Lucene search

K
osvGoogleOSV:DSA-2126-1
HistoryNov 26, 2010 - 12:00 a.m.

linux-2.6 - several issues

2010-11-2600:00:00
Google
osv.dev
20

EPSS

0.063

Percentile

93.7%

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2010-2963
    Kees Cook discovered an issue in the v4l 32-bit compatibility layer for
    64-bit systems that allows local users with /dev/video write permission to
    overwrite arbitrary kernel memory, potentially leading to a privilege
    escalation. On Debian systems, access to /dev/video devices is restricted to
    members of the ‘video’ group by default.
  • CVE-2010-3067
    Tavis Ormandy discovered an issue in the io_submit system call. Local users
    can cause an integer overflow resulting in a denial of service.
  • CVE-2010-3296
    Dan Rosenberg discovered an issue in the cxgb network driver that allows
    unprivileged users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3297
    Dan Rosenberg discovered an issue in the eql network driver that allows
    local users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3310
    Dan Rosenberg discovered an issue in the ROSE socket implementation. On
    systems with a rose device, local users can cause a denial of service
    (kernel memory corruption).
  • CVE-2010-3432
    Thomas Dreibholz discovered an issue in the SCTP protocol that permits a
    remote user to cause a denial of service (kernel panic).
  • CVE-2010-3437
    Dan Rosenberg discovered an issue in the pktcdvd driver. Local users with
    permission to open /dev/pktcdvd/control can obtain the contents of sensitive
    kernel memory or cause a denial of service. By default on Debian systems,
    this access is restricted to members of the group ‘cdrom’.
  • CVE-2010-3442
    Dan Rosenberg discovered an issue in the ALSA sound system. Local users with
    permission to open /dev/snd/controlC0 can create an integer overflow
    condition that causes a denial of service. By default on Debian systems,
    this access is restricted to members of the group ‘audio’.
  • CVE-2010-3448
    Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain
    Thinkpad systems, local users can cause a denial of service (X.org crash) by
    reading /proc/acpi/ibm/video.
  • CVE-2010-3477
    Jeff Mahoney discovered an issue in the Traffic Policing (act_police) module
    that allows local users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3705
    Dan Rosenberg reported an issue in the HMAC processing code in the SCTP
    protocol that allows remote users to create a denial of service (memory
    corruption).
  • CVE-2010-3848
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    cause a stack overflow condition with large msg->msgiovlen values that can
    result in a denial of service or privilege escalation.
  • CVE-2010-3849
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    cause a denial of service (oops) if a NULL remote addr value is passed as a
    parameter to sendmsg().
  • CVE-2010-3850
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    assign econet addresses to arbitrary interfaces due to a missing
    capabilities check.
  • CVE-2010-3858
    Brad Spengler reported an issue in the setup_arg_pages() function. Due to a
    bounds-checking failure, local users can create a denial of service (kernel
    oops).
  • CVE-2010-3859
    Dan Rosenberg reported an issue in the TIPC protocol. When the tipc module
    is loaded, local users can gain elevated privileges via the sendmsg() system
    call.
  • CVE-2010-3873
    Dan Rosenberg reported an issue in the X.25 network protocol. Local users
    can cause heap corruption, resulting in a denial of service (kernel panic).
  • CVE-2010-3874
    Dan Rosenberg discovered an issue in the Control Area Network (CAN)
    subsystem on 64-bit systems. Local users may be able to cause a denial of
    service (heap corruption).
  • CVE-2010-3875
    Vasiliy Kulikov discovered an issue in the AX.25 protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3876
    Vasiliy Kulikov discovered an issue in the Packet protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3877
    Vasiliy Kulikov discovered an issue in the TIPC protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3880
    Nelson Elhage discovered an issue in the INET_DIAG subsystem. Local users
    can cause the kernel to execute unaudited INET_DIAG bytecode, resulting in a
    denial of service.
  • CVE-2010-4072
    Kees Cook discovered an issue in the System V shared memory subsystem.
    Local users can obtain the contents of sensitive kernel memory.
  • CVE-2010-4073
    Dan Rosenberg discovered an issue in the System V shared memory subsystem.
    Local users on 64-bit system can obtain the contents of sensitive kernel
    memory via the 32-bit compatible semctl() system call.
  • CVE-2010-4074
    Dan Rosenberg reported issues in the mos7720 and mos7840 drivers for USB
    serial converter devices. Local users with access to these devices can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-4078
    Dan Rosenberg reported an issue in the framebuffer driver for SiS graphics
    chipsets (sisfb). Local users with access to the framebuffer device can
    obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
  • CVE-2010-4079
    Dan Rosenberg reported an issue in the ivtvfb driver used for the Hauppauge
    PVR-350 card. Local users with access to the framebuffer device can obtain
    the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
  • CVE-2010-4080
    Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
    audio devices. Local users with access to the audio device can obtain the
    contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
    ioctl.
  • CVE-2010-4081
    Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
    MADI audio devices. Local users with access to the audio device can obtain
    the contents of sensitive kernel memory via the
    SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.
  • CVE-2010-4083
    Dan Rosenberg discovered an issue in the semctl system call. Local users can
    obtain the contents of sensitive kernel memory through usage of the semid_ds
    structure.
  • CVE-2010-4164
    Dan Rosenberg discovered an issue in the X.25 network protocol. Remote users
    can achieve a denial of service (infinite loop) by taking advantage of an
    integer underflow in the facility parsing code.

For the stable distribution (lenny), this problem has been fixed in version
2.6.26-26lenny1.

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+26lenny1