[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2094-1)
Nelson Elhage
nelhage at ksplice.com
Sat Aug 21 17:39:24 PDT 2010
Synopsis: DSA-2094-1 can now be patched using Ksplice
CVEs: CVE-2009-4895 CVE-2010-0307 CVE-2010-2226 CVE-2010-2240 CVE-2010-2248
CVE-2010-2521 CVE-2010-2798 CVE-2010-2803 CVE-2010-2959 CVE-2010-3015
Systems running Debian 5.0 Lenny can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2094-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Debian 5.0 Lenny users install
these updates. You can install these updates by running:
# uptrack-upgrade -y
DESCRIPTION
* CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Buffer overflow flaws were found in the Linux kernel's implementation
of the server-side External Data Representation (XDR) for the Network
File System (NFS) version 4. An attacker on the local network could
send a specially-crafted large compound request to the NFSv4 server,
which could possibly result in a kernel panic (denial of service) or
arbitrary code execution (CVE-2010-2521).
* CVE-2010-2226: Read access to write-only files in XFS filesystem.
A flaw was found in the handling of the SWAPEXT IOCTL in the Linux
kernel XFS file system implementation. A local user could use this
flaw to read write-only files that they do not own on an XFS file
system. This could lead to unintended information disclosure.
* CVE-2010-2248: Remote denial of service in CIFS client.
A flaw was found in the CIFSSMBWrite() function in the Linux kernel
Common Internet File System (CIFS) implementation. A remote attacker
could send a specially-crafted SMB response packet to a target CIFS
client, resulting in a kernel panic (denial of service).
* CVE-2010-2959: Privilege escalation in Controller Area Network subsystem.
Ben Hawkes discovered an integer overflow in the Controller Area
Network (CAN) subsystem when setting up frame content and filtering
certain messages. An attacker could send specially crafted CAN traffic
to crash the system or gain root privileges.
* CVE-2010-2803: Information leak in drm subsystem.
Kees Cook discovered that under certain situations the ioctl subsystem
for DRM did not properly sanitize its arguments. A local attacker
could exploit this to read previously freed kernel memory.
* CVE-2010-3015: Integer overflow in ext4 filesystem.
An integer overflow flaw was found in the ext4_ext_get_blocks()
function. This can trigger a BUG() on certain configurations of ext4
file systems.
* CVE-2009-4895: NULL pointer dereference in the tty subsystem.
A race in the tty subsystem allowed local users to cause the kernel to
dereference a NULL pointer.
* CVE-2010-2798: NULL pointer dereference in gfs2 filesystem.
Under some circumstances, the gfs2 directory code incorrectly tried to
re-use sentinel directory entries when renaming files. A local,
unprivileged user on a gfs2 mounted directory can trigger this issue,
resulting in a NULL pointer dereference.
* Improved fix for CVE-2010-0307.
The original fix for CVE-2010-0307 would under some circumstances
flush the new personality state being set rather than the old
personality state.
* CVE-2010-2240: Privilege escalation vulnerability in memory manager.
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the
memory manager did not properly handle the case where applications grow
their stacks into adjacent memory regions. A local attacker could exploit this to
gain control of certain applications, potentially leading to privilege
escalation, as demonstrated in attacks against the X server.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.