8.3 - MDVSA-2011:029

A vulnerability was discovered and corrected in the Linux 2.6 kernel: The X.25 implementation does not properly parse facilities, which allows remote attackers to cause a denial of service (heap memory corruption and panic) or possibly have unspecified other impact via malformed data, a different vulnerability than CVE-2010-4164. (CVE-2010-3873)

The bcm_connect function Broadcast Manager in the Controller Area Network (CAN) implementation in the Linux creates a publicly accessible file with a filename containing a kernel memory address, which allows local users to obtain potentially sensitive information about kernel memory use by listing this filename. (CVE-2010-4565)

The install_special_mapping function in mm/mmap.c does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application. (CVE-2010-4346)

The sk_run_filter function does not check whether a certain memory location has been initialized before executing a BPF_S_LD_MEM or BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter. (CVE-2010-4158)

Heap-based buffer overflow in the bcm_connect function the Broadcast Manager in the Controller Area Network (CAN)on 64-bit platforms might allow local users to cause a denial of service (memory corruption) via a connect operation. (CVE-2010-3874)

The blk_rq_map_user_iov function in block/blk-map.c allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device. (CVE-2010-4163)

Multiple integer underflows in the x25_parse_facilities function in allow remote attackers to cause a denial of service (system crash) via malformed X.25 (1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4) X25_FAC_CLASS_D facility data. (CVE-2010-4164)

Race condition in the do_setlk function allows local users to cause a denial of service (crash) via vectors resulting in an interrupted RPC call that leads to a stray FL_POSIX lock, related to improper handling of a race between fcntl and close in the EINTR case. (CVE-2009-4307)

Multiple integer overflows in fs/bio.c allow local users to cause a denial of service (system crash) via a crafted device ioctl to a SCSI device. (CVE-2010-4162)

Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. (CVE-2010-3015)

The do_exit function in kernel/exit.c does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call. (CVE-2010-4258)

The ax25_getname function in net/ax25/af_ax25.c does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3875)

Integer overflow in the do_io_submit function in fs/aio.c allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067)

Race condition in the __exit_signal function in kernel/exit.c allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c. (CVE-2010-4248)

Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)

The get_name function in net/tipc/socket.c does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3877)

Stack-based buffer overflow in the parse_tag_11_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to not ensuring that the key signature length in a Tag 11 packet is compatible with the key signature buffer size. (CVE-2009-2406)

Multiple integer signedness errors in the TIPC implementation allow local users to gain privileges via a crafted sendmsg call that triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c. (CVE-2010-3859)

The ipc subsystem does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073)

The copy_shmid_to_user function does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the old shm interface. (CVE-2010-4072)

The sctp_auth_asoc_get_hmac function in net/sctp/auth.c does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array. (CVE-2010-3705)

The do_tcp_setsockopt function in net/ipv4/tcp.c does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer. (CVE-2010-4165)

Multiple integer signedness errors in net/rose/af_rose.c allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310)

The KVM implementation does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT). (CVE-2010-3698)

This update disable the iommu hardware in order to avoid crash with some DELL servers (R510, R710,...)

To update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate