The SUSE Linux Enterprise 11 Service Pack 1 kernel was
updated to 2.6.32.43 and fixes various bugs and security
issues.
The following security issues were fixed:
CVE-2011-2496: The normal mmap paths all avoid
creating a mapping where the pgoff inside the mapping could
wrap around due to overflow. However, an expanding mremap()
can take such a non-wrapping mapping and make it bigger and
cause a wrapping condition.
CVE-2011-2491: A local unprivileged user able to
access an NFS filesystem could use file locking to deadlock
parts of an NFS server under some circumstances.
CVE-2011-2183: Fixed a race between ksmd and other
memory management code, which could result in a NULL
pointer dereference and kernel crash.
CVE-2011-2517: In both trigger_scan and sched_scan
operations, the SSID length was checked before the value
had been assigned. Since the memory had just been
kzalloc'ed, the check never triggered and SSIDs with over
32 characters were allowed to go through. This required
CAP_NET_ADMIN privileges to be exploited.
CVE-2011-2213: A malicious user or buggy application
could inject diagnosing byte code and trigger an infinite
loop in inet_diag_bc_audit().
CVE-2011-1017, CVE-2011-1012, CVE-2011-2182: The code
for evaluating LDM partitions (in fs/partitions/ldm.c)
contained bugs that could crash the kernel for certain
corrupted LDM partitions.
CVE-2011-1593: Multiple integer overflows in the
next_pidmap function in kernel/pid.c in the Linux kernel
allowed local users to cause a denial of service (system
crash) via a crafted (1) getdents or (2) readdir system
call.
CVE-2011-1020: The proc filesystem implementation in
the Linux kernel did not restrict access to the /proc
directory tree of a process after this process performs an
exec of a setuid program, which allowed local users to
obtain sensitive information or cause a denial of service
via open, lseek, read, and write system calls.
CVE-2011-1585: When using a setuid root mount.cifs,
local users could hijack password protected mounted CIFS
shares of other local users.
CVE-2011-1160: A kernel information leak via the TPM
devices could be used by local attackers to read kernel
memory.
CVE-2011-1577: The Linux kernel automatically
evaluated partition tables of storage devices. The code for
evaluating EFI GUID partitions (in fs/partitions/efi.c)
contained a bug that caused a kernel oops on certain
corrupted GUID partition tables, which might be used by
local attackers to crash the kernel or potentially execute
code.
CVE-2011-1078: In a Bluetooth ioctl, struct
sco_conninfo has one padding byte at the end. Local
variable cinfo of type sco_conninfo was copied to userspace
with this one byte uninitialized, leaking old stack
contents.
CVE-2011-1079: In a Bluetooth ioctl, struct ca is
copied from userspace. It was not checked whether the
"device" field was NUL-terminated. This potentially leads
to BUG() inside of alloc_netdev_mqs() and/or an information
leak by creating a device with a name made of contents of
the kernel stack.
CVE-2011-1080: In ebtables rule loading, struct tmp
is copied from userspace. It was not checked whether the
"name" field was NUL-terminated. This may have led to a
buffer overflow and to passing contents of the kernel stack
as a module name to try_then_request_module() and,
consequently, to the modprobe command line. It would be
seen by all userspace processes.
CVE-2011-1173: The econet_sendmsg function in
net/econet/af_econet.c in the Linux kernel on the x86_64
platform allowed remote attackers to obtain potentially
sensitive information from kernel stack memory by reading
uninitialized data in the ah field of an Acorn Universal
Networking (AUN) packet.
CVE-2011-1170: net/ipv4/netfilter/arp_tables.c in the
IPv4 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.
CVE-2011-1171: net/ipv4/netfilter/ip_tables.c in the
IPv4 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.
CVE-2011-1172: net/ipv6/netfilter/ip6_tables.c in the
IPv6 implementation in the Linux kernel did not place the
expected '\0' character at the end of string data in the
values of certain structure members, which allowed local
users to obtain potentially sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability to
issue a crafted request, and then reading the argument to
the resulting modprobe process.
CVE-2011-1746: Multiple integer overflows in the (1)
agp_allocate_memory and (2) agp_create_user_memory
functions in drivers/char/agp/generic.c in the Linux kernel
before allowed local users to trigger buffer overflows, and
consequently cause a denial of service (system crash) or
possibly have unspecified other impact, via vectors related
to calls that specify a large number of memory pages.
CVE-2011-1745: Integer overflow in the
agp_generic_insert_memory function in
drivers/char/agp/generic.c in the Linux kernel allowed
local users to gain privileges or cause a denial of service
(system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl
call.
CVE-2011-1598: The bcm_release function in
net/can/bcm.c in the Linux kernel did not properly validate
a socket data structure, which allowed local users to cause
a denial of service (NULL pointer dereference) or possibly
have unspecified other impact via a crafted release
operation.
CVE-2011-1748: The raw_release function in
net/can/raw.c in the Linux kernel did not properly validate
a socket data structure, which allowed local users to cause
a denial of service (NULL pointer dereference) or possibly
have unspecified other impact via a crafted release
operation.
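Added example for the CVE-2011-2517 entry above (not code from SUSE or the kernel source): the same 32-byte SSID bound tested in the buggy order and in the fixed order. The struct, function names and the request sizes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX 32  /* limit named in the advisory */

/* Hypothetical stand-in for one SSID slot in a scan request. */
struct ssid_slot {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
};

/* Buggy order: the bound is tested on the still-zero field of the freshly
 * zeroed slot, so it can never reject. Returns 0 = accept, -1 = reject.
 * The copy is left out so the demo never writes out of bounds. */
static int check_buggy(struct ssid_slot *s, size_t attr_len)
{
    if (s->ssid_len > SSID_MAX)       /* 0 > 32 is always false */
        return -1;
    s->ssid_len = (uint8_t)attr_len;  /* assigned only after the test */
    return 0;
}

/* Fixed order: validate the caller-supplied length, then assign and copy. */
static int check_fixed(struct ssid_slot *s, const uint8_t *attr, size_t attr_len)
{
    if (attr_len > SSID_MAX)
        return -1;
    s->ssid_len = (uint8_t)attr_len;
    memcpy(s->ssid, attr, attr_len);
    return 0;
}

/* Run one constructed request of attr_len bytes through either checker and
 * return how many bytes a following memcpy would write past ssid[]. */
size_t overflow_after_check(int use_fixed, size_t attr_len)
{
    struct ssid_slot *s = calloc(1, sizeof(*s));  /* models kzalloc() */
    uint8_t *attr = calloc(1, attr_len ? attr_len : 1);
    int rc;
    if (!s || !attr) { free(s); free(attr); return 0; }
    rc = use_fixed ? check_fixed(s, attr, attr_len) : check_buggy(s, attr_len);
    free(s);
    free(attr);
    return (rc == 0 && attr_len > SSID_MAX) ? attr_len - SSID_MAX : 0;
}
```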
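Added example for the CVE-2011-1078 entry above (not code from SUSE or the kernel source): a userspace model of a struct with one trailing padding byte being copied out whole, with and without zeroing first. The field names, the sample values and the 0xAA marker for old stack contents are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout following the advisory's description: 5 bytes of fields plus one
 * trailing padding byte (field names are assumptions). */
struct conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

#define STALE 0xAA  /* constructed marker for old stack contents */

/* Fill a "stack slot" field by field, then copy sizeof(struct) bytes out,
 * as a copy_to_user() of the whole struct would. With zero_first == 0 the
 * padding byte keeps whatever was in the slot before. */
void get_conninfo(uint8_t *user_buf, int zero_first)
{
    uint8_t slot[sizeof(struct conninfo)];
    const uint16_t handle = 0x002a;                /* constructed values */
    const uint8_t cls[3] = { 0x0c, 0x02, 0x5a };

    memset(slot, STALE, sizeof(slot));             /* previous frame's data */
    if (zero_first)
        memset(slot, 0, sizeof(slot));             /* the fix */
    memcpy(slot + offsetof(struct conninfo, hci_handle), &handle, sizeof(handle));
    memcpy(slot + offsetof(struct conninfo, dev_class), cls, sizeof(cls));
    memcpy(user_buf, slot, sizeof(slot));          /* whole struct leaves the kernel */
}

/* Count non-zero bytes in the copied-out buffer that belong to no field. */
size_t leaked_padding_bytes(int zero_first)
{
    uint8_t user_buf[sizeof(struct conninfo)];
    size_t used = offsetof(struct conninfo, dev_class) + 3, n = 0;

    get_conninfo(user_buf, zero_first);
    for (size_t i = used; i < sizeof(user_buf); i++)
        n += (user_buf[i] != 0);
    return n;
}
```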
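Added example for the CVE-2011-1079, CVE-2011-1080 and CVE-2011-1170/1171/1172 entries above (not code from SUSE or the kernel source): a fixed-size name field filled by the caller and then used as a C string, with the two usual fixes. The 16-byte field size, the frame layout and the marker string are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16  /* hypothetical size of the fixed name field */

/* Constructed model of a kernel stack region: bytes [0,16) hold the name
 * field copied from userspace, bytes [16,32) hold unrelated stack data. */
struct frame { char bytes[2 * NAME_LEN]; };

/* Models copy_from_user() of the field: exactly NAME_LEN bytes arrive and
 * nothing guarantees that one of them is a NUL. */
static void load_request(struct frame *f, const char *user_str)
{
    size_t n = strlen(user_str);

    memcpy(f->bytes + NAME_LEN, "KERNELSECRET!!!", NAME_LEN); /* 15 chars + NUL */
    memset(f->bytes, 0, NAME_LEN);
    memcpy(f->bytes, user_str, n < NAME_LEN ? n : NAME_LEN);
}

/* Fix 1: reject a field that carries no terminator. */
int request_rejected(const char *user_str)
{
    struct frame f;

    load_request(&f, user_str);
    return memchr(f.bytes, '\0', NAME_LEN) == NULL;
}

/* Length of the string handed on as a device or module name.
 * fixed == 0: field used as-is, so the read runs on into adjacent data.
 * fixed == 1: fix 2, termination is forced inside the field first. */
size_t forwarded_len(const char *user_str, int fixed)
{
    struct frame f;

    load_request(&f, user_str);
    if (fixed)
        f.bytes[NAME_LEN - 1] = '\0';
    return strlen(f.bytes);
}
```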