[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (CU-2.6.18-028stab070.14)

Tim Abbott tabbott at ksplice.com
Fri Nov 19 13:36:35 PST 2010


Synopsis: CU-2.6.18-028stab070.14 can now be patched using Ksplice
CVEs: CVE-2010-2963 CVE-2010-3066 CVE-2010-3067 CVE-2010-3078 CVE-2010-3086 CVE-2010-3477 CVE-2010-3904
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use 
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel 
security update, CU-2.6.18-028stab070.14.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4 or
OpenVZ on RHEL 5 install these updates.  You can install these updates
by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-3066: NULL pointer dereference in io_submit_one.

A NULL pointer dereference flaw was found in the io_submit_one() function 
in the Linux kernel asynchronous I/O implementation. A local, unprivileged 
user could use this flaw to cause a denial of service. (CVE-2010-3066, 
Moderate)


* CVE-2010-3067: Information leak in sys_io_submit.

A missing upper bound integer check was found in the sys_io_submit() 
function in the Linux kernel asynchronous I/O implementation. A local, 
unprivileged user could use this flaw to cause an information leak. 
(CVE-2010-3067, Low)


* CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.

A flaw was found in the xfs_ioc_fsgetxattr() function in the Linux kernel 
XFS file system implementation. A data structure in xfs_ioc_fsgetxattr() 
was not initialized properly before being copied to user-space. A local, 
unprivileged user could use this flaw to cause an information leak.  
(CVE-2010-3078, Moderate)


* CVE-2010-3086: Denial of Service in futex atomic operations.

The exception fixup code for the __futex_atomic_op1, __futex_atomic_op2, 
and futex_atomic_cmpxchg_inatomic() macros replaced the LOCK prefix with a 
NOP instruction. A local, unprivileged user could use this flaw to cause a 
denial of service. (CVE-2010-3086, Moderate)


* CVE-2010-3477: Information leak in tcf_act_police_dump.

A flaw was found in the tcf_act_police_dump() function in the Linux kernel 
network traffic policing implementation. A data structure in 
tcf_act_police_dump() was not initialized properly before being copied to 
user-space. A local, unprivileged user could use this flaw to cause an 
information leak. (CVE-2010-3477, Moderate)
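The two XFS and traffic-policing entries above (CVE-2010-3078 and
CVE-2010-3477) are the same bug class: a structure is only partly filled
in before being copied to user-space, so its padding carries whatever the
memory held before. The following user-space simulation, added here and
not taken from the advisory or the kernel sources, uses a hypothetical
struct layout and a marker byte standing in for stale kernel data; it
shows the vulnerable pattern beside the memset() fix and counts how many
stale bytes each one discloses.

```c
/* Added example: uninitialized-structure information leak, simulated in
 * user space. The struct layout, field values and STALE marker are
 * constructed for illustration; they are not kernel data structures. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl reply: the compiler inserts padding after 'flags'
 * (to align 'size') and after 'tag' (to round the struct size up). */
struct reply {
    uint8_t  flags;   /* followed by 7 padding bytes on typical 64-bit ABIs */
    uint64_t size;
    uint16_t tag;     /* followed by 6 padding bytes on typical 64-bit ABIs */
};

#define STALE 0xA5    /* marker standing in for leftover kernel memory */

/* Vulnerable pattern: only the named fields are set, then the whole
 * object, padding included, is copied out (memcpy stands in for
 * copy_to_user). The padding still holds whatever was there before. */
size_t fill_reply_vulnerable(struct reply *r, unsigned char *out) {
    r->flags = 1; r->size = 4096; r->tag = 7;
    memcpy(out, r, sizeof *r);
    return sizeof *r;
}

/* Fixed pattern: zero the whole object before filling in the fields, so
 * the padding bytes that reach user space are known to be zero. */
size_t fill_reply_fixed(struct reply *r, unsigned char *out) {
    memset(r, 0, sizeof *r);
    r->flags = 1; r->size = 4096; r->tag = 7;
    memcpy(out, r, sizeof *r);
    return sizeof *r;
}

/* Poison a reply slot as a previous use of that memory would, run one of
 * the fill routines, and count STALE bytes that reached the caller. A
 * non-zero count is memory content the caller was never meant to see. */
size_t leaked_bytes(size_t (*fill)(struct reply *, unsigned char *)) {
    struct reply slot;
    unsigned char out[sizeof(struct reply)];
    size_t n, i, leaked = 0;
    memset(&slot, STALE, sizeof slot);
    n = fill(&slot, out);
    for (i = 0; i < n; i++)
        if (out[i] == STALE) leaked++;
    return leaked;
}

int main(void) {
    printf("vulnerable: %zu stale bytes disclosed\n", leaked_bytes(fill_reply_vulnerable));
    printf("fixed:      %zu stale bytes disclosed\n", leaked_bytes(fill_reply_fixed));
    return 0;
}
```

The named fields occupy 11 bytes, so the vulnerable variant discloses
every other byte of the struct, while the fixed variant discloses none.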


* CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.

The ioctl32 v4l1 compat code for VIDIOCSMICROCODE does not check the 
destination buffer for a copy_from_user() call, which allows anyone with 
access to a v4l device to write to arbitrary kernel memory locations.


* Buffer overflow in icmpmsg_put.

Reading from the /proc/net/snmp file could cause a buffer overflow when 
the number of different MIB messages overran the internal buffer.


* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on 
user-provided pointers before using unchecked __copy_*_user_inatomic 
functions, which can be exploited by a local user to write to arbitrary 
kernel memory and escalate privileges.


* Fix broken networking for host-routed containers.

The stab070.12 kernel introduced a bug in the venet device (for 
host-routed containers) where the kernel didn't ARP properly for container 
IP addresses.  This resulted in containers not being accessible on the 
network.  Please note that this issue only affects machines booted with 
the stab070.12 kernel.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
