Red Hat Enterprise Linux Desktop vulnerabilities
1,928 known vulnerabilities affecting redhat/enterprise_linux_desktop.
Total CVEs: 1,928
CISA KEV: 56 (actively exploited)
Public exploits: 141
Exploited in wild: 61
Severity breakdown
CRITICAL: 345, HIGH: 708, MEDIUM: 756, LOW: 119
Vulnerabilities
CVE-2011-2213 [MEDIUM] CVSS 4.9, v5.0, 2011-08-29
The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a di
Source: NVD

CVE-2011-2689 [MEDIUM] CWE-400, CVSS 4.9, v5.0, 2011-07-28
The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.
Source: NVD

CVE-2011-2492 [LOW] CWE-200, CVSS 1.9, v5.0, 2011-07-28
The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockop
Source: NVD

CVE-2011-1093 [HIGH] CWE-476, CVSS 7.8, v5.0, 2011-07-18
The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP
Source: NVD

CVE-2011-1745 [MEDIUM] CWE-190, CVSS 6.9, v5.0, 2011-05-09
Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.
Source: NVD

CVE-2011-2022 [MEDIUM] CVSS 6.9, v5.0, 2011-05-09
The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.
Source: NVD

CVE-2011-1746 [MEDIUM] CWE-189, CVSS 6.9, v5.0, 2011-05-09
Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specif
Source: NVD

CVE-2011-1593 [MEDIUM] CWE-190, CVSS 4.9, v5.0, 2011-05-03
Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.
Source: NVD

CVE-2011-1163 [LOW] CWE-20, CVSS 2.1, v5.0, v6.0, 2011-04-10
The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.
Source: NVD

CVE-2011-1083 [MEDIUM] CWE-400, CVSS 4.9, PoC, v6.0, 2011-04-04
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
Source: NVD

CVE-2011-0695 [MEDIUM] CWE-362, CVSS 5.7, v5.0, 2011-03-15
Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
Source: NVD

CVE-2011-0711 [LOW] CWE-200, CVSS 2.1, v5.0, 2011-03-01
The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.
Source: NVD

CVE-2010-4649 [MEDIUM] CWE-190, CVSS 6.9, v5.0, 2011-02-18
Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.
Source: NVD

CVE-2011-1044 [LOW] CVSS 2.1, v5.0, 2011-02-18
The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.
Source: NVD

CVE-2010-4494 [HIGH] CWE-415, CVSS 7.5, v6.0, 2010-12-07
Double free vulnerability in libxml2 2.7.8 and other versions, as used in Google Chrome before 8.0.552.215 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.
Source: NVD

CVE-2010-4008 [MEDIUM] CWE-119, CVSS 4.3, v6.0, 2010-11-17
libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document.
Source: NVD

CVE-2010-4203 [CRITICAL] CWE-190, CVSS 9.8, v6.0, 2010-11-06
WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
Source: NVD

CVE-2010-2941 [CRITICAL] CWE-416, CVSS 9.8, v5.0, 2010-11-05
ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request.
Source: NVD

CVE-2010-3702 [HIGH] CWE-476, CVSS 7.5, v5.0, 2010-11-05
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.
Source: NVD

CVE-2010-1637 [MEDIUM] CWE-918, CVSS 6.5, v5.0, 2010-06-22
The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number.
Source: NVD