MDVSA-2011:051

The do_anonymous_page function in mm/memory.c in the Linux kernel does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240)

The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer. (CVE-2010-4165)

The copy_shmid_to_user function in ipc/shm.c in the Linux kernel does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the old shm interface. (CVE-2010-4072)

The ipc subsystem in the Linux kernel does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. (CVE-2010-4073)

The copy_semid_to_user function in ipc/sem.c in the Linux kernel does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. (CVE-2010-4083)

The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. (CVE-2010-4078)

The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call. (CVE-2010-3297)

Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call. (CVE-2010-3437)

fs/jfs/xattr.c in the Linux kernel does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an os2. substring at the beginning of a name. (CVE-2010-2946)

Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions. (CVE-2010-3310)

Integer overflow in the do_io_submit function in fs/aio.c in the Linux allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call. (CVE-2010-3067)

net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. (CVE-2010-0007)

The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure. (CVE-2010-3875)

fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)

The personality subsystem in the Linux kernel has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR). (CVE-2009-1895)

The load_flat_shared_library function in fs/binfmt_flat.c in the flat subsystem in the Linux kernel allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by executing a shared flat binary. (CVE-2009-2768)

The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726)

The UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket. (CVE-2009-2698)

Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080)

Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521)

net/ipv6/tcp_ipv6.c in Linux kernel inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double-free by opening a listeing IPv6 socket, attaching a flow label, and connecting to that socket. (CVE-2007-1592)

The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel does not require the CAP_NET_ADMIN capability, which allows local users to bypass intended access restrictions and configure econet addresses via an SIOCSIFADDR ioctl call. (CVE-2010-3850)

All these problems have been corrected, to update your kernel, please follow the directions located at:

http://www.mandriva.com/en/security/kernelupdate