ID CVE-2012-3400
Summary Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
References
Vulnerable Configurations
  • Linux Kernel 3.4.4
    cpe:2.3:o:linux:linux_kernel:3.4.4
  • Linux Kernel 3.4.3
    cpe:2.3:o:linux:linux_kernel:3.4.3
  • Linux Kernel 3.4.2
    cpe:2.3:o:linux:linux_kernel:3.4.2
  • Linux Kernel 3.4.1
    cpe:2.3:o:linux:linux_kernel:3.4.1
  • Linux Kernel 3.4
    cpe:2.3:o:linux:linux_kernel:3.4
  • Linux Kernel 3.4 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.4:rc7
  • Linux Kernel 3.4 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.4:rc6
  • Linux Kernel 3.4 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.4:rc5
  • Linux Kernel 3.4 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.4:rc4
  • Linux Kernel 3.4 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.4:rc3
  • Linux Kernel 3.4 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.4:rc2
  • Linux Kernel 3.4 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.4:rc1
  • Linux Kernel 3.3.2
    cpe:2.3:o:linux:linux_kernel:3.3.2
  • Linux Kernel 3.3.4
    cpe:2.3:o:linux:linux_kernel:3.3.4
  • Linux Kernel 3.3.6
    cpe:2.3:o:linux:linux_kernel:3.3.6
  • Linux Kernel 3.3.7
    cpe:2.3:o:linux:linux_kernel:3.3.7
  • Linux Kernel 3.3
    cpe:2.3:o:linux:linux_kernel:3.3
  • Linux Kernel 3.3 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.3:rc7
  • Linux Kernel 3.3 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.3:rc4
  • Linux Kernel 3.3 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.3:rc3
  • Linux Kernel 3.3 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.3:rc6
  • Linux Kernel 3.3 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.3:rc5
  • Linux Kernel 3.3 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.3:rc2
  • Linux Kernel 3.3.8
    cpe:2.3:o:linux:linux_kernel:3.3.8
  • Linux Kernel 3.3 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.3:rc1
  • Linux Kernel 3.3.5
    cpe:2.3:o:linux:linux_kernel:3.3.5
  • Linux Kernel 3.3.3
    cpe:2.3:o:linux:linux_kernel:3.3.3
  • Linux Kernel 3.3.1
    cpe:2.3:o:linux:linux_kernel:3.3.1
  • Linux Kernel 3.2
    cpe:2.3:o:linux:linux_kernel:3.2
  • Linux Kernel 3.2.1
    cpe:2.3:o:linux:linux_kernel:3.2.1
  • Linux Kernel 3.2.5
    cpe:2.3:o:linux:linux_kernel:3.2.5
  • Linux Kernel 3.2.4
    cpe:2.3:o:linux:linux_kernel:3.2.4
  • Linux Kernel 3.2.3
    cpe:2.3:o:linux:linux_kernel:3.2.3
  • Linux Kernel 3.2.2
    cpe:2.3:o:linux:linux_kernel:3.2.2
  • Linux Kernel 3.2.12
    cpe:2.3:o:linux:linux_kernel:3.2.12
  • Linux Kernel 3.2.13
    cpe:2.3:o:linux:linux_kernel:3.2.13
  • Linux Kernel 3.2.14
    cpe:2.3:o:linux:linux_kernel:3.2.14
  • Linux Kernel 3.2.15
    cpe:2.3:o:linux:linux_kernel:3.2.15
  • Linux Kernel 3.2.16
    cpe:2.3:o:linux:linux_kernel:3.2.16
  • Linux Kernel 3.2.17
    cpe:2.3:o:linux:linux_kernel:3.2.17
  • Linux Kernel 3.2.18
    cpe:2.3:o:linux:linux_kernel:3.2.18
  • Linux Kernel 3.2 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.2:rc7
  • Linux Kernel 3.2.19
    cpe:2.3:o:linux:linux_kernel:3.2.19
  • Linux Kernel 3.2 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.2:rc6
  • Linux Kernel 3.2.20
    cpe:2.3:o:linux:linux_kernel:3.2.20
  • Linux Kernel 3.2 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.2:rc3
  • Linux Kernel 3.2 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.2:rc2
  • Linux Kernel 3.2 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.2:rc5
  • Linux Kernel 3.2 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.2:rc4
  • Linux Kernel 3.2.6
    cpe:2.3:o:linux:linux_kernel:3.2.6
  • Linux Kernel 3.2.7
    cpe:2.3:o:linux:linux_kernel:3.2.7
  • Linux Kernel 3.2.8
    cpe:2.3:o:linux:linux_kernel:3.2.8
  • Linux Kernel 3.2.9
    cpe:2.3:o:linux:linux_kernel:3.2.9
  • Linux Kernel 3.2.10
    cpe:2.3:o:linux:linux_kernel:3.2.10
  • Linux Kernel 3.2.11
    cpe:2.3:o:linux:linux_kernel:3.2.11
  • Linux Kernel 3.1 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.1:rc1
  • Linux Kernel 3.1 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.1:rc2
  • Linux Kernel 3.1 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.1:rc3
  • Linux Kernel 3.1 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.1:rc4
  • Linux Kernel 3.1
    cpe:2.3:o:linux:linux_kernel:3.1
  • Linux Kernel 3.1.10
    cpe:2.3:o:linux:linux_kernel:3.1.10
  • Linux Kernel 3.1.9
    cpe:2.3:o:linux:linux_kernel:3.1.9
  • Linux Kernel 3.1.8
    cpe:2.3:o:linux:linux_kernel:3.1.8
  • Linux Kernel 3.1.7
    cpe:2.3:o:linux:linux_kernel:3.1.7
  • Linux Kernel 3.1.6
    cpe:2.3:o:linux:linux_kernel:3.1.6
  • Linux Kernel 3.1.5
    cpe:2.3:o:linux:linux_kernel:3.1.5
  • Linux Kernel 3.1.4
    cpe:2.3:o:linux:linux_kernel:3.1.4
  • Linux Kernel 3.1.3
    cpe:2.3:o:linux:linux_kernel:3.1.3
  • Linux Kernel 3.1.2
    cpe:2.3:o:linux:linux_kernel:3.1.2
  • Linux Kernel 3.1.1
    cpe:2.3:o:linux:linux_kernel:3.1.1
  • Linux Kernel 3.0 release candidate 7
    cpe:2.3:o:linux:linux_kernel:3.0:rc7
  • Linux Kernel 3.0 release candidate 4
    cpe:2.3:o:linux:linux_kernel:3.0:rc4
  • Linux Kernel 3.0 release candidate 5
    cpe:2.3:o:linux:linux_kernel:3.0:rc5
  • Linux Kernel 3.0 release candidate 6
    cpe:2.3:o:linux:linux_kernel:3.0:rc6
  • Linux Kernel 3.0.27
    cpe:2.3:o:linux:linux_kernel:3.0.27
  • Linux Kernel 3.0 release candidate 1
    cpe:2.3:o:linux:linux_kernel:3.0:rc1
  • Linux Kernel 3.0.26
    cpe:2.3:o:linux:linux_kernel:3.0.26
  • Linux Kernel 3.0 release candidate 2
    cpe:2.3:o:linux:linux_kernel:3.0:rc2
  • Linux Kernel 3.0.25
    cpe:2.3:o:linux:linux_kernel:3.0.25
  • Linux Kernel 3.0 release candidate 3
    cpe:2.3:o:linux:linux_kernel:3.0:rc3
  • Linux Kernel 3.0.4
    cpe:2.3:o:linux:linux_kernel:3.0.4
  • Linux Kernel 3.0.3
    cpe:2.3:o:linux:linux_kernel:3.0.3
  • Linux Kernel 3.0.2
    cpe:2.3:o:linux:linux_kernel:3.0.2
  • Linux Kernel 3.0.1
