CVE-2011-2213 – kernel: inet_diag: insufficient validation
https://notcve.org/view.php?id=CVE-2011-2213
The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880. La función net_diag_bc_audit en net/ipv4/inet_diag.c en el Kernel de Linux anterior a v2.6.39.3 no audita adecuadamente bytecode INET_DIAG, lo que permite a usuarios locales provocar una denegación de servicio a través de instrucciones manipuladas INET_DIAG_REQ_BYTECODE en un mensaje netlink, como se demostró por una instrucción INET_DIAG_BC_JMP con un valor zero yes, una vulnerabilidad diferente que CVE-2010-3880. • http://article.gmane.org/gmane.linux.network/197206 http://article.gmane.org/gmane.linux.network/197208 http://article.gmane.org/gmane.linux.network/197386 http://article.gmane.org/gmane.linux.network/198809 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=eeb1497277d6b1a0a34ed36b97e18f2bd7d6de0d http://marc.info/?l=bugtraq&m=139447903326211&w=2 http://patchwork.ozlabs.org/patch/100857 http://rhn.redhat.com/errata/RHSA-2011-0927.html http://www.kern • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2011-2492 – kernel: bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace
https://notcve.org/view.php?id=CVE-2011-2492
The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. El subsistema de bluetooth en el kernel de Linux anteriores a v3.0-rc4 no inicializa correctamente algunas estructuras de datos, lo que permite a usuarios locales obtener información sensible de la memoria del kernel a través de una llamada getsockopt manipulada, en relación con (1) la función l2cap_sock_getsockopt_old en net/bluetooth/l2cap_sock.c y (2) la función rfcomm_sock_getsockopt_old en net/bluetooth/rfcomm/sock.c. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8d03e971cf403305217b8e62db3a2e5ad2d6263f http://marc.info/?l=bugtraq&m=139447903326211&w=2 http://permalink.gmane.org/gmane.linux.bluez.kernel/12909 http://rhn.redhat.com/errata/RHSA-2011-0927.html http://securitytracker.com/id?1025778 http://www.kernel.org/pub/linux/kernel/v3.0/testing/ChangeLog-3.0-rc4 http://www.openwall.com/lists/oss-security/2011/06/24/2 http://www.openwall.com/lists/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2011-1093 – kernel: dccp: fix oops on Reset after close
https://notcve.org/view.php?id=CVE-2011-1093
The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. Función dccp_rcv_state_process en net/dccp/input.c en la implementación de Datagram Congestion Control Protocol(DCCP)en el kernel de linux antes de v2.6.38 no maneja adecuadamente paquetes para un extremo cerrado, que permite a atacantes remotos provocar una denegación de servicio ( puntero a NULO y OOPS ) mediante el envío de un paquete DCCP-Close seguido por un paquete DCCP-Reset. • http://downloads.avaya.com/css/P8/documents/100145416 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=720dc34bbbe9493c7bd48b2243058b4e447a929d http://openwall.com/lists/oss-security/2011/03/08/19 http://openwall.com/lists/oss-security/2011/03/08/4 http://rhn.redhat.com/errata/RHSA-2011-0833.html http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38 http://www.securityfocus.com/bid/46793 https://bugzilla.redhat.com/show_bug.cgi • CWE-476: NULL Pointer Dereference •
CVE-2011-1182 – kernel signal spoofing issue
https://notcve.org/view.php?id=CVE-2011-1182
kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call. kernel/signal.c en Linux kernel anterior a v2.6.39 permite a usuarios locales falsear el "uid" y el "pid" a través de un envío de señal de una llamada del sistema "sigqueueinfo". • http://ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=da48524eb20662618854bb3df2db01fc65f3070c http://rhn.redhat.com/errata/RHSA-2011-0927.html http://www.openwall.com/lists/oss-security/2011/03/23/2 https://bugzilla.redhat.com/show_bug.cgi?id=690028 https://github.com/torvalds/linux/commit/da48524eb20662618854bb3df2db01fc65f3070c https://access.redhat.com/security/cve/CVE-2011-1182 •
CVE-2011-1746 – kernel: agp: insufficient page_count parameter checking in agp_allocate_memory()
https://notcve.org/view.php?id=CVE-2011-1746
Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. Multiples desbordamientos de enteros en las funciones agp_allocate_memory y agp_create_user_memory en los drivers /char/agp/generic.c del kernel de Linux con anterioridad a v2.6.38.5 permite a los usuarios locales provocar desbordamientos de búfer, y causar en consecuencia, una denegación de servicio ( caída del sistema ) o, posiblemente, tener un impacto no especificado, a través de vectores relacionados con las llamadas que especifican un amplio número de páginas de memoria. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=b522f02184b413955f3bc952e3776ce41edc6355 http://openwall.com/lists/oss-security/2011/04/21/4 http://openwall.com/lists/oss-security/2011/04/22/7 http://rhn.redhat.com/errata/RHSA-2011-0927.html http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.38.5 http://www.securityfocus.com/bid/47535 https://bugzilla.redhat.com/show_bug.cgi?id=698998 https://lkml.org/lkml/2011/4/14 • CWE-189: Numeric Errors •