Some weaknesses and vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose system information, bypass certain security restrictions, cause a DoS (Denial of Service), and potentially gain escalated privileges and by malicious people with physical access to potentially compromise a vulnerable system and cause a DoS (Denial of Service).

1) An error exists within the "dvb_ca_ioctl()" function in drivers/media/dvb/ttpci/av7110_ca.c, which can be exploited to cause a kernel memory corruption by sending a specially crafted IOCTL.

2) The world-readable "/proc/<pid>/status" file on s390 systems contains the register information of a process, which can be used to disclose system information by reading the file.

This weakness only affects s390 systems.

3) The Radeon GPU drivers did not properly check data passed to the AA resolve registers, which can be exploited to e.g. write to the video RAM or the graphics translation table.

This only affects systems using Radeon GPU drivers with certain graphics hardware.

4) A signedness error within the "drm_modeset_ctl()" function in drivers/gpu/drm/drm_irq.c can be exploited to write outside the boundary of an array via certain modeset parameters.

5) An error exists within the epoll implementation, which can be exploited to cause a deadlock by creating circular epoll structures.

6) Boundary errors within the "nd_usb_caiaq_audio_init()" function in sound/usb/caiaq/audio.c and the "snd_usb_caiaq_midi_init()" function in sound/usb/caiaq/midi.c can be exploited to cause a buffer overflow by e.g. plugging in a malicious USB device.

7) The netdev kernel module loading mechanism is not properly restricted to netdev modules, which can be exploited to bypass the "CAP_SYS_MODULE" capability and load non-netdev modules.

Successful exploitation of this weakness requires "CAP_NET_ADMIN" capabilities.

8) A NULL-pointer dereference error due to the Generic Receive Offload (GRO) functionality not properly resetting a certain pointer when processing packets from an unknown VLAN can be exploited to cause a kernel crash.

Solution
Update to version 2.6.38.
Further details available to Secunia VIM customers

Provided and/or discovered by
1-3) Disclosed in a GIT commits.
4) Matthiew Herrb, OpenBSD X.org team
5) Nelson Elhage
6) Rafael Dominguez Vega, MWR InfoSecurity
7) Vasiliy Kulikov
8) Reported by a customer to Red Hat.

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=261cd298a8c363d7985e3482946edb4bfedacf98
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fff1ce4dc6113b6fdc4e3a815ca5fd229408f8ef
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1922756124ddd53846877416d92ba4a802bc658f
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eaae55dac6b64c0616046436b294e69fc5311581
http://labs.mwrinfosecurity.com/advisories/linux_kernel_caiaq_usb_drivers_buffer_overflow_vulnerability/
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8909c9ad8ff03611c9c96c9a92656213e4bb495b
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=66c46d741e2e60f0e8b625b80edb0ab820c46d7a
http://people.redhat.com/agospoda/rhel5/0251-gro-Reset-dev-pointer-on-reuse.patch

Rafael Dominguez Vega:
http://labs.mwrinfosecurity.com/files/Advisories/mwri_caiaq-usb-drivers-buffer-overflow_2011-03-07.pdf

Deep Links
Links available to Secunia VIM customers