[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2126-1)
Nelson Elhage
nelhage at ksplice.com
Mon Nov 29 15:05:53 PST 2010
Synopsis: DSA-2126-1 can now be patched using Ksplice
CVEs: CVE-2010-2963 CVE-2010-3067 CVE-2010-3296 CVE-2010-3297 CVE-2010-3310
CVE-2010-3432 CVE-2010-3437 CVE-2010-3442 CVE-2010-3477 CVE-2010-3705
CVE-2010-3848 CVE-2010-3849 CVE-2010-3850 CVE-2010-3858 CVE-2010-3859
CVE-2010-3873 CVE-2010-3875 CVE-2010-3877 CVE-2010-3880 CVE-2010-4072
CVE-2010-4073 CVE-2010-4074 CVE-2010-4079 CVE-2010-4080 CVE-2010-4081
CVE-2010-4083 CVE-2010-4157 CVE-2010-4164
Systems running Debian 5.0 Lenny can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2126-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Debian 5.0 Lenny users install
these updates. You can install these updates by running:
# uptrack-upgrade -y
DESCRIPTION
* Kernel crash due to corrupted XFS inode log.
Andras Korn reported an oops on log replay caused by a corrupted
xfs_inode_log_format_t passing a 0 size to kmem_zalloc.
* CVE-2010-3477: Kernel information leak in act_police.
Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of kernel memory to userspace
applications. This is a similar issue to CVE-2010-2942.
* CVE-2010-3067: Information leak in do_io_submit.
An integer overflow error in the do_io_submit function could be used
by userspace processes to read kernel memory.
* CVE-2010-3296: Kernel information leak in cxgb driver.
The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to
read 4 bytes of uninitialized stack memory, because the "addr" member
of the ch_reg struct declared on the stack in cxgb_extension_ioctl()
is not altered or zeroed before being copied back to the user.
* CVE-2010-3297: Kernel information leak in eql driver.
The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member
of the master_config_t struct declared on the stack in
eql_g_master_cfg() is not altered or zeroed before being copied back
to the user.
* CVE-2010-3310: Integer signedness errors in rose driver.
Multiple integer signedness errors in the rose driver allow local
users to cause a denial of service (heap memory corruption) or
possibly have unspecified other impact by calling rose_bind or
rose_connect with a negative destination digis count.
* CVE-2010-3432: Remote denial of service vulnerability in SCTP.
The sctp_outq_flush() function can call sctp_packet_reset() on a
packet structure that has already been filled with chunks. This
resets the packet length but does not remove the chunks from the list;
the SCTP code then re-initializes the packet, which because of the
incorrect length could overflow the skb, resulting in a kernel panic.
* CVE-2010-3437: Information leak in pktcdvd driver.
An integer signedness error in the pkt_find_dev_from_minor function
allows local users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer dereference and system
crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
* CVE-2010-3442: Heap corruption vulnerability in ALSA core.
The snd_ctl_new() function allocates space for a snd_kcontrol struct
by performing arithmetic operations on a user-provided size without
checking for integer overflow. This allows an unprivileged user to
write an arbitrary value repeatedly past the bounds of this chunk,
resulting in heap corruption.
* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
The SCTP subsystem's sctp_asoc_get_hmac function did not correctly
check for an out of range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.
* CVE-2010-3858: Denial of service with excessive argument size
Creating a process with a very large argument list or environment may
trigger a kernel BUG in the setup_arg_pages function.
* Denial of service in X.25 call accepted packet parsing.
The x25_state1_machine function accesses data beyond the end of
certain call accepted packets, possibly crashing the system with an
unhandled kernel paging request.
* CVE-2010-3873: Memory corruption in X.25 facilities parsing
The x25_parse_facilities function may cause a memcpy() of
ULONG_MAX size, destroying the kernel heap.
* CVE-2010-4083: Information leak in semctl system call
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory.
* CVE-2010-4080, CVE-2010-4081: Information leaks in RME 9652 sound driver
The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctls in the RME 9652 sound driver
allow unprivileged users to read uninitialized kernel stack memory.
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.
* CVE-2010-4164: Denial of service parsing bad X.25 facilities
On parsing malformed X.25 facilities, an integer underflow may cause a
kernel crash.
* CVE-2010-2963: Privilege escalation in Video4Linux 1.
Kees Cook discovered that the V4L1 32-bit compatibility interface did
not correctly validate certain parameters. A local attacker on a
64-bit system with access to a video device could exploit this to gain
root privileges.
* CVE-2010-3859: Privilege escalation in TIPC protocol
Integer overflows in the TIPC protocol could cause kernel heap
overflows, potentially leading to privilege escalation.
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.
* CVE-2010-3877: Information leak in TIPC protocol
The TIPC protocol may leak uninitialized padding bytes in a
sockaddr_tipc structure to user programs.
* CVE-2010-3880: Denial of service in socket monitoring interface
INET-DIAG is inconsistent about how it looks up the bytecode contained
in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET-DIAG bytecode. This can be abused to
make the kernel enter an infinite loop, and possibly other
consequences.
* CVE-2010-4072: Information leak in System V IPC
System V IPC leaks uninitialized kernel stack memory to user programs
in unused fields of the shmid_ds structure.
* CVE-2010-4073: Information leak in System V IPC 32-bit compatibility
The 32-bit compatibility functions for System V IPC leaked
uninitialized kernel stack memory to user programs.
* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory.
* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.
* CVE-2010-3849: Denial of service in Econet sendmsg.
When given a NULL remote address, the sendmsg implementation in the
Econet protocol could dereference a NULL pointer, leading to a kernel
oops.
* CVE-2010-3850: Privilege escalation in Econet SIOCSIFADDR operation.
The SIOCSIFADDR operation in the Econet protocol failed to check that
the caller is privileged.
* CVE-2010-3848: Privilege escalation in Econet with large iovecs.
The sendmsg implementation in the Econet protocol could overflow the
kernel stack on a message with a large iovec array, potentially
leading to privilege escalation.
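Many of the entries above (cxgb, eql, ivtvfb, semctl, System V IPC, the Moschip serial drivers, AX.25, TIPC) share one root cause: a struct is declared on the kernel stack, only some of its fields are written, and the whole struct is copied to userspace, so struct padding and unwritten members carry whatever the stack held before. The userland C program below is an added illustration of that pattern and its fix; it is not code from the advisory or from Ksplice, and the struct `cfg_reply`, the functions, and the `STALE_BYTE` marker are constructed for the example. A caller-supplied buffer pre-filled with the marker stands in for stale kernel stack, and a plain `memcpy` stands in for `copy_to_user()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: models the "uninitialized stack struct
 * copied to user" bug class. Struct and function names are hypothetical. */

/* Layout chosen so the ABI inserts padding after 'index'. */
struct cfg_reply {
    uint16_t index;      /* 2 bytes of padding usually follow on x86/ARM ABIs */
    uint32_t value;
    char     name[8];    /* the driver fills only the first 4 bytes */
};

#define STALE_BYTE 0xAA  /* marker standing in for leftover kernel stack data */

/* 'slot' stands in for the stack memory the struct occupies; the caller
 * pre-fills it with STALE_BYTE to mimic data left behind by earlier calls.
 * 'user' stands in for the destination buffer of copy_to_user(). */
static void vulnerable_get_config(void *slot, void *user)
{
    struct cfg_reply *r = slot;          /* no zeroing: the bug */
    r->index = 3;
    r->value = 0x1234;
    memcpy(r->name, "hdsp", 4);          /* name[4..7] never written */
    memcpy(user, r, sizeof *r);          /* padding + name[4..7] leak out */
}

static void hardened_get_config(void *slot, void *user)
{
    struct cfg_reply *r = slot;
    memset(r, 0, sizeof *r);             /* zero padding and unused fields;
                                            a "= {0}" initializer does not
                                            promise to clear padding bytes */
    r->index = 3;
    r->value = 0x1234;
    memcpy(r->name, "hdsp", 4);
    memcpy(user, r, sizeof *r);
}

/* Count bytes of the stale marker that reached the user buffer. */
static size_t count_stale(const unsigned char *user, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (user[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

typedef void (*getcfg_fn)(void *, void *);

/* Run one variant against a stale-filled slot; return how many bytes leaked. */
size_t leaked_bytes(getcfg_fn fn)
{
    unsigned char slot[sizeof(struct cfg_reply)];
    unsigned char user[sizeof(struct cfg_reply)];
    memset(slot, STALE_BYTE, sizeof slot);
    memset(user, 0, sizeof user);
    fn(slot, user);
    return count_stale(user, sizeof user);
}

size_t leaked_bytes_vulnerable(void) { return leaked_bytes(vulnerable_get_config); }
size_t leaked_bytes_hardened(void)   { return leaked_bytes(hardened_get_config); }

/* Bytes the driver never writes: sizeof minus index (2), value (4), "hdsp" (4).
 * Whatever the padding is on this ABI, that is exactly what the vulnerable
 * variant leaks. */
size_t expected_unwritten_bytes(void) { return sizeof(struct cfg_reply) - 10; }

int main(void)
{
    printf("vulnerable variant leaks %zu bytes, hardened variant leaks %zu\n",
           leaked_bytes_vulnerable(), leaked_bytes_hardened());
    return 0;
}
```

The kernel fixes for these CVEs are the same one-line change as `hardened_get_config`: a `memset` of the whole struct before any field is assigned. Note the comment about `= {0}`: the C standard leaves padding bytes unspecified under that initializer, so reviewers should look for an explicit `memset` whenever a stack struct with padding is handed to `copy_to_user()`.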
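A second family above (ALSA snd_ctl_new, the Intel/ICP RAID ioc_general path, rose, TIPC) is arithmetic on a user-supplied count that wraps or goes negative before it is used as an allocation size. The C program below is an added illustration, not code from the advisory, Ksplice, or the kernel: `HEADER_SIZE`, `ELEM_SIZE`, `MAX_ELEMS`, and the function names are constructed, and `ksize_t` is a 32-bit type used to model `size_t` on a 32-bit kernel so the wrap-around is visible on any host. It shows the unchecked computation producing a tiny allocation for a huge or negative count, and the checked form that rejects both.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. ksize_t models size_t on a 32-bit kernel. */
typedef uint32_t ksize_t;
#define KSIZE_MAX   UINT32_MAX
#define HEADER_SIZE 64u     /* constructed: fixed header bytes */
#define ELEM_SIZE   48u     /* constructed: bytes per requested element */
#define MAX_ELEMS   1024u   /* constructed policy cap, as kernel fixes add */

/* Unchecked: 'count' comes from userspace as a signed int and is multiplied
 * without any bound. A negative count becomes a huge unsigned value and a
 * large count wraps modulo 2^32, so the result is far smaller than the
 * per-element writes that follow, corrupting the heap. */
ksize_t unchecked_alloc_size(int count)
{
    return HEADER_SIZE + (ksize_t)count * ELEM_SIZE;
}

/* Checked: reject negative counts (signedness), counts whose product would
 * wrap (overflow), and counts above the policy cap. Returns 0 and stores the
 * size in *out, or a negative errno. The overflow test is the division form
 * so it needs no compiler builtins. */
int checked_alloc_size(int count, ksize_t *out)
{
    if (count <= 0)
        return -EINVAL;                               /* negative or zero */
    if ((ksize_t)count > (KSIZE_MAX - HEADER_SIZE) / ELEM_SIZE)
        return -EOVERFLOW;                            /* would wrap */
    if ((ksize_t)count > MAX_ELEMS)
        return -E2BIG;                                /* above cap */
    *out = HEADER_SIZE + (ksize_t)count * ELEM_SIZE;
    return 0;
}

/* Convenience wrappers so results can be inspected without out-parameters. */
int checked_alloc_status(int count)
{
    ksize_t unused = 0;
    return checked_alloc_size(count, &unused);
}

ksize_t checked_alloc_size_or_zero(int count)
{
    ksize_t sz = 0;
    return checked_alloc_size(count, &sz) == 0 ? sz : 0;
}

int main(void)
{
    /* 89478486 * 48 = 2^32 + 32, so the unchecked size collapses to 96 bytes,
     * less than the 112 bytes a single element needs. */
    printf("unchecked(89478486) = %u, unchecked(-1) = %u, unchecked(1) = %u\n",
           unchecked_alloc_size(89478486), unchecked_alloc_size(-1),
           unchecked_alloc_size(1));
    printf("checked(89478486) -> %d, checked(-1) -> %d, checked(16) = %u\n",
           checked_alloc_status(89478486), checked_alloc_status(-1),
           checked_alloc_size_or_zero(16));
    return 0;
}
```

Reviewing for this class means following every count that originates in an ioctl argument or a received packet to the point where it is multiplied or added into a size: the check has to happen before the arithmetic, in the unsigned width the allocator actually uses, and an upper bound like `MAX_ELEMS` is cheap defence in depth even when the overflow test is present.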
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.