    cpe:2.3:o:linux:linux_kernel:3.0.1
  • Linux Kernel 3.0.34
    cpe:2.3:o:linux:linux_kernel:3.0.34
  • Linux Kernel 3.0.5
    cpe:2.3:o:linux:linux_kernel:3.0.5
  • Linux Kernel 3.0.32
    cpe:2.3:o:linux:linux_kernel:3.0.32
  • Linux Kernel 3.0.33
    cpe:2.3:o:linux:linux_kernel:3.0.33
  • Linux Kernel 3.0.7
    cpe:2.3:o:linux:linux_kernel:3.0.7
  • Linux Kernel 3.0.30
    cpe:2.3:o:linux:linux_kernel:3.0.30
  • Linux Kernel 3.0.6
    cpe:2.3:o:linux:linux_kernel:3.0.6
  • Linux Kernel 3.0.31
    cpe:2.3:o:linux:linux_kernel:3.0.31
  • Linux Kernel 3.0.9
    cpe:2.3:o:linux:linux_kernel:3.0.9
  • Linux Kernel 3.0.28
    cpe:2.3:o:linux:linux_kernel:3.0.28
  • Linux Kernel 3.0.8
    cpe:2.3:o:linux:linux_kernel:3.0.8
  • Linux Kernel 3.0.29
    cpe:2.3:o:linux:linux_kernel:3.0.29
  • Linux Kernel 3.0.24
    cpe:2.3:o:linux:linux_kernel:3.0.24
  • Linux Kernel 3.0.22
    cpe:2.3:o:linux:linux_kernel:3.0.22
  • Linux Kernel 3.0.23
    cpe:2.3:o:linux:linux_kernel:3.0.23
  • Linux Kernel 3.0.20
    cpe:2.3:o:linux:linux_kernel:3.0.20
  • Linux Kernel 3.0.21
    cpe:2.3:o:linux:linux_kernel:3.0.21
  • Linux Kernel 3.0.18
    cpe:2.3:o:linux:linux_kernel:3.0.18
  • Linux Kernel 3.0.19
    cpe:2.3:o:linux:linux_kernel:3.0.19
  • Linux Kernel 3.0.16
    cpe:2.3:o:linux:linux_kernel:3.0.16
  • Linux Kernel 3.0.17
    cpe:2.3:o:linux:linux_kernel:3.0.17
  • Linux Kernel 3.0.14
    cpe:2.3:o:linux:linux_kernel:3.0.14
  • Linux Kernel 3.0.15
    cpe:2.3:o:linux:linux_kernel:3.0.15
  • Linux Kernel 3.0.12
    cpe:2.3:o:linux:linux_kernel:3.0.12
  • Linux Kernel 3.0.13
    cpe:2.3:o:linux:linux_kernel:3.0.13
  • Linux Kernel 3.0.10
    cpe:2.3:o:linux:linux_kernel:3.0.10
  • Linux Kernel 3.0.11
    cpe:2.3:o:linux:linux_kernel:3.0.11
CVSS
Base: 7.6 (as of 03-10-2012 - 11:11)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector: NETWORK
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1532-1.NASL
    description An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. (CVE-2012-2136) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 61510
    published 2012-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61510
    title USN-1532-1 : linux-ti-omap4 vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-2044.NASL
    description Description of changes: [2.6.32-300.39.1.el6uek] - hugepages: fix use after free bug in 'quota' handling [15842385] {CVE-2012-2133} - mm: Hold a file reference in madvise_remove [15842884] {CVE-2012-3511} - udf: Fortify loading of sparing table [15843730] {CVE-2012-3400} - udf: Avoid run away loop when partition table length is corrupt [15843730] {CVE-2012-3400}
    last seen 2018-09-02
    modified 2015-12-01
    plugin id 68688
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68688
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2044)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0594.NASL
    description From Red Hat Security Advisory 2013:0594 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) This update also fixes the following bugs : * Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events. (BZ#884704) * A boot-time memory allocation pool (the DMI heap) is used to keep the list of Desktop Management Interface (DMI) devices during the system boot. Previously, the size of the DMI heap was only 2048 bytes on the AMD64 and Intel 64 architectures and the DMI heap space could become easily depleted on some systems, such as the IBM System x3500 M2. A subsequent OOM failure could, under certain circumstances, lead to a NULL pointer entry being stored in the DMI device list. Consequently, scanning of such a corrupted DMI device list resulted in a kernel panic. 
The boot-time memory allocation pool for the AMD64 and Intel 64 architectures has been enlarged to 4096 bytes and the routines responsible for populating the DMI device list have been modified to skip entries if their name string is NULL. The kernel no longer panics in this scenario. (BZ#902683) * The size of the buffer used to print the kernel taint output on kernel panic was too small, which resulted in the kernel taint output not being printed completely sometimes. With this update, the size of the buffer has been adjusted and the kernel taint output is now displayed properly. (BZ#905829) * The code to print the kernel taint output contained a typographical error. Consequently, the kernel taint output, which is displayed on kernel panic, could not provide taint error messages for unsupported hardware. This update fixes the typo and the kernel taint output is now displayed correctly. (BZ#885063) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68773
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68773
    title Oracle Linux 5 : kernel (ELSA-2013-0594)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1556-1.NASL
    description Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044) A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62005
    published 2012-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62005
    title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1556-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2012-142.NASL
    description A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low) Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69632
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69632
    title Amazon Linux AMI : kernel (ALAS-2012-142)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1562-1.NASL
    description Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62040
    published 2012-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62040
    title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerability (USN-1562-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-8325.NASL
    description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. 
(CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. 
(bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974)
    last seen 2019-02-21
    modified 2012-10-24
    plugin id 62676
    published 2012-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62676
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1539-1.NASL
    description An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. (CVE-2012-2136) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) An error was discovered in the Linux kernel's memory subsystem (hugetlb). An unprivileged local user could exploit this flaw to cause a denial of service (crash the system). (CVE-2012-2390) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400) A flaw was discovered in the madvise feature of the Linux kernel's memory subsystem. An unprivileged local user could exploit the flaw to cause a denial of service (crash the system). (CVE-2012-3511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 61549
    published 2012-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61549
    title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1539-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2012-1391-1.NASL
    description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password (a side channel attack). CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. 
CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed. The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766). - knfsd: Unexport cache_fresh and fix a small race (bnc#767766). - knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766). - knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766). - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766). - sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766). - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766). - sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766). - sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Another fix for race problem with sunrpc cache deferal (bnc#767766). - knfsd: nfsd: make all exp_finding functions return -errnos on err (bnc#767766). - Fix kabi breakage in previous nfsd patch series (bnc#767766). - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766). - nfs: Fix a potential file corruption issue when writing (bnc#773272). - nfs: Allow sync writes to be multiple pages (bnc#763526). - nfs: fix reference counting for NFSv4 callback thread (bnc#767504). - nfs: flush signals before taking down callback thread (bnc#767504). 
- nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return (bnc#783058). drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058). block: fail SCSI passthrough ioctls on partition devices (bnc#738400). dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400). vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). be2net: Fix EEH error reset before a flash dump completes (bnc#755546). - mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939). - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86: powernow-k8: Fix indexing issue (bnc#758985). net: Fix race condition about network device name allocation (bnc#747576). XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528). - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974). - xen/gntdev: fix multi-page slot allocation (bnc#760974). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-31
    plugin id 83563
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83563
    title SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-1491.NASL
    description Updated kernel-rt packages that fix several security issues and multiple bugs are now available for Red Hat Enterprise MRG 2.2. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A flaw was found in the way Netlink messages without SCM_CREDENTIALS (used for authentication) data set were handled. When not explicitly set, the data was sent but with all values set to 0, including the process ID and user ID, causing the Netlink message to appear as if it were sent with root privileges. A local, unprivileged user could use this flaw to send spoofed Netlink messages to an application, possibly resulting in the application performing privileged operations if it relied on SCM_CREDENTIALS data for the authentication of Netlink messages. (CVE-2012-3520, Important) * A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508, Important) * A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. 
(CVE-2012-3511, Moderate) * A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to 'illinois'), a local, unprivileged user could trigger this flaw and cause a denial of service. (CVE-2012-4565, Moderate) * An information leak flaw was found in the uname() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space by setting the UNAME26 personality and then calling the uname() system call. (CVE-2012-0957, Low) * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) * A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space. (CVE-2012-3430, Low) Red Hat would like to thank Pablo Neira Ayuso for reporting CVE-2012-3520; Theodore Ts'o for reporting CVE-2012-4508; Shachar Raindel for reporting CVE-2012-2133; and Kees Cook for reporting CVE-2012-0957. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. The CVE-2012-4565 issue was discovered by Rodrigo Freire of Red Hat, and the CVE-2012-3430 issue was discovered by the Red Hat InfiniBand team. This update also fixes multiple bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. 
Users should upgrade to these updated packages, which upgrade the kernel-rt kernel to version kernel-rt-3.2.33-rt50, and correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 76653
    published 2014-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76653
    title RHEL 6 : MRG (RHSA-2012:1491)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0594.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) This update also fixes the following bugs : * Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events. (BZ#884704) * A boot-time memory allocation pool (the DMI heap) is used to keep the list of Desktop Management Interface (DMI) devices during the system boot. Previously, the size of the DMI heap was only 2048 bytes on the AMD64 and Intel 64 architectures and the DMI heap space could become easily depleted on some systems, such as the IBM System x3500 M2. A subsequent OOM failure could, under certain circumstances, lead to a NULL pointer entry being stored in the DMI device list. Consequently, scanning of such a corrupted DMI device list resulted in a kernel panic. 
The boot-time memory allocation pool for the AMD64 and Intel 64 architectures has been enlarged to 4096 bytes and the routines responsible for populating the DMI device list have been modified to skip entries if their name string is NULL. The kernel no longer panics in this scenario. (BZ#902683) * The size of the buffer used to print the kernel taint output on kernel panic was too small, which resulted in the kernel taint output not being printed completely sometimes. With this update, the size of the buffer has been adjusted and the kernel taint output is now displayed properly. (BZ#905829) * The code to print the kernel taint output contained a typographical error. Consequently, the kernel taint output, which is displayed on kernel panic, could not provide taint error messages for unsupported hardware. This update fixes the typo and the kernel taint output is now displayed correctly. (BZ#885063) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65041
    published 2013-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65041
    title RHEL 5 : kernel (RHSA-2013:0594)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-1426.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low) * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) Red Hat would like to thank Shachar Raindel for reporting CVE-2012-2133. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. 
Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 62833
    published 2012-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62833
    title RHEL 6 : kernel (RHSA-2012:1426)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-120805.NASL
    description The SUSE Linux Enterprise 11 SP2 kernel was updated to 3.0.38, fixing various bugs and security issues. The following security issues have been fixed : - Several buffer overread and overwrite errors in the UDF logical volume descriptor code have been fixed that might have allowed local attackers able to mount UDF volumes to crash the kernel or potentially gain privileges. (CVE-2012-3400) - A denial of service (crash) in epoll has been fixed. The three NTP leapsecond issues were fixed and are contained in Linux Kernel stable 3.0.38. (CVE-2012-3375) The Libceph/ceph/rbd framework was imported for later Cloud storage usage. Various bug and security fixes were integrated from the Linux stable kernel 3.0.34-3.0.38 upgrade and are not explicitly listed here. The following other non-security issues have been fixed : S/390 - dasd: Use correct queue for aborting requests. - dasd: Abort requests from correct queue. - [S390] Do not clobber personality flags on exec. (bnc#770034) - dasd: Kick tasklet instead of processing the request_queue directly. - s390/kernel: CPU idle vs CPU hotplug (bnc#772407,LTC#83468). - lgr: Make lgr_page static (bnc#772407,LTC#83520). - s390/kernel: incorrect task size after fork of a 31 bit process (bnc#772407,LTC#83674). - dasd: Abort all requests on the request_queue, too. (bnc#768084) - DASD: Add timeout attribute. (bnc#771361) - dasd: Fixup typo in debugging message. - patches.suse/dasd-fail-all-requests-after-timeout.patch: Fixup handling of failfast requests. (bnc#768084) - s390: allow zcrypt to /dev/random feeding to be resumed. (bnc#718910) - s390/hypfs: Missing files and directories (bnc#769407,LTC#82838). - dasd: Fail all requests after timeout. (bnc#768084) - s390/kernel: Add z/VM LGR detection (bnc#767281,LTC#RAS1203). 
