{"cve": [{"lastseen": "2019-05-29T18:10:32", "bulletinFamily": "NVD", "description": "The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call.", "modified": "2012-03-19T04:00:00", "id": "CVE-2010-4256", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4256", "published": "2011-01-25T19:00:00", "title": "CVE-2010-4256", "type": "cve", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2019-11-03T12:30:21", "bulletinFamily": "scanner", "description": "Gleb Napatov discovered that KVM did not correctly check certain\nprivileged operations. A local attacker with access to a guest kernel\ncould exploit this to crash the host system, leading to a denial of\nservice. (CVE-2010-0435)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the Linux kernel X.25 implementation\nincorrectly parsed facilities. A remote attacker could exploit this to\ncrash the kernel, leading to a denial of service. (CVE-2010-3873)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nVasiliy Kulikov discovered that kvm did not correctly clear memory. A\nlocal attacker could exploit this to read portions of the kernel\nstack, leading to a loss of privacy. (CVE-2010-3881)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly\ninitialize certian structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nDan Rosenberg discovered that the socket filters did not correctly\ninitialize structure memory. A local attacker could create malicious\nfilters to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root privileges.\n(CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities\nparsing. If a system was using X.25, a remote attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS\nvalues. A local attacker could make a specially crafted socket call to\ncrash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check\nioctl arguments. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4175)\n\nBrad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not\nhandled correctly for active sockets. A local attacker could exploit\nthis to allocate all available kernel memory, leading to a denial of\nservice. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle\nprocess cleanup after triggering a recoverable kernel bug. If a local\nattacker were able to trigger certain kinds of kernel bugs, they could\ncreate a specially crafted process to gain root privileges.\n(CVE-2010-4258).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-1054-1.NASL", "href": "https://www.tenable.com/plugins/nessus/51847", "published": "2011-02-02T00:00:00", "title": "Ubuntu 10.04 LTS / 10.10 : linux, linux-ec2 vulnerabilities (USN-1054-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1054-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51847);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2010-0435\", \"CVE-2010-3859\", \"CVE-2010-3873\", \"CVE-2010-3874\", \"CVE-2010-3881\", \"CVE-2010-4073\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4158\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\");\n script_xref(name:\"USN\", value:\"1054-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 10.10 : linux, linux-ec2 vulnerabilities (USN-1054-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Gleb Napatov discovered that KVM did not correctly check certain\nprivileged operations. A local attacker with access to a guest kernel\ncould exploit this to crash the host system, leading to a denial of\nservice. (CVE-2010-0435)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the Linux kernel X.25 implementation\nincorrectly parsed facilities. A remote attacker could exploit this to\ncrash the kernel, leading to a denial of service. (CVE-2010-3873)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nVasiliy Kulikov discovered that kvm did not correctly clear memory. A\nlocal attacker could exploit this to read portions of the kernel\nstack, leading to a loss of privacy. (CVE-2010-3881)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly\ninitialize certian structures. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nDan Rosenberg discovered that the socket filters did not correctly\ninitialize structure memory. A local attacker could create malicious\nfilters to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root privileges.\n(CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities\nparsing. If a system was using X.25, a remote attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS\nvalues. A local attacker could make a specially crafted socket call to\ncrash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check\nioctl arguments. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4175)\n\nBrad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not\nhandled correctly for active sockets. A local attacker could exploit\nthis to allocate all available kernel memory, leading to a denial of\nservice. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle\nprocess cleanup after triggering a recoverable kernel bug. If a local\nattacker were able to trigger certain kinds of kernel bugs, they could\ncreate a specially crafted process to gain root privileges.\n(CVE-2010-4258).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1054-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-ec2-source-2.6.32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-lpia\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-preempt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-source-2.6.35\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-tools-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/02/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|10\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 10.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-0435\", \"CVE-2010-3859\", \"CVE-2010-3873\", \"CVE-2010-3874\", \"CVE-2010-3881\", \"CVE-2010-4073\", \"CVE-2010-4079\", \"CVE-2010-4083\", \"CVE-2010-4158\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1054-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-doc\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-ec2-doc\", pkgver:\"2.6.32-312.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-ec2-source-2.6.32\", pkgver:\"2.6.32-312.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28-386\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28-generic\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28-generic-pae\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28-preempt\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-28-server\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-312\", pkgver:\"2.6.32-312.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.32-312-ec2\", pkgver:\"2.6.32-312.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-386\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-generic\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-generic-pae\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-lpia\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-preempt\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-server\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-versatile\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-28-virtual\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.32-312-ec2\", pkgver:\"2.6.32-312.24\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-libc-dev\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-source-2.6.32\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-tools-2.6.32-28\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-tools-common\", pkgver:\"2.6.32-28.55\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-doc\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-25\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-25-generic\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-25-generic-pae\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-25-server\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-headers-2.6.35-25-virtual\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-25-generic\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-25-generic-pae\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-25-server\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-25-versatile\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-25-virtual\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-libc-dev\", pkgver:\"2.6.35-1025.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-source-2.6.35\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-tools-2.6.35-25\", pkgver:\"2.6.35-25.44\")) flag++;\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-tools-common\", pkgver:\"2.6.35-25.44\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-doc / linux-ec2-doc / linux-ec2-source-2.6.32 / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-03T12:30:28", "bulletinFamily": "scanner", "description": "Dan Rosenberg discovered that several network ioctls did not clear\nkernel memory correctly. A local user could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-3296,\nCVE-2010-3297)\n\nBrad Spengler discovered that stack memory for new a process was not\ncorrectly calculated. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation\ndid not properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that multiple terminal ioctls did not\ncorrectly initialize structure memory. A local attacker could exploit\nthis to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface\ndriver did not correctly clear kernel memory. A local attacker could\nexploit this to read kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nJames Bottomley discovered that the ICP vortex storage array\ncontroller driver did not validate certain sizes. A local attacker on\na 64bit system could exploit this to crash the kernel, leading to a\ndenial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root\nprivileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly\nvalidate iov segments. A local attacker with access to a SCSI device\ncould send specially crafted requests to crash the system, leading to\na denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly\ncheck ioctl arguments. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check\nif a write operation was available. If the mmap_min-addr sysctl was\nchanged from the Ubuntu default to a value of 0, a local attacker\ncould exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account\nfor userspace memory allocations during exec() calls. A local\nattacker could exploit this to consume all system memory, leading to\na denial of service. (CVE-2010-4243)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nKees Cook discovered that some ethtool functions did not correctly\nclear heap memory. A local attacker with CAP_NET_ADMIN privileges\ncould exploit this to read portions of kernel heap memory, leading to\na loss of privacy. (CVE-2010-4655)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial\nof service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize\nmemory. A local attacker could make crafted ioctl calls to leak\nportions of kernel stack memory, leading to a loss of privacy.\n(CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments\nUSB driver did not correctly validate string lengths. A local\nattacker with physical access could plug in a specially crafted USB\ndevice to crash the system or potentially gain root privileges.\n(CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not\ncorrectly validate certain registers. On systems with specific\nhardware, a local attacker could exploit this to write to arbitrary\nvideo memory. (CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the\nCAP_NET_ADMIN capability could load existing kernel modules, possibly\nincreasing the attack surface available on the system.\n(CVE-2011-1019)\n\nIt was discovered that the /proc filesystem did not correctly handle\npermission changes when programs executed. A local attacker could\nhold open files to examine details about programs running with higher\nprivileges, potentially increasing the chances of exploiting\nadditional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel\nstack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss\nof privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not\ncheck that name fields were NULL terminated. A local attacker could\nexploit this to leak contents of kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to\nan NFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system,\nleading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly\ncheck the adapter index during ioctl calls. If this driver was\nloaded, a local attacker could make a specially crafted ioctl call to\ngain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with\nnetfilter access could exploit this to read kernel memory or crash\nthe system, leading to a denial of service. (CVE-2011-1170,\nCVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit\nthis to send signals to arbitrary threads, possibly bypassing\nexpected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not\ncorrectly handle certain fields. If a system was running with Rose\nenabled, a remote attacker could send specially crafted traffic to\ngain root privileges. (CVE-2011-1493)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did\nnot correctly validate certain structures. A local attacker with\nphysical access could plug in a specially crafted block device to\ncrash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not\ncorrectly check the origin of mount points. A local attacker could\nexploit this to trick the system into unmounting arbitrary mount\npoints, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not\ncorrectly handled. A local attacker could expoit this to exhaust\nmemory and CPU resources, leading to a denial of service.