[Ksplice][Ubuntu 9.10 Updates] New updates available via Ksplice (2.6.31-22.70)

Nelson Elhage nelhage at ksplice.com
Thu Jan 6 08:40:02 PST 2011


Synopsis: 2.6.31-22.70 can now be patched using Ksplice
CVEs: CVE-2010-2537 CVE-2010-2538 CVE-2010-2943 CVE-2010-2962 CVE-2010-3079
      CVE-2010-3296 CVE-2010-3297 CVE-2010-3298 CVE-2010-3848 CVE-2010-3849
      CVE-2010-3858 CVE-2010-3861 CVE-2010-4072

Systems running Ubuntu 9.10 Karmic can now use Ksplice to patch against the
latest Ubuntu kernel, 2.6.31-22.70.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 9.10 Karmic users install
these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-2537 and CVE-2010-2538: Missing checks in BTRFS_IOC_CLONE_RANGE.

- The BTRFS_IOC_CLONE ioctl did not check for an append-only file, potentially
  allowing an attacker to inappropriately write to a file opened for append
  only.

- An integer overflow in the BTRFS_IOC_CLONE_RANGE ioctl potentially allowed an
  attacker to inappropriately read from kernel memory.


* CVE-2010-2943: Missing inode validation in XFS.

The xfs implementation in the Linux kernel does not properly validate inode
numbers, which allows remote authenticated users to read unlinked files, or
potentially read or overwrite other files, by accessing a stale NFS filehandle.


* CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.

The i915 driver's pread and pwrite ioctls had several bugs in their
access control checks that could be used to achieve privilege
escalation.


* CVE-2010-3079: Denial of service in set_ftrace_filter.

The set_ftrace_filter special file did not correctly handle the lseek()
operation, potentially allowing a local user to trigger a denial of service
(kernel oops).


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to
read 4 bytes of uninitialized stack memory, because the "addr" member
of the ch_reg struct declared on the stack in cxgb_extension_ioctl()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member
of the master_config_t struct declared on the stack in
eql_g_master_cfg() is not altered or zeroed before being copied back
to the user.


* CVE-2010-3298: Information leak in hso_get_count().

The TIOCGICOUNT device ioctl allowed unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in
hso_get_count() was not altered or zeroed before being copied back to
the user.
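The three stack-leak entries above (CVE-2010-3296, CVE-2010-3297 and CVE-2010-3298) share one pattern, shown here as an added example that is not kernel code or anything from Ksplice: a caller-supplied struct stands in for the reused kernel stack frame, memcpy stands in for copy_to_user, and the struct and function names are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative struct shaped like serial_icounter_struct: fields the driver
 * fills in plus a "reserved" tail it never writes (names are made up). */
struct icount_like {
    uint32_t cts;
    uint32_t dsr;
    uint32_t reserved[4];
};

/* Vulnerable pattern (CVE-2010-3296/3297/3298): 'ic' stands in for a struct
 * declared on the kernel stack, still holding what an earlier frame left
 * there; only the known fields are set before the whole struct is copied
 * out (memcpy stands in for copy_to_user). */
size_t get_count_leaky(struct icount_like *ic, uint32_t cts, uint32_t dsr,
                       uint8_t *user_buf)
{
    ic->cts = cts;
    ic->dsr = dsr;
    memcpy(user_buf, ic, sizeof *ic);
    return sizeof *ic;
}

/* Fixed pattern: zero the whole struct first, so reserved words and padding
 * reach user space as zeros instead of stale stack contents. */
size_t get_count_fixed(struct icount_like *ic, uint32_t cts, uint32_t dsr,
                       uint8_t *user_buf)
{
    memset(ic, 0, sizeof *ic);
    ic->cts = cts;
    ic->dsr = dsr;
    memcpy(user_buf, ic, sizeof *ic);
    return sizeof *ic;
}

/* Non-zero bytes in the part the driver never wrote: each one is a byte of
 * stale kernel memory disclosed to the caller. */
size_t stale_bytes(const uint8_t *user_buf)
{
    size_t n = 0;
    for (size_t i = offsetof(struct icount_like, reserved);
         i < sizeof(struct icount_like); i++)
        n += user_buf[i] != 0;
    return n;
}
```

With the frame pre-filled with a constructed 0x41 pattern, stale_bytes() reports 16 for the leaky variant and 0 for the fixed one.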


* CVE-2010-3858: Denial of service with excessive argument size.

Creating a process with a very large argument list or environment may
trigger a kernel BUG in the setup_arg_pages function.


* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.

The ethtool_get_rxnfc function did not initialize a block of heap memory, which
allowed local users to obtain potentially sensitive information via an
ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.


* CVE-2010-4072: Information leak in System V IPC.

System V IPC leaks uninitialized kernel stack memory to user programs
in unused fields of the shmid_ds structure.


* Improved fix for CVE-2010-3849.

Adopt the upstream fix for CVE-2010-3849, instead of the one originally applied
by Ubuntu, which does not completely fix the problem.


* Improved fix for CVE-2010-3848.

Adopt the upstream fix for CVE-2010-3848, instead of the fix originally applied
by Ubuntu, which contains various bugs.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.