[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2011-11019)

Anders Kaseorg anders.kaseorg at oracle.com
Sat Aug 20 16:18:52 PDT 2011


Synopsis: FEDORA-2011-11019 can now be patched using Ksplice
CVEs: CVE-2011-2699 CVE-2011-2707 CVE-2011-2723 CVE-2011-2909

Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-11019.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2909: Information leak in comedi driver.

The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.
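The pattern behind CVE-2011-2909 is easy to reproduce outside the kernel: a fixed-size info structure whose string fields are filled with a non-padding copy and then copied out whole leaks every byte after each string's terminator. The following is an added userspace model, not Ksplice's or the comedi driver's code; the structure layout, field sizes, names and the 0xAA sentinel standing in for stale stack contents are all assumed for illustration.

```c
/* Added example (not the kernel's code): model of the CVE-2011-2909 info
 * leak.  The "leaky" filler only writes the string bytes and a NUL; the
 * "fixed" filler zeroes the whole structure first, as a memset() before
 * the copy would in the driver.  The names and sizes here are assumed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_LEN 20          /* assumed size of each name field */
#define STACK_GARBAGE 0xAA   /* sentinel standing in for stale stack data */

struct devinfo {
    int  version;
    char driver_name[NAME_LEN];
    char board_name[NAME_LEN];
};

/* Vulnerable form: snprintf() writes the string and one NUL and leaves
 * the rest of each field untouched, so those bytes go to userspace as-is. */
static void fill_devinfo_leaky(struct devinfo *info, const char *drv, const char *brd)
{
    info->version = 1;
    snprintf(info->driver_name, NAME_LEN, "%s", drv);
    snprintf(info->board_name, NAME_LEN, "%s", brd);
}

/* Hardened form: clear the whole structure before filling any field. */
static void fill_devinfo_fixed(struct devinfo *info, const char *drv, const char *brd)
{
    memset(info, 0, sizeof(*info));
    info->version = 1;
    snprintf(info->driver_name, NAME_LEN, "%s", drv);
    snprintf(info->board_name, NAME_LEN, "%s", brd);
}

/* Pre-fill the structure with the sentinel (a "dirty" stack), run the
 * filler, and count how many sentinel bytes would still be copied out. */
static size_t count_leaked_bytes(void (*fill)(struct devinfo *, const char *, const char *),
                                 const char *drv, const char *brd)
{
    union {
        struct devinfo info;
        unsigned char raw[sizeof(struct devinfo)];
    } u;
    size_t leaked = 0;

    memset(u.raw, STACK_GARBAGE, sizeof u.raw);
    fill(&u.info, drv, brd);
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STACK_GARBAGE)
            leaked++;
    return leaked;
}

int main(void)
{
    /* Constructed names, not real comedi driver or board names. */
    const char *drv = "drv_example";    /* 11 chars: 8 field bytes left untouched */
    const char *brd = "board_example";  /* 13 chars: 6 field bytes left untouched */

    printf("leaky filler leaks %zu bytes\n", count_leaked_bytes(fill_devinfo_leaky, drv, brd));
    printf("fixed filler leaks %zu bytes\n", count_leaked_bytes(fill_devinfo_fixed, drv, brd));
    return 0;
}
```

The count is exactly the number of bytes in the two name fields that the string copy never reached; a longer name leaks fewer bytes, but only a full clear of the structure (or of each field) guarantees zero.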


* Fix heap corruption bug in pmcraid driver.

Passing a malformed PMCRAID_PASSTHROUGH_IOCTL ioctl from userspace could 
lead to heap corruption or denial of service.


* CVE-2011-2707: Arbitrary read vulnerability in ptrace.

A missing access control check in the ptrace_setxregs() function in
the xtensa architecture allowed an unprivileged user to read arbitrary
kernel memory.


* CVE-2011-2723: Remote denial of service vulnerability in gro.

The skb_gro_header_slow function in the Linux kernel had a bug which
allowed a remote attacker to put certain gro fields in an inconsistent
state, resulting in a denial of service.


* Double free bug in ipv4 gre protocol.

The error handler for the ipv4 gre protocol mishandled its error path,
resulting in a double free and kernel crash when handling gre errors.


* NULL pointer dereference in iwlagn subsystem.

The iwlagn_wait_tx_queue_empty function in the iwlagn subsystem did
not check whether a certain pointer was NULL before dereferencing it.


* Fix divide-by-zero bug in ALSA snd-usb subsystem.

The parse_audio_feature_unit function in the ALSA snd-usb subsystem
did not check whether a size value supplied in a device's USB audio
descriptor was zero before dividing by it, resulting in a divide-by-zero
exception in the kernel.
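The division in question derives a channel count from a descriptor length and a per-channel control size, both of which come from the device. The following added example (not the ALSA code) parses a constructed USB Audio Class 1.0 Feature Unit descriptor in a vulnerable form that divides by the size field as received and a hardened form that rejects a zero size first. The descriptor layout (bLength, type, subtype, unit ID, source ID, bControlSize, control bitmaps, iFeature) follows the UAC 1.0 specification; the sample bytes are constructed and not captured from any real device.

```c
/* Added example (not the kernel's code): channel count of a UAC 1.0
 * Feature Unit descriptor, unchecked vs. checked.  Layout assumed:
 *   d[0] bLength, d[1] bDescriptorType, d[2] bDescriptorSubtype,
 *   d[3] bUnitID, d[4] bSourceID, d[5] bControlSize,
 *   d[6..] bmaControls for master + each channel, last byte iFeature.
 * So the number of channels is (bLength - 7) / bControlSize - 1. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define UAC_FU_FIXED_LEN 7   /* 6 header bytes plus the trailing iFeature */
#define ERR_INVAL (-22)      /* mirrors -EINVAL */

/* Vulnerable form: trusts bControlSize and divides immediately.
 * A descriptor with bControlSize == 0 divides by zero here. */
static int feature_unit_channels_unchecked(const uint8_t *d, size_t len)
{
    if (len < UAC_FU_FIXED_LEN || d[0] > len)
        return ERR_INVAL;
    int csize = d[5];
    return (d[0] - UAC_FU_FIXED_LEN) / csize - 1;
}

/* Hardened form: reject a zero control size before dividing, and reject
 * a descriptor too short to hold even the master control bitmap. */
static int feature_unit_channels_checked(const uint8_t *d, size_t len)
{
    if (len < UAC_FU_FIXED_LEN || d[0] > len)
        return ERR_INVAL;
    int csize = d[5];
    if (csize == 0)
        return ERR_INVAL;                 /* the missing check */
    int channels = (d[0] - UAC_FU_FIXED_LEN) / csize - 1;
    if (channels < 0)
        return ERR_INVAL;                 /* bLength smaller than one bitmap */
    return channels;
}

/* Constructed descriptors (not from a real device). */
static const uint8_t good_fu[] = {
    10, 0x24, 0x06, 0x05, 0x01, 0x01,     /* bControlSize = 1 */
    0x03, 0x00, 0x00,                     /* master + 2 channel bitmaps */
    0x00                                  /* iFeature */
};
static const uint8_t zero_csize_fu[] = {
    7, 0x24, 0x06, 0x05, 0x01, 0x00,      /* bControlSize = 0 */
    0x00                                  /* iFeature */
};
static const uint8_t short_fu[] = {
    8, 0x24, 0x06, 0x05, 0x01, 0x04,      /* bControlSize = 4, one data byte */
    0x00, 0x00
};

int main(void)
{
    printf("good, unchecked:   %d channels\n",
           feature_unit_channels_unchecked(good_fu, sizeof good_fu));
    printf("good, checked:     %d channels\n",
           feature_unit_channels_checked(good_fu, sizeof good_fu));
    /* The unchecked parser is deliberately not run on zero_csize_fu:
     * that is the divide-by-zero the fix prevents. */
    printf("zero size, checked: %d\n",
           feature_unit_channels_checked(zero_csize_fu, sizeof zero_csize_fu));
    printf("short, checked:     %d\n",
           feature_unit_channels_checked(short_fu, sizeof short_fu));
    return 0;
}
```

In the kernel the dividend and divisor both arrive from a USB device the host has just enumerated, so any value a device can put in its descriptors has to be treated as attacker input and validated before arithmetic on it.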


* Kernel oops due to race in ext3 filesystem.

The Linux kernel had a race condition between the ext3_xattr_block_set
function and the ext3_get_blocks_handle function, which could both
call into the block reservation system at the same time, resulting in
a kernel oops or a corrupt reservation structure.


* Kernel oops in journal credit accounting for ext3/4.

The ext3_symlink and ext4_symlink functions in the Linux kernel did
not properly count journal credits for long symlinks, which could
result in a failed assertion and kernel oops.


* NULL pointer dereference when mounting with CIFS prefixpath.

The cifs_d_revalidate function in the Linux kernel did not properly
check whether the "nd" pointer was NULL before dereferencing it,
resulting in a NULL pointer dereference and kernel crash.


* Information leak due to race condition in do_io_accounting.

The do_io_accounting function in the proc subsystem of the Linux
kernel did not take task->signal->cred_guard_mutex when gathering io
information, allowing an unprivileged user to gather sensitive io
statistics from a privileged process (e.g. the length of a password
typed into ssh or ftp).


* CVE-2011-2699: Predictable ipv6 fragment identification numbers.

The generator for ipv6 fragment identification numbers used a single
global counter for all destinations, so the numbers were highly
predictable, which allowed a remote attacker to cause a denial of
service.
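Why a single shared counter is a problem: an attacker who receives one fragment from the host learns the counter's current value and can guess the ID the host will stamp on its next fragment to anyone else. The following added userspace model (not the kernel's IPv6 code, and the per-destination variant is this editor's own stand-in for the fix, not the upstream patch) runs that guessing game against both generators. The mixing constant, the SECRET value (which would be random at boot) and the destination addresses are assumed for illustration.

```c
/* Added example (illustration, not the kernel's code): a shared global
 * fragment-ID counter vs. per-destination counters with a secret-keyed
 * starting point.  SECRET and the mixing constant are assumed values. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Vulnerable pattern: one counter used for every destination. */
static uint32_t global_id;

static uint32_t frag_id_global(uint32_t dst)
{
    (void)dst;
    return ++global_id;
}

/* Hardened pattern: each destination gets its own counter, started from a
 * value that depends on a secret, so one flow reveals nothing about another. */
#define SECRET    0x5bd1e995u   /* assumed; would be drawn randomly at boot */
#define MAX_PEERS 16

static struct { uint32_t dst; uint32_t id; bool used; } peers[MAX_PEERS];

static uint32_t frag_id_per_dst(uint32_t dst)
{
    for (int i = 0; i < MAX_PEERS; i++) {
        if (!peers[i].used) {
            peers[i].used = true;
            peers[i].dst = dst;
            peers[i].id = (dst ^ SECRET) * 0x9E3779B1u;   /* keyed start */
        }
        if (peers[i].dst == dst)
            return ++peers[i].id;
    }
    return 0;   /* table full; a real implementation would evict an entry */
}

static void reset_generators(void)
{
    global_id = 0;
    for (int i = 0; i < MAX_PEERS; i++)
        peers[i].used = false;
}

/* The attacker (address ATTACKER_DST) receives one fragment from the host,
 * then guesses "observed + 1" for the host's next fragment to VICTIM_DST. */
#define ATTACKER_DST 1u
#define VICTIM_DST   2u

static bool attacker_can_predict(uint32_t (*gen)(uint32_t))
{
    reset_generators();
    uint32_t observed = gen(ATTACKER_DST);  /* fragment sent to the attacker */
    uint32_t guess    = observed + 1;
    uint32_t actual   = gen(VICTIM_DST);    /* next fragment, to the victim */
    return guess == actual;
}

int main(void)
{
    printf("global counter:  attacker predicts next ID: %s\n",
           attacker_can_predict(frag_id_global) ? "yes" : "no");
    printf("per-destination: attacker predicts next ID: %s\n",
           attacker_can_predict(frag_id_per_dst) ? "yes" : "no");
    return 0;
}
```

A correct guess is what lets a remote attacker forge fragments that collide with a victim flow's reassembly queue; the per-destination generator keeps IDs sequential within one flow (so legitimate reassembly still works) while making the starting point of every other flow unknown to the observer.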

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.




More information about the Fedora-15-Updates mailing list