BTRFS fixes (3.3-3.5+) - Btrfs: avoid sleeping in verify_parent_transid while atomic - Btrfs: fix btrfs_release_extent_buffer_page with the right usage of num_extent_pages - Btrfs: do not check delalloc when updating disk_i_size - Btrfs: look into the extent during find_all_leafs - Btrfs: do not set for_cow parameter for tree block functions - Btrfs: fix defrag regression - Btrfs: fix missing inherited flag in rename - Btrfs: do not resize a seeding device - Btrfs: cast devid to unsigned long long for printk %llu - Btrfs: add a missing spin_lock - Btrfs: restore restriper state on all mounts - Btrfs: resume balance on rw (re)mounts properly - Btrfs: fix tree log remove space corner case - Btrfs: hold a ref on the inode during writepages - Btrfs: do not return EINVAL instead of ENOMEM from open_ctree() - Btrfs: do not ignore errors from btrfs_cleanup_fs_roots() when mounting - Btrfs: fix error handling in __add_reloc_root() - Btrfs: return error of btrfs_update_inode() to caller - Btrfs: fix typo in cow_file_range_async and async_cow_submit - Btrfs: fix btrfs_is_free_space_inode to recognize btree inode - Btrfs: kill root from btrfs_is_free_space_inode - Btrfs: zero unused bytes in inode item - disable patches.suse/btrfs-8052-fix-wrong-information-of-the-directory-in-the-.patch. (bnc#757059) XEN - Refresh Xen patches (bnc#772831, add spinlock.nopoll option). - Update Xen patches to 3.0.35. - xen/thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE. (bnc#762991) - Update Xen config files (CONFIG_XEN_SPINLOCK_ACQUIRE_NESTING=1). MD - md: Do not truncate size at 4TB for RAID0 and Linear - md/bitmap: Do not write bitmap while earlier writes might be in-fligh. (bnc#771398) - md: Fixup blktrace information. - md: Abort pending request for RAID10. (bnc#773251) - md: add raid10 tracepoints. (bnc#768084) - md: wakeup thread upon rdev_dec_pending(). (bnc#771398) - md: Correctly register error code on failure. 
- md: Do not take mddev lock when reading rdev attributes from sysfs. (bnc#772420) - md: unblock SET_DISK_FAULTY ioctl (bnc#768084). Hyper-V - net/hyperv: Use wait_event on outstanding sends during device removal. - Tools: hv: verify origin of netlink connector message. - hyperv: Add support for setting MAC from within guests. - Drivers: hv: Change the hex constant to a decimal constant. - hyperv: Add error handling to rndis_filter_device_add(). - hyperv: Add a check for ring_size value. - Drivers: hv: Cleanup the guest ID computation. - hv: add RNDIS_OID_GEN_RNDIS_CONFIG_PARAMETER. Scheduler - sched: Make sure to not re-read variables after validation. (bnc#769685) - sched: Only queue remote wakeups when crossing cache boundaries part2. (bnc#754690) - sched: really revert latency defaults to SP1 values. (bnc#754690) - sched: optimize latency defaults. (bnc#754690) - sched: Save some hrtick_start_fair cycles. (bnc#754690) - sched: use rt.nr_cpus_allowed to recover select_task_rq() cycles. (bnc#754690) - sched: Set skip_clock_update in yield_task_fair(). (bnc#754690) - sched: Do not call task_group() too many times in set_task_rq(). (bnc#754690) - sched: ratelimit nohz. (bnc#754690) - sched: Wrap scheduler p->cpus_allowed access. (bnc#754690) - sched: Avoid SMT siblings in select_idle_sibling() if possible. (bnc#754690) - sched: Clean up domain traversal in select_idle_sibling(). (bnc#754690) - sched: Remove rcu_read_lock/unlock() from select_idle_sibling(). (bnc#754690) - sched: Fix the sched group node allocation for SD_OVERLAP domains. (bnc#754690) - sched: add SD_SHARE_PKG_RESOURCES domain flags proc handler. (bnc#754690) - sched: fix select_idle_sibling() induced bouncing (bnc#754690). Other fixes - rt2800: add chipset revision RT5390R support. (bnc#772566) - reiserfs: fix deadlocks with quotas. (bnc#774285) - VFS: avoid prepend_path warning about d_obtain_alias aliases. (bnc#773006) - ntp: avoid printk under xtime_lock. 
(bnc#767684) - kvm: kvmclock: apply kvmclock offset to guest wall clock time. (bnc#766445) - bonding: allow all slave speeds. (bnc#771428) - mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables. - mm: hugetlbfs: Correctly detect if page tables have just been shared. - patches.fixes/mm-hugetlb-decrement-mapcount-under-page_table_lock.patch: Delete. (Fix bad PMD message displayed while using hugetlbfs (bnc#762366)). - ALSA: hda - Evaluate gpio_led hints at the right moment. (bnc#773878) - proc: stats: Use arch_idle_time for idle and iowait times if available. (bnc#772893) - tcp: perform DMA to userspace only if there is a task waiting for it. (bnc#773606) - rt2x00: fix rt3290 resuming failed. (bnc#771778) - patches.suse/SUSE-bootsplash: Refresh. (Fix wrong vfree() (bnc#773406)) - vhost: do not forget to schedule(). (bnc#767983) - powerpc, kabi: reintroduce __cputime_msec_factor. (bnc#771242) - powerpc: Fix wrong divisor in usecs_to_cputime. (bnc#771242) - mm: use cpu_chill() in spin_trylock_page() and cancel on immediately RT. (bnc#768470) - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - st: Fix adding of tape link from device directory. (bnc#771102) - idr: Fix locking of minor idr during failure-case removal and add freeing of minor idr during device removal. - add firmware update for Atheros 0cf3:311f. (bnc#761775) - Unset CONFIG_WATCHDOG_NOWAYOUT to prevent reboot of openais on service stop. (bnc#756585) - Update config files: Enable CONFIG_RT2800PCI_RT3290. - ida: simplified functions for id allocation. (bnc#749291) - ida: make ida_simple_get/put() IRQ safe. (bnc#749291) - virtio-blk: use ida to allocate disk index. (bnc#749291) - USB: option: Add USB ID for Novatel Ovation MC551. (bnc#770269) - USB: option: add id for Cellient MEN-200. (bnc#770269) - Fix the position of SUSE logo on text screen. (bnc#770238) - enable Atheros 0cf3:311e for firmware upload. (bnc#766733) - scsi_dh_alua: Improve error handling. 
