[El-errata] ELSA-2012-0743 Important: Oracle Linux 6 kernel security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 21 15:09:45 PDT 2012 

Oracle Linux Security Advisory ELSA-2012-0743

https://rhn.redhat.com/errata/RHSA-2012-0743.html

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
kernel-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-2.6.32-220.23.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-devel-2.6.32-220.23.1.el6.i686.rpm
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
kernel-headers-2.6.32-220.23.1.el6.i686.rpm

x86_64:
kernel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.23.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.23.1.el6.x86_64.rpm
kernel-doc-2.6.32-220.23.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.23.1.el6.noarch.rpm
kernel-headers-2.6.32-220.23.1.el6.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-2.6.32-220.23.1.el6.src.rpm

The following packages were rebuilt to be in sync with the updated
kernel version (no changes other than updating the version number):

Users with Oracle Linux Premier Support can now use Ksplice to patch
against this Security Advisory.

We recommend that all users of  Oracle Linux 6 install these updates.

Users of Ksplice Uptrack can install these updates by running :

# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.

Description of changes:

* CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.

A missing size check in drm_mode_dirtyfb_ioctl allowed an attacker to
overflow num_clips, causing a buffer allocation of an unintended,
small size. Future calls to fb->funcs->dirty could result in memory
corruption beyond that buffer.


* CVE-2012-2119: Stack overflow in KVM macvtap page pinning.

The vector length of pages passed to the host from the guest through
macvtap is not validated before the pages are pinned. A privileged
guest user could use this flaw to induce stack overflow on the
host with attacker non-controlled data but with attacker controlled length.


* CVE-2012-2123: Privilege escalation when assigning permissions using
fcaps.

If a process increases permissions using fcaps, all of the dangerous
personality flags which are cleared for suid apps are not cleared. This has
allowed programs that gained elevated permissions using fcaps to disable
the address space randomization of other processes.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use,
leading to heap overflow. A user having access to TUN/TAP virtual
device could use this flaw to crash the system or to potentially
escalate their privileges.


* CVE-2012-2121: Memory leak in KVM device assignment.

KVM uses memory slots to track and map guest regions of memory.  When device
assignment is used, the pages backing these slots are pinned in memory
and mapped
into the iommu.  The problem is that when a memory slot is destroyed the
pages
for the associated memory slot are neither unpinned nor unmapped from
the iommu.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function
in the
KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts
(MSI) routing entry was handled. A local, unprivileged user could use
this flaw
to cause a denial of service or, possibly, escalate their privileges.


* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.

CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when not
expected by the memory management subsystem. A privileged user in the
KVM guest can use this flaw to crash the host, an unprivileged local
user could use this flaw to crash the system.

CVE-2012-2373: Denial of service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault
resulting in a kernel crash, triggerable by an unprivileged user.

[2.6.32-220.23.1.el6]
- [net] bond: Make LRO flag follow slave settings (Neil Horman) [831176 
794647]

[2.6.32-220.22.1.el6]
- [net] ipv4/netfilter: TCP and raw fix for ip_route_me_harder (Jiri 
Benc) [824429 812108]