\n(CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly\ninitialize structures. A local attacker could exploit this to read\nportions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable\nfragment identification numbers. A remote attacker could exploit this\nto exhaust network resources, leading to a denial of service.\n(CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain\ncounters. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-2918)", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-1202-1.NASL", "href": "https://www.tenable.com/plugins/nessus/56190", "published": "2011-09-14T00:00:00", "title": "USN-1202-1 : linux-ti-omap4 vulnerabilities", "type": "nessus", "sourceData": "# This script was automatically generated from Ubuntu Security\n# Notice USN-1202-1. It is released under the Nessus Script \n# Licence.\n#\n# Ubuntu Security Notices are (C) Canonical, Inc.\n# See http://www.ubuntu.com/usn/\n# Ubuntu(R) is a registered trademark of Canonical, Inc.\n\nif (!defined_func(\"bn_random\")) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(56190);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2016/05/26 16:14:09 $\");\n\n script_cve_id(\"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3880\", \"CVE-2010-4073\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4083\", \"CVE-2010-4157\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4256\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4655\", \"CVE-2010-4656\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1020\", \"CVE-2011-1044\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1748\", \"CVE-2011-1770\", \"CVE-2011-1833\", \"CVE-2011-2022\", \"CVE-2011-2484\", \"CVE-2011-2492\", \"CVE-2011-2534\", \"CVE-2011-2699\", \"CVE-2011-2918\");\n script_xref(name:\"USN\", value:\"1202-1\");\n\n script_name(english:\"USN-1202-1 : linux-ti-omap4 vulnerabilities\");\n script_summary(english:\"Checks dpkg output for updated package(s)\");\n\n script_set_attribute(attribute:\"synopsis\", value: \n\"The remote Ubuntu host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"Dan Rosenberg discovered that several network ioctls did not clear\nkernel memory correctly. A local user could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-3296,\nCVE-2010-3297)\n\nBrad Spengler discovered that stack memory for new a process was not\ncorrectly calculated. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation\ndid not properly audit certain bytecodes in netlink messages. A local\nattacker could exploit this to cause the kernel to hang, leading to a\ndenial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that multiple terminal ioctls did not\ncorrectly initialize structure memory. A local attacker could exploit\nthis to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface\ndriver did not correctly clear kernel memory. A local attacker could\nexploit this to read kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nDan Rosenberg discovered that the semctl syscall did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nJames Bottomley discovered that the ICP vortex storage array\ncontroller driver did not validate certain sizes. A local attacker on\na 64bit system could exploit this to crash the kernel, leading to a\ndenial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root\nprivileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly\nvalidate iov segments. A local attacker with access to a SCSI device\ncould send specially crafted requests to crash the system, leading to\na denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly\ncheck ioctl arguments. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check\nif a write operation was available. If the mmap_min-addr sysctl was\nchanged from the Ubuntu default to a value of 0, a local attacker\ncould exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account\nfor userspace memory allocations during exec() calls. A local\nattacker could exploit this to consume all system memory, leading to\na denial of service. (CVE-2010-4243)\n\nIt was discovered that multithreaded exec did not handle CPU timers\ncorrectly. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4248)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel\naddresses into the /proc filesystem. A local attacker could use this\nto increase the chances of a successful memory corruption exploit.\n(CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly\nhandle certain requests. A local user could exploit this to crash the\nsystem or potentially gain root privileges. (CVE-2010-4649,\nCVE-2011-1044)\n\nKees Cook discovered that some ethtool functions did not correctly\nclear heap memory. A local attacker with CAP_NET_ADMIN privileges\ncould exploit this to read portions of kernel heap memory, leading to\na loss of privacy. (CVE-2010-4655)\n\nKees Cook discovered that the IOWarrior USB device driver did not\ncorrectly check certain size fields. A local attacker with physical\naccess could plug in a specially crafted USB device to crash the\nsystem or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check\ncertain values during an ioctl. If the dvb-ttpci module was loaded, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race\ncondition. On systems using InfiniBand, a local attacker could send\nspecially crafted requests to crash the system, leading to a denial\nof service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize\nmemory. A local attacker could make crafted ioctl calls to leak\nportions of kernel stack memory, leading to a loss of privacy.\n(CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments\nUSB driver did not correctly validate string lengths. A local\nattacker with physical access could plug in a specially crafted USB\ndevice to crash the system or potentially gain root privileges.\n(CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter\ncertain memory locations. A local attacker could determine the memory\nlayout of processes in an attempt to increase the chances of a\nsuccessful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not\ncorrectly calculate block counts. A local attacker with physical\naccess could plug in a specially crafted block device to crash the\nsystem, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not\ncorrectly handle a signed comparison. A local attacker could exploit\nthis to crash the system or possibly gain root privileges.\n(CVE-2011-1013)\n\nMarek Olsak discovered that the Radeon GPU drivers did not\ncorrectly validate certain registers. On systems with specific\nhardware, a local attacker could exploit this to write to arbitrary\nvideo memory. (CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not\nneeded to load kernel modules. A local attacker with the\nCAP_NET_ADMIN capability could load existing kernel modules, possibly\nincreasing the attack surface available on the system.\n(CVE-2011-1019)\n\nIt was discovered that the /proc filesystem did not correctly handle\npermission changes when programs executed. A local attacker could\nhold open files to examine details about programs running with higher\nprivileges, potentially increasing the chances of exploiting\nadditional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel\nstack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss\nof privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not\ncheck that name fields were NULL terminated. A local attacker could\nexploit this to leak contents of kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly\nhandle certain structures. A local attacker could create malicious\nrequests that would hang the system, leading to a denial of service.\n(CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain\norders of operation with ACL data. A remote attacker with access to\nan NFSv4 mount could exploit this to crash the system, leading to a\ndenial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system,\nleading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not\ncorrectly clear memory. A local attacker with physical access could\nplug in a specially crafted block device to read kernel memory,\nleading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly\ncheck the adapter index during ioctl calls. If this driver was\nloaded, a local attacker could make a specially crafted ioctl call to\ngain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with\nnetfilter access could exploit this to read kernel memory or crash\nthe system, leading to a denial of service. (CVE-2011-1170,\nCVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate\nthe signal structure from tkill(). A local attacker could exploit\nthis to send signals to arbitrary threads, possibly bypassing\nexpected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate\nmemory. In some configurations on systems using VLANs, a remote\nattacker could send specially crafted traffic to crash the system,\nleading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not\ncorrectly handle certain fields. If a system was running with Rose\nenabled, a remote attacker could send specially crafted traffic to\ngain root privileges. (CVE-2011-1493)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did\nnot correctly validate certain structures. A local attacker with\nphysical access could plug in a specially crafted block device to\ncrash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not\ncorrectly check the origin of mount points. A local attacker could\nexploit this to trick the system into unmounting arbitrary mount\npoints, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not\ncorrectly handled. A local attacker could expoit this to exhaust\nmemory and CPU resources, leading to a denial of service.\n(CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly\ninitialize structures. A local attacker could exploit this to read\nportions of the kernel stack, leading to a loss of privacy.\n(CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable\nfragment identification numbers. A remote attacker could exploit this\nto exhaust network resources, leading to a denial of service.\n(CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain\ncounters. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-2918)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ubuntu.com/usn/usn-1202-1/\");\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package(s).\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/13\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2011/09/14\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(\"Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude(\"ubuntu.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/Ubuntu/release\")) exit(0, \"The host is not running Ubuntu.\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) exit(1, \"Could not obtain the list of installed packages.\");\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.10\", pkgname:\"linux-image-2.6.35-903-omap4\", pkgver:\"2.6.35-903.24\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:ubuntu_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-03T12:30:26", "bulletinFamily": "scanner", "description": "Aristide Fattori and Roberto Paleari reported a flaw in the Linux\nkernel", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-1167-1.NASL", "href": "https://www.tenable.com/plugins/nessus/55591", "published": "2011-07-14T00:00:00", "title": "Ubuntu 11.04 : linux vulnerabilities (USN-1167-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1167-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55591);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/09/19 12:54:27\");\n\n script_cve_id(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4250\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1076\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1479\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1771\", \"CVE-2011-1776\", \"CVE-2011-1927\", \"CVE-2011-2022\", \"CVE-2011-2479\", \"CVE-2011-2496\", \"CVE-2011-2498\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4913\");\n script_bugtraq_id(44354, 44630, 44661, 44665, 44758, 44793, 44830, 44861, 44921, 45004, 45028, 45037, 45055, 45125, 45159, 45321, 45323, 45556, 45629, 45660, 45986, 46073, 46417, 46419, 46442, 46488, 46492, 46557, 46732, 46839, 47116, 47639, 47791, 47792);\n script_xref(name:\"USN\", value:\"1167-1\");\n\n script_name(english:\"Ubuntu 11.04 : linux vulnerabilities (USN-1167-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Aristide Fattori and Roberto Paleari reported a flaw in the Linux\nkernel's handling of IPv4 icmp packets. A remote user could exploit\nthis to cause a denial of service. (CVE-2011-1927)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not\ncorrectly clear memory when writing certain file holes. A local\nattacker could exploit this to read uninitialized data from the disk,\nleading to a loss of privacy. (CVE-2011-0463)\n\nTimo Warns discovered that the LDM disk partition handling code did\nnot correctly handle certain values. By inserting a specially crafted\ndisk device, a local attacker could exploit this to gain root\nprivileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\nclear memory. A local attacker could exploit this to read kernel stack\nmemory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly\ncheck that device name strings were NULL terminated. A local attacker\ncould exploit this to crash the