(bnc#715635) - scsi: remove an unhandled error code message. (bnc#715635) - Add to support Ralink ROMA wifi chip. (bnc#758703) - x86_64, UV: Update NMI handler for UV1000/2000 systems. (bnc#746509, bnc#744655) - kdb: Fix merge error in original kdb x86 patch. (bnc#746509) - udf: Avoid run away loop when partition table length is corrupted. (bnc#769784) - udf: Fortify loading of sparing table. (bnc#769784) - udf: Use ret instead of abusing i in udf_load_logicalvol(). (bnc#769784) - intel_ips: blacklist HP ProBook laptops. (bnc#720946) - drm: edid: Do not add inferred modes with higher resolution. (bnc#753172) - init: mm: Reschedule when initialising large numbers of memory sections. (bnc#755620). - x86/apic: Use x2apic physical mode based on FADT setting. (bnc#768052) - acpiphp: add dmi info to acpiphp module. (bnc#754391) - ntp: fix leap second hrtimer deadlock. (bnc#768632) - ntp: avoid printk under xtime_lock. (bnc#767684) - nohz: Fix update_ts_time_stat idle accounting. (bnc#767469, bnc#705551) - nohz: Make idle/iowait counter update conditional. (bnc#767469, bnc#705551) - bug: introduce BUILD_BUG_ON_INVALID() macro - bug: completely remove code generated by disabled. (VM Performance). - mm: call cond_resched in putback_lru_pages. (bnc#763968) - Update x84-64 Xen config file (CONFIG_ACPI_PROCESSOR_AGGREGATOR=m). - ia64 is odd man out, CONFIG_SCHED_HRTICK is not set, fix build failure due to missing hrtick_enabled() in that case. - drm: Add poll blacklist for Dell Latitude E5420. (bnc#756276) - supported.conf: mark libceph and rbd as unsupported. - drm/i915: Fix eDP blank screen after S3 resume on HP desktops. (bnc#752352) - mm: hugetlb: Decrement mapcount under page table lock (Consistent mapcount decrementing under lock (bnc#762366)). - mm: hugetlb: flush_tlb_range() needs page_table_lock when mmap_sem is not held (Consistent locking for TLB flush of hugetlb pages (bnc#762366)). 
- mm/hugetlb.c: undo change to page mapcount in fault handler (Handle potential leaks in hugetlbfs error paths (bnc#762366)). - drm/i915: Not all systems expose a firmware or platform mechanism for changing the backlight intensity on i915, so add native driver support. (bnc#752352) - i915: do not setup intel_backlight twice. (bnc#752352) - drm/i915: enable vdd when switching off the eDP panel. (bnc#752352) - Add missing definition blk_queue_dead(). - Backport patches from mainline to fix SCSI crash under heavy load (bnc#738284) : - block: add blk_queue_dead(). (bnc#738284) - block: add missing blk_queue_dead() checks. (bnc#738284) - block: Fix race on request.end_io invocations. (bnc#738284) - fc class: fix scanning when devs are offline. (bnc#738284) - scsi: Fix device removal NULL pointer dereference. (bnc#738284) - fix DID_TARGET_FAILURE and DID_NEXUS_FAILURE host byte settings. (bnc#738284) - scsi: Stop accepting SCSI requests before removing a device. (bnc#738284) - Delete preliminary patch. - Provide obsoleted KMPs (bnc#753353), fix ath3k obsoletes. - mm: filemap: Optimise file-backed page faulting by emulating an adaptive sleeping spinlock. (bnc#762414) - Add yet another product ID for HP cert machines. (bnc#764339) - x86: check for valid irq_cfg pointer in smp_irq_move_cleanup_interrupt. (bnc#763754) - backing-dev: use synchronize_rcu_expedited instead of synchronize_rcu. (bnc#766027) - sysfs: count subdirectories. (bnc#766027) - kABI fix for sysfs-count-subdirectories. (bnc#766027) - block: Introduce blk_set_stacking_limits function. (bnc#763026)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64178
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64178
    title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 6641 / 6643 / 6648)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1557-1.NASL
    description Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 62006
    published 2012-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62006
    title Ubuntu 11.04 : linux vulnerability (USN-1557-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-176.NASL
    description The Linux kernel was updated to fix various bugs and security issues : CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. CVE-2013-0160: Avoid a side channel attack on /dev/ptmx (keyboard input timing). CVE-2012-5374: Fixed a local denial of service in the BTRFS hashing code. CVE-2013-0309: arch/x86/include/asm/pgtable.h in the Linux kernel, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application. CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. CVE-2012-0957: The override_release function in kernel/sys.c in the Linux kernel allowed local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality. CVE-2013-0216: The Xen netback functionality in the Linux kernel allowed guest OS users to cause a denial of service (loop) by triggering ring pointer corruption. CVE-2013-0231: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel allowed guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third-party information. CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. 
CVE-2012-4508: Race condition in fs/ext4/extents.c in the Linux kernel allowed local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized. CVE-2012-3412: The sfc (aka Solarflare Solarstorm) driver in the Linux kernel allowed remote attackers to cause a denial of service (DMA descriptor consumption and network-controller outage) via crafted TCP packets that trigger a small MSS value. CVE-2012-2745: The copy_creds function in kernel/cred.c in the Linux kernel provided an invalid replacement session keyring to a child process, which allowed local users to cause a denial of service (panic) via a crafted application that uses the fork system call. CVE-2012-3375: The epoll_ctl system call in fs/eventpoll.c in the Linux kernel did not properly handle ELOOP errors in EPOLL_CTL_ADD operations, which allowed local users to cause a denial of service (file-descriptor consumption and system crash) via a crafted application that attempts to create a circular epoll dependency. CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74914
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74914
    title openSUSE Security Update : kernel (openSUSE-SU-2013:0396-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0594.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) This update also fixes the following bugs : * Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events. (BZ#884704) * A boot-time memory allocation pool (the DMI heap) is used to keep the list of Desktop Management Interface (DMI) devices during the system boot. Previously, the size of the DMI heap was only 2048 bytes on the AMD64 and Intel 64 architectures and the DMI heap space could become easily depleted on some systems, such as the IBM System x3500 M2. A subsequent OOM failure could, under certain circumstances, lead to a NULL pointer entry being stored in the DMI device list. Consequently, scanning of such a corrupted DMI device list resulted in a kernel panic. 
The boot-time memory allocation pool for the AMD64 and Intel 64 architectures has been enlarged to 4096 bytes and the routines responsible for populating the DMI device list have been modified to skip entries if their name string is NULL. The kernel no longer panics in this scenario. (BZ#902683) * The size of the buffer used to print the kernel taint output on kernel panic was too small, which resulted in the kernel taint output not being printed completely sometimes. With this update, the size of the buffer has been adjusted and the kernel taint output is now displayed properly. (BZ#905829) * The code to print the kernel taint output contained a typographical error. Consequently, the kernel taint output, which is displayed on kernel panic, could not provide taint error messages for unsupported hardware. This update fixes the typo and the kernel taint output is now displayed correctly. (BZ#885063) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65062
    published 2013-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65062
    title CentOS 5 : kernel (CESA-2013:0594)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20121106_KERNEL_ON_SL6_X.NASL
    description * A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low) * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) This update also fixes several bugs. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 62858
    published 2012-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62858
    title Scientific Linux Security Update : kernel on SL6.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-1426.NASL
    description Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low) * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) Red Hat would like to thank Shachar Raindel for reporting CVE-2012-2133. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. 
Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 62862
    published 2012-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62862
    title CentOS 6 : kernel (CESA-2012:1426)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1529-1.NASL
    description A flaw was discovered in the Linux kernel's macvtap device driver, which is used in KVM (Kernel-based Virtual Machine) to create a network bridge between host and guest. A privileged user in a guest could exploit this flaw to crash the host, if the vhost_net module is loaded with the experimental_zcopytx option enabled. (CVE-2012-2119) An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. (CVE-2012-2136) A flaw was found in how the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem handled MSI (Message Signaled Interrupts). A local unprivileged user could exploit this flaw to cause a denial of service or potentially elevate privileges. (CVE-2012-2137) A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) Dan Rosenberg discovered flaws in the Linux kernel's NCI (Near Field Communication Controller Interface). A remote attacker could exploit these flaws to crash the system or potentially execute privileged code. (CVE-2012-3364) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system.
(CVE-2012-3400) A flaw was discovered in the madvise feature of the Linux kernel's memory subsystem. An unprivileged local user could exploit the flaw to cause a denial of service (crash the system). (CVE-2012-3511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 61507
    published 2012-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61507
    title Ubuntu 12.04 LTS : linux vulnerabilities (USN-1529-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-1426.NASL
    description From Red Hat Security Advisory 2012:1426 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-2133, Moderate) * A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges. (CVE-2012-3511, Moderate) * It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature. (CVE-2012-1568, Low) * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) Red Hat would like to thank Shachar Raindel for reporting CVE-2012-2133. This update also fixes several bugs. Documentation for these changes will be available shortly from the Technical Notes document linked to in the References section. 
Users should upgrade to these updated packages, which contain backported patches to correct these issues, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68651
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68651
    title Oracle Linux 6 : kernel (ELSA-2012-1426)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-2507.NASL
    description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 68847
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68847
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2013-2507)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-8324.NASL
    description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
(CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. 
(bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974)
    last seen 2019-02-21
    modified 2012-10-24
    plugin id 62675
    published 2012-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62675
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0594-1.NASL
    description From Red Hat Security Advisory 2013:0594 : Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low) This update also fixes the following bugs : * Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events. (BZ#884704) * A boot-time memory allocation pool (the DMI heap) is used to keep the list of Desktop Management Interface (DMI) devices during the system boot. Previously, the size of the DMI heap was only 2048 bytes on the AMD64 and Intel 64 architectures and the DMI heap space could become easily depleted on some systems, such as the IBM System x3500 M2. A subsequent OOM failure could, under certain circumstances, lead to a NULL pointer entry being stored in the DMI device list. Consequently, scanning of such a corrupted DMI device list resulted in a kernel panic. 
The boot-time memory allocation pool for the AMD64 and Intel 64 architectures has been enlarged to 4096 bytes and the routines responsible for populating the DMI device list have been modified to skip entries if their name string is NULL. The kernel no longer panics in this scenario. (BZ#902683) * The size of the buffer used to print the kernel taint output on kernel panic was too small, which resulted in the kernel taint output not being printed completely sometimes. With this update, the size of the buffer has been adjusted and the kernel taint output is now displayed properly. (BZ#905829) * The code to print the kernel taint output contained a typographical error. Consequently, the kernel taint output, which is displayed on kernel panic, could not provide taint error messages for unsupported hardware. This update fixes the typo and the kernel taint output is now displayed correctly. (BZ#885063) Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68772
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68772
    title Oracle Linux 5 : kernel (ELSA-2013-0594-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KERNEL-120714.NASL
    description The SUSE Linux Enterprise 11 SP1 kernel has been updated to fix various bugs and security issues. The following security issues have been fixed : - Several buffer overread and overwrite errors in the UDF logical volume descriptor code were fixed that might have allowed local attackers able to mount UDF volumes to crash the kernel or potentially gain privileges. (CVE-2012-3400) - A local denial of service in the last epoll fix was fixed. (CVE-2012-3375) - An integer overflow in i915_gem_do_execbuffer() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2384) - An integer overflow in i915_gem_execbuffer2() was fixed that might be used by local attackers to crash the kernel or potentially execute code. (CVE-2012-2383) - Memory leaks in the hugetlbfs map reservation code were fixed that could be used by local attackers to exhaust machine memory. (CVE-2012-2390) - The filesystem capability handling was not fully correct, allowing local users to bypass fscaps related restrictions to disable e.g. address space randomization. (CVE-2012-2123) - Validation of data_len before allocating fragments of skbs was fixed that might have allowed a heap overflow. (CVE-2012-2136) - Fixed potential buffer overflows in the hfsplus filesystem, which might be exploited by local attackers able to mount such filesystems. (CVE-2012-2319) Several leapsecond related bug fixes have been created : - hrtimer: provide clock_was_set_delayed(). (bnc#768632) - time: Fix leapsecond triggered hrtimer/futex load spike issue. (bnc#768632) - ntp: fix leap second hrtimer deadlock. (bnc#768632) - ntp: avoid printk under xtime_lock (bnc#767684). The following non-security issues have been fixed : - tcp: drop SYN+FIN messages to avoid memory leaks. (bnc#765102) - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - REVERT svcrpc: destroy server sockets all at once.
(bnc#769210) - sched: Make sure to not re-read variables after validation. (bnc#769685) - audit: Do not send uninitialized data for AUDIT_TTY_GET. (bnc#755513) - dlm: do not depend on sctp. (bnc#729247, bnc#763656) - RPC: killing RPC tasks races fixed. (bnc#765548) - vlan/core: Fix memory leak/corruption on VLAN GRO_DROP. (bnc#758058) - CPU hotplug, cpusets, suspend/resume: Do not modify cpusets during suspend/resume. (bnc#752858) - ioat2: kill pending flag. (bnc#765022) - Fix massive driver induced spin_lock_bh() contention. - ipmi: Fix IPMI errors due to timing problems. (bnc#761988) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen: gntdev: fix multi-page slot allocation. (bnc#760974) - rpm/kernel-binary.spec.in: Own the right -kdump initrd. (bnc#764500) - kernel: pfault task state race (bnc#764098,LTC#81724). - xfrm: take net hdr len into account for esp payload size calculation. (bnc#759545) - bonding: do not dereference NULL pointer to device of VLAN 0. (bnc#763830) - cifs: fix oops while traversing open file list (try #4). (bnc#756050) - nfsd: fix BUG at fs/nfsd/nfsfh.h:199 on unlink. (bnc#769777) - nfs: Ensure we never try to mount an NFS auto-mount dir (bnc748601). - patches.suse/cgroup-disable-memcg-when-low-lowmem.patch: fix typo: use if defined(CONFIG_) rather than if CONFIG_ - patches.suse/pagecache-limit-fix-shmem-deadlock.patch: Fixed the GFP_NOWAIT is zero and not suitable for tests bug. (bnc#755537) - sys_poll: fix incorrect type for timeout parameter. (bnc#754428) - scsi_transport_fc: fix blocked bsg request when fc object deleted. (bnc#761414, bnc#734300) - ehea: fix allmulticast support. (bnc#758013) - scsi: Silence unnecessary warnings about ioctl to partition. (bnc#758104) - sched/x86: Fix overflow in cyc2ns_offset. (bnc#630970, bnc#661605) - sched/rt: Do not throttle when PI boosting. (bnc#754085) - sched/rt: Keep period timer ticking when rt throttling is active. 
