[Ksplice][Ubuntu 8.04 Updates] New updates available via Ksplice (Ubuntu-2.6.24-28.86)
Tim Abbott
tabbott at ksplice.com
Thu Feb 24 22:08:48 PST 2011
Synopsis: Ubuntu-2.6.24-28.86 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-2943 CVE-2010-3296 CVE-2010-3297 CVE-2010-3698 CVE-2010-3848 CVE-2010-3849 CVE-2010-3858 CVE-2010-3859 CVE-2010-3873 CVE-2010-3875 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4072 CVE-2010-4074 CVE-2010-4078 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081 CVE-2010-4083 CVE-2010-4157 CVE-2010-4160 CVE-2010-4248
Systems running Ubuntu 8.04 Hardy can now use Ksplice to patch against the
latest Ubuntu kernel update, Ubuntu-2.6.24-28.86.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 8.04 Hardy users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
DESCRIPTION
* CVE-2010-2943: Missing inode validation in XFS.
The xfs implementation in the Linux kernel does not properly validate
inode numbers, which allows remote authenticated users to read unlinked
files, or potentially read or overwrite other files, by accessing a stale
NFS filehandle.
* CVE-2010-3296: Kernel information leak in cxgb driver.
The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4
bytes of uninitialized stack memory, because the "addr" member of the
ch_reg struct declared on the stack in cxgb_extension_ioctl() is not
altered or zeroed before being copied back to the user.
* CVE-2010-3297: Kernel information leak in eql driver.
The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member of
the master_config_t struct declared on the stack in eql_g_master_cfg() is
not altered or zeroed before being copied back to the user.
* CVE-2010-3858: Denial of service vulnerability with large argument lists.
Missing sanity checks were found in setup_arg_pages() in the Linux kernel.
Making the size of the argument and environment area on the stack very
large could trigger a BUG_ON(), resulting in a local denial of service
(Moderate).
* CVE-2010-4072: Information leak in System V IPC.
System V IPC leaks uninitialized kernel stack memory to user programs in
unused fields of the shmid_ds structure returned by shmctl().
* Improved fix for CVE-2010-3849.
Adopt the upstream fix for CVE-2010-3849, instead of the one originally
applied by Ubuntu, which does not completely fix the problem.
* Improved fix for CVE-2010-3848.
Adopt the upstream fix for CVE-2010-3848, instead of the fix originally
applied by Ubuntu, which contains various bugs.
* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory.
* CVE-2010-3698: Denial of service vulnerability in KVM host.
A flaw was found in the way QEMU-KVM handled the reloading of fs and gs
segment registers when they had invalid selectors. A privileged host user
with access to "/dev/kvm" could use this flaw to crash the host (denial of
service).
* CVE-2010-4078: Information leak in SiS framebuffer driver.
The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.
* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC and PPP over L2TP.
A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. CVE-2010-4160 is an
integer overflow when summing iovec lengths in the PPP over L2TP sendmsg
path, with the same heap-corruption outcome.
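Both entries above come down to one pattern: the lengths of the segments in a sendmsg() iovec are added into a counter that can wrap, the wrapped total passes the size check, and a buffer allocated from it is too small for the data later copied in. The following is an added userspace model of that pattern, not kernel code from this update; the 32-bit counter, the MAX_MSG limit and the struct seg type are assumptions standing in for the kernel's int total, the protocol's maximum message size and struct iovec.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for the kernel's struct iovec (assumption). */
struct seg { const void *base; size_t len; };

#define MAX_MSG 66000u   /* assumption: stand-in for a protocol's maximum message size */

/* Vulnerable pattern: the running total is a 32-bit counter.  Two
 * segments of 2 GiB each sum to 0, the size check passes, and a message
 * buffer allocated from that total is far smaller than the data that is
 * copied into it afterwards.  Returns the size the code would allocate,
 * or -1 if the (ineffective) check rejects the request. */
long total_len_wrapping(const struct seg *iov, size_t n)
{
    uint32_t total = 0;                 /* wraps modulo 2^32, modelling the kernel's int */
    for (size_t i = 0; i < n; i++)
        total += (uint32_t)iov[i].len;  /* truncation on 64-bit hosts is part of the model */
    if (total > MAX_MSG)
        return -1;
    return (long)total;
}

/* Fixed pattern: reject before adding whenever the next segment would push
 * the total past the limit, so no intermediate value can wrap. */
long total_len_checked(const struct seg *iov, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len > MAX_MSG || total > MAX_MSG - iov[i].len)
            return -1;
        total += iov[i].len;
    }
    return (long)total;
}

/* Assemble the message from a buffer sized by the checked total.
 * Returns NULL on rejection or allocation failure; caller frees. */
unsigned char *build_message(const struct seg *iov, size_t n, size_t *out_len)
{
    long total = total_len_checked(iov, n);
    if (total < 0)
        return NULL;
    unsigned char *buf = malloc(total > 0 ? (size_t)total : 1);
    if (!buf)
        return NULL;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, iov[i].base, iov[i].len);   /* cannot overrun: total was checked */
        off += iov[i].len;
    }
    *out_len = off;
    return buf;
}
```

Feeding two segments of 0x80000000 bytes to total_len_wrapping() yields 0, which the limit check accepts; total_len_checked() rejects the same input on the first segment. build_message() only ever allocates from the checked total, which is the property the kernel fixes restore.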
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to userspace
in uninitialized structure members and padding bytes.
* CVE-2010-3873: Memory corruption in X.25 facilities parsing.
The x25_parse_facilities function may perform a memcpy() of ULONG_MAX
bytes, destroying the kernel heap.
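The ULONG_MAX copy arises when an unsigned length byte taken from the packet has 1 subtracted from it without first checking that it is at least 1. The following added example is a simplified, bounds-checked parser for the X.25 facilities block written for this page; it is not the kernel's x25_parse_facilities(). The facility class encoding (top two bits of the code byte), the called/calling address-extension codes, the "digit count, then address bytes" field layout and the AE_MAX limit are assumptions modelled on the kernel's handling, and the sample packets are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Facility class is the top two bits of the facility code byte. */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00   /* code + 1 parameter byte  */
#define FAC_CLASS_B    0x40   /* code + 2 parameter bytes */
#define FAC_CLASS_C    0x80   /* code + 3 parameter bytes */
#define FAC_CLASS_D    0xC0   /* code + length byte + that many bytes */

/* Class D codes carrying address extensions (assumption: values and the
 * "digit count, then address bytes" layout follow the kernel's handling). */
#define FAC_CALLED_AE  0xCB
#define FAC_CALLING_AE 0xC9
#define AE_MAX         40     /* assumption: stand-in for the kernel's X25_MAX_AE_LEN */

struct dte_facs {
    uint8_t       called_len, calling_len;   /* digit counts from the packet */
    unsigned char called_ae[AE_MAX];
    unsigned char calling_ae[AE_MAX];
};

/* The size the unchecked expression `field_len - 1` hands to memcpy() when
 * evaluated as size_t: for field_len == 0 it is SIZE_MAX (ULONG_MAX on the
 * kernel's 64-bit builds).  Computed only, never used as a copy length. */
size_t unchecked_ae_copy_len(uint8_t field_len)
{
    return (size_t)field_len - 1;
}

/* Parse a facilities block: one length byte followed by that many bytes of
 * facilities.  Returns the number of facility bytes consumed, or -1 if any
 * length field is inconsistent with what is actually in the buffer. */
int parse_facilities(const uint8_t *p, size_t n, struct dte_facs *out)
{
    memset(out, 0, sizeof *out);
    if (n < 1)
        return -1;
    size_t len = p[0];
    if (len > n - 1)                    /* block claims more than we hold */
        return -1;

    const uint8_t *q = p + 1, *end = q + len;
    while (q < end) {
        size_t rem = (size_t)(end - q);
        switch (q[0] & FAC_CLASS_MASK) {
        case FAC_CLASS_A:
            if (rem < 2) return -1;
            q += 2;
            break;
        case FAC_CLASS_B:
            if (rem < 3) return -1;
            q += 3;
            break;
        case FAC_CLASS_C:
            if (rem < 4) return -1;
            q += 4;
            break;
        case FAC_CLASS_D: {
            if (rem < 2) return -1;
            size_t flen = q[1];
            /* flen == 0 is the case that turns (flen - 1) into ULONG_MAX;
             * flen must also fit in the remaining bytes and the destination. */
            if (flen < 1 || rem < 2 + flen || flen - 1 > AE_MAX)
                return -1;
            if (q[0] == FAC_CALLED_AE) {
                out->called_len = q[2];
                memcpy(out->called_ae, &q[3], flen - 1);
            } else if (q[0] == FAC_CALLING_AE) {
                out->calling_len = q[2];
                memcpy(out->calling_ae, &q[3], flen - 1);
            }
            q += 2 + flen;
            break;
        }
        }
    }
    return (int)len;
}

/* Constructed sample blocks (not captured traffic). */
static const uint8_t good_pkt[]  = { 9, 0x42, 0x00, 0x07,             /* a class B facility */
                                     0xCB, 0x04, 0x06, 0x12, 0x34, 0x56 }; /* called AE, 3 digits */
static const uint8_t zero_len[]  = { 3, 0xCB, 0x00, 0x00 };           /* class D length 0 */
static const uint8_t truncated[] = { 4, 0xCB, 0x05, 0x01, 0x02 };     /* length runs past end */

int parse_good(struct dte_facs *f)      { return parse_facilities(good_pkt, sizeof good_pkt, f); }
int parse_zero_len(struct dte_facs *f)  { return parse_facilities(zero_len, sizeof zero_len, f); }
int parse_truncated(struct dte_facs *f) { return parse_facilities(truncated, sizeof truncated, f); }
```

Every class advances q by a fixed or validated amount, so the loop cannot spin, and every length read from the packet is checked against both the bytes remaining and the destination size before it reaches memcpy().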
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows unprivileged
users to read uninitialized stack memory.
* CVE-2010-3877: Information leak in TIPC protocol.
The TIPC protocol may leak uninitialized padding bytes in a sockaddr_tipc
structure to user programs.
* CVE-2010-0435: Denial of service in KVM on debug register access.
A NULL pointer dereference flaw was found when the host system had a
processor with the Intel VT-x extension enabled. A privileged guest user
could use this flaw to trick the host into emulating a certain
instruction, which could crash the host (denial of service).
* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group leader
in the de_thread function in fs/exec.c.
* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
ioctls in hdspm.c and hdsp.c respectively allow unprivileged users to read
uninitialized kernel stack memory, because several fields of the
hdsp{m}_config_info structs declared on the stack are not altered or
zeroed before being copied back to the user.
* CVE-2010-4083: Information leak in System V IPC.
A missing initialization flaw was found in the semid_ds structure that
System V IPC returns from semctl(). A local, unprivileged user could use
this flaw to read uninitialized kernel stack memory.
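The cxgb, eql, mos7720/mos7840, sisfb, ivtvfb, hdsp, packet, AX.25, TIPC and System V IPC entries above are all one bug class: a struct is declared on the kernel stack, only some of its members are written, and the whole object is copied to userspace, so the untouched members and the compiler's padding bytes carry whatever earlier kernel code left in that frame. The following added userspace model shows the vulnerable pattern beside the fix; it is not code from any of the drivers named here. The struct layout is hypothetical, and the "stack frame" is a byte array pre-filled with a marker so that the leak is deterministic rather than dependent on real stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker for bytes left behind on the simulated stack by earlier work. */
#define STALE 0x41

/* Hypothetical ioctl reply struct (assumption: not any real driver's
 * layout).  The char array is followed by alignment padding, and
 * `reserved` is a member the handler never writes, like ch_reg.addr
 * in the cxgb entry above. */
struct reply {
    uint16_t family;
    char     name[5];
    uint32_t count;
    uint32_t reserved;
};

/* A local `struct reply r;` in a kernel handler lives in a stack frame
 * that still holds whatever earlier code put there.  Overlaying the
 * struct on a byte array reproduces that deterministically. */
union frame {
    struct reply  r;
    unsigned char bytes[sizeof(struct reply)];
};

static void frame_dirty(union frame *f)
{
    memset(f->bytes, STALE, sizeof f->bytes);
}

/* Vulnerable pattern: assign the members that matter, then copy the whole
 * object out.  Padding and `reserved` reach userspace untouched. */
static size_t handler_vuln(union frame *f, unsigned char *user_out)
{
    struct reply *r = &f->r;
    r->family = 2;
    memcpy(r->name, "eth0", sizeof "eth0");
    r->count = 7;
    memcpy(user_out, r, sizeof *r);     /* stands in for copy_to_user() */
    return sizeof *r;
}

/* Fixed pattern: memset() the object first.  A designated initializer
 * ({ .family = 2 }) zeroes the named members but the C standard leaves
 * padding bytes unspecified, so memset() is the reliable fix. */
static size_t handler_fixed(union frame *f, unsigned char *user_out)
{
    struct reply *r = &f->r;
    memset(r, 0, sizeof *r);
    r->family = 2;
    memcpy(r->name, "eth0", sizeof "eth0");
    r->count = 7;
    memcpy(user_out, r, sizeof *r);
    return sizeof *r;
}

/* How many of the bytes handed to userspace are stale frame content. */
static size_t stale_bytes(const unsigned char *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            k++;
    return k;
}

/* Run one handler against a dirty frame; returns the leaked byte count. */
size_t leaked_bytes(size_t (*handler)(union frame *, unsigned char *))
{
    union frame f;
    unsigned char user_out[sizeof(struct reply)];
    frame_dirty(&f);
    size_t n = handler(&f, user_out);
    return stale_bytes(user_out, n);
}

size_t leaked_vuln(void)  { return leaked_bytes(handler_vuln); }
size_t leaked_fixed(void) { return leaked_bytes(handler_fixed); }

/* Bytes the handlers never write: padding after name[] plus `reserved`. */
size_t expected_leak(void)
{
    return sizeof(struct reply)
         - sizeof(uint16_t) - sizeof "eth0" - sizeof(uint32_t);
}

int main(void)
{
    printf("vulnerable handler leaks %zu byte(s), fixed handler leaks %zu\n",
           leaked_vuln(), leaked_fixed());
    return 0;
}
```

The leaked count from the vulnerable handler equals the struct size minus the bytes it actually writes, which on a typical ABI is one padding byte plus the four-byte `reserved` member; the 4-byte and 16-byte figures quoted in the cxgb, eql and framebuffer entries above are the same arithmetic applied to those drivers' structs.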
* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
The INET_DIAG subsystem is inconsistent about how it looks up the bytecode
contained in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET_DIAG bytecode. This can be abused to make
the kernel enter an infinite loop, and possibly has other consequences.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.