[Ksplice][Ubuntu 9.10 Updates] New updates available via Ksplice (USN-1073-1)
Tim Abbott
tabbott at ksplice.com
Sat Feb 26 08:22:42 PST 2011
Synopsis: USN-1073-1 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3698 CVE-2010-3859 CVE-2010-3865 CVE-2010-3873 CVE-2010-3875 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4073 CVE-2010-4074 CVE-2010-4078 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081 CVE-2010-4082 CVE-2010-4083 CVE-2010-4157 CVE-2010-4160 CVE-2010-4165 CVE-2010-4169 CVE-2010-4248 CVE-2010-4249
Systems running Ubuntu 9.10 Karmic can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1073-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 9.10 Karmic users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
DESCRIPTION
* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.
* CVE-2010-4165: Denial of service in TCP from user MSS.
A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.
* CVE-2010-4169: Use-after-free bug in mprotect system call.
A use-after-free flaw in the mprotect() system call could allow a local,
unprivileged user to cause a local denial of service.
* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).
* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory.
* CVE-2010-3698: Denial of service vulnerability in KVM host.
A flaw was found in the way QEMU-KVM handled the reloading of fs and gs
segment registers when they had invalid selectors. A privileged host user
with access to "/dev/kvm" could use this flaw to crash the host (denial of
service).
* CVE-2010-4078: Information leak in SiS framebuffer driver.
The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.
* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.
A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges.
* CVE-2010-3865: Integer overflow in RDS rdma page counting.
An integer overflow flaw was found in the Linux kernel's Reliable Datagram
Sockets (RDS) protocol implementation. A local, unprivileged user could
use this flaw to cause a denial of service or escalate their privileges.
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.
* CVE-2010-3873: Memory corruption in X.25 facilities parsing.
The x25_parse_facilities function may cause a memcpy() of ULONG_MAX
size, destroying the kernel heap.
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows unprivileged
users to read uninitialized stack memory.
* CVE-2010-3877: Information leak in TIPC protocol.
The TIPC protocol may leak uninitialized padding bytes in a sockaddr_tipc
structure to user programs.
* CVE-2010-0435: Denial of service in KVM on debug register access.
A NULL pointer dereference flaw was found when the host system had a
processor with the Intel VT-x extension enabled. A privileged guest user
could use this flaw to trick the host into emulating a certain
instruction, which could crash the host (denial of service).
* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group leader
in the de_thread function in fs/exec.c.
* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO
ioctls in hdsp.c and hdspm.c, respectively, allow unprivileged users to
read uninitialized kernel stack memory, because several fields of the
hdsp{m}_config_info structs declared on the stack are not altered or
zeroed before being copied back to the user.
* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of the
viafb_ioctl_info struct declared on the stack is not altered or zeroed
before being copied back to the user.
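The two items above (the hdsp/hdspm config-info ioctls and VIAFB_GET_INFO) describe the same defect class: a struct is declared on the kernel stack, only some of its fields are written, and the whole struct is copied to user space. The following is an added illustration, not code from this advisory or from the Linux kernel. It models the pattern in user space: a union stands in for the ioctl handler's stack slot and is pre-filled with a recognisable byte pattern to play the role of stale stack contents; memcpy() stands in for copy_to_user(). The struct layout, field names, sizes and values are constructed for the example (the 246-byte "reserved" member only echoes the size quoted in the advisory).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a few populated fields followed by a large
 * "reserved" member.  Not the real viafb_ioctl_info or hdsp_config_info. */
struct config_info {
    uint32_t chip_id;
    uint32_t version;
    uint8_t  reserved[246];
};

/* The handler's local variable lives in this union.  The raw view lets
 * us pre-fill it, modelling data left behind on the kernel stack by
 * earlier work; type-punning through a union is well defined in C. */
static union {
    struct config_info info;
    uint8_t raw[sizeof(struct config_info)];
} stack_slot;

static void poison_stack_slot(uint8_t pattern)
{
    memset(stack_slot.raw, pattern, sizeof stack_slot.raw);
}

/* Vulnerable pattern: only the fields the driver cares about are written.
 * "reserved" (and any trailing padding) keeps whatever the stack held,
 * and the copy-out ships those bytes to the caller. */
static void get_info_vulnerable(uint8_t *user_buf)
{
    struct config_info *info = &stack_slot.info;
    info->chip_id = 0x1106;   /* constructed value */
    info->version = 3;
    memcpy(user_buf, info, sizeof *info);   /* models copy_to_user() */
}

/* Hardened pattern: zero the whole object before populating it, so no
 * stale stack bytes, in reserved fields or in padding, reach user space.
 * A designated initialiser (struct config_info info = {0};) on a real
 * local variable achieves the same thing. */
static void get_info_fixed(uint8_t *user_buf)
{
    struct config_info *info = &stack_slot.info;
    memset(info, 0, sizeof *info);
    info->chip_id = 0x1106;
    info->version = 3;
    memcpy(user_buf, info, sizeof *info);
}

/* Count bytes outside the populated fields that are nonzero in what the
 * caller received.  Any such byte is kernel data the caller should never see. */
static size_t count_leaked_bytes(const uint8_t *user_buf)
{
    size_t leaked = 0;
    for (size_t i = offsetof(struct config_info, reserved);
         i < sizeof(struct config_info); i++)
        if (user_buf[i] != 0)
            leaked++;
    return leaked;
}

/* Run one handler variant against a poisoned stack slot and report how
 * many stale bytes it exposed.  For the vulnerable variant this is the
 * 246 reserved bytes plus the 2 trailing padding bytes of the struct. */
size_t leaked_bytes_for(void (*handler)(uint8_t *))
{
    uint8_t user_buf[sizeof(struct config_info)];
    poison_stack_slot(0xAA);
    handler(user_buf);
    return count_leaked_bytes(user_buf);
}

int main(void)
{
    printf("vulnerable handler leaked %zu bytes\n",
           leaked_bytes_for(get_info_vulnerable));
    printf("fixed handler leaked %zu bytes\n",
           leaked_bytes_for(get_info_fixed));
    return 0;
}
```

The checker deliberately scans from the first unpopulated field to sizeof(struct), so it also catches compiler-inserted padding; that is the same mechanism the AX.25 and TIPC items in this notice describe, where the leak is in padding bytes rather than a named reserved member.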
* CVE-2010-4083: Information leak in System V IPC.
A missing initialization flaw was found in System V IPC. A local,
unprivileged user could use this flaw to cause information leaks.
* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
The INET-DIAG subsystem is inconsistent about how it looks up the bytecode
contained in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make
the kernel enter an infinite loop, and possibly other consequences.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.