system, leading to a denial of\nservice, or leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check\nthat name fields were NULL terminated. A local attacker could exploit\nthis to leak contents of kernel stack memory, leading to a loss of\nprivacy. (CVE-2011-1080)\n\nJohan Hovold discovered that the DCCP network stack did not correctly\nhandle certain packet combinations. A remote attacker could send\nspecially crafted network traffic that would crash the system, leading\nto a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly\ninitialize memory. A local attacker could exploit this to read kernel\nheap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nVasiliy Kulikov discovered that the netfilter code did not check\ncertain strings copied from userspace. A local attacker with netfilter\naccess could exploit this to read kernel memory or crash the system,\nleading to a denial of service. (CVE-2011-1170, CVE-2011-1171,\nCVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver\ndid not correctly initialize memory. A remote attacker could send\nspecially crafted traffic to read kernel stack memory, leading to a\nloss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly\ncheck certain field sizes. If a system was using IRDA, a remote\nattacker could send specially crafted traffic to crash the system or\ngain root privileges. (CVE-2011-1180)\n\nDan Rosenberg reported errors in the OSS (Open Sound System) MIDI\ninterface. A local attacker on non-x86 systems might be able to cause\na denial of service. (CVE-2011-1476)\n\nDan Rosenberg reported errors in the kernel's OSS (Open Sound System)\ndriver for Yamaha FM synthesizer chips. A local user can exploit this\nto cause memory corruption, causing a denial of service or privilege\nescalation. (CVE-2011-1477)\n\nIt was discovered that the security fix for CVE-2010-4250 introduced a\nregression. A remote attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-1479)\n\nDan Rosenberg discovered that MPT devices did not correctly validate\ncertain values in ioctl calls. If these drivers were loaded, a local\nattacker could exploit this to read arbitrary kernel memory, leading\nto a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTavis Ormandy discovered that the pidmap function did not correctly\nhandle large requests. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver\ndid not correctly validate certain socket structures. If this driver\nwas loaded, a local attacker could crash the system, leading to a\ndenial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain\nioctl values. A local attacker with access to the video subsystem\ncould exploit this to crash the system, leading to a denial of\nservice, or possibly gain root privileges. (CVE-2011-1745,\nCVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size\nof certain memory allocations. A local attacker with access to the\nvideo subsystem could exploit this to run the system out of memory,\nleading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg reported an error in the old ABI compatibility layer of\nARM kernels. A local attacker could exploit this flaw to cause a\ndenial of service or gain root privileges. (CVE-2011-1759)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle\ncertain packet structures. A remote attacker could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1770)\n\nBen Greear discovered that CIFS did not correctly handle direct I/O. A\nlocal attacker with access to a CIFS partition could exploit this to\ncrash the system, leading to a denial of service. (CVE-2011-1771)\n\nTimo Warns discovered that the EFI GUID partition table was not\ncorrectly parsed. A physically local attacker that could insert\nmountable devices could exploit this to crash the system or possibly\ngain root privileges. (CVE-2011-1776)\n\nIt was discovered that an mmap() call with the MAP_PRIVATE flag on\n'/dev/zero' was incorrectly handled. A local attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2011-2479)\n\nRobert Swiecki discovered that mapping extensions were incorrectly\nhandled. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2011-2496)\n\nThe linux kernel did not properly account for PTE pages when deciding\nwhich task to kill in out of memory conditions. A local, unprivileged\ncould exploit this flaw to cause a denial of service. (CVE-2011-2498)\n\nA flaw was found in the b43 driver in the Linux kernel. An attacker\ncould use this flaw to cause a denial of service if the system has an\nactive wireless interface using the b43 driver. (CVE-2011-3359)\n\nYogesh Sharma discovered that CIFS did not correctly handle UNCs that\nhad no prefixpaths. A local attacker with access to a CIFS partition\ncould exploit this to crash the system, leading to a denial of\nservice. (CVE-2011-3363)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used\nby amateur radio. A local user or a remote user on an X.25 network\ncould exploit these flaws to execute arbitrary code as root.\n(CVE-2011-4913).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1167-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-versatile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(11\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 11.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4250\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2010-4668\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1044\", \"CVE-2011-1076\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1476\", \"CVE-2011-1477\", \"CVE-2011-1479\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1745\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1748\", \"CVE-2011-1759\", \"CVE-2011-1770\", \"CVE-2011-1771\", \"CVE-2011-1776\", \"CVE-2011-1927\", \"CVE-2011-2022\", \"CVE-2011-2479\", \"CVE-2011-2496\", \"CVE-2011-2498\", \"CVE-2011-2534\", \"CVE-2011-3359\", \"CVE-2011-3363\", \"CVE-2011-4913\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1167-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-generic\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-generic-pae\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-server\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-versatile\", pkgver:\"2.6.38-10.46\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"linux-image-2.6.38-10-virtual\", pkgver:\"2.6.38-10.46\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-2.6-generic / linux-image-2.6-generic-pae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-03T12:30:22", "bulletinFamily": "scanner", "description": "Dan Rosenberg discovered that the RDS network protocol did not\ncorrectly check certain parameters. A local attacker could exploit\nthis gain root privileges. (CVE-2010-3904)\n\nNelson Elhage discovered several problems with the Acorn Econet\nprotocol driver. A local user could cause a denial of service via a\nNULL pointer dereference, escalate privileges by overflowing the\nkernel stack, and assign Econet addresses to arbitrary interfaces.\n(CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)\n\nBen Hawkes discovered that the Linux kernel did not correctly filter\nregisters on 64bit kernels when performing 32bit system calls. On a\n64bit system, a local attacker could manipulate 32bit system calls to\ngain root privileges. (CVE-2010-3301)\n\nAl Viro discovered a race condition in the TTY driver. A local\nattacker could exploit this to crash the system, leading to a denial\nof service. (CVE-2009-4895)\n\nGleb Napatov discovered that KVM did not correctly check certain\nprivileged operations. A local attacker with access to a guest kernel\ncould exploit this to crash the host system, leading to a denial of\nservice. (CVE-2010-0435)\n\nDan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not\ncorrectly check file permissions. A local attacker could overwrite\nappend-only files, leading to potential data loss. (CVE-2010-2066)\n\nDan Rosenberg discovered that the swapexit xfs ioctl did not correctly\ncheck file permissions. A local attacker could exploit this to read\nfrom write-only files, leading to a loss of privacy. (CVE-2010-2226)\n\nSuresh Jayaraman discovered that CIFS did not correctly validate\ncertain response packats. A remote attacker could send specially\ncrafted traffic that would crash the system, leading to a denial of\nservice. (CVE-2010-2248)\n\nBen Hutchings discovered that the ethtool interface did not correctly\ncheck certain sizes. A local attacker could perform malicious ioctl\ncalls that could crash the system, leading to a denial of service.\n(CVE-2010-2478, CVE-2010-3084)\n\nJames Chapman discovered that L2TP did not correctly evaluate checksum\ncapabilities. If an attacker could make malicious routing changes,\nthey could crash the system, leading to a denial of service.\n(CVE-2010-2495)\n\nNeil Brown discovered that NFSv4 did not correctly check certain write\nrequests. A remote attacker could send specially crafted traffic that\ncould crash the system or possibly gain root privileges.\n(CVE-2010-2521)\n\nDavid Howells discovered that DNS resolution in CIFS could be spoofed.\nA local attacker could exploit this to control DNS replies, leading to\na loss of privacy and possible privilege escalation. (CVE-2010-2524)\n\nDan Rosenberg discovered that the btrfs filesystem did not correctly\nvalidate permissions when using the clone function. A local attacker\ncould overwrite the contents of file handles that were opened for\nappend-only, or potentially read arbitrary contents, leading to a loss\nof privacy. (CVE-2010-2537, CVE-2010-2538)\n\nBob Peterson discovered that GFS2 rename operations did not correctly\nvalidate certain sizes. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-2798)\n\nEric Dumazet discovered that many network functions could leak kernel\nstack contents. A local attacker could exploit this to read portions\nof kernel memory, leading to a loss of privacy. (CVE-2010-2942,\nCVE-2010-3477)\n\nDave Chinner discovered that the XFS filesystem did not correctly\norder inode lookups when exported by NFS. A remote attacker could\nexploit this to read or write disk blocks that had changed file\nassignment or had become unlinked, leading to a loss of privacy.\n(CVE-2010-2943)\n\nSergey Vlasov discovered that JFS did not correctly handle certain\nextended attributes. A local attacker could bypass namespace access\nrules, leading to a loss of privacy. (CVE-2010-2946)\n\nTavis Ormandy discovered that the IRDA subsystem did not correctly\nshut down. A local attacker could exploit this to cause the system to\ncrash or possibly gain root privileges. (CVE-2010-2954)\n\nBrad Spengler discovered that the wireless extensions did not\ncorrectly validate certain request sizes. A local attacker could\nexploit this to read portions of kernel memory, leading to a loss of\nprivacy. (CVE-2010-2955)\n\nTavis Ormandy discovered that the session keyring did not correctly\ncheck for its parent. On systems without a default session keyring, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service. (CVE-2010-2960)\n\nKees Cook discovered that the Intel i915 graphics driver did not\ncorrectly validate memory regions. A local attacker with access to the\nvideo card could read and write arbitrary kernel memory to gain root\nprivileges. (CVE-2010-2962)\n\nKees Cook discovered that the V4L1 32bit compat interface did not\ncorrectly validate certain parameters. A local attacker on a 64bit\nsystem with access to a video device could exploit this to gain root\nprivileges. (CVE-2010-2963)\n\nToshiyuki Okajima discovered that ext4 did not correctly check certain\nparameters. A local attacker could exploit this to crash the system or\noverwrite the last block of large files. (CVE-2010-3015)\n\nTavis Ormandy discovered that the AIO subsystem did not correctly\nvalidate certain parameters. A local attacker could exploit this to\ncrash the system or possibly gain root privileges. (CVE-2010-3067)\n\nDan Rosenberg discovered that certain XFS ioctls leaked kernel stack\ncontents. A local attacker could exploit this to read portions of\nkernel memory, leading to a loss of privacy. (CVE-2010-3078)\n\nRobert Swiecki discovered that ftrace did not correctly handle\nmutexes. A local attacker could exploit this to crash the kernel,\nleading to a denial of service. (CVE-2010-3079)\n\nTavis Ormandy discovered that the OSS sequencer device did not\ncorrectly shut down. A local attacker could exploit this to crash the\nsystem or possibly gain root privileges. (CVE-2010-3080)\n\nDan Rosenberg discovered that several network ioctls did not clear\nkernel memory correctly. A local user could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-3296,\nCVE-2010-3297, CVE-2010-3298)\n\nDan Rosenberg discovered that the ROSE driver did not correctly check\nparameters. A local attacker with access to a ROSE network device\ncould exploit this to crash the system or possibly gain root\nprivileges. (CVE-2010-3310)\n\nThomas Dreibholz discovered that SCTP did not correctly handle\nappending packet chunks. A remote attacker could send specially\ncrafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-3432)\n\nDan Rosenberg discovered that the CD driver did not correctly check\nparameters. A local attacker could exploit this to read arbitrary\nkernel memory, leading to a loss of privacy. (CVE-2010-3437)\n\nDan Rosenberg discovered that the Sound subsystem did not correctly\nvalidate parameters. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-3442)\n\nDan Rosenberg discovered that SCTP did not correctly handle HMAC\ncalculations. A remote attacker could send specially crafted traffic\nthat would crash the system, leading to a denial of service.