kernel: security and bugfix update.

The openSUSE 11.4 kernel was updated to 2.6.37.6 fixing
lots of bugs and security issues.

The following security issues have been fixed:

CVE-2011-1493: In the rose networking stack, when parsing the
FAC_NATIONAL_DIGIS facilities field, it was possible for a
remote host to provide more digipeaters than expected,
resulting in heap corruption. Check against ROSE_MAX_DIGIS
to prevent overflows, and abort facilities parsing on
failure.

CVE-2011-1182: Local attackers could send signals to their
programs that appeared to come from the kernel,
potentially gaining privileges in the context of setuid
programs.

CVE-2011-1478: An issue in the core GRO code where an skb
belonging to an unknown VLAN is reused could result in a
NULL pointer dereference.

CVE-2011-1476: Specially crafted requests may be written to
/dev/sequencer resulting in an underflow when calculating a
size for a copy_from_user() operation in the driver for
MIDI interfaces. On x86, this just returns an error, but it
could have caused memory corruption on other architectures.
Other malformed requests could have resulted in the use of
uninitialized variables.

CVE-2011-1477: Due to a failure to validate user-supplied
indexes in the driver for Yamaha YM3812 and OPL-3 chips, a
specially crafted ioctl request could have been sent to
/dev/sequencer, resulting in reading and writing beyond the
bounds of heap buffers, and potentially allowing privilege
escalation.

CVE-2011-0191: An information leak in the XFS geometry calls
could be used by local attackers to gain access to kernel
information.

CVE-2011-0711: A stack memory information leak in the xfs
FSGEOMETRY_V1 ioctl was fixed.

CVE-2011-0521: The dvb_ca_ioctl function in
drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel did
not check the sign of a certain integer field, which
allowed local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a
negative value.

CVE-2011-1010: The code for evaluating Mac partitions (in
fs/partitions/mac.c) contained a bug that could crash the
kernel for certain corrupted Mac partitions.

CVE-2011-0712: Multiple buffer overflows in the caiaq
Native Instruments USB audio functionality in the Linux
kernel might have allowed attackers to cause a denial of
service or possibly have unspecified other impact via a
long USB device name, related to (1) the
snd_usb_caiaq_audio_init function in
sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init
function in sound/usb/caiaq/midi.c.

CVE-2011-1013: A signedness issue in the drm ioctl handling
could be used by local attackers to potentially overflow
kernel buffers and execute code.

CVE-2011-1082: The epoll subsystem in Linux did not prevent
users from creating circular epoll file structures,
potentially leading to a denial of service (kernel
deadlock).

CVE-2010-4650: A kernel buffer overflow in the cuse server
module was fixed, which might have allowed local privilege
escalation. However only CUSE servers could exploit it and
/dev/cuse is normally restricted to root.

CVE-2011-1093: A bug was fixed in the DCCP networking stack
where the order of dccp_rcv_state_process() still permitted
reception even after closing the socket. A Reset after
close thus causes a NULL pointer dereference by not
preventing operations on an already torn-down socket.

CVE-2011-1163: The code for evaluating OSF partitions (in
fs/partitions/osf.c) contained a bug that leaks data from
kernel heap memory to userspace for certain corrupted OSF
partitions.

CVE-2011-1012: The code for evaluating LDM partitions (in
fs/partitions/ldm.c) contained a bug that could crash the
kernel for certain corrupted LDM partitions.

CVE-2011-1581: Doing bridging with devices with more than
16 receive queues could crash the kernel.

CVE-2011-1160: Kernel information leaks via the TPM devices
could be used by local attackers to read kernel memory.

CVE-2011-1577: The Linux kernel automatically evaluated
partition tables of storage devices. The code for
evaluating EFI GUID partitions (in fs/partitions/efi.c)
contained a bug that causes a kernel oops on certain
corrupted GUID partition tables, which might be used by
local attackers to crash the kernel or potentially execute
code.

CVE-2011-1180: In the IrDA module, length fields provided
by a peer for names and attributes may be longer than the
destination array sizes and were not checked. This allowed
local attackers (close to the irda port) to potentially
corrupt memory.

CVE-2011-1016: The Radeon GPU drivers in the Linux kernel
did not properly validate data related to the AA resolve
registers, which allowed local users to write to arbitrary
memory locations associated with (1) Video RAM (aka VRAM)
or (2) the Graphics Translation Table (GTT) via crafted
values.
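
The fix described for CVE-2011-1493 (check the entry count against ROSE_MAX_DIGIS before each copy, and abort parsing on failure) can be modelled in user space as below. This is an added example, not the kernel's code: the structure, the function names, and the values of ADDR_LEN and ROSE_MAX_DIGIS are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN       7  /* assumed size of one digipeater address */
#define ROSE_MAX_DIGIS 6  /* limit named in the advisory; value assumed */

struct digi_list {
    uint8_t addr[ROSE_MAX_DIGIS][ADDR_LEN];
    unsigned int count;
};

/* Copy peer-supplied digipeater addresses from a field of `len` bytes.
 * Returns 0 on success, -1 if the field is malformed or lists more
 * entries than the destination holds; on -1 the caller must stop
 * parsing the remaining facilities. */
static int parse_digis(const uint8_t *val, size_t len, struct digi_list *out)
{
    size_t off;
    out->count = 0;
    if (len % ADDR_LEN != 0)
        return -1;                  /* truncated trailing address */
    for (off = 0; off < len; off += ADDR_LEN) {
        if (out->count >= ROSE_MAX_DIGIS)
            return -1;              /* check before the copy, not after */
        memcpy(out->addr[out->count++], val + off, ADDR_LEN);
    }
    return 0;
}

/* Constructed input: a field of `len` filler bytes.
 * Returns the number of addresses accepted, or -1 if rejected. */
static int try_field(size_t len)
{
    uint8_t field[16 * ADDR_LEN];
    struct digi_list dl;
    if (len > sizeof(field))
        return -1;
    memset(field, 0x41, sizeof(field));
    return parse_digis(field, len, &dl) == 0 ? (int)dl.count : -1;
}

int main(void)
{
    printf("6 addresses: %d\n", try_field(6 * ADDR_LEN));
    printf("7 addresses: %d\n", try_field(7 * ADDR_LEN));
    return 0;
}
```

The same pattern, validating a peer- or user-supplied count or length against the destination size before copying, is what the IrDA and caiaq entries above also come down to.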

Fixed bugs
bnc#681076
openSuSE 11.4: Inserting samsung_laptop kernel module fails on Samsung N130.
bnc#684248
[tumbleweed] hibernation doesnt resume after kernel update (.38.1->.38.2)
bnc#681175
VUL-0: kernel: multiple issues in ROSE
bnc#680073
kernel bug: reiserfs EIP is at shrink_dcache_for_umount_subtree
bnc#684112
reiserfs Null pointer deref segfault
bnc#680510
sched_setscheduler: Operation not permitted
bnc#680932
openSuSE 11.4: intel_ips causes high load - hangs in d state
bnc#678466
Swap over NFS reserves too much memory on openSUSE-11.4
bnc#681826
VUL-0: CVE-2011-1182: kernel: SI_TKILL signal spoofing
bnc#682965
VUL-0: kernel: gro: reset dev and skb_iff on skb reuse
bnc#682725
Sound buffer size is smaller on 11.4
bnc#677256
Sound in both headphones and speakers
bnc#558740
kernel parameter module=ide-generic not passed to installed kernel
bnc#679588
No sound using ALC 889 with onboard audio card
bnc#680816
VUL-0: kernel: AudioScience HPI driver memory corruption
bnc#681999
VUL-0: kernel: two OSS fixes
bnc#672505
VUL-1: CVE-2011-0191: kernel: xfs infoleak
bnc#648742
radeon [9800] Suspend to disk dont work
bnc#681297
Skycable wireless presenter remote doesnt work
bnc#673992
No more mobile broadband networking support for Nokia phones (at least 5800 XM)
bnc#678123
getdents64() misbehaves in NFS mounted directories
bnc#678497
zone low watermark is not being reported in /proc/zoneinfo
bnc#678472
Swap over NFS deadlocks under memory pressure
bnc#677738
Swap over NFS crashes on openSUSE-11.4
bnc#678970
List corruption by duplicated initialization in net/ipv4/route.c
bnc#679016
Regression: sound worked in openSUSE 11.3, doesnt work any more in openSUSE 11.4
bnc#644807
dvb subsystem crashed when dvb stream start playing on leadtek_winfast usb dongle
bnc#607239
mantis-module does not load automatically on boot
bnc#668437
Intel® 82579V Gigabit Ethernet Controller
bnc#669394
umount command hangs all system unmounts including at shutdown
bnc#662733
iwlagn: connection drops regularly
bnc#674245
brcm80211 driver does not survive suspend/resume
bnc#674735
USB-audio kernel Oops at disconnection
bnc#672524
VUL-1: kernel: xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
bnc#674691
VUL-1: kernel: drm_modeset_ctl signedness issue
bnc#676202
VUL-0: kernel: epoll DoS via circular struct
bnc#662945
VUL-1: kernel: fuse: verify ioctl retries, buffer overflow exploitable by CUSE server
bnc#677676
VUL-0: kernel: dccp: fix oops on Reset after close
bnc#674254
VUL-1: kernel: Corrupted LDM partition table issues
bnc#685469
Network fails when bridge is on top of bond using 802.3ad
bnc#668880
cannot mount secure nfs exports (kerberized nfs / rpc.gssd crashes)
bnc#669937
KMS with ATi radeon X1950 XTX fails to detect screen on DVI ports (driver=radeon):
bnc#679898
kernel OOPS while writing to ext4 loop
bnc#679143
DVD-RW drive is not recognized with "failed to set xfermode (err_mask=0x4)" boot message
bnc#687116
VUL-1: kernel: bonding: Incorrect TX queue offset
bnc#680040
VUL-0: kernel: tpm infoleaks
bnc#687113
VUL-0: kernel: fs/partitions: Corrupted GUID partition tables cause oops
bnc#673934
VUL-1: kernel: a collection of world-writable debugfs bugs
bnc#681497
VUL-0: kernel: irda peer name and attribute stack overflow
bnc#674693
VUL-1: kernel: drm/radeon/kms: check AA resolve registers on r300