[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-4613)

Nelson Elhage nelhage at ksplice.com
Tue Apr 12 09:37:04 PDT 2011


Synopsis: FEDORA-2011-4613 can now be patched using Ksplice
CVEs: CVE-2010-3705 CVE-2010-4656 CVE-2011-0712 CVE-2011-0726 CVE-2011-1010
      CVE-2011-1013 CVE-2011-1082 CVE-2011-1182 CVE-2011-1477

Systems running Fedora 14 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-4613.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 14 users install these
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Reference count leak in netlink messaging.

The netlink subsystem did not properly clean up 'struct scm_cookie' structs
created when sending messages, resulting in a memory leak or other consequences.


* Kernel BUG in NFS.

An incorrect return value in the NFS code could result in an I/O request being
incorrectly processed multiple times, resulting in a use-after-free condition
leading to a denial of service (kernel BUG).


* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.

The SCTP subsystem's sctp_asoc_get_hmac function did not correctly
check for an out-of-range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.


* Incorrect error handling in credential allocation.

Several pieces of the kernel credential management subsystem did not properly
handle memory allocation failures, resulting in various potential
denial-of-service conditions.


* CVE-2011-1010: Denial of service in Mac OS partition table handling.

A buffer overflow in the mac_partition function could allow a local
attacker to cause a denial of service or possibly unspecified other
impact via a malformed Mac OS partition table.


* CVE-2011-0712: Buffer overflows in caiaq driver.

An attacker with physical access could gain elevated privileges via
pathways relating to buffer overflows in the caiaq audio driver.


* CVE-2011-1082: Denial of service in epoll.

The epoll subsystem did not prevent an unprivileged local user from
creating a cycle of epoll file descriptors, which would lead to a
denial of service.


* Denial of service in corrupted LDM partition.

Insufficient checks in parsing a corrupted LDM partition table could result in a
kernel denial of service (crash) or potentially other consequences.


* CVE-2011-1013: Signedness error in drm.

The drm_modeset_ctl() function incorrectly treated an unsigned
integer as signed, leading to a local denial of service or possible
privilege escalation.


* Remote denial of service in DCCP.

A logic error in DCCP could result in a denial of service (NULL pointer
dereference) if a remote peer sends a Reset packet after closing a socket.


* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.

Kees Cook reported an issue in the driver for I/O-Warrior USB devices.
Local users with access to these devices may be able to overrun kernel
buffers, resulting in a denial of service or privilege escalation.


* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.

A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from a kernel. This could allow a
process to generate a fake tgkill signal to a thread it is not privileged to
signal.


* CVE-2011-0726: Address space leakage through /proc/pid/stat.

The /proc/pid/stat file allowed unprivileged users to read the start and end
address of other processes' text segments, potentially enabling an attacker to
bypass address space layout randomization (ASLR) protection.
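As an added defender's check, not part of this advisory: a POSIX sh snippet that parses a /proc/<pid>/stat line and reports whether the text-segment bounds are exposed, using the field positions documented in proc(5) (startcode is field 26, endcode field 27); a fixed kernel reports both as 0 for processes the caller may not ptrace. The sample stat line is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added check (not from the advisory): does this kernel expose the text-segment
# bounds of a process through /proc/<pid>/stat?
# Field numbering follows proc(5): pid is field 1, "(comm)" field 2,
# startcode field 26, endcode field 27.

# stat_text_bounds LINE -> prints "STARTCODE ENDCODE" from one stat line
stat_text_bounds() {
    line=$1
    # comm (field 2) is parenthesised and may itself contain spaces or ')',
    # so drop everything up to the last ") " before splitting on whitespace.
    rest=${line##*\) }
    set -- $rest
    # With fields 1-2 removed, field 26 is $24 and field 27 is $25.
    printf '%s %s\n' "${24}" "${25}"
}

# classify_stat LINE -> "leaks" if the bounds are exposed, "masked" if the
# kernel zeroed them, "malformed" if the line has too few fields.
classify_stat() {
    bounds=$(stat_text_bounds "$1")
    start=${bounds% *}
    end=${bounds#* }
    if [ -z "$start" ] || [ -z "$end" ]; then
        echo malformed
    elif [ "$start" = 0 ] && [ "$end" = 0 ]; then
        echo masked
    else
        echo leaks
    fi
}

# Constructed sample in /proc/<pid>/stat layout: startcode=4194304, endcode=4198400.
SAMPLE_LEAK='1234 (my prog) S 1 1234 1234 0 -1 4194560 100 0 0 0 1 1 0 0 20 0 1 0 500 1048576 50 18446744073709551615 4194304 4198400 140737488347136 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0'

# Scan every process the caller can see. On a fixed kernel, processes the
# caller cannot ptrace (typically other users' processes) should print "masked".
scan_procs() {
    for p in /proc/[0-9]*; do
        [ -r "$p/stat" ] || continue
        printf '%s %s\n' "${p#/proc/}" "$(classify_stat "$(cat "$p/stat")")"
    done
}
```

Run `scan_procs` as an unprivileged user; any "leaks" line for a process you do not own indicates the kernel still exposes the addresses.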


* Lost commands in CCISS driver.

Under certain workloads, the CCISS driver could mark commands as completed even
though they were never processed, leading to disk corruption, system instability
or potentially other consequences.


* CVE-2011-1477: Missing validation in OPL-3 driver.

Missing validation of user data in the OPL-3 driver could allow
a user to corrupt kernel memory and potentially escalate privileges.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
