[Ksplice][Ubuntu 8.04 Updates] New updates available via Ksplice (Ubuntu-2.6.24-28.86)

Tim Abbott tabbott at ksplice.com
Thu Feb 24 22:08:48 PST 2011


Synopsis: Ubuntu-2.6.24-28.86 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-2943 CVE-2010-3296 CVE-2010-3297 CVE-2010-3698 CVE-2010-3848 CVE-2010-3849 CVE-2010-3858 CVE-2010-3859 CVE-2010-3873 CVE-2010-3875 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4072 CVE-2010-4074 CVE-2010-4078 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081 CVE-2010-4083 CVE-2010-4157 CVE-2010-4160 CVE-2010-4248

Systems running Ubuntu 8.04 Hardy can now use Ksplice to patch against the 
latest Ubuntu kernel update, Ubuntu-2.6.24-28.86.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 8.04 Hardy users install 
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-2943: Missing inode validation in XFS.

The xfs implementation in the Linux kernel does not properly validate 
inode numbers, which allows remote authenticated users to read unlinked 
files, or potentially read or overwrite other files, by accessing a stale 
NFS filehandle.


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 
bytes of uninitialized stack memory, because the "addr" member of the 
ch_reg struct declared on the stack in cxgb_extension_ioctl() is not 
altered or zeroed before being copied back to the user.


* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16 
bytes of uninitialized stack memory, because the "master_name" member of 
the master_config_t struct declared on the stack in eql_g_master_cfg() is 
not altered or zeroed before being copied back to the user.
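The cxgb and eql entries above, like the mos7720/mos7840, sisfb, ivtvfb, packet, TIPC and hdsp entries further down, are all one bug shape: a driver declares a reply struct on the kernel stack, fills in the fields it cares about, and copies the whole object to user space, so compiler padding and untouched members carry out whatever the previous syscall left on that stack. The following user-space model of that pattern is an added example, not code from Ksplice or the Linux kernel. The struct layout, the stale-stack contents and the handler names are assumptions; copy_to_user() is stood in for by memcpy().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reply structure modelled on the advisory's cases: the handler writes two
 * fields, but the object also has compiler padding and members this ioctl
 * path never touches.  Layout assumes 4-byte alignment for uint32_t, which
 * is what puts 3 padding bytes after 'flags'.  (Assumed layout, example only.) */
struct cfg_reply {
    uint8_t  flags;     /* written by the handler */
    uint32_t addr;      /* written by the handler */
    char     name[16];  /* never written on this path (cf. eql's master_name) */
    uint32_t reserved;  /* never written */
};

/* A stand-in for the kernel stack slot the struct lands in: whatever the
 * previous syscall left there. */
union stack_slot {
    struct cfg_reply reply;
    unsigned char raw[sizeof(struct cfg_reply)];
};

typedef void (*ioctl_handler)(struct cfg_reply *r, unsigned char *user_buf);

/* Vulnerable handler: sets only the fields it cares about, then copies the
 * whole object out (memcpy stands in for copy_to_user()).  Every byte it did
 * not write leaves the kernel as-is. */
static void vuln_get_cfg(struct cfg_reply *r, unsigned char *user_buf)
{
    r->flags = 1;
    r->addr  = 0xdeadbeef;
    memcpy(user_buf, r, sizeof *r);
}

/* Fixed handler, in the shape of the upstream fixes: zero the entire object,
 * padding included, before filling in the fields. */
static void fixed_get_cfg(struct cfg_reply *r, unsigned char *user_buf)
{
    memset(r, 0, sizeof *r);
    r->flags = 1;
    r->addr  = 0xdeadbeef;
    memcpy(user_buf, r, sizeof *r);
}

/* 1 if byte offset 'off' lies inside a field the handler writes. */
static int is_written_field(size_t off)
{
    return (off >= offsetof(struct cfg_reply, flags) &&
            off <  offsetof(struct cfg_reply, flags) + sizeof(uint8_t)) ||
           (off >= offsetof(struct cfg_reply, addr) &&
            off <  offsetof(struct cfg_reply, addr) + sizeof(uint32_t));
}

/* Counts bytes the user received that the handler never set and that are
 * non-zero, i.e. bytes whose value came from the stale stack. */
static size_t count_leaked_bytes(const unsigned char *user_buf)
{
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof(struct cfg_reply); i++)
        if (!is_written_field(i) && user_buf[i] != 0)
            leaked++;
    return leaked;
}

/* Runs a handler against a deliberately dirty stack slot and returns how
 * many stale bytes reached the "user" buffer. */
static size_t leaked_bytes_for(ioctl_handler h)
{
    union stack_slot slot;
    unsigned char user_buf[sizeof(struct cfg_reply)];

    /* Constructed stale contents: all non-zero so every leaked byte counts. */
    for (size_t i = 0; i < sizeof slot.raw; i++)
        slot.raw[i] = (unsigned char)(0x41 + i % 26);
    memset(user_buf, 0, sizeof user_buf);

    h(&slot.reply, user_buf);
    return count_leaked_bytes(user_buf);
}

/* What the vulnerable handler leaks: the whole object minus the two fields
 * it actually writes (padding after 'flags', 'name' and 'reserved'). */
static size_t expected_leak(void)
{
    return sizeof(struct cfg_reply) - sizeof(uint8_t) - sizeof(uint32_t);
}

int main(void)
{
    printf("vulnerable handler leaks %zu of %zu bytes\n",
           leaked_bytes_for(vuln_get_cfg), sizeof(struct cfg_reply));
    printf("fixed handler leaks %zu bytes\n", leaked_bytes_for(fixed_get_cfg));
    return 0;
}
```

Note the fix is memset(), not `struct cfg_reply r = { 0 };`: the C standard does not promise that an initializer zeroes padding bytes, and padding is exactly what several of these CVEs leak. When reviewing an ioctl handler, check every struct that reaches copy_to_user() against this question: was each byte of it, padding included, written on this path?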


* CVE-2010-3858: Denial of service vulnerability with large argument lists.

Missing sanity checks were found in setup_arg_pages() in the Linux kernel.  
A local user who makes the argument and environment area on the stack 
very large could trigger a BUG_ON(), crashing the kernel (local denial of 
service).


* CVE-2010-4072: Information leak in System V IPC

System V IPC leaks uninitialized kernel stack memory to user programs in 
unused fields of the shmid_ds structure.


* Improved fix for CVE-2010-3849.

Adopt the upstream fix for CVE-2010-3849, instead of the one originally 
applied by Ubuntu, which does not completely fix the problem.


* Improved fix for CVE-2010-3848.

Adopt the upstream fix for CVE-2010-3848, instead of the fix originally 
applied by Ubuntu, which contains various bugs.


* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows 
unprivileged users to read uninitialized stack memory.


* CVE-2010-3698: Denial of service vulnerability in KVM host.

A flaw was found in the way the Linux kernel's KVM subsystem handled the 
reloading of the fs and gs segment registers when they held invalid 
selectors. A privileged host user with access to "/dev/kvm" could use this 
flaw to crash the host (denial of service).


* CVE-2010-4078: Information leak in SiS framebuffer driver.

The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged 
users to read 16 bytes of uninitialized stack memory.


* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged 
users to read 16 bytes of uninitialized stack memory.


* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation (CVE-2010-3859), and an 
integer overflow in the PPP over L2TP sendmsg path (CVE-2010-4160), could 
each allow a local, unprivileged user to corrupt kernel heap memory and 
escalate their privileges.


* CVE-2010-3875: Information leak in AX.25 protocol.

The ax25_getname function sometimes leaks kernel stack memory to userspace 
in uninitialized structure members and padding bytes.


* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities function may cause a memcpy() of ULONG_MAX size, 
destroying the kernel heap.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a 
sockaddr struct before copying it to userland, which allows unprivileged 
users to read uninitialized stack memory.


* CVE-2010-3877: Information leak in TIPC protocol

The TIPC protocol may leak uninitialized padding bytes in a sockaddr_tipc 
structure to user programs.


* CVE-2010-0435: Denial of service in KVM on debug register access.

A NULL pointer dereference flaw was found when the host system had a 
processor with the Intel VT-x extension enabled.  A privileged guest user 
could use this flaw to trick the host into emulating a certain 
instruction, which could crash the host (denial of service).


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an 
incorrect buffer size, leading to memory corruption.
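The X.25 entry above (CVE-2010-3873) and this one (CVE-2010-4157) are two faces of the same mistake: doing arithmetic on an attacker-supplied length before checking it. In the X.25 case a declared facility length of zero is decremented, wraps to ULONG_MAX, and is handed to memcpy(); in the RAID driver case two lengths are added and the sum wraps below the buffer limit. The following is an added example, not code from Ksplice or the Linux kernel, showing both failure shapes next to the hardened form. The facility encoding, the FAC_AE code, the 40-byte cap and SCRATCH_LEN are assumptions made for the example and do not reproduce the real drivers' constants or field names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. Length underflow in a facilities-style TLV parser ----
 * Toy encoding modelled on X.25 class-D facilities: one code byte, one
 * length byte, then 'length' data bytes.  For the address-extension
 * facility the first data byte is a digit count and the rest is the
 * address.  (Assumed encoding, example only.) */
#define FAC_AE     0xC9
#define MAX_AE_LEN 40

struct parsed_facs {
    uint8_t ae_digits;
    uint8_t ae[MAX_AE_LEN];
};

/* The unchecked arithmetic behind the advisory's memcpy() of ULONG_MAX:
 * with a declared length of 0, "length - 1" wraps once it is a size_t. */
static size_t unchecked_copy_len(uint8_t flen)
{
    return (size_t)flen - 1;
}

/* Hardened parser: every declared length is checked against the bytes that
 * actually remain and against the destination before anything is copied.
 * Returns the number of bytes consumed, or -1 on malformed input. */
static int parse_facs(const uint8_t *p, size_t len, struct parsed_facs *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < len) {
        if (len - pos < 2)                 /* need code + length bytes */
            return -1;
        uint8_t code = p[pos];
        uint8_t flen = p[pos + 1];
        if (flen > len - pos - 2)          /* facility runs past the buffer */
            return -1;
        if (code == FAC_AE) {
            /* one digit-count byte plus flen - 1 address bytes */
            if (flen < 2 || (size_t)flen - 1 > MAX_AE_LEN)
                return -1;
            out->ae_digits = p[pos + 2];
            memcpy(out->ae, &p[pos + 3], flen - 1);
        }
        /* unknown facilities are skipped using their now-validated length */
        pos += 2 + flen;
    }
    return (int)pos;
}

/* ---- 2. Additive overflow in a buffer-size check ----
 * Two user-supplied lengths are summed and compared against a fixed
 * scratch buffer.  (Assumed size, example only.) */
#define SCRATCH_LEN 4096u

/* Vulnerable shape: the 32-bit sum can wrap to a small number even though
 * one operand alone is far larger than the buffer. */
static bool sum_check_vuln(uint32_t data_len, uint32_t sense_len)
{
    return data_len + sense_len <= SCRATCH_LEN;
}

/* Fixed: bound each operand first, so the addition cannot wrap. */
static bool sum_check_fixed(uint32_t data_len, uint32_t sense_len)
{
    if (data_len > SCRATCH_LEN || sense_len > SCRATCH_LEN)
        return false;
    return data_len + sense_len <= SCRATCH_LEN;
}

int main(void)
{
    /* Constructed inputs: one well-formed facility, one with a zero length. */
    const uint8_t good[]     = { FAC_AE, 0x04, 0x06, 'A', 'B', 'C' };
    const uint8_t zero_len[] = { FAC_AE, 0x00 };
    struct parsed_facs f;

    int n = parse_facs(good, sizeof good, &f);
    printf("good: consumed %d, %u digits, ae=%.3s\n", n, f.ae_digits, (const char *)f.ae);
    n = parse_facs(zero_len, sizeof zero_len, &f);
    printf("zero length: parse=%d, unchecked copy length would be %zu\n",
           n, unchecked_copy_len(0));
    printf("0xFFFFFF00 + 0x200: vulnerable check %s, fixed check %s\n",
           sum_check_vuln(0xFFFFFF00u, 0x200u) ? "passes" : "rejects",
           sum_check_fixed(0xFFFFFF00u, 0x200u) ? "passes" : "rejects");
    return 0;
}
```

The two checks in the parser are deliberately separate: the first compares the declared length to what remains in the buffer (no over-read), the second compares it to the destination (no over-write) and rejects the zero length that would otherwise wrap. Neither check can be replaced by the other.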


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO 
ioctls in hdspm.c and hdsp.c allow unprivileged users to read 
uninitialized kernel stack memory, because several fields of the 
hdspm_config_info and hdsp_config_info structs declared on the stack are 
not altered or zeroed before being copied back to the user.


* CVE-2010-4083: Information leak in System V IPC.

A missing initialization flaw was found in System V IPC: the semctl() 
path does not fully initialize the semid_ds structure it copies to user 
space.  A local, unprivileged user could use this flaw to read 
uninitialized kernel stack memory.


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET_DIAG subsystem is inconsistent about how it looks up the bytecode 
contained in a netlink message, making it possible for a user to cause the 
kernel to execute unaudited INET_DIAG bytecode. This can be abused to make 
the kernel enter an infinite loop, and possibly has other consequences.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
