[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (CU-2.6.18-028stab070.2)

Tim Abbott tabbott at ksplice.com
Sat Jul 24 17:54:34 PDT 2010


Synopsis: CU-2.6.18-028stab070.2 can now be patched using Ksplice
CVEs: CVE-2010-0291 CVE-2010-0622 CVE-2010-1087 CVE-2010-1088 CVE-2010-1173 CVE-2010-1187 CVE-2010-1436 CVE-2010-1437 CVE-2010-1641
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel
security update, CU-2.6.18-028stab070.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4 or
OpenVZ on RHEL 5 install these updates.  You can install these updates
by running:

# uptrack-upgrade -y
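Once the upgrade has run, it is worth confirming that the machine actually reports every CVE in this advisory rather than trusting the exit status. The following is an added example, not part of the Ksplice announcement: it takes `uptrack-show` output on stdin and prints the advisory CVEs it cannot find. It assumes only that `uptrack-show` lists each installed update with the CVE identifier somewhere in its description line; the update ids and line layout in the sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: confirm that every CVE
# in this advisory is covered by the Ksplice updates a machine reports.
# Assumption: `uptrack-show` lists installed updates with the CVE id in the
# description line; only the CVE string is matched, not the line layout.

ADVISORY_CVES="CVE-2010-0291 CVE-2010-0622 CVE-2010-1087 CVE-2010-1088 CVE-2010-1173 CVE-2010-1187 CVE-2010-1436 CVE-2010-1437 CVE-2010-1641"

# missing_cves: read `uptrack-show` output on stdin and print, one per line,
# the advisory CVEs that do not appear anywhere in it (nothing printed means
# all nine are covered).
missing_cves() {
    shown=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$shown" | grep -q -- "$cve" || echo "$cve"
    done
}

# Constructed sample of uptrack-show output after a partial upgrade; the
# update ids and the line layout are made up for this example.
SAMPLE='Installed updates:
[abc12345] CVE-2010-1436: Privilege escalation in GFS2 server.
[def67890] CVE-2010-1087: Oops when truncating a file in NFS.'

printf '%s\n' "$SAMPLE" | missing_cves
# On a real Virtuozzo 4 / OpenVZ host:  uptrack-show | missing_cves
```

Run against the constructed sample this prints the seven CVEs that are not yet installed; on a host where `uptrack-upgrade -y` completed it should print nothing.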

DESCRIPTION

* CVE-2010-1436: Privilege escalation in GFS2 server

A buffer overflow flaw was found in the Linux kernel Global File System
2 (GFS2) implementation. In certain cases, a quota could be written past
the end of a memory page, causing memory corruption, leaving the quota
stored on disk in an invalid state. A user with write access to a GFS2
file system could trigger this flaw to cause a kernel crash (denial of
service) or escalate their privileges on the GFS2 server. This issue can
only be triggered if the GFS2 file system is mounted with the "quota=on"
or "quota=account" mount option. (CVE-2010-1436, Important)


* CVE-2010-1087: Oops when truncating a file in NFS

A NULL pointer dereference flaw was found in the Linux kernel Network
File System (NFS) implementation. A local user on a system that has an
NFS-mounted file system could use this flaw to cause a denial of service
or escalate their privileges on that system. (CVE-2010-1087, Important)


* CVE-2010-1088: Privilege escalation with automount symlinks

A flaw was found in the link_path_walk() function in the Linux kernel.
Using the file descriptor returned by the open() function with the
O_NOFOLLOW flag on a subordinate NFS-mounted file system could result in
a NULL pointer dereference, causing a denial of service or privilege
escalation. (CVE-2010-1088, Moderate)


* CVE-2010-1187: Denial of service in TIPC

A flaw was found in the Linux kernel Transparent Inter-Process
Communication protocol (TIPC) implementation. If a client application,
on a local system where the tipc module is not yet in network mode,
attempted to send a message to a remote TIPC node, it would dereference
a NULL pointer on the local system, causing a kernel panic (denial of
service). (CVE-2010-1187, Important)


* CVE-2010-0291: Multiple denial of service bugs in mmap and mremap

Multiple flaws were found in the mmap and mremap implementations. A
local user could use these flaws to cause a local denial of service or
escalate their privileges. (CVE-2010-0291, Important)


* CVE-2010-1173: Remote denial of service in SCTP

A flaw was found in the sctp_process_unk_param() function in the Linux
kernel Stream Control Transmission Protocol (SCTP) implementation. A
remote attacker could send a specially-crafted SCTP packet to an SCTP
listening port on a target system, causing a kernel panic (denial of
service). (CVE-2010-1173, Important)


* CVE-2010-0622: Privilege escalation by futex corruption

A NULL pointer dereference flaw was found in the Fast Userspace Mutexes
(futexes) implementation. The unlock code path did not check if the
futex value associated with pi_state->owner had been modified. A local
user could use this flaw to modify the futex value, possibly leading to
a denial of service or privilege escalation when the pi_state->owner
pointer is dereferenced. (CVE-2010-0622, Important)


* CVE-2010-1437: Privilege escalation in key management

A race condition between finding a keyring by name and destroying a
freed keyring was found in the Linux kernel key management facility. A
local user could use this flaw to cause a kernel panic (denial of
service) or escalate their privileges. (CVE-2010-1437, Important)


* CVE-2010-1641: Permission check bypass in GFS2

A missing permission check was found in the gfs2_set_flags() function in
the Linux kernel GFS2 implementation. A local user could use this flaw
to change certain file attributes of files, on a GFS2 file system, that
they do not own. (CVE-2010-1641, Low)
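Several of the descriptions above tie a flaw to a specific configuration: the GFS2 quota overflow needs a "quota=on" or "quota=account" mount, the gfs2_set_flags() and NFS bugs need the respective file system mounted, and the TIPC and SCTP panics need those protocol modules loaded. The mmap/mremap, futex and keyring flaws need nothing beyond a local shell. The following added example (not from the announcement or from Ksplice) turns those conditions into a triage check over /proc/mounts and /proc/modules; the sample file contents and the mapping of conditions to CVE identifiers are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: report which
# configuration-dependent flaws from this advisory a host is exposed to,
# based on /proc/mounts and /proc/modules contents passed in as strings.
# The condition-to-CVE mapping follows the advisory text and is an assumption
# of this example, not a Ksplice tool.

# exposure MOUNTS MODULES: MOUNTS is the text of /proc/mounts
# (dev mountpoint fstype options dump pass), MODULES the text of /proc/modules
# (name size refcount deps state addr). Prints one line per condition found.
exposure() {
    mounts=$1
    modules=$2
    printf '%s\n' "$mounts" | while read -r dev mnt fstype opts rest; do
        case "$fstype" in
            gfs2)
                echo "CVE-2010-1641 GFS2 mounted at $mnt (flag change on unowned files)"
                # Quota overflow is only reachable with quota accounting enabled.
                case ",$opts," in
                    *,quota=on,*|*,quota=account,*)
                        echo "CVE-2010-1436 GFS2 quota accounting on $mnt";;
                esac;;
            nfs|nfs4)
                echo "CVE-2010-1087 CVE-2010-1088 NFS mounted at $mnt";;
        esac
    done
    for mod in tipc sctp; do
        if printf '%s\n' "$modules" | grep -q "^$mod "; then
            case $mod in
                tipc) echo "CVE-2010-1187 tipc module loaded";;
                sctp) echo "CVE-2010-1173 sctp module loaded (remote DoS if a port is listening)";;
            esac
        fi
    done
}

# Constructed sample inputs; devices, mount points and addresses are made up.
MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/mapper/vg-gfs /srv/gfs gfs2 rw,hostdata=jid=0,quota=on 0 0
filer:/export /mnt/nfs nfs rw,vers=3 0 0'
MODULES='tipc 131072 0 - Live 0xffffffff88500000
sctp 245760 0 - Live 0xffffffff88400000
ext3 139264 1 - Live 0xffffffff88000000'

exposure "$MOUNTS" "$MODULES"
# On a live host:  exposure "$(cat /proc/mounts)" "$(cat /proc/modules)"
```

Treat an absent module as weak evidence only: protocol modules can be loaded on demand when a process opens a socket of that family, so the host may become exposed later without any configuration change. The check is for prioritising hosts, not for deciding whether to patch; the local-only flaws (mmap/mremap, futex, keyring) apply to every host regardless of what this prints.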

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



More information about the Ksplice-VZ4-Updates mailing list