[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-1138)

Keegan McAllister keegan at ksplice.com
Fri Feb 11 13:43:40 PST 2011


Synopsis: FEDORA-2011-1138 can now be patched using Ksplice
CVEs: CVE-2010-3875 CVE-2010-3876 CVE-2010-4165 CVE-2010-4249
CVE-2010-4346 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650 CVE-2010-4668
CVE-2011-0006 CVE-2011-0521

Systems running Fedora 14 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-1138.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 14 users install these
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.

The kernel did not verify the iovec arrays that a userspace FUSE server
hands back in a FUSE_IOCTL_RETRY response.  Summing their lengths could
overflow, and the combined length could exceed the maximum FUSE request
size.


* Use-after-free bug in sunrpc xprt.

A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.


* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem.  A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.
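
The two entries above share one root cause: a length or count chosen by an
untrusted party (the FUSE server's iovec lengths, the user-supplied cmd.ne)
is turned into a buffer size without checking for overflow.  The following
example is added here and is not Ksplice's or the kernel's code; it shows
the two checks a handler needs, with demo limits (MAX_REQUEST_BYTES,
MAX_REPLY_ENTRIES) that are assumptions, not the kernel's constants, and
it relies on the GCC/Clang __builtin_*_overflow builtins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>   /* struct iovec */

/* Demo limits, not the kernel's constants: the largest request body one
 * transfer may carry, and the most reply entries one call may ask for. */
#define MAX_REQUEST_BYTES ((size_t)32 * 4096)
#define MAX_REPLY_ENTRIES 64

/* Sum the lengths of an iovec array supplied by an untrusted party (for
 * FUSE_IOCTL_RETRY, the userspace filesystem server), refusing both a
 * total above 'limit' and one that wraps around size_t. Returns 0 and
 * stores the total in *total on success, -1 on failure. */
int iov_total_checked(const struct iovec *iov, size_t count, size_t limit,
                      size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < count; i++) {
        /* sum <= limit holds on every iteration, so limit - sum cannot
         * underflow and this one comparison catches both wrap and excess. */
        if (iov[i].iov_len > limit - sum)
            return -1;
        sum += iov[i].iov_len;
    }
    *total = sum;
    return 0;
}

/* Size a reply buffer as header + count * elem_size, where 'count' comes
 * from userspace (cmd.ne in the uverbs case). Rejects counts above
 * max_entries and any arithmetic that would wrap; returns 0 on rejection,
 * so a caller can never allocate a buffer smaller than it will write. */
size_t reply_alloc_size(size_t header, size_t count, size_t elem_size,
                        size_t max_entries)
{
    size_t body, total;
    if (count > max_entries)
        return 0;
    if (__builtin_mul_overflow(count, elem_size, &body))
        return 0;
    if (__builtin_add_overflow(header, body, &total))
        return 0;
    return total;
}

/* Constructed sample inputs for the demo (iov_base is irrelevant here). */
const struct iovec sample_iov_ok[2]   = { { 0, 4096 }, { 0, 1000 } };
const struct iovec sample_iov_big[2]  = { { 0, 100000 }, { 0, 40000 } };       /* each fits, sum does not */
const struct iovec sample_iov_wrap[2] = { { 0, SIZE_MAX - 10 }, { 0, 100 } };   /* sum wraps size_t */

int main(void)
{
    size_t total = 0;
    int rc = iov_total_checked(sample_iov_ok, 2, MAX_REQUEST_BYTES, &total);
    printf("ok:   rc=%d total=%zu\n", rc, total);
    rc = iov_total_checked(sample_iov_big, 2, MAX_REQUEST_BYTES, &total);
    printf("big:  rc=%d\n", rc);
    rc = iov_total_checked(sample_iov_wrap, 2, MAX_REQUEST_BYTES, &total);
    printf("wrap: rc=%d\n", rc);
    printf("alloc 10 entries: %zu bytes\n", reply_alloc_size(16, 10, 24, MAX_REPLY_ENTRIES));
    printf("alloc huge count: %zu bytes\n", reply_alloc_size(16, SIZE_MAX / 8, 24, SIZE_MAX));
    return 0;
}
```

The point of the single comparison in iov_total_checked is that a naive
"sum += len; if (sum > limit)" check is exactly what an attacker defeats by
making the sum wrap past zero; comparing against the remaining headroom
instead makes wrap-around impossible to reach.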


* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by
setting the TCP_MAXSEG socket option to an invalid (too small) value,
leading to a kernel oops.


* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets.  A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).


* CVE-2010-3875: Information leak in AX.25 protocol.

The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userspace, which allows unprivileged
users to read uninitialized kernel stack memory.
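
The AX.25 and packet-socket entries above are the same bug pattern: a
getname handler builds a sockaddr-style structure on the kernel stack,
sets only the members it cares about, and copies the whole structure to
userspace, so unset members and compiler padding carry whatever an earlier
call left on the stack.  The following userspace example is added here and
is not Ksplice's or the kernel's code; struct addr_out, the 0xA5 stale-byte
pattern and the field names are assumptions chosen for the demo.  It
simulates a dirty stack frame and counts how many bytes the vulnerable
handler would leak versus the fixed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte pattern standing in for whatever an earlier call left on the stack. */
#define STALE_BYTE 0xA5

/* Stand-in for a sockaddr-style structure built on the kernel stack and
 * copied back to userspace by a getname handler. The mix of 2-byte,
 * 7-byte and 4-byte members forces the compiler to insert padding, and
 * 'digipeater' plays the role of a member the handler forgets to set. */
struct addr_out {
    uint16_t family;
    uint8_t  callsign[7];
    uint32_t ndigi;
    uint8_t  digipeater[7];
};

/* Vulnerable pattern: only the members the handler cares about are
 * written. Padding bytes and 'digipeater' keep their stale contents. */
void fill_vulnerable(struct addr_out *out)
{
    out->family = 3;
    memcpy(out->callsign, "N0CALL ", sizeof(out->callsign));
    out->ndigi = 0;
}

/* Fixed pattern: clear the whole object first, so every byte that is
 * later copied to userspace has a defined value, padding included. */
void fill_fixed(struct addr_out *out)
{
    memset(out, 0, sizeof(*out));
    out->family = 3;
    memcpy(out->callsign, "N0CALL ", sizeof(out->callsign));
    out->ndigi = 0;
}

/* Simulate a dirty stack frame: pre-fill the object with STALE_BYTE, run
 * the handler, then count bytes still holding the stale pattern. Each one
 * is a byte of earlier stack contents the handler would have handed to
 * userspace through copy_to_user(). */
size_t stale_bytes_after(void (*fill)(struct addr_out *))
{
    struct addr_out out;
    memset(&out, STALE_BYTE, sizeof(out));
    fill(&out);

    const unsigned char *p = (const unsigned char *)&out;
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof(out); i++)
        if (p[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable handler leaves %zu of %zu bytes uninitialized\n",
           stale_bytes_after(fill_vulnerable), sizeof(struct addr_out));
    printf("fixed handler leaves %zu bytes uninitialized\n",
           stale_bytes_after(fill_fixed));
    return 0;
}
```

The exact number of leaked bytes depends on the ABI's padding, but the
seven bytes of the unset 'digipeater' member leak on every platform, which
is why the fix is a memset of the whole object rather than assigning the
missing member: member-by-member assignment can never reach the padding.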


* Reference count leak in inotify failure path.

The inotify subsystem can leak a reference count when it fails to create a new
special file.  An unprivileged process can force this failure by setting the
RLIMIT_NOFILE resource limit.  This could lead to denial of service
(out-of-memory condition) or a refcount overflow and subsequent use-after-free.
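
The entry above describes a classic error-path bug: a reference is taken
early, a later step (allocating a file descriptor) fails, and the function
returns without dropping the reference.  The following example is added
here and is not Ksplice's or the kernel's code; struct group, the simulated
fd limit and the function names are assumptions standing in for the real
inotify objects.  It models a process that has already hit RLIMIT_NOFILE
and counts the references each variant leaves behind.

```c
#include <stdio.h>

/* Toy refcounted object standing in for the inotify group. */
struct group { unsigned refs; };

/* Simulated process state: RLIMIT_NOFILE and how many fds are open. */
static unsigned fd_limit = 3;
static unsigned fds_in_use = 0;

static void group_get(struct group *g) { g->refs++; }
static void group_put(struct group *g) { if (g->refs) g->refs--; }

/* Simulated get_unused_fd(): fails once the process is at its fd limit,
 * which an unprivileged process can force with setrlimit(RLIMIT_NOFILE). */
static int get_unused_fd_sim(void)
{
    if (fds_in_use >= fd_limit)
        return -1;   /* EMFILE */
    return (int)fds_in_use++;
}

/* Vulnerable: takes a reference, then returns on fd-allocation failure
 * without dropping it. Every failed call leaks one reference; repeated
 * failures exhaust memory or wrap the counter, after which a drop to
 * zero frees the object while it is still in use. */
int inotify_init_vulnerable(struct group *g)
{
    group_get(g);
    int fd = get_unused_fd_sim();
    if (fd < 0)
        return -1;            /* leaked: no group_put() on this path */
    return fd;
}

/* Fixed: the failure path unwinds the reference it took. */
int inotify_init_fixed(struct group *g)
{
    group_get(g);
    int fd = get_unused_fd_sim();
    if (fd < 0) {
        group_put(g);
        return -1;
    }
    return fd;
}

/* Drive 'attempts' calls against a fresh object while the fd table is
 * already exhausted, and report the references left beyond the owner's. */
unsigned leaked_refs(int (*init)(struct group *), unsigned attempts)
{
    struct group g = { .refs = 1 };   /* the long-lived owner's reference */
    fds_in_use = fd_limit;            /* process sits at RLIMIT_NOFILE */
    for (unsigned i = 0; i < attempts; i++)
        init(&g);
    return g.refs - 1;
}

int main(void)
{
    printf("vulnerable: %u references leaked after 1000 failures\n",
           leaked_refs(inotify_init_vulnerable, 1000));
    printf("fixed:      %u references leaked after 1000 failures\n",
           leaked_refs(inotify_init_fixed, 1000));
    return 0;
}
```

The check a reviewer applies to any such function is mechanical: for every
early return after the first get(), find the matching put(); kernel code
usually makes this visible by unwinding through a single chain of goto
labels rather than returning directly from the failure branch.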


* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.

The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.


* Data corruption on RAID recovery to hot-added device.

Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered.  This could lead to data corruption.


* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.


* CVE-2011-0006: Unhandled error condition when adding security rules.

When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default security
rules to be disabled.


* Remote denial of service in 802.11 mesh networking drivers.

Under low-memory conditions, forwarding an 802.11 mesh networking packet can
cause a NULL pointer dereference.


* Denial of service in 802.11 transmit buffer handling.

The transmit buffer code in the mac80211 subsystem fails to handle shared
buffers correctly, resulting in a BUG or other kernel misbehavior.


* File size corruption in btrfs.

A logic error in the btrfs filesystem implementation can cause a file to be
written with the wrong size, introducing trailing garbage data or possibly
other corruption.


* CVE-2010-4668: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).


* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