(bnc#754085) - sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled. (bnc#754085)
    last seen 2019-02-21
    modified 2014-09-11
    plugin id 64177
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64177
    title SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 6547 / 6548 / 6550)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1533-1.NASL
    description An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. (CVE-2012-2136) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) An error was discovered in the Linux kernel's memory subsystem (hugetlb). An unprivileged local user could exploit this flaw to cause a denial of service (crash the system). (CVE-2012-2390) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400) A flaw was discovered in the madvise feature of the Linux kernel's memory subsystem. An unprivileged local user could exploit the flaw to cause a denial of service (crash the system). (CVE-2012-3511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 61511
    published 2012-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61511
    title Ubuntu 11.10 : linux vulnerabilities (USN-1533-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1514-1.NASL
    description A flaw was discovered in the Linux kernel's macvtap device driver, which is used in KVM (Kernel-based Virtual Machine) to create a network bridge between host and guest. A privileged user in a guest could exploit this flaw to crash the host, if the vhost_net module is loaded with the experimental_zcopytx option enabled. (CVE-2012-2119) An error was discovered in the Linux kernel's network TUN/TAP device implementation. A local user with access to the TUN/TAP interface (which is not available to unprivileged users until granted by a root user) could exploit this flaw to crash the system or potentially gain administrative privileges. (CVE-2012-2136) A flaw was found in how the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem handled MSI (Message Signaled Interrupts). A local unprivileged user could exploit this flaw to cause a denial of service or potentially elevate privileges. (CVE-2012-2137) A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372) Ulrich Obergfell discovered an error in the Linux kernel's memory management subsystem on 32 bit PAE systems with more than 4GB of memory installed. A local unprivileged user could exploit this flaw to crash the system. (CVE-2012-2373) Dan Rosenberg discovered flaws in the Linux kernel's NCI (Near Field Communication Controller Interface). A remote attacker could exploit these flaws to crash the system or potentially execute privileged code. (CVE-2012-3364) A flaw was discovered in the Linux kernel's epoll system call. An unprivileged local user could use this flaw to crash the system. (CVE-2012-3375) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400)
    last seen 2019-02-21
    modified 2016-12-01
    plugin id 61506
    published 2012-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61506
    title USN-1514-1 : linux-ti-omap4 vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0812-1.NASL
    description The SUSE Linux Enterprise 10 SP4 LTSS kernel was updated to receive various security and bugfixes. The following security bugs have been fixed : CVE-2015-2041: An information leak in the llc2_timeout_table was fixed (bnc#919007). CVE-2014-9322: arch/x86/kernel/entry_64.S in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space (bnc#910251). CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the 1-clock-tests test suite (bnc#907818). CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet (bnc#885422). CVE-2014-3673: The SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c (bnc#902346). CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response (bnc#896391).
CVE-2014-3184: The report_fixup functions in the HID subsystem in the Linux kernel might have allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c (bnc#896390). CVE-2014-1874: The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel allowed local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context (bnc#863335). CVE-2014-0181: The Netlink implementation in the Linux kernel did not provide a mechanism for authorizing socket operations based on the opener of a socket, which allowed local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program (bnc#875051). CVE-2013-4299: Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel allowed remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device (bnc#846404). CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c (bnc#823260). 
CVE-2012-6657: The sock_setsockopt function in net/core/sock.c in the Linux kernel did not ensure that a keepalive action is associated with a stream socket, which allowed local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket (bnc#896779). CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem (bnc#769784). CVE-2012-2319: Multiple buffer overflows in the hfsplus filesystem implementation in the Linux kernel allowed local users to gain privileges via a crafted HFS plus filesystem, a related issue to CVE-2009-4020 (bnc#760902). CVE-2012-2313: The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel did not restrict access to the SIOCSMIIREG command, which allowed local users to write data to an Ethernet adapter via an ioctl call (bnc#758813). CVE-2011-4132: The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allowed local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an 'invalid log first block value' (bnc#730118). CVE-2011-4127: The Linux kernel did not properly restrict SG_IO ioctl calls, which allowed local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume (bnc#738400). CVE-2011-1585: The cifs_find_smb_ses function in fs/cifs/connect.c in the Linux kernel did not properly determine the associations between users and sessions, which allowed local users to bypass CIFS share authentication by leveraging a mount of a share by a different user (bnc#687812). 
CVE-2011-1494: Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel might have allowed local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow (bnc#685402). CVE-2011-1495: drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel did not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions (bnc#685402). CVE-2011-1493: Array index error in the rose_parse_national function in net/rose/rose_subr.c in the Linux kernel allowed remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact by composing FAC_NATIONAL_DIGIS data that specifies a large number of digipeaters, and then sending this data to a ROSE socket (bnc#681175). CVE-2011-4913: The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel did not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allowed remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length value in data sent to a ROSE socket, or (2) conduct stack-based buffer overflow attacks via a large length value in data sent to a ROSE socket (bnc#681175). CVE-2011-4914: The ROSE protocol implementation in the Linux kernel did not verify that certain data-length values are consistent with the amount of data sent, which might allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via crafted data to a ROSE socket (bnc#681175). 
CVE-2011-1476: Integer underflow in the Open Sound System (OSS) subsystem in the Linux kernel on unspecified non-x86 platforms allowed local users to cause a denial of service (memory corruption) by leveraging write access to /dev/sequencer (bnc#681999). CVE-2011-1477: Multiple array index errors in sound/oss/opl3.c in the Linux kernel allowed local users to cause a denial of service (heap memory corruption) or possibly gain privileges by leveraging write access to /dev/sequencer (bnc#681999). CVE-2011-1163: The osf_partition function in fs/partitions/osf.c in the Linux kernel did not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing (bnc#679812). CVE-2011-1090: The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel stored NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allowed local users to cause a denial of service (panic) via a crafted attempt to set an ACL (bnc#677286). CVE-2014-9584: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel did not validate a length value in the Extensions Reference (ER) System Use Field, which allowed local users to obtain sensitive information from kernel memory via a crafted iso9660 image (bnc#912654). CVE-2014-9420: The rock_continue function in fs/isofs/rock.c in the Linux kernel did not restrict the number of Rock Ridge continuation entries, which allowed local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image (bnc#911325). 