\n(CVE-2010-3705)\n\nBrad Spengler discovered that stack memory for new a process was not\ncorrectly calculated. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nKees Cook discovered that the ethtool interface did not correctly\nclear kernel memory. A local attacker could read kernel heap memory,\nleading to a loss of privacy. (CVE-2010-3861)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nKees Cook and Vasiliy Kulikov discovered that the shm interface did\nnot clear kernel memory correctly. A local attacker could exploit this\nto read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4072)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface\ndriver did not correctly clear kernel memory. A local attacker could\nexploit this to read kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nJames Bottomley discovered that the ICP vortex storage array\ncontroller driver did not validate certain sizes. A local attacker on\na 64bit system could exploit this to crash the kernel, leading to a\ndenial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the socket filters did not correctly\ninitialize structure memory. A local attacker could create malicious\nfilters to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root privileges.\n(CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities\nparsing. If a system was using X.25, a remote attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS\nvalues. A local attacker could make a specially crafted socket call to\ncrash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check\nioctl arguments. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check\nif a write operation was available. If the mmap_min-addr sysctl was\nchanged from the Ubuntu default to a value of 0, a local attacker\ncould exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not\nhandled correctly for active sockets. A local attacker could exploit\nthis to allocate all available kernel memory, leading to a denial of\nservice. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle\nprocess cleanup after triggering a recoverable kernel bug. If a local\nattacker were able to trigger certain kinds of kernel bugs, they could\ncreate a specially crafted process to gain root privileges.\n(CVE-2010-4258)\n\nKees Cook discovered that some ethtool functions did not correctly\nclear heap memory. A local attacker with CAP_NET_ADMIN privileges\ncould exploit this to read portions of kernel heap memory, leading to\na loss of privacy. (CVE-2010-4655)\n\nFrank Arnold discovered that the IGMP protocol did not correctly parse\ncertain packets. A remote attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2011-0709).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-1083-1.NASL", "href": "https://www.tenable.com/plugins/nessus/65101", "published": "2013-03-09T00:00:00", "title": "Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1083-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1083-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65101);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/09/19 12:54:26\");\n\n script_cve_id(\"CVE-2009-4895\", \"CVE-2010-0435\", \"CVE-2010-2066\", \"CVE-2010-2226\", \"CVE-2010-2248\", \"CVE-2010-2478\", \"CVE-2010-2495\", \"CVE-2010-2521\", \"CVE-2010-2524\", \"CVE-2010-2537\", \"CVE-2010-2538\", \"CVE-2010-2798\", \"CVE-2010-2942\", \"CVE-2010-2943\", \"CVE-2010-2946\", \"CVE-2010-2954\", \"CVE-2010-2955\", \"CVE-2010-2960\", \"CVE-2010-2962\", \"CVE-2010-2963\", \"CVE-2010-3015\", \"CVE-2010-3067\", \"CVE-2010-3078\", \"CVE-2010-3079\", \"CVE-2010-3080\", \"CVE-2010-3084\", \"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3298\", \"CVE-2010-3301\", \"CVE-2010-3310\", \"CVE-2010-3432\", \"CVE-2010-3437\", \"CVE-2010-3442\", \"CVE-2010-3477\", \"CVE-2010-3705\", \"CVE-2010-3848\", \"CVE-2010-3849\", \"CVE-2010-3850\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3861\", \"CVE-2010-3874\", \"CVE-2010-3904\", \"CVE-2010-4072\", \"CVE-2010-4073\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4157\", \"CVE-2010-4158\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4655\", \"CVE-2011-0709\");\n script_bugtraq_id(40920, 41077, 41223, 41466, 41847, 41854, 41904, 42124, 42242, 42249, 42477, 42527, 42529, 42582, 42589, 42885, 42900, 42932, 43022, 43062, 43098, 43221, 43226, 43229, 43353, 43355, 43368, 43480, 43551, 43684, 43701, 43787, 44067, 44219, 44242, 44301, 44427, 44830, 44861, 45037, 45054, 45072);\n script_xref(name:\"USN\", value:\"1083-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1083-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Rosenberg discovered that the RDS network protocol did not\ncorrectly check certain parameters. A local attacker could exploit\nthis gain root privileges. (CVE-2010-3904)\n\nNelson Elhage discovered several problems with the Acorn Econet\nprotocol driver. A local user could cause a denial of service via a\nNULL pointer dereference, escalate privileges by overflowing the\nkernel stack, and assign Econet addresses to arbitrary interfaces.\n(CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)\n\nBen Hawkes discovered that the Linux kernel did not correctly filter\nregisters on 64bit kernels when performing 32bit system calls. On a\n64bit system, a local attacker could manipulate 32bit system calls to\ngain root privileges. (CVE-2010-3301)\n\nAl Viro discovered a race condition in the TTY driver. A local\nattacker could exploit this to crash the system, leading to a denial\nof service. (CVE-2009-4895)\n\nGleb Napatov discovered that KVM did not correctly check certain\nprivileged operations. A local attacker with access to a guest kernel\ncould exploit this to crash the host system, leading to a denial of\nservice. (CVE-2010-0435)\n\nDan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not\ncorrectly check file permissions. A local attacker could overwrite\nappend-only files, leading to potential data loss. (CVE-2010-2066)\n\nDan Rosenberg discovered that the swapexit xfs ioctl did not correctly\ncheck file permissions. A local attacker could exploit this to read\nfrom write-only files, leading to a loss of privacy. (CVE-2010-2226)\n\nSuresh Jayaraman discovered that CIFS did not correctly validate\ncertain response packats. A remote attacker could send specially\ncrafted traffic that would crash the system, leading to a denial of\nservice. (CVE-2010-2248)\n\nBen Hutchings discovered that the ethtool interface did not correctly\ncheck certain sizes. A local attacker could perform malicious ioctl\ncalls that could crash the system, leading to a denial of service.\n(CVE-2010-2478, CVE-2010-3084)\n\nJames Chapman discovered that L2TP did not correctly evaluate checksum\ncapabilities. If an attacker could make malicious routing changes,\nthey could crash the system, leading to a denial of service.\n(CVE-2010-2495)\n\nNeil Brown discovered that NFSv4 did not correctly check certain write\nrequests. A remote attacker could send specially crafted traffic that\ncould crash the system or possibly gain root privileges.\n(CVE-2010-2521)\n\nDavid Howells discovered that DNS resolution in CIFS could be spoofed.\nA local attacker could exploit this to control DNS replies, leading to\na loss of privacy and possible privilege escalation. (CVE-2010-2524)\n\nDan Rosenberg discovered that the btrfs filesystem did not correctly\nvalidate permissions when using the clone function. A local attacker\ncould overwrite the contents of file handles that were opened for\nappend-only, or potentially read arbitrary contents, leading to a loss\nof privacy. (CVE-2010-2537, CVE-2010-2538)\n\nBob Peterson discovered that GFS2 rename operations did not correctly\nvalidate certain sizes. A local attacker could exploit this to crash\nthe system, leading to a denial of service. (CVE-2010-2798)\n\nEric Dumazet discovered that many network functions could leak kernel\nstack contents. A local attacker could exploit this to read portions\nof kernel memory, leading to a loss of privacy. (CVE-2010-2942,\nCVE-2010-3477)\n\nDave Chinner discovered that the XFS filesystem did not correctly\norder inode lookups when exported by NFS. A remote attacker could\nexploit this to read or write disk blocks that had changed file\nassignment or had become unlinked, leading to a loss of privacy.\n(CVE-2010-2943)\n\nSergey Vlasov discovered that JFS did not correctly handle certain\nextended attributes. A local attacker could bypass namespace access\nrules, leading to a loss of privacy. (CVE-2010-2946)\n\nTavis Ormandy discovered that the IRDA subsystem did not correctly\nshut down. A local attacker could exploit this to cause the system to\ncrash or possibly gain root privileges. (CVE-2010-2954)\n\nBrad Spengler discovered that the wireless extensions did not\ncorrectly validate certain request sizes. A local attacker could\nexploit this to read portions of kernel memory, leading to a loss of\nprivacy. (CVE-2010-2955)\n\nTavis Ormandy discovered that the session keyring did not correctly\ncheck for its parent. On systems without a default session keyring, a\nlocal attacker could exploit this to crash the system, leading to a\ndenial of service. (CVE-2010-2960)\n\nKees Cook discovered that the Intel i915 graphics driver did not\ncorrectly validate memory regions. A local attacker with access to the\nvideo card could read and write arbitrary kernel memory to gain root\nprivileges. (CVE-2010-2962)\n\nKees Cook discovered that the V4L1 32bit compat interface did not\ncorrectly validate certain parameters. A local attacker on a 64bit\nsystem with access to a video device could exploit this to gain root\nprivileges. (CVE-2010-2963)\n\nToshiyuki Okajima discovered that ext4 did not correctly check certain\nparameters. A local attacker could exploit this to crash the system or\noverwrite the last block of large files. (CVE-2010-3015)\n\nTavis Ormandy discovered that the AIO subsystem did not correctly\nvalidate certain parameters. A local attacker could exploit this to\ncrash the system or possibly gain root privileges. (CVE-2010-3067)\n\nDan Rosenberg discovered that certain XFS ioctls leaked kernel stack\ncontents. A local attacker could exploit this to read portions of\nkernel memory, leading to a loss of privacy. (CVE-2010-3078)\n\nRobert Swiecki discovered that ftrace did not correctly handle\nmutexes. A local attacker could exploit this to crash the kernel,\nleading to a denial of service. (CVE-2010-3079)\n\nTavis Ormandy discovered that the OSS sequencer device did not\ncorrectly shut down. A local attacker could exploit this to crash the\nsystem or possibly gain root privileges. (CVE-2010-3080)\n\nDan Rosenberg discovered that several network ioctls did not clear\nkernel memory correctly. A local user could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-3296,\nCVE-2010-3297, CVE-2010-3298)\n\nDan Rosenberg discovered that the ROSE driver did not correctly check\nparameters. A local attacker with access to a ROSE network device\ncould exploit this to crash the system or possibly gain root\nprivileges. (CVE-2010-3310)\n\nThomas Dreibholz discovered that SCTP did not correctly handle\nappending packet chunks. A remote attacker could send specially\ncrafted traffic to crash the system, leading to a denial of service.\n(CVE-2010-3432)\n\nDan Rosenberg discovered that the CD driver did not correctly check\nparameters. A local attacker could exploit this to read arbitrary\nkernel memory, leading to a loss of privacy. (CVE-2010-3437)\n\nDan Rosenberg discovered that the Sound subsystem did not correctly\nvalidate parameters. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-3442)\n\nDan Rosenberg discovered that SCTP did not correctly handle HMAC\ncalculations. A remote attacker could send specially crafted traffic\nthat would crash the system, leading to a denial of service.\n(CVE-2010-3705)\n\nBrad Spengler discovered that stack memory for new a process was not\ncorrectly calculated. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to gain root privileges. (CVE-2010-3859)\n\nKees Cook discovered that the ethtool interface did not correctly\nclear kernel memory. A local attacker could read kernel heap memory,\nleading to a loss of privacy. (CVE-2010-3861)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did\nnot correctly calculate the size of certain buffers. A local attacker\ncould exploit this to crash the system or possibly execute arbitrary\ncode as the root user. (CVE-2010-3874)\n\nKees Cook and Vasiliy Kulikov discovered that the shm interface did\nnot clear kernel memory correctly. A local attacker could exploit this\nto read kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4072)\n\nDan Rosenberg discovered that IPC structures were not correctly\ninitialized on 64bit systems. A local attacker could exploit this to\nread kernel stack memory, leading to a loss of privacy.\n(CVE-2010-4073)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface\ndriver did not correctly clear kernel memory. A local attacker could\nexploit this to read kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly\nclear kernel memory. A local attacker could exploit this to read\nkernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nJames Bottomley discovered that the ICP vortex storage array\ncontroller driver did not validate certain sizes. A local attacker on\na 64bit system could exploit this to crash the kernel, leading to a\ndenial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the socket filters did not correctly\ninitialize structure memory. A local attacker could create malicious\nfilters to read portions of kernel stack memory, leading to a loss of\nprivacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation\ncontained multiple integer signedness errors. A local attacker could\nexploit this to to crash the kernel, or possibly gain root privileges.