[El-errata] ELSA-2012-0350 Moderate: Oracle Linux 6 kernel security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Mon Mar 12 10:17:14 PDT 2012 

Oracle Linux Security Advisory ELSA-2012-0350

https://rhn.redhat.com/errata/RHSA-2012-0350.html

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
kernel-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-2.6.32-220.7.1.el6.i686.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-devel-2.6.32-220.7.1.el6.i686.rpm
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm
kernel-headers-2.6.32-220.7.1.el6.i686.rpm
perf-2.6.32-220.7.1.el6.i686.rpm
python-perf-2.6.32-220.7.1.el6.i686.rpm

x86_64:
kernel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-2.6.32-220.7.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-devel-2.6.32-220.7.1.el6.x86_64.rpm
kernel-doc-2.6.32-220.7.1.el6.noarch.rpm
kernel-firmware-2.6.32-220.7.1.el6.noarch.rpm
kernel-headers-2.6.32-220.7.1.el6.x86_64.rpm
perf-2.6.32-220.7.1.el6.x86_64.rpm
python-perf-2.6.32-220.7.1.el6.x86_64.rpm

SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-2.6.32-220.7.1.el6.src.rpm

Users with Oracle Linux Premier Support can now use Ksplice to patch 
against this Security Advisory.

We recommend that all users of Oracle Linux 6 install these updates.

Users of Ksplice Uptrack can install these updates by running :

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to 
take any additional action.

Description of changes:

* CVE-2011-4077: Buffer overflow in xfs_readlink.

A flaw in the way the XFS filesystem implementation handled links with
pathnames larger than MAXPATHLEN allowed an attacker to mount a
malicious XFS image that could crash the system or result in privilege
escalation.


* CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.

Nick Bowler reported an issue in the GHASH message digest
algorithm. ghash_update can pass a NULL pointer to gf128mul_4k_lle in some
cases, leading to a NULL pointer dereference (kernel OOPS).


* CVE-2011-4132: Denial of service in Journaling Block Device layer.

A flaw in the way the Journaling Block Device (JBD) layer handled an
invalid log first block value allowed an attacker to mount a malicious
ext3 or ext4 image that would crash the system.


* CVE-2011-4347: Denial of service in KVM device assignment.

Several bugs that allowed unprivileged users to improperly assign
devices to KVM guests could result in a denial of service.


* CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.

Starting PIT timers in the absence of irqchip support could cause a
NULL pointer dereference and kernel OOPs.


* CVE-2012-0038: In-memory corruption in XFS ACL processing.

A missing check in xfs_acl_from_disk on the number of XFS ACLs could
result in in-memory corruption and a kernel panic.


* CVE-2012-0045: Denial of service in KVM system call emulation.

A bug in the system call emulation for allowed local users on a 32-bit
KVM guest system to cause the guest system to panic.


* CVE-2012-0207: Denial of service bug in IGMP.

The IGMP subsystem's compatibility handling of v2 packets had a bug in
the computation of a delay field which could result in division by
zero (causing a kernel panic).


* CVE-2011-4594: Denial of service in network message batching.

Two flaws were found in the way the Linux kernel's __sys_sendmsg()
function, when invoked via the sendmmsg() system call, accessed user-space
memory.

A local, unprivileged user could use these flaws to cause a denial
of service.