[2.6.32-220.21.1.el6]
- [security] fix compile error in commoncap.c (Eric Paris) [806725 
806726] {CVE-2012-2123}
- [security] fcaps: clear the same personality flags as suid when fcaps 
are used (Eric Paris) [806725 806726] {CVE-2012-2123}
- [net] rds: fix rds-ping inducing kernel panic (Jay Fenlason) [822757 
803936] {CVE-2012-2372}
- [net] sock: validate data_len before allocating skb in 
sock_alloc_send_pskb() (Jason Wang) [816292 814504] {CVE-2012-2136}
- [virt] kvm: Fix buffer overflow in kvm_set_irq() (Avi Kivity) [816154 
816155] {CVE-2012-2137}
- [drm] integer overflow in drm_mode_dirtyfb_ioctl() (Dave Airlie) 
[773249 773250] {CVE-2012-0044}
- [net] netfilter: Fix ip_route_me_harder triggering ip_rt_bug (Jiri 
Benc) [824429 812108]
- [net] netfilter/tproxy: do not assign timewait sockets to skb->sk 
(Jiri Benc) [824429 812108]
- [virt] xenpv: avoid paravirt __pmd in read_pmd_atomic (Andrew Jones) 
[823903 822697]
- [infiniband] mlx4: fix RoCE oops (Doug Ledford) [799946 749059]
- [mm] read_pmd_atomic: fix pmd_populate SMP race condition (Andrea 
Arcangeli) [822824 820762] {CVE-2012-2373}
- [infiniband] mlx4: check return code and bail on error (Doug Ledford) 
[799946 749059]
- [infiniband] mlx4: use locking when walking netdev list (Doug Ledford) 
[799946 749059]
- [mm] thp: fix pmd_bad() triggering in code paths holding mmap_sem read 
mode (Andrea Arcangeli) [803808 800328] {CVE-2012-1179}

[2.6.32-220.20.1.el6]
- [vhost] net: fix possible NULL pointer dereference of vq->bufs (Jason 
Wang) [814286 814288] {CVE-2012-2119}
- [net] macvtap: validate zerocopy vectors before building skb (Jason 
Wang) [814286 814288] {CVE-2012-2119}
- [net] macvtap: set SKBTX_DEV_ZEROCOPY only when skb is built 
successfully (Jason Wang) [814286 814288] {CVE-2012-2119}
- [net] macvtap: put zerocopy page when fail to get all requested user 
pages (Jason Wang) [814286 814288] {CVE-2012-2119}
- [net] macvtap: fix zerocopy offset calculation when building skb 
(Jason Wang) [814286 814288] {CVE-2012-2119}
- [net] bonding: remove entries for master_ip and vlan_ip and query 
devices instead (Andy Gospodarek) [816197 810299]
- [virt] KVM: lock slots_lock around device assignment (Alex Williamson) 
[814154 811653] {CVE-2012-2121}
- [virt] kvm: unmap pages from the iommu when slots are removed (Alex 
Williamson) [814154 811653] {CVE-2012-2121}
- [virt] xenfv: fix hangs when kdumping (Andrew Jones) [812953 811815]
- [s390x] zcrypt: Fix parameter checking for ZSECSENDCPRB ioctl (Hendrik 
Brueckner) [810125 808487]
- [drm] i915: suspend fbdev device around suspend/hibernate (Dave 
Airlie) [818503 746169]
- [fs] tmpfs: fix off-by-one in max_blocks checks (Eric Sandeen) [809399 
783497]
- [net] bonding: Allow Bonding driver to disable/enable LRO on slaves 
(Neil Horman) [818504 772317]
- [virt] xen-blkfront: conditionally drop name and minor adjustments for 
emulated scsi devs (Laszlo Ersek) [818505 729586]
- [virt] xen-blk: plug device number leak on error path in xlblk_init 
(Laszlo Ersek) [818505 729586]

[2.6.32-220.19.1.el6]
- [pci] Fix unbootable HP DL385G6 on 2.6.32-220 by properly disabling 
pcie aspm (Dave Wysochanski) [819614 769626]

[2.6.32-220.18.1.el6]
- [netdrv] iwlwifi: add option to disable 5Ghz band (Stanislaw Gruszka) 
[816226 812259]
- [netdrv] iwlwifi: cancel scan before nulify ctx->vif (Stanislaw 
Gruszka) [816225 801730]
- [netdrv] iwlwifi: do not nulify ctx->vif on reset (Stanislaw Gruszka) 
[816225 801730]
- [net] mac80211: workaround crash at ieee80211_mgd_probe_ap_send 
(Stanislaw Gruszka) [814657 808095]
- [net] bonding: 802.3ad - fix agg_device_up (Veaceslav Falico) [817466 
806081]
- [scsi] st: fix memory leak with 1MB tape I/O (David Milburn) [816271 
811703]

More information about the El-errata mailing list