\n(CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not\ncalculate page counts correctly. A local attacker could exploit this\nto crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities\nparsing. If a system was using X.25, a remote attacker could exploit\nthis to crash the system, leading to a denial of service.\n(CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS\nvalues. A local attacker could make a specially crafted socket call to\ncrash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly\nhandle merged VMAs. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check\nioctl arguments. A local attacker could exploit this to crash the\nsystem, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check\nif a write operation was available. If the mmap_min-addr sysctl was\nchanged from the Ubuntu default to a value of 0, a local attacker\ncould exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for\nuserspace memory allocations during exec() calls. A local attacker\ncould exploit this to consume all system memory, leading to a denial\nof service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not\nhandled correctly for active sockets. A local attacker could exploit\nthis to allocate all available kernel memory, leading to a denial of\nservice. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain\nfcntl calls. A local attacker could exploit this to crash the system,\nleading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle\nprocess cleanup after triggering a recoverable kernel bug. If a local\nattacker were able to trigger certain kinds of kernel bugs, they could\ncreate a specially crafted process to gain root privileges.\n(CVE-2010-4258)\n\nKees Cook discovered that some ethtool functions did not correctly\nclear heap memory. A local attacker with CAP_NET_ADMIN privileges\ncould exploit this to read portions of kernel heap memory, leading to\na loss of privacy. (CVE-2010-4655)\n\nFrank Arnold discovered that the IGMP protocol did not correctly parse\ncertain packets. A remote attacker could send specially crafted\ntraffic to crash the system, leading to a denial of service.\n(CVE-2011-0709).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1083-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Reliable Datagram Sockets (RDS) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-headers-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-2.6-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/08/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2009-4895\", \"CVE-2010-0435\", \"CVE-2010-2066\", \"CVE-2010-2226\", \"CVE-2010-2248\", \"CVE-2010-2478\", \"CVE-2010-2495\", \"CVE-2010-2521\", \"CVE-2010-2524\", \"CVE-2010-2537\", \"CVE-2010-2538\", \"CVE-2010-2798\", \"CVE-2010-2942\", \"CVE-2010-2943\", \"CVE-2010-2946\", \"CVE-2010-2954\", \"CVE-2010-2955\", \"CVE-2010-2960\", \"CVE-2010-2962\", \"CVE-2010-2963\", \"CVE-2010-3015\", \"CVE-2010-3067\", \"CVE-2010-3078\", \"CVE-2010-3079\", \"CVE-2010-3080\", \"CVE-2010-3084\", \"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3298\", \"CVE-2010-3301\", \"CVE-2010-3310\", \"CVE-2010-3432\", \"CVE-2010-3437\", \"CVE-2010-3442\", \"CVE-2010-3477\", \"CVE-2010-3705\", \"CVE-2010-3848\", \"CVE-2010-3849\", \"CVE-2010-3850\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3861\", \"CVE-2010-3874\", \"CVE-2010-3904\", \"CVE-2010-4072\", \"CVE-2010-4073\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4157\", \"CVE-2010-4158\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4655\", \"CVE-2011-0709\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-1083-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.35-25\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.35-25-generic\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.35-25-generic-pae\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.35-25-server\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-headers-2.6.35-25-virtual\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-25-generic\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-25-generic-pae\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-25-server\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"linux-image-2.6.35-25-virtual\", pkgver:\"2.6.35-25.44~lucid1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-headers-2.6 / linux-headers-2.6-generic / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2019-05-29T17:21:58", "bulletinFamily": "unix", "description": "Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)\n\nVasiliy Kulikov discovered that kvm did not correctly clear memory. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2010-3881)\n\nDan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073)\n\nDan Rosenberg discovered that the ivtv V4L driver did not correctly initialize certian structures. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4079)\n\nDan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nDan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)\n\nBrad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges. (CVE-2010-4258)", "modified": "2011-02-01T00:00:00", "published": "2011-02-01T00:00:00", "id": "USN-1054-1", "href": "https://usn.ubuntu.com/1054-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T17:22:15", "bulletinFamily": "unix", "description": "Dan Rosenberg discovered that the RDS network protocol did not correctly check certain parameters. A local attacker could exploit this gain root privileges. (CVE-2010-3904)\n\nNelson Elhage discovered several problems with the Acorn Econet protocol driver. A local user could cause a denial of service via a NULL pointer dereference, escalate privileges by overflowing the kernel stack, and assign Econet addresses to arbitrary interfaces. (CVE-2010-3848, CVE-2010-3849, CVE-2010-3850)\n\nBen Hawkes discovered that the Linux kernel did not correctly filter registers on 64bit kernels when performing 32bit system calls. On a 64bit system, a local attacker could manipulate 32bit system calls to gain root privileges. (CVE-2010-3301)\n\nAl Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895)\n\nGleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service. (CVE-2010-0435)\n\nDan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066)\n\nDan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privacy. (CVE-2010-2226)\n\nSuresh Jayaraman discovered that CIFS did not correctly validate certain response packats. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-2248)\n\nBen Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (CVE-2010-2478, CVE-2010-3084)\n\nJames Chapman discovered that L2TP did not correctly evaluate checksum capabilities. If an attacker could make malicious routing changes, they could crash the system, leading to a denial of service. (CVE-2010-2495)\n\nNeil Brown discovered that NFSv4 did not correctly check certain write requests. A remote attacker could send specially crafted traffic that could crash the system or possibly gain root privileges. (CVE-2010-2521)\n\nDavid Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation. (CVE-2010-2524)\n\nDan Rosenberg discovered that the btrfs filesystem did not correctly validate permissions when using the clone function. A local attacker could overwrite the contents of file handles that were opened for append-only, or potentially read arbitrary contents, leading to a loss of privacy. (CVE-2010-2537, CVE-2010-2538)\n\nBob Peterson discovered that GFS2 rename operations did not correctly validate certain sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2798)\n\nEric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477)\n\nDave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943)\n\nSergey Vlasov discovered that JFS did not correctly handle certain extended attributes. A local attacker could bypass namespace access rules, leading to a loss of privacy. (CVE-2010-2946)\n\nTavis Ormandy discovered that the IRDA subsystem did not correctly shut down. A local attacker could exploit this to cause the system to crash or possibly gain root privileges. (CVE-2010-2954)\n\nBrad Spengler discovered that the wireless extensions did not correctly validate certain request sizes. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955)\n\nTavis Ormandy discovered that the session keyring did not correctly check for its parent. On systems without a default session keyring, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2960)\n\nKees Cook discovered that the Intel i915 graphics driver did not correctly validate memory regions. A local attacker with access to the video card could read and write arbitrary kernel memory to gain root privileges. (CVE-2010-2962)\n\nKees Cook discovered that the V4L1 32bit compat interface did not correctly validate certain parameters. A local attacker on a 64bit system with access to a video device could exploit this to gain root privileges. (CVE-2010-2963)\n\nToshiyuki Okajima discovered that ext4 did not correctly check certain parameters. A local attacker could exploit this to crash the system or overwrite the last block of large files. (CVE-2010-3015)\n\nTavis Ormandy discovered that the AIO subsystem did not correctly validate certain parameters. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3067)\n\nDan Rosenberg discovered that certain XFS ioctls leaked kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-3078)\n\nRobert Swiecki discovered that ftrace did not correctly handle mutexes. A local attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3079)\n\nTavis Ormandy discovered that the OSS sequencer device did not correctly shut down. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3080)\n\nDan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297, CVE-2010-3298)\n\nDan Rosenberg discovered that the ROSE driver did not correctly check parameters. A local attacker with access to a ROSE network device could exploit this to crash the system or possibly gain root privileges. (CVE-2010-3310)\n\nThomas Dreibholz discovered that SCTP did not correctly handle appending packet chunks. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2010-3432)\n\nDan Rosenberg discovered that the CD driver did not correctly check parameters. A local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2010-3437)\n\nDan Rosenberg discovered that the Sound subsystem did not correctly validate parameters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3442)\n\nDan Rosenberg discovered that SCTP did not correctly handle HMAC calculations. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-3705)\n\nBrad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)\n\nKees Cook discovered that the ethtool interface did not correctly clear kernel memory. A local attacker could read kernel heap memory, leading to a loss of privacy. (CVE-2010-3861)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)\n\nKees Cook and Vasiliy Kulikov discovered that the shm interface did not clear kernel memory correctly. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072)\n\nDan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nJames Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the socket filters did not correctly initialize structure memory. A local attacker could create malicious filters to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4158)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If a system was using X.25, a remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4164)\n\nSteve Chen discovered that setsockopt did not correctly check MSS values. A local attacker could make a specially crafted socket call to crash the system, leading to a denial of service. (CVE-2010-4165)\n\nDave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nVegard Nossum discovered that memory garbage collection was not handled correctly for active sockets. A local attacker could exploit this to allocate all available kernel memory, leading to a denial of service. (CVE-2010-4249)\n\nIt was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256)\n\nNelson Elhage discovered that the kernel did not correctly handle process cleanup after triggering a recoverable kernel bug. If a local attacker were able to trigger certain kinds of kernel bugs, they could create a specially crafted process to gain root privileges. (CVE-2010-4258)\n\nKees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655)\n\nFrank Arnold discovered that the IGMP protocol did not correctly parse certain packets. A remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-0709)", "modified": "2011-03-03T00:00:00", "published": "2011-03-03T00:00:00", "id": "USN-1083-1", "href": "https://usn.ubuntu.com/1083-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:22:37", "bulletinFamily": "unix", "description": "Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)\n\nBrad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858)\n\nDan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859)\n\nDan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874)\n\nNelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880)\n\nDan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073)\n\nDan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss of privacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\nDan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081)\n\nDan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082)\n\nDan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083)\n\nJames Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157)\n\nDan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160)\n\nDan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162)\n\nDan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668)\n\nDave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169)\n\nDan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4175)\n\nAlan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242)\n\nBrad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243)\n\nIt was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248)\n\nIt was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256)\n\nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit. (CVE-2010-4565)\n\nDan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)\n\nKees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655)\n\nKees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656)\n\nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized data from the disk, leading to a loss of privacy. (CVE-2011-0463)\n\nDan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521)\n\nJens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695)\n\nDan Rosenberg discovered that XFS did not correctly initialize memory. A local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711)\n\nRafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712)\n\nKees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726)\n\nTimo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010)\n\nTimo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012)\n\nMatthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1013)\n\nMarek Ol\u0161\u00e1k discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory. (CVE-2011-1016)\n\nTimo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017)\n\nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019)\n\nIt was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078)\n\nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079)\n\nVasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080)\n\nNelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service. (CVE-2011-1082)\n\nNeil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090)\n\nJohan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093)\n\nPeter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160)\n\nTimo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163)\n\nDan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169)\n\nVasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)\n\nVasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173)\n\nDan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180)\n\nJulien Tinnes discovered that the kernel did not correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182)\n\nRyan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478)\n\nDan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493)\n\nDan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495)\n\nTimo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577)\n\nTavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593)\n\nOliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748)\n\nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022)\n\nVasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746)\n\nDan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770)\n\nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833)\n\nVasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484)\n\nIt was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492)\n\nFernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699)\n\nThe performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918)\n\nA flaw was found in the Linux kernel\u2019s /proc/*/_map_ interface. A local, unprivileged user could exploit this flaw to cause a denial of service. (CVE-2011-3637)\n\nDan Rosenberg discovered flaws in the linux Rose (X.25 PLP) layer used by amateur radio. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4913)\n\nBen Hutchings discovered several flaws in the Linux Rose (X.25 PLP) layer. A local user or a remote user on an X.25 network could exploit these flaws to execute arbitrary code as root. (CVE-2011-4914)", "modified": "2011-09-13T00:00:00", "published": "2011-09-13T00:00:00", "id": "USN-1202-1", "href": "https://usn.ubuntu.com/1202-1/", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:39:54", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1202-1", "modified": "2019-03-13T00:00:00", "published": "2011-09-16T00:00:00", "id": "OPENVAS:1361412562310840745", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840745", "title": "Ubuntu Update for linux-ti-omap4 USN-1202-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1202_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux-ti-omap4 USN-1202-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1202-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840745\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-16 17:22:17 +0200 (Fri, 16 Sep 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name:\"USN\", value:\"1202-1\");\n script_cve_id(\"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3880\", \"CVE-2010-4073\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4083\", \"CVE-2010-4157\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4668\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4256\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2010-4655\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1020\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-2534\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1748\", \"CVE-2011-1745\", \"CVE-2011-2022\", \"CVE-2011-1746\", \"CVE-2011-1770\", \"CVE-2011-1833\", \"CVE-2011-2484\", \"CVE-2011-2492\", \"CVE-2011-2699\", \"CVE-2011-2918\");\n script_name(\"Ubuntu Update for linux-ti-omap4 USN-1202-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU10\\.10\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1202-1\");\n script_tag(name:\"affected\", value:\"linux-ti-omap4 on Ubuntu 10.10\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Dan Rosenberg discovered that several network ioctls did not clear kernel\n memory correctly. A local user could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)\n\n Brad Spengler discovered that stack memory for new a process was not\n correctly calculated. A local attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-3858)\n\n Dan Rosenberg discovered that the Linux kernel TIPC implementation\n contained multiple integer signedness errors. A local attacker could\n exploit this to gain root privileges. (CVE-2010-3859)\n\n Dan Rosenberg discovered that the CAN protocol on 64bit systems did not\n correctly calculate the size of certain buffers. A local attacker could\n exploit this to crash the system or possibly execute arbitrary code as the\n root user. (CVE-2010-3874)\n\n Nelson Elhage discovered that the Linux kernel IPv4 implementation did not\n properly audit certain bytecodes in netlink messages. A local attacker\n could exploit this to cause the kernel to hang, leading to a denial of\n service. (CVE-2010-3880)\n\n Dan Rosenberg discovered that IPC structures were not correctly initialized\n on 64bit systems. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4073)\n\n Dan Rosenberg discovered that multiple terminal ioctls did not correctly\n initialize structure memory. A local attacker could exploit this to read\n portions of kernel stack memory, leading to a loss of privacy.\n (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n\n Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver\n did not correctly clear kernel memory. A local attacker could exploit this\n to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080,\n CVE-2010-4081)\n\n Dan Rosenberg discovered that the VIA video driver did not correctly clear\n kernel memory. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4082)\n\n Dan Rosenberg discovered that the semctl syscall did not correctly clear\n kernel memory. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4083)\n\n James Bottomley discovered that the ICP vortex storage array controller\n driver did not validate certain sizes. A local attacker on a 64bit system\n could exploit this to crash the kernel, leading to a denial of service.\n (CVE-2010-4157)\n\n Dan Rosenberg discovered that the Linux kernel L2TP implementation\n contained multiple integer sign ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-903-omap4\", ver:\"2.6.35-903.24\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-12-04T11:26:35", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1202-1", "modified": "2017-12-01T00:00:00", "published": "2011-09-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840745", "id": "OPENVAS:840745", "title": "Ubuntu Update for linux-ti-omap4 USN-1202-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1202_1.nasl 7964 2017-12-01 07:32:11Z santu $\n#\n# Ubuntu Update for linux-ti-omap4 USN-1202-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dan Rosenberg discovered that several network ioctls did not clear kernel\n memory correctly. A local user could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297)\n\n Brad Spengler discovered that stack memory for new a process was not\n correctly calculated. A local attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-3858)\n \n Dan Rosenberg discovered that the Linux kernel TIPC implementation\n contained multiple integer signedness errors. A local attacker could\n exploit this to gain root privileges. (CVE-2010-3859)\n \n Dan Rosenberg discovered that the CAN protocol on 64bit systems did not\n correctly calculate the size of certain buffers. A local attacker could\n exploit this to crash the system or possibly execute arbitrary code as the\n root user. (CVE-2010-3874)\n \n Nelson Elhage discovered that the Linux kernel IPv4 implementation did not\n properly audit certain bytecodes in netlink messages. A local attacker\n could exploit this to cause the kernel to hang, leading to a denial of\n service. (CVE-2010-3880)\n \n Dan Rosenberg discovered that IPC structures were not correctly initialized\n on 64bit systems. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4073)\n \n Dan Rosenberg discovered that multiple terminal ioctls did not correctly\n initialize structure memory. A local attacker could exploit this to read\n portions of kernel stack memory, leading to a loss of privacy.\n (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077)\n \n Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver\n did not correctly clear kernel memory. A local attacker could exploit this\n to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080,\n CVE-2010-4081)\n \n Dan Rosenberg discovered that the VIA video driver did not correctly clear\n kernel memory. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4082)\n \n Dan Rosenberg discovered that the semctl syscall did not correctly clear\n kernel memory. A local attacker could exploit this to read kernel stack\n memory, leading to a loss of privacy. (CVE-2010-4083)\n \n James Bottomley discovered that the ICP vortex storage array controller\n driver did not validate certain sizes. A local attacker on a 64bit system\n could exploit this to crash the kernel, leading to a denial of service.\n (CVE-2010-4157)\n \n Dan Rosenberg discovered that the Linux kernel L2TP implementation\n contained multiple integer sign ... \n\n Description truncated, for more information please check the Reference URL\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1202-1\";\ntag_affected = \"linux-ti-omap4 on Ubuntu 10.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1202-1/\");\n script_id(840745);\n script_version(\"$Revision: 7964 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:32:11 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-16 17:22:17 +0200 (Fri, 16 Sep 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name: \"USN\", value: \"1202-1\");\n script_cve_id(\"CVE-2010-3296\", \"CVE-2010-3297\", \"CVE-2010-3858\", \"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3880\", \"CVE-2010-4073\", \"CVE-2010-4075\", \"CVE-2010-4076\", \"CVE-2010-4077\", \"CVE-2010-4080\", \"CVE-2010-4081\", \"CVE-2010-4082\", \"CVE-2010-4083\", \"CVE-2010-4157\", \"CVE-2010-4160\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4668\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4242\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4256\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2010-4655\", \"CVE-2010-4656\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1020\", \"CVE-2011-1078\", \"CVE-2011-1079\", \"CVE-2011-1080\", \"CVE-2011-1082\", \"CVE-2011-1090\", \"CVE-2011-1093\", \"CVE-2011-1160\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-2534\", \"CVE-2011-1173\", \"CVE-2011-1180\", \"CVE-2011-1182\", \"CVE-2011-1478\", \"CVE-2011-1493\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1577\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1748\", \"CVE-2011-1745\", \"CVE-2011-2022\", \"CVE-2011-1746\", \"CVE-2011-1770\", \"CVE-2011-1833\", \"CVE-2011-2484\", \"CVE-2011-2492\", \"CVE-2011-2699\", \"CVE-2011-2918\");\n script_name(\"Ubuntu Update for linux-ti-omap4 USN-1202-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.35-903-omap4\", ver:\"2.6.35-903.24\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:27:37", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1167-1", "modified": "2017-12-01T00:00:00", "published": "2011-07-18T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840699", "id": "OPENVAS:840699", "title": "Ubuntu Update for linux USN-1167-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1167_1.nasl 7964 2017-12-01 07:32:11Z santu $\n#\n# Ubuntu Update for linux USN-1167-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dan Rosenberg discovered that the Linux kernel TIPC implementation\n contained multiple integer signedness errors. A local attacker could\n exploit this to gain root privileges. (CVE-2010-3859)\n\n Dan Rosenberg discovered that the CAN protocol on 64bit systems did not\n correctly calculate the size of certain buffers. A local attacker could\n exploit this to crash the system or possibly execute arbitrary code as the\n root user. (CVE-2010-3874)\n \n Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did\n not correctly clear kernel memory. A local attacker could exploit this to\n read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)\n \n Vasiliy Kulikov discovered that the Linux kernel sockets implementation did\n not properly initialize certain structures. A local attacker could exploit\n this to read kernel stack memory, leading to a loss of privacy.