Pardus: 2010-112: Kernel: Multiple Vulnerabilities
Posted by Benjamin D. Thomas   
Multiple vulnerabilities have been fixed in kernel
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-112           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-12
  Severity: 4
      Type: Remote
------------------------------------------------------------------------

Summary
======
Multiple vulnerabilities have been fixed in kernel


Description
==========
CVE-2010-2226:

A flaw was found in the handling of the SWAPEXT IOCTL in the Linux
kernel XFS file system implementation. A local user could use this flaw
to read write-only files that they do not own on an XFS file system.
This could lead to unintended information disclosure.



CVE-2010-2248:

A flaw was found in the CIFSSMBWrite() function in the Linux kernel
Common Internet File System (CIFS) implementation. A remote attacker
could send a specially-crafted SMB response packet to a target CIFS
client, resulting in a kernel panic (denial of service).



CVE-2010-2495:

A flaw was found in the pppol2tp_xmit() function in the Linux kernel
l2tp implementation. When transmitting L2TP frames, the outgoing
interface's UDP checksum hardware assist capabilities can be NULL,
causing a NULL pointer dereference.



CVE-2010-2521:

Buffer overflow flaws were found in the Linux kernel's implementation
of the server-side External Data Representation (XDR) for the Network
File System (NFS) version 4. An attacker on the local network could send
a specially-crafted large compound request to the NFSv4 server, which
could possibly result in a kernel panic (denial of service) or,
potentially, code execution.



CVE-2010-2537:

The  BTRFS_IOC_CLONE and  BTRFS_IOC_CLONE_RANGE  ioctls  should  check
whether the donor file is append-only before writing to it.



CVE-2010-2538:

The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that
allows a user to specify an out-of-bounds range to copy from the source
file (if off + len wraps around).
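
The wrap-around described for CVE-2010-2538, shown as an added example
that is not part of the advisory and is not btrfs code: a bounds check
that computes off + len beside a form that cannot overflow. The function
names, the unsigned 64-bit types and the sample values are assumptions
made for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: naive check that [off, off + len) lies inside a
 * source file of src_size bytes. In unsigned 64-bit arithmetic the sum
 * can wrap past zero, so a huge off plus a suitable len produces a small
 * value that passes the comparison. */
static bool range_ok_naive(uint64_t off, uint64_t len, uint64_t src_size)
{
    return off + len <= src_size;
}

/* Overflow-safe form: never computes off + len. Once off is known to be
 * within the file, src_size - off cannot underflow. */
static bool range_ok_checked(uint64_t off, uint64_t len, uint64_t src_size)
{
    if (off > src_size)
        return false;
    return len <= src_size - off;
}

int main(void)
{
    const uint64_t src_size = 4096;      /* constructed sample file size */
    const struct { uint64_t off, len; } cases[] = {
        { 0, 4096 },                     /* whole file, valid */
        { 1024, 1024 },                  /* interior range, valid */
        { 4096, 1 },                     /* one byte past the end */
        { UINT64_MAX - 4095, 8192 },     /* off + len wraps to 4096 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("off=%" PRIu64 " len=%" PRIu64 " naive=%d checked=%d\n",
               cases[i].off, cases[i].len,
               range_ok_naive(cases[i].off, cases[i].len, src_size),
               range_ok_checked(cases[i].off, cases[i].len, src_size));
    return 0;
}
```

Only the last case differs: the naive check accepts it because the sum
wraps, while the checked form rejects it.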



CVE-2010-2798:

The problem was in the way the gfs2 directory code was trying to re-use
sentinel directory entries. A local, unprivileged user on a gfs2 mounted
directory  can trigger  this  issue,  resulting  in  a  NULL   pointer
dereference.


Affected packages:

  Pardus 2009:
    kernel, all before 2.6.31.13-131-47
    kernel-pae, all before 2.6.31.13-131-28



Resolution
=========
There are update(s) for kernel, kernel-pae. You  can  update  them  via
Package Manager or with a single command from console:

    pisi up kernel kernel-pae

References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id528
  * http://bugs.pardus.org.tr/show_bug.cgi?id648
  * http://bugs.pardus.org.tr/show_bug.cgi?id750
  * http://bugs.pardus.org.tr/show_bug.cgi?id753
  * http://bugs.pardus.org.tr/show_bug.cgi?id895
  * http://bugs.pardus.org.tr/show_bug.cgi?id903

------------------------------------------------------------------------