CVE-2014-5471: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry (bnc#892490). CVE-2014-5472: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry (bnc#892490). CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number (bnc#880484). CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access (bnc#883795). CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call (bnc#883795). CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls (bnc#883795). 
CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access (bnc#883795). CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function (bnc#883795). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83723
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83723
    title SUSE SLES10 Security Update : kernel (SUSE-SU-2015:0812-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-2043.NASL
    description Description of changes: [2.6.39-300.17.2.el6uek]
      - hugepages: fix use after free bug in 'quota' handling [Orabug: 15845276] {CVE-2012-2133}
      - udf: Fortify loading of sparing table [Orabug: 15845302] {CVE-2012-3400}
      - udf: Avoid run away loop when partition table length is corrupt [Orabug: 15845302] {CVE-2012-3400}
      - mm: Hold a file reference in madvise_remove [Orabug: 15846025] {CVE-2012-3511}
    last seen 2018-09-02
    modified 2015-12-01
    plugin id 68687
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68687
    title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2012-2043)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130305_KERNEL_ON_SL5_X.NASL
    description This update fixes the following security issues:
      - Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges. (CVE-2012-3400, Low)
      This update also fixes the following bugs:
      - Previously, race conditions could sometimes occur in interrupt handling on the Emulex BladeEngine 2 (BE2) controllers, causing the network adapter to become unresponsive. This update provides a series of patches for the be2net driver, which prevents the race from occurring. The network cards using BE2 chipsets no longer hang due to incorrectly handled interrupt events.
      - A boot-time memory allocation pool (the DMI heap) is used to keep the list of Desktop Management Interface (DMI) devices during the system boot. Previously, the size of the DMI heap was only 2048 bytes on the AMD64 and Intel 64 architectures and the DMI heap space could become easily depleted on some systems, such as the IBM System x3500 M2. A subsequent OOM failure could, under certain circumstances, lead to a NULL pointer entry being stored in the DMI device list. Consequently, scanning of such a corrupted DMI device list resulted in a kernel panic. The boot-time memory allocation pool for the AMD64 and Intel 64 architectures has been enlarged to 4096 bytes and the routines responsible for populating the DMI device list have been modified to skip entries if their name string is NULL. The kernel no longer panics in this scenario.
      - The size of the buffer used to print the kernel taint output on kernel panic was too small, which resulted in the kernel taint output not being printed completely sometimes. With this update, the size of the buffer has been adjusted and the kernel taint output is now displayed properly.
      - The code to print the kernel taint output contained a typographical error. Consequently, the kernel taint output, which is displayed on kernel panic, could not provide taint error messages for unsupported hardware. This update fixes the typo and the kernel taint output is now displayed correctly.
      The system must be rebooted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 65076
    published 2013-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65076
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1555-1.NASL
    description Chen Haogang discovered an integer overflow that could result in memory corruption. A local unprivileged user could use this to crash the system. (CVE-2012-0044) A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2012-2372) Some errors were discovered in the Linux kernel's UDF file system, which is used to mount some CD-ROMs and DVDs. An unprivileged local user could use these flaws to crash the system. (CVE-2012-3400). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 61788
    published 2012-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61788
    title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1555-1)
redhat via4
advisories
bugzilla
id 843139
title CVE-2012-3400 kernel: udf: buffer overflow when parsing sparing table
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment kernel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594002
      • comment kernel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314003
    • AND
      • comment kernel-PAE is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594020
      • comment kernel-PAE is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314021
    • AND
      • comment kernel-PAE-devel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594022
      • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314023
    • AND
      • comment kernel-debug is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594014
      • comment kernel-debug is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314015
    • AND
      • comment kernel-debug-devel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594010
      • comment kernel-debug-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314009
    • AND
      • comment kernel-devel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594012
      • comment kernel-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314007
    • AND
      • comment kernel-doc is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594024
      • comment kernel-doc is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314025
    • AND
      • comment kernel-headers is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594004
      • comment kernel-headers is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314005
    • AND
      • comment kernel-kdump is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594016
      • comment kernel-kdump is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314017
    • AND
      • comment kernel-kdump-devel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594018
      • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314019
    • AND
      • comment kernel-xen is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594008
      • comment kernel-xen is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314011
    • AND
      • comment kernel-xen-devel is earlier than 0:2.6.18-348.2.1.el5
        oval oval:com.redhat.rhsa:tst:20130594006
      • comment kernel-xen-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314013
rhsa
id RHSA-2013:0594
released 2013-03-05
severity Low
title RHSA-2013:0594: kernel security and bug fix update (Low)
rpms
  • kernel-0:2.6.32-279.14.1.el6
  • kernel-bootwrapper-0:2.6.32-279.14.1.el6
  • kernel-debug-0:2.6.32-279.14.1.el6
  • kernel-debug-devel-0:2.6.32-279.14.1.el6
  • kernel-devel-0:2.6.32-279.14.1.el6
  • kernel-doc-0:2.6.32-279.14.1.el6
  • kernel-firmware-0:2.6.32-279.14.1.el6
  • kernel-headers-0:2.6.32-279.14.1.el6
  • kernel-kdump-0:2.6.32-279.14.1.el6
  • kernel-kdump-devel-0:2.6.32-279.14.1.el6
  • perf-0:2.6.32-279.14.1.el6
  • python-perf-0:2.6.32-279.14.1.el6
  • kernel-0:2.6.18-348.2.1.el5
  • kernel-PAE-0:2.6.18-348.2.1.el5
  • kernel-PAE-devel-0:2.6.18-348.2.1.el5
  • kernel-debug-0:2.6.18-348.2.1.el5
  • kernel-debug-devel-0:2.6.18-348.2.1.el5
  • kernel-devel-0:2.6.18-348.2.1.el5
  • kernel-doc-0:2.6.18-348.2.1.el5
  • kernel-headers-0:2.6.18-348.2.1.el5
  • kernel-kdump-0:2.6.18-348.2.1.el5
  • kernel-kdump-devel-0:2.6.18-348.2.1.el5
  • kernel-xen-0:2.6.18-348.2.1.el5
  • kernel-xen-devel-0:2.6.18-348.2.1.el5
refmap via4
confirm
mlist [oss-security] 20120709 Re: CVE Request: Stability fixes in UDF Logical Volume Descriptor handling
secunia 50506
suse SUSE-SU-2015:0812
ubuntu
  • USN-1529-1
  • USN-1555-1
  • USN-1556-1
  • USN-1557-1
Last major update 07-12-2016 - 22:02
Published 03-10-2012 - 07:02