[Ksplice][Ubuntu 9.10 Updates] New updates available via Ksplice (USN-1000-1)

Tim Abbott tabbott at ksplice.com
Sat Oct 23 15:40:56 PDT 2010


Synopsis: USN-1000-1 can now be patched using Ksplice
CVEs: CVE-2009-4895 CVE-2010-2066 CVE-2010-2226 CVE-2010-2240 CVE-2010-2248 CVE-2010-2478 CVE-2010-2495 CVE-2010-2521 CVE-2010-2524 CVE-2010-2798 CVE-2010-2942 CVE-2010-2946 CVE-2010-2954 CVE-2010-2955 CVE-2010-2963 CVE-2010-3015 CVE-2010-3067 CVE-2010-3078 CVE-2010-3080 CVE-2010-3084 CVE-2010-3310 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442 CVE-2010-3477 CVE-2010-3705 CVE-2010-3904

Systems running Ubuntu 9.10 Karmic can now use Ksplice to patch against 
the latest Ubuntu Security Notice, USN-1000-1.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 9.10 Karmic users install 
these updates.  You can install these updates by running:

# uptrack-upgrade -y
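After the upgrade, an administrator will usually want to confirm that every CVE from this notice is actually live. The script below is an added example, not part of the Ksplice announcement: it reads the output of `uptrack-show` on stdin and lists any advisory CVE it does not find. It assumes `uptrack-show` prints installed updates with their CVE ids; the sample output it checks against is constructed, with a placeholder update id.

```shell
#!/bin/sh
# Added example (not Ksplice's own code): compare the USN-1000-1 CVE list
# against what `uptrack-show` reports as installed.
# Assumption: uptrack-show prints one installed update per line including the
# CVE id; the sample feed below is constructed with a placeholder update id.

ADVISORY_CVES="CVE-2009-4895 CVE-2010-2066 CVE-2010-2226 CVE-2010-2240
CVE-2010-2248 CVE-2010-2478 CVE-2010-2495 CVE-2010-2521 CVE-2010-2524
CVE-2010-2798 CVE-2010-2942 CVE-2010-2946 CVE-2010-2954 CVE-2010-2955
CVE-2010-2963 CVE-2010-3015 CVE-2010-3067 CVE-2010-3078 CVE-2010-3080
CVE-2010-3084 CVE-2010-3310 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442
CVE-2010-3477 CVE-2010-3705 CVE-2010-3904"

# Read uptrack-show output on stdin; print one line per advisory CVE that is
# absent from it. Always returns 0 so it composes cleanly under `set -e`.
missing_cves() {
    installed=$(cat)
    for cve in $ADVISORY_CVES; do
        # -w stops CVE-2010-2066 from matching a longer id like CVE-2010-20660
        if ! printf '%s\n' "$installed" | grep -q -w "$cve"; then
            echo "$cve"
        fi
    done
    return 0
}

# Returns 0 when every advisory CVE appears in the stdin text, 1 otherwise.
fully_patched() {
    [ -z "$(missing_cves)" ]
}

# Constructed stand-in for `uptrack-show`: lists every CVE except one.
sample_uptrack_show() {
    echo "Installed updates:"
    for cve in $ADVISORY_CVES; do
        if [ "$cve" != "CVE-2010-3904" ]; then   # pretend the RDS fix is absent
            echo "[00000000] $cve: (placeholder description)"
        fi
    done
}

# Run the check against the constructed sample; prints CVE-2010-3904.
demo_missing() {
    sample_uptrack_show | missing_cves
}
```

On a real Karmic host the same check is `uptrack-show | missing_cves`, which prints nothing when the notice is fully covered.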


DESCRIPTION

* CVE-2009-4895: NULL pointer dereference in tty_fasync.

A race condition in the tty_fasync function allows local users to cause a 
NULL pointer dereference.


* CVE-2010-2066: Missing privilege check in ext4 for append-only files.

A missing check was found in the mext_check_arguments() function in the 
ext4 file system code.  A local user could use this flaw to cause the 
MOVE_EXT IOCTL to overwrite the contents of an append-only file on an ext4 
file system, if they have write permissions for that file.


* CVE-2010-2226: Read access to write-only files in XFS filesystem.

A flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel 
XFS file system implementation.  A local user could use this flaw to read 
write-only files that they do not own on an XFS file system.  This could 
lead to unintended information disclosure.


* CVE-2010-2248: Denial of service in CIFS with remote OS/2 server.

When writing to a remote OS/2 server with the CIFS network filesystem, 
invalid data returned from the server may trigger a kernel BUG, leading to 
denial of service.


* CVE-2010-2478: Buffer overflow in ethtool.

An integer overflow in the implementation of the unprivileged 
ETHTOOL_GRXCLSRLALL command may lead to a buffer overflow in the kernel, 
resulting in denial of service or privilege escalation.


* CVE-2010-2495: Denial of Service in L2TP.

The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP 
implementation in the Linux kernel before 2.6.34 does not properly 
validate certain values associated with an interface, which allows 
attackers to cause a denial of service (NULL pointer dereference and OOPS) 
or possibly have unspecified other impact via vectors related to a routing 
change.


* CVE-2010-2521: Remote buffer overflow in NFSv4 server.

Buffer overflow flaws were found in the Linux kernel's implementation of 
the server-side External Data Representation (XDR) for the Network File 
System (NFS) version 4.  An attacker on the local network could send a 
specially-crafted large compound request to the NFSv4 server, which could 
possibly result in a kernel panic (denial of service) or arbitrary code 
execution (CVE-2010-2521).


* CVE-2010-2524: False CIFS mount via DNS cache poisoning.

A flaw was found in the dns_resolver upcall used by CIFS.  A local, 
unprivileged user could redirect a Microsoft Distributed File System link 
to another IP address, tricking the client into mounting the share from a 
server of the user's choosing.  (CVE-2010-2524, Moderate)


* CVE-2010-2798: Denial of service in GFS2.

Bob Peterson reported an issue in the GFS2 file system. A file system user 
could cause a denial of service (Oops) via certain rename operations.


* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code may 
allow the disclosure of 32 bits of kernel memory to userspace 
applications.


* CVE-2010-2946: Access control bypass in JFS filesystem.

Extended attribute namespace access rules may be bypassed by using the 
legacy-format os2 namespace.


* CVE-2010-2954: NULL pointer dereference in irda subsystem.

The irda_bind function in net/irda/af_irda.c in the Linux kernel did not 
properly handle a failure in the irda_open_tsap function.  This allows 
local users to cause a denial of service (NULL pointer dereference and 
panic) via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) 
socket.


* CVE-2010-2955: Information leak in wireless extensions.

The cfg80211_wext_giwessid function does not properly initialize certain 
structure members.  A local user could leverage an off-by-one error in the 
ioctl_standard_iw_point function to obtain potentially sensitive 
information from kernel heap memory using an SIOCGIWESSID ioctl call that 
specifies a large buffer size.


* CVE-2010-3015: Integer overflow in ext4 filesystem.

An integer overflow flaw was found in the ext4_ext_get_blocks() function. 
This can trigger a BUG() on certain configurations of ext4 file systems.


* CVE-2010-3067: Information leak in do_io_submit().

An integer overflow error in the do_io_submit function could be used by 
userspace processes to read kernel memory.


* CVE-2010-3078: Information leak in XFS_IOC_FSGETXATTR ioctl.

The XFS_IOC_FSGETXATTR ioctl allowed unprivileged users to read 12 bytes 
of uninitialized stack memory, because the fsxattr struct declared on the 
stack in xfs_ioc_fsgetxattr() did not alter (or zero) the 12-byte fsx_pad 
member before copying it back to the user.


* CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.

Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation layer.  
Local users with sufficient privileges to open /dev/sequencer can cause a 
denial of service or privilege escalation via a NULL pointer dereference.


* CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.

The niu_get_ethtool_tcam_all function does not check the user-provided 
output buffer size before copying that many bytes into the output buffer, 
resulting in a buffer overflow.


* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local users to 
cause a denial of service (heap memory corruption) or possibly have 
unspecified other impact by calling rose_bind or rose_connect with a 
negative destination digis count.


* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() funcy.  An attacker who could cause the system to 
mount a malicious filesystem image could use this vulnerability to copy 
too much data by providing a fast symlink data string that is not 
NULL-terminated.


* CVE-2010-2963: Privilege escalation in V4L 32-bit compat support.

Kees Cook discovered that the V4L1 32bit compat interface did not 
correctly validate certain parameters.  A local attacker on a 64bit system 
with access to a video device could exploit this to gain root privileges.


* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on 
user-provided pointers before using unchecked __copy_*_user_inatomic 
functions, which can be exploited by a local user to write to arbitrary 
kernel memory and escalate privileges.


* Fix mlock regression introduced by CVE-2010-2240 fix.

The upstream patch for CVE-2010-2240 introduced a possible kernel crash 
when privileged applications use mlock on portions of the kernel stack.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
