Security update for the Linux kernel (important)

This kernel update for the SUSE Linux Enterprise 10 SP3
kernel fixes several security issues and bugs.

The following security issues have been fixed:

CVE-2011-3191: A signedness issue in CIFS could
possibly have lead to to memory corruption, if a malicious
server could send crafted replies to the host.

CVE-2011-1776: Timo Warns reported an issue in the
Linux implementation for GUID partitions. Users with
physical access could gain access to sensitive kernel
memory by adding a storage device with a specially crafted
corrupted invalid partition table.

CVE-2011-1093: The dccp_rcv_state_process function in
net/dccp/input.c in the Datagram Congestion Control
Protocol (DCCP) implementation in the Linux kernel did not
properly handle packets for a CLOSED endpoint, which
allowed remote attackers to cause a denial of service (NULL
pointer dereference and OOPS) by sending a DCCP-Close
packet followed by a DCCP-Reset packet.

CVE-2011-1745: Integer overflow in the
agp_generic_insert_memory function in
drivers/char/agp/generic.c in the Linux kernel allowed
local users to gain privileges or cause a denial of service
(system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl
call.

CVE-2011-1746: Multiple integer overflows in the (1)
agp_allocate_memory and (2) agp_create_user_memory
functions in drivers/char/agp/generic.c in the Linux kernel
allowed local users to trigger buffer overflows, and
consequently cause a denial of service (system crash) or
possibly have unspecified other impact, via vectors related
to calls that specify a large number of memory pages.

CVE-2011-2022: The agp_generic_remove_memory function
in drivers/char/agp/generic.c in the Linux kernel before
2.6.38.5 did not validate a certain start parameter, which
allowed local users to gain privileges or cause a denial of
service (system crash) via a crafted AGPIOC_UNBIND
agp_ioctl ioctl call, a different vulnerability than
CVE-2011-1745.

CVE-2011-0726: The do_task_stat function in
fs/proc/array.c in the Linux kernel did not perform an
expected uid check, which made it easier for local users to
defeat the ASLR protection mechanism by reading the
start_code and end_code fields in the /proc/#####/stat file
for a process executing a PIE binary.

CVE-2011-2496: The normal mmap paths all avoid
creating a mapping where the pgoff inside the mapping could
wrap around due to overflow. However, an expanding mremap()
can take such a non-wrapping mapping and make it bigger and
cause a wrapping condition.

CVE-2011-2491: A local unprivileged user able to
access a NFS filesystem could use file locking to deadlock
parts of an nfs server under some circumstance.

CVE-2011-1017,CVE-2011-2182: The code for evaluating
LDM partitions (in fs/partitions/ldm.c) contained bugs that
could crash the kernel for certain corrupted LDM partitions.

CVE-2011-1585: When using a setuid root mount.cifs,
local users could hijack password protected mounted CIFS
shares of other local users.

Also following non-security bugs were fixed:

patches.suse/fs-proc-vmcorec-add-hook-to-read_from_oldmem-to
-check-for-non-ram-pages.patch: fs/proc/vmcore.c: add hook
to read_from_oldmem() to check for non-ram pages
(bnc#684297).

• patches.xen/1062-xenbus-dev-leak.patch: xenbus: Fix
  memory leak on release.
• patches.xen/1074-xenbus_conn-type.patch: xenbus: fix
  type inconsistency with xenbus_conn().
• patches.xen/1080-blkfront-xenbus-gather-format.patch:
  blkfront: fix data size for xenbus_gather in connect().

patches.xen/1081-blkback-resize-transaction-end.patch:
xenbus: fix xenbus_transaction_start() hang caused by
double xenbus_transaction_end().

• patches.xen/1089-blkback-barrier-check.patch:
  blkback: dont fail empty barrier requests.
• patches.xen/1091-xenbus-dev-no-BUG.patch: xenbus:
  dont BUG() on user mode induced conditions (bnc#696107).
• patches.xen/1098-blkfront-cdrom-ioctl-check.patch:
  blkfront: avoid NULL de-reference in CDROM ioctl handling
  (bnc#701355).
• patches.xen/1102-x86-max-contig-order.patch: x86: use
  dynamically adjusted upper bound for contiguous regions
  (bnc#635880).

patches.xen/xen3-x86-sanitize-user-specified-e820-memmap-val
ues.patch: x86: sanitize user specified e820 memmap values
(bnc#665543).
*
patches.fixes/libiscsi-dont-run-scsi-eh-if-iscsi-task-is-mak
ing-progress: Fix typo, which was uncovered in debug mode.

• patches.fixes/pacct-fix-sighand-siglock-usage.patch:
  Fix sighand->siglock usage in kernel/acct.c (bnc#705463).