CVE-2010-4346 – kernel: install_special_mapping skips security_file_mmap check
https://notcve.org/view.php?id=CVE-2010-4346
The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application. función install_special_mapping en mm/mmap.c en el kernel de Linux anterior v2.6.37-rc6 no crea una llamada a la función security_file_mmap esperada, lo que permite a usuarios locales superar las restricciones mmap_min_addr establecidas y probablemente conducir ataques referencia a puntero NULO a través de una aplicación con lenguaje ensamblador manipulado. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=462e635e5b73ba9a4c03913b77138cd57ce4b050 http://openwall.com/lists/oss-security/2010/12/09/12 http://openwall.com/lists/oss-security/2010/12/09/13 http://openwall.com/lists/oss-security/2010/12/10/2 http://openwall.com/lists/oss-security/2010/12/10/3 http://secunia.com/advisories/42570 http://secunia.com/advisories/46397 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog- • CWE-476: NULL Pointer Dereference •
CVE-2010-4347 – Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-4347
The ACPI subsystem in the Linux kernel before 2.6.36.2 uses 0222 permissions for the debugfs custom_method file, which allows local users to gain privileges by placing a custom ACPI method in the ACPI interpreter tables, related to the acpi_debugfs_init function in drivers/acpi/debugfs.c. subsistema ACPI en el kernel de Linux anterior v2.6.36.2 usa permisos 0222 para el fichero debugfs custom_method, lo que permite a usuarios locales obtener privilegios por remplazamiento de cliente de método ACPI en la tabla de intérprete ACPI, relacionado con la función acpi_debugfs_init function en drivers/acpi/debugfs.c. • https://www.exploit-db.com/exploits/15774 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ed3aada1bf34c5a9e98af167f125f8a740fc726a http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://openwall.com/lists/oss-security/2010/12/15/3 http://openwall.com/lists/oss-security/2010/12/15/7 http://secunia.com/advisories/42778 http://www.exploit-db.com/explo • CWE-269: Improper Privilege Management •
CVE-2010-4157 – kernel: gdth: integer overflow in ioc_general()
https://notcve.org/view.php?id=CVE-2010-4157
Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call. Desbordamiento de entero en la función ioc_general en drivers/scsi/gdth.c en el kernel Linux, en versiones anteriores a la 2.6.36.1 en plataformas de 64-bit, permite a atacantes locales provocar una denegación de servicio (corrupción de memoria) o posiblemente tener otro impacto no especificado a través de un argumento largo en una llamada ioctl. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=f63ae56e4e97fb12053590e41a4fa59e7daa74a4 http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052513.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html http://l • CWE-190: Integer Overflow or Wraparound •
CVE-2010-3861 – kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
https://notcve.org/view.php?id=CVE-2010-3861
The ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize a certain block of heap memory, which allows local users to obtain potentially sensitive information via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value, a different vulnerability than CVE-2010-2478. La función ethtool_get_rxnfc en net/core/ethtool.c en el kernel Linux, en versiones anteriores a la 2.6.36 no inicializa un cierto bloque de memoria dinámica, lo que permite a usuarios locales obtener información potencialmente sensible a través de un comando ethtool ETHTOOL_GRXCLSRLALL con un valor info.rule_cnt de gran tamaño, una vulnerabilidad diferente a CVE-2010-2478. • http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ae6df5f96a51818d6376da5307d773baeece4014 http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html http://openwall.com/lists/oss-security/2010/10/25/4 http://openwall.com/lists/os • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2010-4258 – Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2010-4258
The do_exit function in kernel/exit.c in the Linux kernel before 2.6.36.2 does not properly handle a KERNEL_DS get_fs value, which allows local users to bypass intended access_ok restrictions, overwrite arbitrary kernel memory locations, and gain privileges by leveraging a (1) BUG, (2) NULL pointer dereference, or (3) page fault, as demonstrated by vectors involving the clear_child_tid feature and the splice system call. La función do_exit en kernel/exit.c en el kernel de Linux anteriores a v2.6.36.2 no gestiona de forma adecuada el KERNEL_DS y el valor get_fs, lo que permite a usuarios locales saltarse las restricciones access_ok, sobrescribiendo posiciones de memoria del kernel, y obtener privilegios mediante el aprovechamiento de un (1) ERROR, (2) desreferencia a un puntero NULL, o (3) error de página, como lo demuestró por vectores que implican la característica clear_child_tid en las llamadas al sistema de unión. • https://www.exploit-db.com/exploits/15704 http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0086.html http://blog.nelhage.com/2010/12/cve-2010-4258-from-dos-to-privesc http://code.google.com/p/chromium-os/issues/detail?id=10234 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 http://googlechromereleases.blogspot.com/2011/01/chrome-os-beta-channel-update.html http://lists.fedoraproject.org/pipermail/package-annou • CWE-269: Improper Privilege Management •