[Ksplice][Virtuozzo 3 Updates] New updates available via Ksplice (CU-2.6.9-023stab052.4)

Nelson Elhage nelhage at ksplice.com
Tue Jun 1 14:02:09 PDT 2010


Synopsis: CU-2.6.9-023stab052.4 can now be patched using Ksplice
CVEs: CVE-2005-4881 CVE-2009-1895 CVE-2009-2847 CVE-2009-2848
      CVE-2009-3080 CVE-2009-3228 CVE-2009-3613 CVE-2009-3620
      CVE-2009-3621 CVE-2009-4005 CVE-2009-4020 CVE-2009-4271
      CVE-2009-4536 CVE-2009-4537 CVE-2009-4538 CVE-2010-0007
      CVE-2010-0307
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 3 can now use Ksplice to patch against the
latest Parallels Virtuozzo Containers kernel security update,
CU-2.6.9-023stab052.4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 3 install
these updates.  You can install these updates by running:

# uptrack-upgrade -y

ENABLING THE 'mmap_min_addr' SYSCTL

This update adds support for the 'mmap_min_addr' sysctl. This option
is not enabled by default. For information on enabling mmap_min_addr
in order to mitigate kernel NULL pointer dereferences, please see
http://kbase.redhat.com/faq/docs/DOC-20536

DESCRIPTION

* CVE-2009-1895: Loophole in ASLR and mmap_min_addr security mechanisms.

The ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when
a setuid or setgid program was executed. A local, unprivileged user
could use this flaw to bypass the mmap_min_addr protection mechanism
and perform a NULL pointer dereference attack, or bypass the Address
Space Layout Randomization (ASLR) security feature.


* CVE-2009-2847: Information leak in do_sigaltstack().

Ulrich Drepper noticed an issue in the do_sigaltstack function.  On
64-bit machines the function does not clear certain padding bytes from
a structure, which allows local users to obtain potentially sensitive
information from the kernel stack.


* CVE-2009-2848: Memory corruption in new process through clear_child_tid.

It was discovered that, when executing a new process, the clear_child_tid
pointer in the Linux kernel is not cleared. If this pointer points to a
writable portion of the memory of the new program, the kernel could corrupt
four bytes of memory, possibly leading to a local denial of service or
privilege escalation.


* CVE-2005-4881: Uninitialized memory leaks in network code.

Missing initialization flaws were found in the Linux kernel.  Padding
data in several core network structures was not initialized properly
before being sent to user-space.  These flaws could lead to
information leaks.


* CVE-2009-3228: Uninitialized memory leak in network code.

A missing initialization flaw was found in the Linux kernel's network
scheduler.  Padding data in a network data structure was not
initialized properly before being sent to user-space.  This flaw could
lead to an information leak.
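CVE-2009-2847, CVE-2005-4881 and CVE-2009-3228 are all the same bug class:
a kernel structure is filled in member by member and then copied whole to
user space, so the compiler-inserted padding bytes carry whatever was on
the kernel stack before. The program below is an added example (not code
from the advisory or from the kernel) that reproduces the effect in user
space with a struct laid out like the 64-bit stack_t behind CVE-2009-2847;
the 0xAA marker stands in for stale kernel memory and memcpy stands in for
copy_to_user().

```c
/* Added example (not from the Ksplice advisory or the kernel): why unzeroed
 * struct padding leaks memory. The union/struct names and the 0xAA marker
 * are constructed for the demonstration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same member layout as the kernel's stack_t on 64-bit:
 * 8 (ss_sp) + 4 (ss_flags) + 4 padding + 8 (ss_size) = 24 bytes. */
struct sigaltstack_like {
    void   *ss_sp;
    int     ss_flags;
    size_t  ss_size;
};

/* Lets us view the object both as fields and as raw bytes without
 * alignment tricks. */
union kobj {
    struct sigaltstack_like s;
    unsigned char raw[sizeof(struct sigaltstack_like)];
};

#define PAYLOAD_BYTES (sizeof(void *) + sizeof(int) + sizeof(size_t))
#define STALE 0xAAu   /* stands in for leftover kernel stack contents */

/* Vulnerable shape (what do_sigaltstack() did): assign the three members
 * and copy the whole object out. The padding is never written. */
static void fill_unsafe(unsigned char out[sizeof(union kobj)])
{
    union kobj k;
    memset(k.raw, STALE, sizeof k.raw);   /* stale data on the "kernel stack" */
    k.s.ss_sp    = NULL;
    k.s.ss_flags = 0;
    k.s.ss_size  = 0;
    memcpy(out, k.raw, sizeof k.raw);     /* copy_to_user() stand-in */
}

/* Fixed shape: zero the whole object before filling the members, so the
 * padding carries no information. */
static void fill_safe(unsigned char out[sizeof(union kobj)])
{
    union kobj k;
    memset(k.raw, STALE, sizeof k.raw);
    memset(&k.s, 0, sizeof k.s);          /* the one-line fix */
    k.s.ss_sp    = NULL;
    k.s.ss_flags = 0;
    k.s.ss_size  = 0;
    memcpy(out, k.raw, sizeof k.raw);
}

/* Count bytes of the copied-out object that still hold the stale marker;
 * every one of them would reach user space. */
static int count_stale_bytes(const unsigned char *obj, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (obj[i] == STALE)
            n++;
    return n;
}

/* Number of padding bytes the compiler inserted (4 on x86_64, 0 on i386). */
int padding_bytes(void)
{
    return (int)(sizeof(struct sigaltstack_like) - PAYLOAD_BYTES);
}

int leaked_unsafe(void)
{
    unsigned char o[sizeof(union kobj)];
    fill_unsafe(o);
    return count_stale_bytes(o, sizeof o);
}

int leaked_safe(void)
{
    unsigned char o[sizeof(union kobj)];
    fill_safe(o);
    return count_stale_bytes(o, sizeof o);
}

int main(void)
{
    printf("struct size %zu, payload %zu, padding %d bytes\n",
           sizeof(struct sigaltstack_like), PAYLOAD_BYTES, padding_bytes());
    printf("stale bytes copied out: unsafe=%d safe=%d\n",
           leaked_unsafe(), leaked_safe());
    return 0;
}
```

On x86_64 the unsafe path copies out exactly the four padding bytes of
stale data; on a 32-bit build there is no padding and nothing leaks, which
is why these bugs were reported as 64-bit only. The same memset-first rule
applies to any structure that is copied to user space as a unit, including
the socket and scheduler structures in CVE-2005-4881 and CVE-2009-3228.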


* CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.

The ATI Rage 128 (aka r128) driver in the Linux kernel does not
properly verify Concurrent Command Engine (CCE) state initialization,
which allows local users to cause a denial of service or privilege
escalation.


* CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.

Local users can cause a denial of service (system hang) by creating an
abstract-namespace AF_UNIX listening socket, performing a shutdown
operation on this socket, and then performing a series of connect
operations to this socket.


* ipv4: make ip_append_data() handle NULL routing table.

A check has been added to the IPv4 code to make sure that the routing
table data structure, rt, is not NULL, to help prevent future bugs in
functions that call ip_append_data() from being exploitable.


* CVE-2009-3613: Remote denial of service in r8169 driver.

A programming error in the r8169 driver could result in the Linux
kernel leaking PCI device resources, leading to a denial of service
attack.


* CVE-2009-4536: Denial of service in e1000 driver.

The e1000 driver did not properly handle packets which span multiple
receive buffers. A remote attacker could potentially exploit this to
cause memory corruption and a denial of service.


* CVE-2009-4538: Denial of service in e1000e driver.

The e1000e driver did not properly handle packets which span multiple
receive buffers. A remote attacker could potentially exploit this to
cause memory corruption and a denial of service.


* CVE-2009-3080: Privilege Escalation in GDT driver.

An array index error in the GDT SCSI driver in the Linux kernel before
2.6.32-rc8 allows local users to cause a denial of service or possibly
gain privileges via a negative event index in an IOCTL request.
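The flaw is a signed index from user space checked only against the upper
bound. The following is an added example (not from the advisory or from
the gdth driver; struct event_request, event_log and the function names
are illustrative) that shows the vulnerable check beside the fixed one and
an ioctl-style handler that returns -EINVAL instead of indexing before the
array.

```c
/* Added example (not from the Ksplice advisory or the gdth driver): the
 * signed array-index bug class behind CVE-2009-3080 and the check that
 * closes it. All names and the event log contents are constructed. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_EVENTS 8

/* Constructed stand-in for a controller's event log. */
static const uint32_t event_log[MAX_EVENTS] = {
    0x1000, 0x1001, 0x1002, 0x1003, 0x1004, 0x1005, 0x1006, 0x1007
};

/* What an ioctl caller hands the driver: the index is a signed int copied
 * straight out of user memory, so it can be negative. */
struct event_request {
    int      index;
    uint32_t value;   /* filled in by the driver */
};

/* Vulnerable shape: only the upper bound is checked. index == -1 passes
 * and event_log[-1] would read memory in front of the array. Only the
 * check is shown; the out-of-bounds read itself is undefined behaviour. */
int index_ok_vulnerable(int index)
{
    return index < MAX_EVENTS;
}

/* Fixed shape: reject negatives. Comparing as unsigned is the usual kernel
 * idiom; a negative int becomes a huge value and fails the bound check. */
int index_ok_fixed(int index)
{
    return (unsigned int)index < MAX_EVENTS;
}

/* Handler using the fixed check: fills req->value and returns 0, or
 * returns -EINVAL (what the ioctl hands back to user space). */
int handle_read_event(struct event_request *req)
{
    if (!index_ok_fixed(req->index))
        return -EINVAL;
    req->value = event_log[req->index];
    return 0;
}

/* Convenience wrapper: the event value on success, negative errno on failure. */
long read_event(int index)
{
    struct event_request req = { .index = index, .value = 0 };
    int rc = handle_read_event(&req);
    return rc < 0 ? (long)rc : (long)req.value;
}

int main(void)
{
    int probes[] = { 0, 7, 8, -1, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("index %11d: vulnerable check %s, fixed check %s, read_event -> %ld\n",
               probes[i],
               index_ok_vulnerable(probes[i]) ? "accepts" : "rejects",
               index_ok_fixed(probes[i])      ? "accepts" : "rejects",
               read_event(probes[i]));
    }
    return 0;
}
```

The vulnerable check accepts -1 and INT_MIN; the fixed one rejects both
while still accepting 0 through MAX_EVENTS - 1.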


* CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.

A buffer overflow flaw was found in the hfs_bnode_read() function in
the HFS file system implementation.  This could lead to a denial of
service if a user browsed a specially-crafted HFS file system, for
example, by running "ls".


* CVE-2009-4005: Buffer overflow in HDLC driver.

The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the
Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified
impact via a crafted HDLC packet that arrives over ISDN and triggers a
buffer under-read.


* ptrace() leaking zombie processes.

A bug in the ptrace() implementation could have, in some cases, caused
ptrace_detach() to create a zombie process if the process being traced
was terminated with a SIGKILL signal.


* Process hang in ptrace() on multi-threaded process.

If a process was using ptrace() to trace a multi-threaded process, and
that multi-threaded process dumped its core, the process performing
the trace could hang in wait4(). This issue could be triggered by
running "strace -f" on a multi-threaded process that was dumping its
core, resulting in the strace command hanging.


* CVE-2009-4271: Kernel panic in coredump of 32-bit programs on 64-bit systems.

A NULL pointer dereference flaw was found in the Linux kernel.
During a core dump, the kernel did not check if the Virtual
Dynamically-linked Shared Object page was accessible.  On x86_64
systems, a local, unprivileged user could use this flaw to cause a
kernel panic and denial of service by running a crafted 32-bit program.


* CVE-2010-0007: Missing capabilities check in ebtables module.

The ebtables module in the netfilter framework in the Linux kernel did
not require the CAP_NET_ADMIN capability for setting or modifying
rules, which allows local users to bypass intended access restrictions
and configure arbitrary network-traffic filtering via a modified
ebtables application.


* CVE-2010-0307: Denial of service on x86_64 due to load_elf_binary.

Mathias Krause discovered that the load_elf_binary function in
fs/binfmt_elf.c did not ensure that the ELF interpreter is available
before a call to the SET_PERSONALITY macro, in a flaw related to the
flush_old_exec function.  This flaw allows local users to cause a
denial of service (system crash) via a 32-bit application that
attempts to execute a 64-bit application, which fails, and then
triggers a segmentation fault.  The issue is demonstrated by
"amd64_killer".


* Enable mmap_min_addr hardening against privilege escalation attacks.

The mmap_min_addr sysctl prevents userspace processes from mapping the
very bottom of memory, as mitigation against userspace exploiting NULL
pointer dereference bugs in the kernel. Enable it on all kernel
configurations, not just CONFIG_SECURITY.
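The sysctl described here, and in the ENABLING THE 'mmap_min_addr' SYSCTL
section above, exists to stop an unprivileged process from mapping the
zero page, which is the step a NULL pointer dereference exploit (and the
MMAP_PAGE_ZERO trick in CVE-2009-1895) relies on. The program below is an
added example (not from the advisory) that reads the current sysctl value
from /proc and then tries the exact operation the mitigation is meant to
refuse: a MAP_FIXED anonymous mapping at address 0. It is Linux-only and
needs no privilege.

```c
/* Added example (not from the Ksplice advisory): probe whether this process
 * can map the zero page and report the mmap_min_addr sysctl. The enum and
 * function names are constructed for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum null_page {
    NULL_PAGE_MAPPED  = 0,   /* mapping at 0 succeeded: mitigation absent or bypassed */
    NULL_PAGE_BLOCKED = 1,   /* EPERM (capability check) or EACCES (SELinux mmap_zero) */
    NULL_PAGE_ERROR   = 2    /* some other failure, e.g. not a Linux kernel */
};

/* Current vm.mmap_min_addr, or -1 if the sysctl cannot be read (on the
 * Virtuozzo 3 kernel it only exists once this update is applied). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Attempt a fixed anonymous mapping at address 0 and undo it if it
 * succeeds. With mmap_min_addr > 0 an unprivileged caller is refused
 * with EPERM; a caller holding CAP_SYS_RAWIO is allowed through. */
enum null_page probe_null_page(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL /* address 0 */, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? NULL_PAGE_BLOCKED
                                                   : NULL_PAGE_ERROR;
    munmap(p, page);          /* succeeded: p == (void *)0 */
    return NULL_PAGE_MAPPED;
}

/* 1 when the observed behaviour is the hardened one: a non-zero minimum
 * address and the zero page refused to this process. */
int null_page_hardened(void)
{
    return read_mmap_min_addr() > 0 && probe_null_page() == NULL_PAGE_BLOCKED;
}

int main(void)
{
    static const char *names[] = { "MAPPED", "BLOCKED", "ERROR" };
    long min_addr = read_mmap_min_addr();
    enum null_page r = probe_null_page();

    if (min_addr < 0)
        printf("vm.mmap_min_addr: not available (sysctl missing)\n");
    else
        printf("vm.mmap_min_addr = %ld\n", min_addr);
    printf("mmap(0, page, MAP_FIXED) as euid %u: %s\n",
           (unsigned)geteuid(), names[r]);
    printf("zero page hardened: %s\n", null_page_hardened() ? "yes" : "NO");
    return 0;
}
```

Run as an ordinary user on a system with the sysctl set, the probe reports
BLOCKED; with mmap_min_addr at 0, or as root holding CAP_SYS_RAWIO, it
reports MAPPED, which is exactly the condition a NULL dereference exploit
needs. The value to set is the subject of the Red Hat article linked above;
the kernel's usual defaults are 65536 on x86_64 and 4096 on 32-bit x86, and
the setting is changed at runtime with sysctl -w vm.mmap_min_addr=<value>.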


* CVE-2009-4537: Buffer underflow in r8169 driver.

The r8169 driver did not correctly handle certain large packets, which
could potentially be exploited to lead to remote arbitrary code
execution.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.