Suse Linux Enterprise Real Time Extension vulnerabilities

CVE-2010-4083 [LOW] CWE-909 CVE-2010-4083: The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call.

CVE-2010-4078 [LOW] CWE-909 CVE-2010-4078: The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call.

CVE-2010-4073 [LOW] CWE-200 CVE-2010-4073: The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, whic The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) c

CVE-2010-4072 [LOW] CWE-200 CVE-2010-4072: The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initiali The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface."

CVE-2010-2962 [HIGH] CWE-20 CVE-2010-2962: drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use

CVE-2010-3432 [HIGH] CWE-20 CVE-2010-3432: The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs ex The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.

CVE-2010-4165 [MEDIUM] CWE-369 CVE-2010-4165: The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not prop The do_tcp_setsockopt function in net/ipv4/tcp.c in the Linux kernel before 2.6.37-rc2 does not properly restrict TCP_MAXSEG (aka MSS) values, which allows local users to cause a denial of service (OOPS) via a setsockopt call that specifies a small value, leading to a divide-by-zero error or incorrect use of a signed integer.

CVE-2010-4169 [MEDIUM] CWE-416 CVE-2010-4169: Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local use Use-after-free vulnerability in mm/mprotect.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors involving an mprotect system call.

CVE-2010-3442 [MEDIUM] CWE-190 CVE-2010-3442: Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel b Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

CVE-2010-3437 [MEDIUM] CWE-476 CVE-2010-3437: Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the L Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.

CVE-2010-3297 [LOW] CWE-909 CVE-2010-3297: The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not pr The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.

CVE-2010-3296 [LOW] CWE-200 CVE-2010-3296: The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.3 The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.

CVE-2010-3298 [LOW] CWE-200 CVE-2010-3298: The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not p The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

CVE-2010-3301 [HIGH] CVE-2010-3301: The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE:

CVE-2010-3080 [HIGH] CWE-415 CVE-2010-3080: Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in t Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.

CVE-2010-3067 [MEDIUM] CWE-190 CVE-2010-3067: Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.

CVE-2010-2955 [LOW] CWE-193 CVE-2010-2955: The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36- The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel

CVE-2007-6206 [LOW] CWE-200 CVE-2007-6206: The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly The do_coredump function in fs/exec.c in Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, does not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which might allow local users to obtain sensitive information.