\n (CVE-2010-3876)\n \n Vasiliy Kulikov discovered that the TIPC interface did not correctly\n initialize certain structures. A local attacker could exploit this to read\n kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)\n \n Nelson Elhage discovered that the Linux kernel IPv4 implementation did not\n properly audit certain bytecodes in netlink messages. A local attacker\n could exploit this to cause the kernel to hang, leading to a denial of\n service. (CVE-2010-3880)\n \n Dan Rosenberg discovered that the socket filters did not correctly\n initialize structure memory. A local attacker could create malicious\n filters to read portions of kernel stack memory, leading to a loss of\n privacy. (CVE-2010-4158)\n \n Dan Rosenberg discovered that certain iovec operations did not calculate\n page counts correctly. A local attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-4162)\n \n Dan Rosenberg discovered that the SCSI subsystem did not correctly validate\n iov segments. A local attacker with access to a SCSI device could send\n specially crafted requests to crash the system, leading to a denial of\n service. (CVE-2010-4163, CVE-2010-4668)\n \n Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If\n a system was using X.25, a remote attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-4164)\n \n Steve Chen discovered that setsockopt did not correctly check MSS values. A\n local attacker could make a specially crafted socket call to crash the\n system, leading to a denial of service. (CVE-2010-4165)\n \n Dave Jones discovered that the mprotect system call did not correctly\n handle merged VMAs. A ... \n\n Description truncated, for more information please check the Reference URL\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1167-1\";\ntag_affected = \"linux on Ubuntu 11.04\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1167-1/\");\n script_id(840699);\n script_version(\"$Revision: 7964 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:32:11 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-18 15:23:56 +0200 (Mon, 18 Jul 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name: \"USN\", value: \"1167-1\");\n script_cve_id(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4668\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1076\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-2534\", \"CVE-2011-1173\", \"CVE-2011-1182\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1748\", \"CVE-2011-1745\", \"CVE-2011-2022\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1770\");\n script_name(\"Ubuntu Update for linux USN-1167-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-generic\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-generic-pae\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-omap\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc-smp\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc64-smp\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-server\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-versatile\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-virtual\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:59", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1167-1", "modified": "2019-03-13T00:00:00", "published": "2011-07-18T00:00:00", "id": "OPENVAS:1361412562310840699", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840699", "title": "Ubuntu Update for linux USN-1167-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1167_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for linux USN-1167-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1167-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840699\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-07-18 15:23:56 +0200 (Mon, 18 Jul 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_xref(name:\"USN\", value:\"1167-1\");\n script_cve_id(\"CVE-2010-3859\", \"CVE-2010-3874\", \"CVE-2010-3875\", \"CVE-2010-3876\", \"CVE-2010-3877\", \"CVE-2010-3880\", \"CVE-2010-4158\", \"CVE-2010-4162\", \"CVE-2010-4163\", \"CVE-2010-4668\", \"CVE-2010-4164\", \"CVE-2010-4165\", \"CVE-2010-4169\", \"CVE-2010-4175\", \"CVE-2010-4243\", \"CVE-2010-4248\", \"CVE-2010-4249\", \"CVE-2010-4256\", \"CVE-2010-4258\", \"CVE-2010-4342\", \"CVE-2010-4346\", \"CVE-2010-4527\", \"CVE-2010-4529\", \"CVE-2010-4565\", \"CVE-2010-4649\", \"CVE-2011-1044\", \"CVE-2011-0463\", \"CVE-2011-0521\", \"CVE-2011-0695\", \"CVE-2011-0711\", \"CVE-2011-0712\", \"CVE-2011-0726\", \"CVE-2011-0999\", \"CVE-2011-1010\", \"CVE-2011-1012\", \"CVE-2011-1013\", \"CVE-2011-1016\", \"CVE-2011-1017\", \"CVE-2011-1019\", \"CVE-2011-1076\", \"CVE-2011-1082\", \"CVE-2011-1083\", \"CVE-2011-1090\", \"CVE-2011-1163\", \"CVE-2011-1169\", \"CVE-2011-1170\", \"CVE-2011-1171\", \"CVE-2011-1172\", \"CVE-2011-2534\", \"CVE-2011-1173\", \"CVE-2011-1182\", \"CVE-2011-1494\", \"CVE-2011-1495\", \"CVE-2011-1593\", \"CVE-2011-1598\", \"CVE-2011-1748\", \"CVE-2011-1745\", \"CVE-2011-2022\", \"CVE-2011-1746\", \"CVE-2011-1747\", \"CVE-2011-1770\");\n script_name(\"Ubuntu Update for linux USN-1167-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU11\\.04\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1167-1\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 11.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Dan Rosenberg discovered that the Linux kernel TIPC implementation\n contained multiple integer signedness errors. A local attacker could\n exploit this to gain root privileges. (CVE-2010-3859)\n\n Dan Rosenberg discovered that the CAN protocol on 64bit systems did not\n correctly calculate the size of certain buffers. A local attacker could\n exploit this to crash the system or possibly execute arbitrary code as the\n root user. (CVE-2010-3874)\n\n Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did\n not correctly clear kernel memory. A local attacker could exploit this to\n read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)\n\n Vasiliy Kulikov discovered that the Linux kernel sockets implementation did\n not properly initialize certain structures. A local attacker could exploit\n this to read kernel stack memory, leading to a loss of privacy.\n (CVE-2010-3876)\n\n Vasiliy Kulikov discovered that the TIPC interface did not correctly\n initialize certain structures. A local attacker could exploit this to read\n kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)\n\n Nelson Elhage discovered that the Linux kernel IPv4 implementation did not\n properly audit certain bytecodes in netlink messages. A local attacker\n could exploit this to cause the kernel to hang, leading to a denial of\n service. (CVE-2010-3880)\n\n Dan Rosenberg discovered that the socket filters did not correctly\n initialize structure memory. A local attacker could create malicious\n filters to read portions of kernel stack memory, leading to a loss of\n privacy. (CVE-2010-4158)\n\n Dan Rosenberg discovered that certain iovec operations did not calculate\n page counts correctly. A local attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-4162)\n\n Dan Rosenberg discovered that the SCSI subsystem did not correctly validate\n iov segments. A local attacker with access to a SCSI device could send\n specially crafted requests to crash the system, leading to a denial of\n service. (CVE-2010-4163, CVE-2010-4668)\n\n Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If\n a system was using X.25, a remote attacker could exploit this to crash the\n system, leading to a denial of service. (CVE-2010-4164)\n\n Steve Chen discovered that setsockopt did not correctly check MSS values. A\n local attacker could make a specially crafted socket call to crash the\n system, leading to a denial of service. (CVE-2010-4165)\n\n Dave Jones discovered that the mprotect system call did not correctly\n handle merged VMAs. A ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-generic\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-generic-pae\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-omap\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc-smp\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-powerpc64-smp\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-server\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-versatile\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-2.6.38-10-virtual\", ver:\"2.6.38-10.46\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:15", "bulletinFamily": "exploit", "description": "", "modified": "2011-09-14T00:00:00", "published": "2011-09-14T00:00:00", "href": "https://packetstormsecurity.com/files/105078/Ubuntu-Security-Notice-USN-1202-1.html", "id": "PACKETSTORM:105078", "type": "packetstorm", "title": "Ubuntu Security Notice USN-1202-1", "sourceData": "`========================================================================== \nUbuntu Security Notice USN-1202-1 \nSeptember 13, 2011 \n \nlinux-ti-omap4 vulnerabilities \n========================================================================== \n \nA security issue affects these releases of Ubuntu and its derivatives: \n \n- Ubuntu 10.10 \n \nSummary: \n \nMultiple kernel flaws have been fixed. \n \nSoftware Description: \n- linux-ti-omap4: Linux kernel for OMAP4 \n \nDetails: \n \nDan Rosenberg discovered that several network ioctls did not clear kernel \nmemory correctly. A local user could exploit this to read kernel stack \nmemory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297) \n \nBrad Spengler discovered that stack memory for new a process was not \ncorrectly calculated. A local attacker could exploit this to crash the \nsystem, leading to a denial of service. (CVE-2010-3858) \n \nDan Rosenberg discovered that the Linux kernel TIPC implementation \ncontained multiple integer signedness errors. A local attacker could \nexploit this to gain root privileges. (CVE-2010-3859) \n \nDan Rosenberg discovered that the CAN protocol on 64bit systems did not \ncorrectly calculate the size of certain buffers. A local attacker could \nexploit this to crash the system or possibly execute arbitrary code as the \nroot user. (CVE-2010-3874) \n \nNelson Elhage discovered that the Linux kernel IPv4 implementation did not \nproperly audit certain bytecodes in netlink messages. A local attacker \ncould exploit this to cause the kernel to hang, leading to a denial of \nservice. (CVE-2010-3880) \n \nDan Rosenberg discovered that IPC structures were not correctly initialized \non 64bit systems. A local attacker could exploit this to read kernel stack \nmemory, leading to a loss of privacy. (CVE-2010-4073) \n \nDan Rosenberg discovered that multiple terminal ioctls did not correctly \ninitialize structure memory. A local attacker could exploit this to read \nportions of kernel stack memory, leading to a loss of privacy. \n(CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) \n \nDan Rosenberg discovered that the RME Hammerfall DSP audio interface driver \ndid not correctly clear kernel memory. A local attacker could exploit this \nto read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, \nCVE-2010-4081) \n \nDan Rosenberg discovered that the VIA video driver did not correctly clear \nkernel memory. A local attacker could exploit this to read kernel stack \nmemory, leading to a loss of privacy. (CVE-2010-4082) \n \nDan Rosenberg discovered that the semctl syscall did not correctly clear \nkernel memory. A local attacker could exploit this to read kernel stack \nmemory, leading to a loss of privacy. (CVE-2010-4083) \n \nJames Bottomley discovered that the ICP vortex storage array controller \ndriver did not validate certain sizes. A local attacker on a 64bit system \ncould exploit this to crash the kernel, leading to a denial of service. \n(CVE-2010-4157) \n \nDan Rosenberg discovered that the Linux kernel L2TP implementation \ncontained multiple integer signedness errors. A local attacker could \nexploit this to to crash the kernel, or possibly gain root privileges. \n(CVE-2010-4160) \n \nDan Rosenberg discovered that certain iovec operations did not calculate \npage counts correctly. A local attacker could exploit this to crash the \nsystem, leading to a denial of service. (CVE-2010-4162) \n \nDan Rosenberg discovered that the SCSI subsystem did not correctly validate \niov segments. A local attacker with access to a SCSI device could send \nspecially crafted requests to crash the system, leading to a denial of \nservice. (CVE-2010-4163, CVE-2010-4668) \n \nDave Jones discovered that the mprotect system call did not correctly \nhandle merged VMAs. A local attacker could exploit this to crash the \nsystem, leading to a denial of service. (CVE-2010-4169) \n \nDan Rosenberg discovered that the RDS protocol did not correctly check \nioctl arguments. A local attacker could exploit this to crash the system, \nleading to a denial of service. (CVE-2010-4175) \n \nAlan Cox discovered that the HCI UART driver did not correctly check if a \nwrite operation was available. If the mmap_min-addr sysctl was changed from \nthe Ubuntu default to a value of 0, a local attacker could exploit this \nflaw to gain root privileges. (CVE-2010-4242) \n \nBrad Spengler discovered that the kernel did not correctly account for \nuserspace memory allocations during exec() calls. A local attacker could \nexploit this to consume all system memory, leading to a denial of service. \n(CVE-2010-4243) \n \nIt was discovered that multithreaded exec did not handle CPU timers \ncorrectly. A local attacker could exploit this to crash the system, leading \nto a denial of service. (CVE-2010-4248) \n \nIt was discovered that named pipes did not correctly handle certain fcntl \ncalls. A local attacker could exploit this to crash the system, leading to \na denial of service. (CVE-2010-4256) \n \nDan Rosenburg discovered that the CAN subsystem leaked kernel addresses \ninto the /proc filesystem. A local attacker could use this to increase the \nchances of a successful memory corruption exploit. (CVE-2010-4565) \n \nDan Carpenter discovered that the Infiniband driver did not correctly \nhandle certain requests. A local user could exploit this to crash the \nsystem or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) \n \nKees Cook discovered that some ethtool functions did not correctly clear \nheap memory. A local attacker with CAP_NET_ADMIN privileges could exploit \nthis to read portions of kernel heap memory, leading to a loss of privacy. \n(CVE-2010-4655) \n \nKees Cook discovered that the IOWarrior USB device driver did not correctly \ncheck certain size fields. A local attacker with physical access could plug \nin a specially crafted USB device to crash the system or potentially gain \nroot privileges. (CVE-2010-4656) \n \nGoldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly \nclear memory when writing certain file holes. A local attacker could \nexploit this to read uninitialized data from the disk, leading to a loss of \nprivacy. (CVE-2011-0463) \n \nDan Carpenter discovered that the TTPCI DVB driver did not check certain \nvalues during an ioctl. If the dvb-ttpci module was loaded, a local \nattacker could exploit this to crash the system, leading to a denial of \nservice, or possibly gain root privileges. (CVE-2011-0521) \n \nJens Kuehnel discovered that the InfiniBand driver contained a race \ncondition. On systems using InfiniBand, a local attacker could send \nspecially crafted requests to crash the system, leading to a denial of \nservice. (CVE-2011-0695) \n \nDan Rosenberg discovered that XFS did not correctly initialize memory. A \nlocal attacker could make crafted ioctl calls to leak portions of kernel \nstack memory, leading to a loss of privacy. (CVE-2011-0711) \n \nRafael Dominguez Vega discovered that the caiaq Native Instruments USB \ndriver did not correctly validate string lengths. A local attacker with \nphysical access could plug in a specially crafted USB device to crash the \nsystem or potentially gain root privileges. (CVE-2011-0712) \n \nKees Cook reported that /proc/pid/stat did not correctly filter certain \nmemory locations. A local attacker could determine the memory layout of \nprocesses in an attempt to increase the chances of a successful memory \ncorruption exploit. (CVE-2011-0726) \n \nTimo Warns discovered that MAC partition parsing routines did not correctly \ncalculate block counts. A local attacker with physical access could plug in \na specially crafted block device to crash the system or potentially gain \nroot privileges. (CVE-2011-1010) \n \nTimo Warns discovered that LDM partition parsing routines did not correctly \ncalculate block counts. A local attacker with physical access could plug in \na specially crafted block device to crash the system, leading to a denial \nof service. (CVE-2011-1012) \n \nMatthiew Herrb discovered that the drm modeset interface did not correctly \nhandle a signed comparison. A local attacker could exploit this to crash \nthe system or possibly gain root privileges. (CVE-2011-1013) \n \nMarek Ol\u0161\u00e1k discovered that the Radeon GPU drivers did not correctly \nvalidate certain registers. On systems with specific hardware, a local \nattacker could exploit this to write to arbitrary video memory. \n(CVE-2011-1016) \n \nTimo Warns discovered that the LDM disk partition handling code did not \ncorrectly handle certain values. By inserting a specially crafted disk \ndevice, a local attacker could exploit this to gain root privileges. \n(CVE-2011-1017) \n \nVasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not \nneeded to load kernel modules. A local attacker with the CAP_NET_ADMIN \ncapability could load existing kernel modules, possibly increasing the \nattack surface available on the system. (CVE-2011-1019) \n \nIt was discovered that the /proc filesystem did not correctly handle \npermission changes when programs executed. A local attacker could hold open \nfiles to examine details about programs running with higher privileges, \npotentially increasing the chances of exploiting additional \nvulnerabilities. (CVE-2011-1020) \n \nVasiliy Kulikov discovered that the Bluetooth stack did not correctly clear \nmemory. A local attacker could exploit this to read kernel stack memory, \nleading to a loss of privacy. (CVE-2011-1078) \n \nVasiliy Kulikov discovered that the Bluetooth stack did not correctly check \nthat device name strings were NULL terminated. A local attacker could \nexploit this to crash the system, leading to a denial of service, or leak \ncontents of kernel stack memory, leading to a loss of privacy. \n(CVE-2011-1079) \n \nVasiliy Kulikov discovered that bridge network filtering did not check that \nname fields were NULL terminated. A local attacker could exploit this to \nleak contents of kernel stack memory, leading to a loss of privacy. \n(CVE-2011-1080) \n \nNelson Elhage discovered that the epoll subsystem did not correctly handle \ncertain structures. A local attacker could create malicious requests that \nwould hang the system, leading to a denial of service. (CVE-2011-1082) \n \nNeil Horman discovered that NFSv4 did not correctly handle certain orders \nof operation with ACL data. A remote attacker with access to an NFSv4 mount \ncould exploit this to crash the system, leading to a denial of service. \n(CVE-2011-1090) \n \nJohan Hovold discovered that the DCCP network stack did not correctly \nhandle certain packet combinations. A remote attacker could send specially \ncrafted network traffic that would crash the system, leading to a denial of \nservice. (CVE-2011-1093) \n \nPeter Huewe discovered that the TPM device did not correctly initialize \nmemory. A local attacker could exploit this to read kernel heap memory \ncontents, leading to a loss of privacy. (CVE-2011-1160) \n \nTimo Warns discovered that OSF partition parsing routines did not correctly \nclear memory. A local attacker with physical access could plug in a \nspecially crafted block device to read kernel memory, leading to a loss of \nprivacy. (CVE-2011-1163) \n \nDan Rosenberg discovered that some ALSA drivers did not correctly check the \nadapter index during ioctl calls. If this driver was loaded, a local \nattacker could make a specially crafted ioctl call to gain root privileges. \n(CVE-2011-1169) \n \nVasiliy Kulikov discovered that the netfilter code did not check certain \nstrings copied from userspace. A local attacker with netfilter access could \nexploit this to read kernel memory or crash the system, leading to a denial \nof service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) \n \nVasiliy Kulikov discovered that the Acorn Universal Networking driver did \nnot correctly initialize memory. A remote attacker could send specially \ncrafted traffic to read kernel stack memory, leading to a loss of privacy. \n(CVE-2011-1173) \n \nDan Rosenberg discovered that the IRDA subsystem did not correctly check \ncertain field sizes. If a system was using IRDA, a remote attacker could \nsend specially crafted traffic to crash the system or gain root privileges. \n(CVE-2011-1180) \n \nJulien Tinnes discovered that the kernel did not correctly validate the \nsignal structure from tkill(). A local attacker could exploit this to send \nsignals to arbitrary threads, possibly bypassing expected restrictions. \n(CVE-2011-1182) \n \nRyan Sweat discovered that the GRO code did not correctly validate memory. \nIn some configurations on systems using VLANs, a remote attacker could send \nspecially crafted traffic to crash the system, leading to a denial of \nservice. (CVE-2011-1478) \n \nDan Rosenberg discovered that the X.25 Rose network stack did not correctly \nhandle certain fields. If a system was running with Rose enabled, a remote \nattacker could send specially crafted traffic to gain root privileges. \n(CVE-2011-1493) \n \nDan Rosenberg discovered that MPT devices did not correctly validate \ncertain values in ioctl calls. If these drivers were loaded, a local \nattacker could exploit this to read arbitrary kernel memory, leading to a \nloss of privacy. (CVE-2011-1494, CVE-2011-1495) \n \nTimo Warns discovered that the GUID partition parsing routines did not \ncorrectly validate certain structures. A local attacker with physical \naccess could plug in a specially crafted block device to crash the system, \nleading to a denial of service. (CVE-2011-1577) \n \nTavis Ormandy discovered that the pidmap function did not correctly handle \nlarge requests. A local attacker could exploit this to crash the system, \nleading to a denial of service. (CVE-2011-1593) \n \nOliver Hartkopp and Dave Jones discovered that the CAN network driver did \nnot correctly validate certain socket structures. If this driver was \nloaded, a local attacker could crash the system, leading to a denial of \nservice. (CVE-2011-1598, CVE-2011-1748) \n \nVasiliy Kulikov discovered that the AGP driver did not check certain ioctl \nvalues. A local attacker with access to the video subsystem could exploit \nthis to crash the system, leading to a denial of service, or possibly gain \nroot privileges. (CVE-2011-1745, CVE-2011-2022) \n \nVasiliy Kulikov discovered that the AGP driver did not check the size of \ncertain memory allocations. A local attacker with access to the video \nsubsystem could exploit this to run the system out of memory, leading to a \ndenial of service. (CVE-2011-1746) \n \nDan Rosenberg discovered that the DCCP stack did not correctly handle \ncertain packet structures. A remote attacker could exploit this to crash \nthe system, leading to a denial of service. (CVE-2011-1770) \n \nVasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not \ncorrectly check the origin of mount points. A local attacker could exploit \nthis to trick the system into unmounting arbitrary mount points, leading to \na denial of service. (CVE-2011-1833) \n \nVasiliy Kulikov discovered that taskstats listeners were not correctly \nhandled. A local attacker could expoit this to exhaust memory and CPU \nresources, leading to a denial of service. (CVE-2011-2484) \n \nIt was discovered that Bluetooth l2cap and rfcomm did not correctly \ninitialize structures. A local attacker could exploit this to read portions \nof the kernel stack, leading to a loss of privacy. (CVE-2011-2492) \n \nFernando Gont discovered that the IPv6 stack used predictable fragment \nidentification numbers. A remote attacker could exploit this to exhaust \nnetwork resources, leading to a denial of service. (CVE-2011-2699) \n \nThe performance counter subsystem did not correctly handle certain \ncounters. A local attacker could exploit this to crash the system, leading \nto a denial of service. (CVE-2011-2918) \n \nUpdate instructions: \n \nThe problem can be corrected by updating your system to the following \npackage versions: \n \nUbuntu 10.10: \nlinux-image-2.6.35-903-omap4 2.6.35-903.24 \n \nAfter a standard system update you need to reboot your computer to make \nall the necessary changes. \n \nReferences: \nhttp://www.ubuntu.com/usn/usn-1202-1 \nCVE-2010-3296, CVE-2010-3297, CVE-2010-3858, CVE-2010-3859, \nCVE-2010-3874, CVE-2010-3880, CVE-2010-4073, CVE-2010-4075, \nCVE-2010-4076, CVE-2010-4077, CVE-2010-4080, CVE-2010-4081, \nCVE-2010-4082, CVE-2010-4083, CVE-2010-4157, CVE-2010-4160, \nCVE-2010-4162, CVE-2010-4163, CVE-2010-4169, CVE-2010-4175, \nCVE-2010-4242, CVE-2010-4243, CVE-2010-4248, CVE-2010-4256, \nCVE-2010-4565, CVE-2010-4649, CVE-2010-4655, CVE-2010-4656, \nCVE-2010-4668, CVE-2011-0463, CVE-2011-0521, CVE-2011-0695, \nCVE-2011-0711, CVE-2011-0712, CVE-2011-0726, CVE-2011-1010, \nCVE-2011-1012, CVE-2011-1013, CVE-2011-1016, CVE-2011-1017, \n \nPackage Information: \nhttps://launchpad.net/ubuntu/+source/linux-ti-omap4/2.6.35-903.24 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/105078/USN-1202-1.txt", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}