[Ksplice][Ubuntu 9.10 Updates] New updates available via Ksplice (USN-1073-1)

Tim Abbott tabbott at ksplice.com
Sat Feb 26 08:22:42 PST 2011


Synopsis: USN-1073-1 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3698 CVE-2010-3859 CVE-2010-3865 CVE-2010-3873 CVE-2010-3875 CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4073 CVE-2010-4074 CVE-2010-4078 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081 CVE-2010-4082 CVE-2010-4083 CVE-2010-4157 CVE-2010-4160 CVE-2010-4165 CVE-2010-4169 CVE-2010-4248 CVE-2010-4249

Systems running Ubuntu 9.10 Karmic can now use Ksplice to patch against 
the latest Ubuntu Security Notice, USN-1073-1.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 9.10 Karmic users install 
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by 
passing in an invalid TCP_MAXSEG, leading to a kernel oops.


* CVE-2010-4169: Use-after-free bug in mprotect system call.

A use-after-free flaw in the mprotect() system call could allow a local, 
unprivileged user to cause a local denial of service.


* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX 
sockets.  A local, unprivileged user could use this flaw to trigger a 
denial of service (out-of-memory condition).


* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows 
unprivileged users to read uninitialized stack memory.


* CVE-2010-3698: Denial of service vulnerability in KVM host.

A flaw was found in the way QEMU-KVM handled the reloading of fs and gs 
segment registers when they had invalid selectors. A privileged host user 
with access to "/dev/kvm" could use this flaw to crash the host (denial of 
service).


* CVE-2010-4078: Information leak in SiS framebuffer driver.

The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged 
users to read 16 bytes of uninitialized stack memory.


* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged 
users to read 16 bytes of uninitialized stack memory.


* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation could allow a local, 
unprivileged user to escalate their privileges.


* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable Datagram 
Sockets (RDS) protocol implementation.  A local, unprivileged user could 
use this flaw to cause a denial of service or escalate their privileges.


* CVE-2010-3875: Information leak in AX.25 protocol.

The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.


* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities function may cause a memcpy() of ULONG_MAX size, 
destroying the kernel heap.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a 
sockaddr struct before copying it to userland, which allows unprivileged 
users to read uninitialized stack memory.


* CVE-2010-3877: Information leak in TIPC protocol.

The TIPC protocol may leak uninitialized padding bytes in a sockaddr_tipc 
structure to user programs.


* CVE-2010-0435: Denial of service in KVM on debug register access.

A NULL pointer dereference flaw was found when the host system had a 
processor with the Intel VT-x extension enabled.  A privileged guest user 
could use this flaw to trick the host into emulating a certain 
instruction, which could crash the host (denial of service).


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO 
ioctls in hdspm.c and hdsp.c allow unprivileged users to read 
uninitialized kernel stack memory, because several fields of the 
hdsp{m}_config_info structs declared on the stack are not altered or 
zeroed before being copied back to the user.


* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 
bytes of uninitialized stack memory, because the "reserved" member of the 
viafb_ioctl_info struct declared on the stack is not altered or zeroed 
before being copied back to the user.


* CVE-2010-4083: Information leak in System V IPC.

A missing initialization flaw was found in System V IPC.  A local, 
unprivileged user could use this flaw to cause information leaks.
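The pattern behind this and the other stack information leaks above (the ioctl and getname handlers of CVE-2010-4073, -4074, -4078, -4079, -3875, -3876, -3877, -4080/-4081 and -4082) is a struct declared on the stack, partially filled, then copied whole to user space. The following is an added user-space model, not code from the advisory or the kernel: the struct layout, field names and the 0xAA "stale" sentinel are constructed, and it counts how many bytes a handler leaves untouched (a never-written "reserved" member and compiler padding alike) against a handler that zeroes the object first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a driver's ioctl reply with a "reserved" tail,
 * as the advisory describes for viafb_ioctl_info; layout is illustrative. */
struct info_reply {
    uint8_t  version;      /* followed by 3 padding bytes on common ABIs */
    uint32_t chip_id;
    uint8_t  reserved[16]; /* never written by the vulnerable handler */
};

#define STALE 0xAA  /* models whatever an earlier call left on the stack */

/* Vulnerable pattern: only some members are assigned before the whole
 * struct is copied to user space. */
static void fill_vulnerable(struct info_reply *r)
{
    r->version = 2;
    r->chip_id = 0x1234;
}

/* Fixed pattern: zero the whole object first so unused members and
 * compiler padding carry no stale data. */
static void fill_fixed(struct info_reply *r)
{
    memset(r, 0, sizeof(*r));
    fill_vulnerable(r);  /* same assignments, now on a zeroed object */
}

/* Pre-fill the struct's storage with STALE, run the handler, and count
 * bytes still holding STALE: the bytes that would leak to user space. */
static size_t count_leaked(void (*fill)(struct info_reply *))
{
    union { struct info_reply r; uint8_t raw[sizeof(struct info_reply)]; } u;
    size_t i, leaked = 0;
    memset(u.raw, STALE, sizeof u.raw);
    fill(&u.r);
    for (i = 0; i < sizeof u.raw; i++)
        leaked += (u.raw[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("vulnerable: %zu bytes leak\n", count_leaked(fill_vulnerable));
    printf("fixed:      %zu bytes leak\n", count_leaked(fill_fixed));
    return 0;
}
```

On a typical x86-64 build the vulnerable handler leaves 19 of 24 bytes untouched (16 reserved plus 3 padding) and the zeroing handler none, which is why the kernel fixes for these CVEs add a memset (or a zero initializer) rather than assigning fields one by one.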


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode 
contained in a netlink message, making it possible for a user to cause the 
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make 
the kernel enter an infinite loop, and possibly other consequences.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.