[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (CU-2.6.18-028stab070.7)

Tim Abbott tabbott@ksplice.com
Fri Oct 8 16:14:36 PDT 2010


Synopsis: CU-2.6.18-028stab070.7 can now be patched using Ksplice
CVEs: CVE-2010-1083 CVE-2010-1084 CVE-2010-1173 CVE-2010-2066 CVE-2010-2226 CVE-2010-2240 CVE-2010-2248 CVE-2010-2492 CVE-2010-2521 CVE-2010-2524 CVE-2010-2798 CVE-2010-2942 CVE-2010-3015
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use 
Ksplice to patch against the latest Parallels Virtuozzo Containers kernel 
security update, CU-2.6.18-028stab070.7.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4 or OpenVZ on 
RHEL 5 install these updates.  You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-2066: Missing privilege check in ext4 for append-only files.

A missing check was found in the mext_check_arguments() function in the 
ext4 file system code. A local user could use this flaw to cause the 
MOVE_EXT IOCTL to overwrite the contents of an append-only file on an ext4 
file system, if they have write permissions for that file. (CVE-2010-2066, 
Low)


* CVE-2010-1084: Privilege escalation in Bluetooth subsystem.

Instances of unsafe sprintf() use were found in the Linux kernel Bluetooth 
implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM 
sockets could result in arbitrary memory pages being overwritten.  A 
local, unprivileged user could use this flaw to cause a kernel panic 
(denial of service) or escalate their privileges. (CVE-2010-1084, 
Important)


* CVE-2010-2248: Remote denial of service in CIFS client.

A flaw was found in the CIFSSMBWrite() function in the Linux kernel Common 
Internet File System (CIFS) implementation. A remote attacker could send a 
specially-crafted SMB response packet to a target CIFS client, resulting 
in a kernel panic (denial of service). (CVE-2010-2248, Important)


* CVE-2010-2524: False CIFS mount via DNS cache poisoning.

A flaw was found in the dns_resolver upcall used by CIFS. A local, 
unprivileged user could redirect a Microsoft Distributed File System link 
to another IP address, tricking the client into mounting the share from a 
server of the user's choosing. (CVE-2010-2524, Moderate)


* CVE-2010-2521: Remote buffer overflow in NFSv4 server.

Buffer overflow flaws were found in the Linux kernel's implementation of 
the server-side External Data Representation (XDR) for the Network File 
System (NFS) version 4. An attacker on the local network could send a 
specially-crafted large compound request to the NFSv4 server, which could 
possibly result in a kernel panic (denial of service) or, potentially, 
code execution. (CVE-2010-2521, Important)


* CVE-2010-2226: Read access to write-only files in XFS filesystem.

A flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel 
XFS file system implementation. A local user could use this flaw to read 
write-only files that they do not own on an XFS file system, leading to 
unintended information disclosure. (CVE-2010-2226, Moderate)


* CVE-2010-2240: Privilege escalation vulnerability in memory management.

When an application has a stack overflow, the stack could silently 
overwrite another memory mapped area instead of a segmentation fault 
occurring, which could cause an application to execute arbitrary code, 
possibly leading to privilege escalation. It is known that the X Window 
System server can be used to trigger this flaw. (CVE-2010-2240, Important)


* CVE-2010-2798: Denial of service in GFS2.

Bob Peterson reported an issue in the GFS2 file system. A file system user 
could cause a denial of service (Oops) via certain rename operations. 
(CVE-2010-2798, Important)


* CVE-2010-2492: Privilege escalation in eCryptfs.

Andre Osterhues discovered that eCryptfs did not correctly calculate hash 
values. A local attacker with certain uids could exploit this to crash the 
system or potentially gain root privileges. (CVE-2010-2492, Important)


* Improved fix to CVE-2010-1173.

The original fix for CVE-2010-1173 did not properly append the error 
cause to the error chunks.


* CVE-2010-3015: Integer overflow in ext4 filesystem.

An integer overflow flaw was found in the ext4_ext_get_blocks() function. 
This can trigger a BUG() on certain configurations of ext4 file systems. 
(CVE-2010-3015, Moderate)


* CVE-2010-1083: Information leak in USB implementation.

An information leak flaw was found in the kernel's USB implementation. 
Certain USB errors could result in an uninitialized kernel buffer being 
sent to user-space. An attacker with physical access to a target system 
could use this flaw to cause an information leak. (CVE-2010-1083, Low)


* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code may 
allow the disclosure of 32 bits of kernel memory to userspace 
applications.  (CVE-2010-2942, Moderate)

SUPPORT

Ksplice support is available at support@ksplice.com or +1 765-577-5423.