[2.6.32-220.7.1.el6]
- [netdrv] tg3: Fix single-vector MSI-X code (John Feeney) [787162 703555]
- [mm] export remove_from_page_cache() to modules (Jerome Marchand) 
[772687 751419]
- [block] cfq-iosched: fix cfq_cic_link() race confition (Vivek Goyal) 
[786022 765673]
- [fs] cifs: lower default wsize when unix extensions are not used (Jeff 
Layton) [789058 773705]
- [net] svcrpc: fix double-free on shutdown of nfsd after changing pool 
mode (J. Bruce Fields) [787580 753030]
- [net] svcrpc: avoid memory-corruption on pool shutdown (J. Bruce 
Fields) [787580 753030]
- [net] svcrpc: destroy server sockets all at once (J. Bruce Fields) 
[787580 753030]
- [net] svcrpc: simplify svc_close_all (J. Bruce Fields) [787580 753030]
- [net] svcrpc: fix list-corrupting race on nfsd shutdown (J. Bruce 
Fields) [787580 753030]
- [fs] xfs: Fix missing xfs_iunlock() on error recovery path in 
xfs_readlink() (Carlos Maiolino) [749161 694702] {CVE-2011-4077}
- [fs] xfs: Fix memory corruption in xfs_readlink (Carlos Maiolino) 
[749161 694702] {CVE-2011-4077}
- [x86] hpet: Disable per-cpu hpet timer if ARAT is supported (Prarit 
Bhargava) [772884 750201]
- [x86] Improve TSC calibration using a delayed workqueue (Prarit 
Bhargava) [772884 750201]
- [kernel] clocksource: Add clocksource_register_hz/khz interface 
(Prarit Bhargava) [772884 750201]
- [kernel] clocksource: Provide a generic mult/shift factor calculation 
(Prarit Bhargava) [772884 750201]
- [block] cfq-iosched: fix a kbuild regression (Vivek Goyal) [769208 705698]
- [block] cfq-iosched: rethink seeky detection for SSDs (Vivek Goyal) 
[769208 705698]
- [block] cfq-iosched: rework seeky detection (Vivek Goyal) [769208 705698]
- [block] cfq-iosched: don't regard requests with long distance as close 
(Vivek Goyal) [769208 705698]

[2.6.32-220.6.1.el6]
- [scsi] qla2xxx: Module parameter to control use of async or sync port 
login (Chad Dupuis) [788003 769007]

[2.6.32-220.5.1.el6]
- [net] igmp: Avoid zero delay when receiving odd mixture of IGMP 
queries (Jiri Pirko) [772870 772871] {CVE-2012-0207}
- [fs] xfs: validate acl count (Eric Sandeen) [773282 773283] 
{CVE-2012-0038}
- [fs] Fix sendfile write-side file position (Steven Whitehouse) [771870 
770023]
- [virt] kvm: x86: fix missing checks in syscall emulation (Marcelo 
Tosatti) [773390 773391] {CVE-2012-0045}
- [virt] kvm: x86: extend "struct x86_emulate_ops" with "get_cpuid" 
(Marcelo Tosatti) [773390 773391] {CVE-2012-0045}
- [fs] nfs: when attempting to open a directory, fall back on normal 
lookup (Jeff Layton) [771981 755380]
- [kernel] crypto: ghash - Avoid null pointer dereference if no key is 
set (Jiri Benc) [749481 749482] {CVE-2011-4081}
- [fs] jbd2: validate sb->s_first in journal_get_superblock() (Eryu 
Guan) [753344 693981] {CVE-2011-4132}
- [net] fix unsafe pointer access in sendmmsg (Jiri Benc) [761668 
760798] {CVE-2011-4594}
- [scsi] increase qla2xxx firmware ready time-out (Mark Goodwin) [781971 
731917]
- [perf] powerpc: Handle events that raise an exception without 
overflowing (Steve Best) [767917 755737] {CVE-2011-4611}
- [sched] x86: Avoid unnecessary overflow in sched_clock (Prarit 
Bhargava) [781974 765720]
- [virt] x86: Prevent starting PIT timers in the absence of irqchip 
support (Marcelo Tosatti) [769634 769550] {CVE-2011-4622}
- [virt] vmxnet3: revert hw features change (Neil Horman) [761536 759613]
- [netdrv] qlge: fix size of external list for TX address descriptors 
(Steve Best) [783226 772237]
- [netdrv] e1000e: Avoid wrong check on TX hang (Dean Nelson) [768916 
751087]
- [virt] KVM: Device assignment permission checks (Alex Williamson) 
[756092 756093] {CVE-2011-4347}
- [virt] KVM: Remove ability to assign a device without iommu support 
(Alex Williamson) [756092 756093] {CVE-2011-4347}
- [virt] kvm: device-assignment: revert Disable the option to skip iommu 
setup (Alex Williamson) [756092 756093] {CVE-2011-4347}

More information about the El-errata mailing list