6.29       fa588e0c  2.6.35
CVE-2010-1146    73422811  2.6.31       cac36f70  2.6.34
CVE-2010-1087    --        <2.6.13      9f557cd8  2.6.33
CVE-2010-1086    --        <2.6.13      29e1fa35  2.6.34
CVE-2010-1085    9ad593f6  2.6.27       fed08d03  2.6.33
CVE-2010-1084    be9d1227  2.6.15       101545f6  2.6.34
CVE-2010-1083    --        <2.6.13      d4a4683c  2.6.33
CVE-2010-0622    c87e2837  2.6.18       51246bfd  2.6.33
CVE-2010-0415    742755a1  2.6.18       6f5a55f1  2.6.33
CVE-2010-0410    7672d0b5  2.6.14       f98bfbd7  2.6.33
CVE-2010-0307    unknown                221af7f8  2.6.33

Some other notes relevant to the table:

  • No attempt was made to find the origin of vulnerabilities which were present in the initial commit which began the git era during the 2.6.12 development cycle. Anything which was already present then can certainly be said to be an old bug.

  • Some parts of the code have been changed so many times that it can be truly hard to determine when a vulnerability was introduced; places where your editor gave up are marked as "unknown" above. One could maybe come up with a real answer by bisecting and trying exploits, but your editor's dedication to the task was not quite that strong.

  • A couple of these bugs are old in a different way - CVE-2010-1188 was fixed in 2008, but was only understood to be a security issue in 2010. Anybody running a current kernel would not be vulnerable, but bugs like this can be nicely preserved in enterprise kernels for many years.

Looking at when the vulnerabilities were introduced yields a chart like this:

[Kernel vulnerabilities]

So, in a sense, the above-mentioned kernel hacker was correct - an awful lot of the vulnerabilities fixed over the last year predate the git era, and are thus over five years old. It seems that security bugs can lurk in the kernel for a very long time before somebody stumbles across them - or, at least, before somebody reports them.
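The bucketing behind that chart, as an added example that is not part of the article: POSIX shell and awk run over the table rows printed above, embedded verbatim as data. It goes a little beyond the chart by also counting the fixes per release; function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the LWN article: bucket the article's own table by the
# release each hole was introduced in, and by the release it was fixed in.
# Function names are this example's own.

# table_rows: the 55 rows as the article prints them (CVE, introducing commit,
# introducing release, fixing commit, fixing release). "--" marks holes that predate
# git; an "unknown" row has neither an introducing commit nor a release.
table_rows() {
cat <<'EOF'
CVE-2010-3477 -- <2.6.13 0f04cfd0 2.6.36
CVE-2010-3442 -- <2.6.13 5591bf07 2.6.36
CVE-2010-3437 -- <2.6.13 252a52aa 2.6.36
CVE-2010-3310 -- <2.6.13 9828e6e6 2.6.36
CVE-2010-3301 d4d67150 2.6.27 36d001c7 2.6.36
CVE-2010-3298 542f5482 2.6.29 7011e660 2.6.36
CVE-2010-3297 -- <2.6.13 44467187 2.6.36
CVE-2010-3296 4d22de3e 2.6.21 49c37c03 2.6.36
CVE-2010-3084 2d96cf8c 2.6.30 ee9c5cfa 2.6.36
CVE-2010-3081 42908c69 2.6.26 c41d68a5 2.6.36
CVE-2010-3080 7034632d 2.6.24 27f7ad53 2.6.36
CVE-2010-3079 5072c59f 2.6.27 9c55cb12 2.6.36
CVE-2010-3078 -- <2.6.13 a122eb2f 2.6.36
CVE-2010-3067 -- <2.6.13 75e1c70f 2.6.36
CVE-2010-3015 unknown 731eb1a0 2.6.34
CVE-2010-2960 ee18d64c 2.6.32 3d96406c 2.6.36
CVE-2010-2959 ffd980f9 2.6.25 5b75c497 2.6.36
CVE-2010-2955 3d23e349 2.6.33 42da2f94 2.6.36
CVE-2010-2946 -- <2.6.13 aca0fa34 2.6.36
CVE-2010-2943 -- <2.6.13 7124fe0a 2.6.35
CVE-2010-2942 -- 2.6.9 1c40be12 2.6.36
CVE-2010-2803 unknown b9f0aee8 2.6.36
CVE-2010-2798 71b86f56 2.6.19 728a756b 2.6.35
CVE-2010-2653 -- <2.6.13 e74d098c 2.6.34
CVE-2010-2538 e441d54d 2.6.29 2ebc3464 2.6.35
CVE-2010-2537 c5c9cd4d 2.6.29 2ebc3464 2.6.35
CVE-2010-2524 6103335d 2.6.25 4c0c03ca 2.6.35
CVE-2010-2521 -- <2.6.13 2bc3c117 2.6.34
CVE-2010-2492 dd2a3b7a 2.6.21 a6f80fb7 2.6.35
CVE-2010-2478 0853ad66 2.6.27 db048b69 2.6.35
CVE-2010-2248 -- <2.6.13 6513a81e 2.6.34
CVE-2010-2240 -- <2.6.13 320b2b8d 2.6.35
CVE-2010-2226 f6aa7f21 2.6.25 1817176a 2.6.35
CVE-2010-2071 744f52f9 2.6.29 2f26afba 2.6.35
CVE-2010-2066 748de673 2.6.31 1f5a81e4 2.6.35
CVE-2010-1643 -- <2.6.13 731572d3 2.6.28
CVE-2010-1641 71b86f56 2.6.19 7df0e039 2.6.35
CVE-2010-1636 f2eb0a24 2.6.29 5dc64164 2.6.34
CVE-2010-1488 28b83c51 2.6.32 b95c35e7 2.6.34
CVE-2010-1437 -- <2.6.13 cea7daa3 2.6.34
CVE-2010-1436 18ec7d5c 2.6.19 7e619bc3 2.6.35
CVE-2010-1188 -- <2.6.13 fb7e2399 2.6.20
CVE-2010-1173 -- <2.6.13 5fa782c2 2.6.34
CVE-2010-1162 -- <2.6.13 6da8d866 2.6.34
CVE-2010-1148 c3b2a0c6 2.6.29 fa588e0c 2.6.35
CVE-2010-1146 73422811 2.6.31 cac36f70 2.6.34
CVE-2010-1087 -- <2.6.13 9f557cd8 2.6.33
CVE-2010-1086 -- <2.6.13 29e1fa35 2.6.34
CVE-2010-1085 9ad593f6 2.6.27 fed08d03 2.6.33
CVE-2010-1084 be9d1227 2.6.15 101545f6 2.6.34
CVE-2010-1083 -- <2.6.13 d4a4683c 2.6.33
CVE-2010-0622 c87e2837 2.6.18 51246bfd 2.6.33
CVE-2010-0415 742755a1 2.6.18 6f5a55f1 2.6.33
CVE-2010-0410 7672d0b5 2.6.14 f98bfbd7 2.6.33
CVE-2010-0307 unknown 221af7f8 2.6.33
EOF
}

# introduced_histogram: one "<release> <count>" line per introducing release;
# "<2.6.13" gathers the pre-git holes and "unknown" the rows given up on.
introduced_histogram() {
    table_rows | awk '
        NF == 4 { n["unknown"]++; next }
        { n[$3]++ }
        END { for (r in n) print r, n[r] }' | sort
}

# era_summary: prints "pre_git git_era unknown"; any release older than 2.6.13
# (the explicit "<2.6.13" marker included) counts as pre-git.
era_summary() {
    table_rows | awk '
        NF == 4   { unknown++; next }
        $3 ~ /^</ { pre++; next }
        { split($3, v, ".")
          if (v[1] + 0 == 2 && v[2] + 0 == 6 && v[3] + 0 < 13) pre++; else post++ }
        END { print pre + 0, post + 0, unknown + 0 }'
}

# fixed_in RELEASE: how many rows were fixed in RELEASE, e.g. fixed_in 2.6.35.
fixed_in() {
    table_rows | awk -v rel="$1" '$NF == rel { c++ } END { print c + 0 }'
}

echo "holes introduced per release:"; introduced_histogram
echo "pre-git / git-era / unknown: $(era_summary)"
```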

According to the information above, we have fixed dozens of vulnerabilities since 2.6.33 without introducing any. The latter part of that claim might be charitably described as being unlikely to stand the test of time. There were (at least) 13 vulnerabilities fixed in the 2.6.35 cycle, 21 in the 2.6.36 cycle. We can hope that fewer vulnerabilities were added in that time; it seems certain, though, that (1) the number of vulnerabilities added will not be zero, and (2) it will probably take us five years or more to find many of them.

There may be some comfort in knowing that a large proportion of 2010's known security vulnerabilities are not a product of 2010's development. Indeed, assuming that a fair number of the old vulnerabilities are a bit older yet, one can also claim that they are not a product of the "new" kernel development model adopted in the early 2.6 days. That claim could be tested by extending this research back into the BitKeeper era; that is a task for a future project.

Your editor remains concerned, though, that it is too easy to put insecure code into the kernel and too hard to discover the vulnerabilities that are created. Analysis tools can help, but there really is no substitute for painstaking and meticulous code review when it comes to keeping vulnerabilities out of the kernel. At times, it is clear that the amount of review being done is not what it should be. There may well come a day when we'll wish we had found a way to be a bit more careful.

Comments (36 posted)

Brief items

Security quotes of the week

PinDr0p exploits artifacts left on call audio by the voice networks themselves. For example, VoIP calls tend to experience packet loss, split-second interruptions in audio that are too small for the human ear to detect. Likewise, cellular and public switched telephone networks (PSTNs) leave a distinctive type of noise on calls that pass through them. Phone calls today often pass through multiple VoIP, cellular and PSTN networks, and call data is either not transferred or transferred without verification across the networks. Using the call audio, PinDr0p employs a series of algorithms to detect and analyze call artifacts, then determines a call's provenance (the path it takes to get to a recipient's phone) with at least 90 percent accuracy and, given enough comparative information, even 100 percent accuracy.
-- Georgia Tech reports on recent research

The recent CVE-2010-2961 mountall vulnerability got a nice write-up by xorl today. I've seen a few public exploits for it, but those that I've seen, including the one in xorl's post, miss a rather important point: udev events can be triggered by regular users without any hardware fiddling. While the bug that kept udev from running inotify correctly on the /dev/.udev/rules.d directory during initial boot kept this vulnerability exposure pretty well minimized, the fact that udev events can be triggered at will made it pretty bad too. If udev had already been restarted, an attacker didn't have to wait at all, nor have physical access to the system.

While it is generally understood that udev events are related to hardware, it's important to keep in mind that it also sends events on module loads, and module loads can happen on demand from unprivileged users. For example, say you want to send an X.25 packet, when you call socket(AF_X25, SOCK_STREAM), the kernel will go load net-pf-9, which modules.alias lists as the x25 module. And once loaded, udev sends a "module" event.

-- Kees Cook with a useful reminder

Comments (none posted)

TaintDroid code released

TaintDroid is an Android firmware modification which can track and report on application activity; needless to say, the results with some applications can be surprising. The code is now available for anybody wanting to build their own TaintDroid system. For the time being, though, installing it does not appear to be a simple or straightforward task.

Comments (3 posted)

Two local privilege escalations

There is a local-root kernel vulnerability in the RDS protocol implementation. See this VSR advisory for more information. So far, only Ubuntu has issued an update for this problem.

Tavis Ormandy has reported a flaw in GNU libc that can be exploited by local users to gain root privileges. No distributions (other than the soon-to-be-released Fedora 14) have put out an update as yet.

Comments (11 posted)

New vulnerabilities

ardour: insecure library loading

Package(s): ardour    CVE #(s): CVE-2010-3349
Created: October 15, 2010    Updated: October 20, 2010
Description: From the Red Hat bugzilla:

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

Alerts:
Fedora FEDORA-2010-15499 ardour 2010-09-30
Fedora FEDORA-2010-15510 ardour 2010-09-30

Comments (none posted)

gnome-subtitles: code execution

Package(s): gnome-subtitles    CVE #(s): CVE-2010-3357
Created: October 14, 2010    Updated: October 20, 2010
Description:

From the Red Hat bugzilla entry:

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

Alerts:
Fedora FEDORA-2010-15711 gnome-subtitles 2010-10-05
Fedora FEDORA-2010-15717 gnome-subtitles 2010-10-05

Comments (none posted)
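The LD_LIBRARY_PATH pitfall behind the ardour and gnome-subtitles entries above, as an added example that is not code from either package or from the Red Hat reports: a POSIX shell script that builds the path the way the reports describe (so that an unset variable yields a leading empty item) beside a guarded construction that cannot, checks a list for empty items, and greps launcher scripts for the unguarded pattern. Function names, the sample script lines and the directory /usr/lib/demo are this example's own.

```shell
#!/bin/sh
# Added example, not code from ardour, gnome-subtitles or the Red Hat bugzilla: the
# empty-item pitfall in LD_LIBRARY_PATH, a safe construction, and an audit check.
# Function names and the sample values are this example's own.

# has_empty_entry LIST: succeeds when the colon-separated LIST contains an empty
# item, which ld.so(8) resolves to the current working directory. An unset or
# empty variable adds no directories at all, so it is not flagged.
has_empty_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# insecure_wrapper_path DIR: the construct the reports describe. When
# LD_LIBRARY_PATH is unset the result starts with ':', i.e. an empty first item.
insecure_wrapper_path() {
    printf '%s\n' "${LD_LIBRARY_PATH}:$1"
}

# safe_wrapper_path DIR: emits the separator only when there is an existing value
# to separate from, so no empty item can appear whatever the environment holds.
safe_wrapper_path() {
    printf '%s\n' "$1${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# audit_wrapper FILE: lists (with line numbers) the lines of a launcher script that
# rebuild LD_LIBRARY_PATH from its old value without the ${VAR:+...} guard.
audit_wrapper() {
    grep -nE 'LD_LIBRARY_PATH=' "$1" \
        | grep -E '\$[{]?LD_LIBRARY_PATH[}]?' \
        | grep -vE '\$[{]LD_LIBRARY_PATH:[+]'
}

# Stand-alone demonstration: compare the two constructions with the variable unset,
# the situation a desktop launcher usually runs in.
unset LD_LIBRARY_PATH
for p in "$(insecure_wrapper_path /usr/lib/demo)" "$(safe_wrapper_path /usr/lib/demo)"; do
    if has_empty_entry "$p"; then
        echo "UNSAFE: '$p' makes ld.so search the current directory"
    else
        echo "ok:     '$p'"
    fi
done
```

The audit is deliberately crude: it only catches the textual pattern and says nothing about a script that reads the old value into another variable first. It is a quick triage tool for a package's wrapper scripts, not a proof of absence.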

java-1.6.0-openjdk: multiple vulnerabilities

Package(s): java-1.6.0-openjdk    CVE #(s): CVE-2010-3541 CVE-2010-3548 CVE-2010-3549 CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557 CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3573 CVE-2010-3574 CVE-2010-3566
Created: October 14, 2010    Updated: May 3, 2011
Description:

From the Red Hat advisory:

defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times, which could allow a remote attacker to execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3569)

Race condition in the way objects were deserialized could allow an untrusted applet or application to misuse the privileges of the user running the applet or application. (CVE-2010-3568)

Miscalculation in the OpenType font rendering implementation caused out-of-bounds memory access, which could allow remote attackers to execute code with the privileges of the user running the java process. (CVE-2010-3567)

JPEGImageWriter.writeImage in the imageio API improperly checked certain image metadata, which could allow a remote attacker to execute arbitrary code in the context of the user running the applet or application. (CVE-2010-3565)

Double free in IndexColorModel could cause an untrusted applet or application to crash or, possibly, execute arbitrary code with the privileges of the user running the applet or application. (CVE-2010-3562)

The privileged accept method of the ServerSocket class in the Common Object Request Broker Architecture (CORBA) implementation in OpenJDK allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561)

Flaws in the Swing library could allow an untrusted application to modify the behavior and state of certain JDK classes. (CVE-2010-3557)

Flaws in the CORBA implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554)

UIDefault.ProxyLazyValue had unsafe reflection usage, allowing untrusted callers to create objects via ProxyLazyValue values. (CVE-2010-3553)

HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow remote attackers to conduct HTTP response splitting attacks. (CVE-2010-3549)

HttpURLConnection improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing untrusted code to create HTTP TRACE requests. (CVE-2010-3574)

HttpURLConnection did not validate request headers set by applets, which could allow remote attackers to trigger actions otherwise restricted to HTTP clients. (CVE-2010-3541, CVE-2010-3573)

The Kerberos implementation improperly checked the sanity of AP-REQ requests, which could cause a denial of service condition in the receiving Java Virtual Machine. (CVE-2010-3564)

The NetworkInterface class improperly checked the network "connect" permissions for local network addresses, which could allow remote attackers to read local network addresses. (CVE-2010-3551)

Information leak flaw in the Java Naming and Directory Interface (JNDI) could allow a remote attacker to access information about otherwise-protected internal network names. (CVE-2010-3548)

Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201111-02 sun-jdk 2011-11-05
SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22
SUSE SUSE-SA:2011:006 java-1_6_0-ibm 2011-01-25
Red Hat RHSA-2011:0169-01 java-1.5.0-ibm 2011-01-20
Red Hat RHSA-2011:0152-01 java-1.4.2-ibm 2011-01-17
SUSE SUSE-SA:2010:061 java-1_4_2-ibm,IBMJava2-JRE 2010-12-17
Red Hat RHSA-2010:0987-01 java-1.6.0-ibm 2010-12-15
Red Hat RHSA-2010:0935-01 java-1.4.2-ibm 2010-12-01
openSUSE openSUSE-SU-2010:0957-1 java-1_6_0-openjdk 2010-11-17
Red Hat RHSA-2010:0873-02 java-1.5.0-ibm 2010-11-10
Red Hat RHSA-2010:0865-02 java-1.6.0-openjdk 2010-11-10
Ubuntu USN-1010-1 openjdk-6, openjdk-6b18 2010-10-28
Red Hat RHSA-2010:0807-01 java-1.5.0-ibm 2010-10-27
openSUSE openSUSE-SU-2010:0754-1 java-1_6_0-sun 2010-10-22
Fedora FEDORA-2010-16294 java-1.6.0-openjdk 2010-10-14
Red Hat RHSA-2010:0770-01 java-1.6.0-sun 2010-10-14
Red Hat RHSA-2010:0768-01 java-1.6.0-openjdk 2010-10-13
Fedora FEDORA-2010-16240 java-1.6.0-openjdk 2010-10-14
Red Hat RHSA-2010:0786-01 java-1.4.2-ibm 2010-10-20
CentOS CESA-2010:0768 java-1.6.0-openjdk 2010-10-14
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25

Comments (none posted)

java-1.6.0-sun: multiple unspecified vulnerabilities

Package(s): java-1.6.0-sun    CVE #(s): CVE-2010-3550 CVE-2010-3552 CVE-2010-3555 CVE-2010-3556 CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3563 CVE-2010-3570 CVE-2010-3571 CVE-2010-3572
Created: October 14, 2010    Updated: March 22, 2011
Description:

From the Red Hat advisory:

CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component

CVE-2010-3552 JDK unspecified vulnerability in New Java Plugin component

CVE-2010-3555 JDK unspecified vulnerability in Deployment component

CVE-2010-3556 JDK unspecified vulnerability in 2D component

CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component

CVE-2010-3559 JDK unspecified vulnerability in Sound component

CVE-2010-3560 JDK unspecified vulnerability in Networking component

CVE-2010-3563 JDK unspecified vulnerability in Deployment component

CVE-2010-3570 JDK unspecified vulnerability in Deployment Toolkit

CVE-2010-3571 JDK unspecified vulnerability in 2D component

CVE-2010-3572 JDK unspecified vulnerability in Sound component

Alerts:
Gentoo 201111-02 sun-jdk 2011-11-05
SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22
SUSE SUSE-SA:2011:006 java-1_6_0-ibm 2011-01-25
Red Hat RHSA-2011:0169-01 java-1.5.0-ibm 2011-01-20
SUSE SUSE-SA:2010:061 java-1_4_2-ibm,IBMJava2-JRE 2010-12-17
Red Hat RHSA-2010:0987-01 java-1.6.0-ibm 2010-12-15
Red Hat RHSA-2010:0873-02 java-1.5.0-ibm 2010-11-10
Red Hat RHSA-2010:0807-01 java-1.5.0-ibm 2010-10-27
openSUSE openSUSE-SU-2010:0754-1 java-1_6_0-sun 2010-10-22
Red Hat RHSA-2010:0786-01 java-1.4.2-ibm 2010-10-20
Red Hat RHSA-2010:0770-01 java-1.6.0-sun 2010-10-14
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25

Comments (none posted)

kernel: information leak

Package(s): kernel    CVE #(s): CVE-2010-3477
Created: October 20, 2010    Updated: March 28, 2011
Description: The kernel's networking code fails to fully initialize a structure which is then passed back to user space, thus leaking a few bytes of data.
Alerts:
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Red Hat RHSA-2011:0007-01 kernel 2011-01-11
MeeGo MeeGo-SA-10:38 kernel 2010-10-09
Debian DSA-2126-1 linux-2.6 2010-11-26
CentOS CESA-2010:0839 kernel 2010-11-09
Red Hat RHSA-2010:0839-01 kernel 2010-11-09
Red Hat RHSA-2010:0779-01 kernel 2010-10-19
CentOS CESA-2010:0779 kernel 2010-10-25
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: privilege escalation

Package(s): kernel    CVE #(s): CVE-2010-2963
Created: October 20, 2010    Updated: May 10, 2011
Description: A failure to properly validate parameters in the Video4Linux1 compatibility interface can enable a local user to obtain root privileges. This vulnerability apparently only affects 64-bit systems.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Fedora FEDORA-2010-18983 kernel 2010-12-17
Mandriva MDVSA-2010:257 kernel 2010-10-29
openSUSE openSUSE-SU-2010:1047-1 kernel 2010-12-10
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Debian DSA-2126-1 linux-2.6 2010-11-26
SUSE SUSE-SA:2010:057 kernel 2010-11-11
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
openSUSE openSUSE-SU-2010:0933-1 kernel 2010-11-11
CentOS CESA-2010:0839 kernel 2010-11-09
Red Hat RHSA-2010:0839-01 kernel 2010-11-09
openSUSE SUSE-SA:2010:053 kernel 2010-10-28
openSUSE openSUSE-SU-2010:0902-1 kernel 2010-10-27
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2010-3432
Created: October 20, 2010    Updated: March 28, 2011
Description: The SCTP networking code fails to properly handle the appending of packet chunks, leading to a remotely-triggerable system crash (at least).
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Red Hat RHSA-2011:1321-01 kernel 2011-09-20
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
CentOS CESA-2010:0936 kernel 2011-01-27
CentOS CESA-2011:0004 kernel 2011-01-06
Red Hat RHSA-2011:0004-01 kernel 2011-01-04
openSUSE openSUSE-SU-2011:0004-1 kernel 2011-01-03
Fedora FEDORA-2010-18983 kernel 2010-12-17
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Red Hat RHSA-2010:0936-01 kernel 2010-12-01
Debian DSA-2126-1 linux-2.6 2010-11-26
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: information leak

Package(s): kernel    CVE #(s): CVE-2010-3437
Created: October 20, 2010    Updated: April 21, 2011
Description: The CD driver fails to check parameters properly, allowing a local attacker to read arbitrary kernel memory.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Mandriva MDVSA-2011:051 kernel 2011-03-18
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
SUSE SUSE-SA:2011:004 kernel 2011-01-14
openSUSE openSUSE-SU-2011:0048-1 SLE11 2011-01-19
openSUSE openSUSE-SU-2011:0003-1 kernel 2011-01-03
openSUSE openSUSE-SU-2011:0004-1 kernel 2011-01-03
SUSE SUSE-SA:2010:060 kernel 2010-12-14
openSUSE openSUSE-SU-2010:1047-1 kernel 2010-12-10
Debian DSA-2126-1 linux-2.6 2010-11-26
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2010-3442
Created: October 20, 2010    Updated: March 28, 2011
Description: The sound subsystem fails to properly validate system call parameters, enabling local attackers to crash the system (at least). Only 32-bit systems are affected by this bug.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
SUSE SUSE-SA:2011:008 kernel 2011-02-11
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
CentOS CESA-2010:0936 kernel 2011-01-27
CentOS CESA-2011:0004 kernel 2011-01-06
Red Hat RHSA-2011:0004-01 kernel 2011-01-04
openSUSE openSUSE-SU-2011:0003-1 kernel 2011-01-03
openSUSE openSUSE-SU-2011:0004-1 kernel 2011-01-03
Fedora FEDORA-2010-18983 kernel 2010-12-17
Mandriva MDVSA-2010:257 kernel 2010-10-29
SUSE SUSE-SA:2010:060 kernel 2010-12-14
openSUSE openSUSE-SU-2010:1047-1 kernel 2010-12-10
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Red Hat RHSA-2010:0936-01 kernel 2010-12-01
Debian DSA-2126-1 linux-2.6 2010-11-26
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: remote denial of service

Package(s): kernel    CVE #(s): CVE-2010-3705
Created: October 20, 2010    Updated: April 28, 2011
Description: The SCTP networking code does not properly handle HMAC calculations, enabling a remote attacker to crash the system (or worse) through specially-crafted traffic.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
SUSE SUSE-SA:2011:012 kernel 2011-03-08
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
Mandriva MDVSA-2011:029 kernel 2011-02-17
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Fedora FEDORA-2010-18983 kernel 2010-12-17
Red Hat RHSA-2010:0958-01 kernel-rt 2010-12-08
Debian DSA-2126-1 linux-2.6 2010-11-26
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

kernel: local privilege escalation

Package(s): kernel    CVE #(s): CVE-2010-3904
Created: October 20, 2010    Updated: May 10, 2011
Description: The RDS network protocol fails to validate user-space addresses, allowing a local attacker to write arbitrary values into kernel memory. See this advisory for more information.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
SUSE SUSE-SA:2011:007 kernel-rt 2011-02-07
Fedora FEDORA-2010-18983 kernel 2010-12-17
SUSE SUSE-SA:2010:057 kernel 2010-11-11
Red Hat RHSA-2010:0842-01 kernel 2010-11-10
openSUSE openSUSE-SU-2010:0933-1 kernel 2010-11-11
openSUSE SUSE-SA:2010:053 kernel 2010-10-28
openSUSE openSUSE-SU-2010:0902-1 kernel 2010-10-27
CentOS CESA-2010:0792 kernel 2010-10-26
Red Hat RHSA-2010:0792-01 kernel 2010-10-25
Ubuntu USN-1000-1 kernel 2010-10-19

Comments (none posted)

Mozilla products: multiple vulnerabilities

Package(s): firefox seamonkey thunderbird xulrunner    CVE #(s): CVE-2010-3170 CVE-2010-3173 CVE-2010-3175 CVE-2010-3176 CVE-2010-3177 CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3182 CVE-2010-3183
Created: October 20, 2010    Updated: December 24, 2010
Description: The firefox 3.6.11/3.5.14 and thunderbird 3.1.5/3.0.9 releases fix the usual set of security vulnerabilities.
Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Fedora FEDORA-2010-18920 seamonkey 2010-12-15
Fedora FEDORA-2010-18890 seamonkey 2010-12-15
Slackware SSA:2010-344-01 seamonkey 2010-12-13
Red Hat RHSA-2010:0896-01 thunderbird 2010-11-17
Slackware SSA:2010-317-01 thunderbird 2010-11-15
Red Hat RHSA-2010:0862-02 nss 2010-11-10
Red Hat RHSA-2010:0861-02 firefox 2010-11-10
Fedora FEDORA-2010-17084 seamonkey 2010-11-02
Fedora FEDORA-2010-17145 seamonkey 2010-11-02
SUSE SUSE-SA:2010:056 MozillaFirefox,seamonkey,MozillaThunderbird 2010-11-08
Fedora FEDORA-2010-15989 nss-softokn 2010-10-08
Fedora FEDORA-2010-15989 nss-util 2010-10-08
Fedora FEDORA-2010-15989 nss 2010-10-08
SUSE SUSE-SR:2010:020 NetworkManager, bind, clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail, postgresql 2010-11-03
Fedora FEDORA-2010-17105 seamonkey 2010-11-02
openSUSE openSUSE-SU-2010:0925-1 seamonkey 2010-11-02
openSUSE openSUSE-SU-2010:0924-1 mozilla-xulrunner191 2010-11-02
Fedora FEDORA-2010-16941 thunderbird 2010-10-29
Fedora FEDORA-2010-16939 thunderbird 2010-10-29
Fedora FEDORA-2010-16926 thunderbird 2010-10-29
Fedora FEDORA-2010-16941 sunbird 2010-10-29
Fedora FEDORA-2010-16939 sunbird 2010-10-29
Fedora FEDORA-2010-16926 sunbird 2010-10-29
Debian DSA-2124-1 xulrunner 2010-11-01
Debian DSA-2123-1 nss 2010-11-01
Slackware SSA:2010-305-01 seamonkey 2010-11-01
Fedora FEDORA-2010-16885 mozvoikko 2010-10-28
Fedora FEDORA-2010-16885 gnome-web-photo 2010-10-28
Fedora FEDORA-2010-16885 perl-Gtk2-MozEmbed 2010-10-28
Fedora FEDORA-2010-16885 xulrunner 2010-10-28
Fedora FEDORA-2010-16885 gnome-python2-extras 2010-10-28
Fedora FEDORA-2010-16885 galeon 2010-10-28
Fedora FEDORA-2010-16885 firefox 2010-10-28
Fedora FEDORA-2010-16593 mozvoikko 2010-10-21
Fedora FEDORA-2010-16593 gnome-python2-extras 2010-10-21
Fedora FEDORA-2010-16593 galeon 2010-10-21
Fedora FEDORA-2010-16593 gnome-web-photo 2010-10-21
Fedora FEDORA-2010-16593 firefox 2010-10-21
Fedora FEDORA-2010-16593 perl-Gtk2-MozEmbed 2010-10-21
Fedora FEDORA-2010-16593 xulrunner 2010-10-21
Fedora FEDORA-2010-15520 nss 2010-09-30
Fedora FEDORA-2010-15520 nss-softokn 2010-09-30
Fedora FEDORA-2010-15520 nss-util 2010-09-30
Slackware SSA:2010-300-01 seamonkey 2010-10-28
openSUSE openSUSE-SU-2010:0906-1 seamonkey thunderbird 2010-10-28
openSUSE openSUSE-SU-2010:0904-1 mozilla-nss 2010-10-27
Mandriva MDVSA-2010:210 firefox 2010-10-22
Ubuntu USN-998-1 thunderbird 2010-10-20
Ubuntu USN-997-1 firefox, firefox-3.0, firefox-3.5, xulrunner-1.9.1, xulrunner-1.9.2 2010-10-20
Ubuntu USN-1007-1 nss 2010-10-20
CentOS CESA-2010:0782 firefox 2010-10-20
Red Hat RHSA-2010:0780-01 thunderbird 2010-10-19
Red Hat RHSA-2010:0782-01 firefox 2010-10-19
CentOS CESA-2010:0782 firefox 2010-10-25
CentOS CESA-2010:0781 seamonkey 2010-10-25
CentOS CESA-2010:0780 thunderbird 2010-10-25
CentOS CESA-2010:0780 thunderbird 2010-10-20
Red Hat RHSA-2010:0781-01 seamonkey 2010-10-19
CentOS CESA-2010:0781 seamonkey 2010-10-25
Mandriva MDVSA-2010:211 mozilla-thunderbird 2010-10-22

Comments (none posted)

MRG Messaging: multiple vulnerabilities

Package(s): MRG Messaging    CVE #(s): CVE-2009-5005 CVE-2009-5006
Created: October 14, 2010    Updated: October 20, 2010
Description:

From the Red Hat advisory:

A flaw was found in the way Apache Qpid handled the receipt of invalid AMQP data. A remote user could send invalid AMQP data to the server, causing it to crash, resulting in the cluster shutting down. (CVE-2009-5005)

A flaw was found in the way Apache Qpid handled a request to redeclare an existing exchange while adding a new alternate exchange. If a remote, authenticated user issued such a request, the server would crash, resulting in the cluster shutting down. (CVE-2009-5006)

Alerts:
Red Hat RHSA-2010:0774-01 MRG messaging 2010-10-14
Red Hat RHSA-2010:0773-01 MRG Messaging 2010-10-14

Comments (none posted)

opera: multiple vulnerabilities

Package(s): opera    CVE #(s):
Created: October 15, 2010    Updated: October 20, 2010
Description: Opera 10.63 is a recommended upgrade offering security and stability enhancements. See the Opera release notes for details.
Alerts:
openSUSE openSUSE-SU-2010:0728-1 opera 2010-10-15

Comments (none posted)

php-pear-CAS: multiple vulnerabilities

Package(s): php-pear-CAS    CVE #(s): CVE-2010-3690 CVE-2010-3691 CVE-2010-3692
Created: October 19, 2010    Updated: February 23, 2011
Description: From the CVE entries:

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. (CVE-2010-3690)

PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. (CVE-2010-3691)

Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter. (CVE-2010-3692)

Alerts:
Debian DSA-2172-1 moodle 2011-02-22
Fedora FEDORA-2010-16905 glpi 2010-10-28
Fedora FEDORA-2010-16912 glpi 2010-10-28
Fedora FEDORA-2010-15943 php-pear-CAS 2010-10-08
Fedora FEDORA-2010-15970 php-pear-CAS 2010-10-08

poppler: memory corruption

Package(s): poppler    CVE #(s): CVE-2010-3703
Created: October 19, 2010    Updated: December 24, 2010
Description: From the Red Hat bugzilla:

poppler git commit bf2055088a corrects a possible use of an uninitialized pointer in PostScriptFunction, which can cause a crash or memory corruption.

Alerts:
Gentoo 201310-03 poppler 2013-10-06
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
openSUSE openSUSE-SU-2010:1091-1 xpdf 2010-12-23
openSUSE openSUSE-SU-2010:0976-1 poppler 2010-11-25
Slackware SSA:2010-324-02 poppler 2010-11-22
Slackware SSA:2010-324-01 xpdf 2010-11-22
Mandriva MDVSA-2010:231 poppler 2010-11-12
Red Hat RHSA-2010:0859-03 poppler 2010-11-10
Fedora FEDORA-2010-15911 poppler 2010-10-08
Ubuntu USN-1005-1 poppler 2010-10-19
Fedora FEDORA-2010-15981 poppler 2010-10-08

typo3: multiple vulnerabilities

Package(s): typo3    CVE #(s): CVE-2010-3714 CVE-2010-3715 CVE-2010-3716 CVE-2010-3717
Created: October 20, 2010    Updated: October 20, 2010
Description: The typo3 content management system suffers from multiple vulnerabilities, including remote file disclosure (CVE-2010-3714), cross-site scripting (CVE-2010-3715), privilege escalation (CVE-2010-3716), and denial of service (CVE-2010-3717).
Alerts:
Debian DSA-2121-1 typo3-src 2010-10-19

webkitgtk: multiple vulnerabilities

Package(s): webkitgtk    CVE #(s): CVE-2010-3113 CVE-2010-1814 CVE-2010-1812 CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114 CVE-2010-3116 CVE-2010-3257 CVE-2010-3259
Created: October 19, 2010    Updated: March 2, 2011
Description: From the Fedora advisory:

Bug #628032 - CVE-2010-3113 webkit: memory corruption when handling SVG documents

Bug #631946 - CVE-2010-1814 webkit: memory corruption flaw when handling form menus

Bug #631939 - CVE-2010-1812 webkit: use-after-free flaw in handling of selections

Bug #631948 - CVE-2010-1815 webkit: use-after-free flaw when handling scrollbars

Bug #628071 - CVE-2010-3115 webkit: address bar spoofing with history bug

Bug #627703 - CVE-2010-1807 webkit: input validation error when parsing certain NaN values

Bug #628035 - CVE-2010-3114 webkit: bad cast with text editing

Bug #640353 - CVE-2010-3116 webkit: memory corruption with MIME types

Bug #640357 - CVE-2010-3257 webkit: stale pointer issue with focusing

Bug #640360 - CVE-2010-3259 webkit: cross-origin image theft

Alerts:
Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Mandriva MDVSA-2011:039 webkit 2011-03-02
Red Hat RHSA-2011:0177-01 webkitgtk 2011-01-25
MeeGo MeeGo-SA-10:37 webkit 2010-10-09
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
Ubuntu USN-1006-1 webkit 2010-10-19
Fedora FEDORA-2010-15957 webkitgtk 2010-10-08
Fedora FEDORA-2010-15982 webkitgtk 2010-10-08

Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds