From tabbott at ksplice.com Sat Feb 26 08:22:42 2011
From: tabbott at ksplice.com (Tim Abbott)
Date: Sat, 26 Feb 2011 11:22:42 -0500 (EST)
Subject: [Ksplice][Ubuntu 9.10 Updates] New updates available via Ksplice (USN-1073-1)
Message-ID:

Synopsis: USN-1073-1 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3698 CVE-2010-3859 CVE-2010-3865 CVE-2010-3873
      CVE-2010-3875 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4073
      CVE-2010-4074 CVE-2010-4078 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081
      CVE-2010-4082 CVE-2010-4083 CVE-2010-4157 CVE-2010-4160 CVE-2010-4165
      CVE-2010-4169 CVE-2010-4248 CVE-2010-4249

Systems running Ubuntu 9.10 Karmic can now use Ksplice to patch against the
latest Ubuntu Security Notice, USN-1073-1.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 9.10 Karmic users install
these updates.

You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.

DESCRIPTION

* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

  Several functions in the System V IPC 32-bit compatibility subsystem did
  not properly clear fields before copying data to user space, leaking data
  from uninitialized kernel stack memory to user space.

* CVE-2010-4165: Denial of service in TCP from user MSS.

  A user program could cause a division by 0 in tcp_select_initial_window
  by passing in an invalid TCP_MAXSEG, leading to a kernel oops.

* CVE-2010-4169: Use-after-free bug in mprotect system call.

  A use-after-free flaw in the mprotect() system call could allow a local,
  unprivileged user to cause a local denial of service.

* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

  A flaw was found in the Linux kernel's garbage collector for AF_UNIX
  sockets. A local, unprivileged user could use this flaw to trigger a
  denial of service (out-of-memory condition).

* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.

  The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
  unprivileged users to read uninitialized stack memory.

* CVE-2010-3698: Denial of service vulnerability in KVM host.

  A flaw was found in the way QEMU-KVM handled the reloading of fs and gs
  segment registers when they had invalid selectors. A privileged host user
  with access to "/dev/kvm" could use this flaw to crash the host (denial
  of service).

* CVE-2010-4078: Information leak in SiS framebuffer driver.

  The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged
  users to read 16 bytes of uninitialized stack memory.

* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

  The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged
  users to read 16 bytes of uninitialized stack memory.

* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

  A heap overflow flaw in the Linux kernel's Transparent Inter-Process
  Communication protocol (TIPC) implementation could allow a local,
  unprivileged user to escalate their privileges.

* CVE-2010-3865: Integer overflow in RDS rdma page counting.

  An integer overflow flaw was found in the Linux kernel's Reliable Datagram
  Sockets (RDS) protocol implementation. A local, unprivileged user could
  use this flaw to cause a denial of service or escalate their privileges.

* CVE-2010-3875: Information leak in AX.25 protocol.

  The ax25_getname function sometimes leaks kernel stack memory to userspace
  in uninitialized structure members and padding bytes.

* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

  The x25_parse_facilities function may cause a memcpy() of ULONG_MAX size,
  destroying the kernel heap.

* CVE-2010-3876: Kernel information leak in packet subsystem.

  The packet_getname_spkt function doesn't initialize all members of a
  sockaddr struct before copying it to userland, which allows unprivileged
  users to read uninitialized stack memory.

* CVE-2010-3877: Information leak in TIPC protocol.

  The TIPC protocol may leak uninitialized padding bytes in a sockaddr_tipc
  structure to user programs.

* CVE-2010-0435: Denial of service in KVM on debug register access.

  A NULL pointer dereference flaw was found when the host system had a
  processor with the Intel VT-x extension enabled. A privileged guest user
  could use this flaw to trick the host into emulating a certain
  instruction, which could crash the host (denial of service).

* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

  An integer overflow in ioc_general() may cause the computation of an
  incorrect buffer size, leading to memory corruption.

* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

  A race condition in the __exit_signal function in kernel/exit.c allows
  local users to cause a denial of service via vectors related to
  multithreaded exec, the use of a thread group leader in
  kernel/posix-cpu-timers.c, and the selection of a new thread group leader
  in the de_thread function in fs/exec.c.

* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

  The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
  ioctls in hdspm.c and hdsp.c allow unprivileged users to read
  uninitialized kernel stack memory, because several fields of the
  hdsp{m}_config_info structs declared on the stack are not altered or
  zeroed before being copied back to the user.

* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.

  The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
  bytes of uninitialized stack memory, because the "reserved" member of the
  viafb_ioctl_info struct declared on the stack is not altered or zeroed
  before being copied back to the user.

* CVE-2010-4083: Information leak in System V IPC.

  A missing initialization flaw was found in System V IPC. A local,
  unprivileged user could use this flaw to cause information leaks.

* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

  The INET-DIAG subsystem is inconsistent about how it looks up the bytecode
  contained in a netlink message, making it possible for a user to cause the
  kernel to execute unaudited INET-DIAG bytecode. This can be abused to make
  the kernel enter an infinite loop, and possibly other consequences.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
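Added illustration (not part of the advisory or of the kernel sources) of the bug class behind the stack information leaks listed above (CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-4080/4081, CVE-2010-4082 and the ioctl leaks): a constructed struct with a never-assigned "reserved" member and tail padding is filled field by field, as the vulnerable ioctls did, beside the memset-first form the fixes use; the struct, its field names and the 0xAA "stale stack" filler are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel reply struct (not any real kernel type).
 * Typical layout: family at 0, reserved at 2, id at 4, flags at 8, then
 * three bytes of tail padding so the size rounds up to 12. */
struct reply {
    uint16_t family;      /* written by both fill routines */
    uint8_t  reserved[2]; /* never written, like the viafb "reserved" member */
    uint32_t id;          /* written by both fill routines */
    uint8_t  flags;       /* written; the bytes after it are compiler padding */
};

/* Vulnerable pattern: only the named fields are set. reserved[] and the
 * padding keep whatever the stack held, and a copy_to_user() of the whole
 * struct would hand those bytes to an unprivileged caller. */
static void fill_reply_unsafe(struct reply *r, uint32_t id) {
    r->family = 30;
    r->id = id;
    r->flags = 1;
}

/* Hardened pattern used by the fixes: zero the whole object first, so
 * every byte that leaves the kernel has a defined value. */
static void fill_reply_safe(struct reply *r, uint32_t id) {
    memset(r, 0, sizeof(*r));
    r->family = 30;
    r->id = id;
    r->flags = 1;
}

/* True when byte i of the struct belongs to a field the fills assign. */
static int written_byte(size_t i) {
    return (i >= offsetof(struct reply, family) && i < offsetof(struct reply, family) + sizeof(uint16_t))
        || (i >= offsetof(struct reply, id)     && i < offsetof(struct reply, id)     + sizeof(uint32_t))
        || (i == offsetof(struct reply, flags));
}

/* Pre-fill a stack slot with stale data (0xAA), run one of the fills and
 * count the bytes outside the assigned fields that still carry stale data:
 * that is exactly what would be leaked through copy_to_user(). */
static size_t leaked_bytes(int use_safe_fill) {
    union { struct reply r; unsigned char raw[sizeof(struct reply)]; } b;
    size_t i, n = 0;
    memset(b.raw, 0xAA, sizeof b.raw);          /* constructed "stale stack" */
    if (use_safe_fill) fill_reply_safe(&b.r, 7); else fill_reply_unsafe(&b.r, 7);
    for (i = 0; i < sizeof b.raw; i++)
        if (!written_byte(i) && b.raw[i] != 0) n++;
    return n;                                    /* unsafe: at least 2, safe: 0 */
}

int main(void) {
    printf("unsafe fill leaks %zu byte(s), safe fill leaks %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The reserved bytes are guaranteed to leak in the unsafe variant; the padding bytes leak in practice as well, which is why the fixes zero the whole object rather than individual members.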