[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2153-1)

[Tim Abbott]

Synopsis: DSA-2153-1 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248 CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346 CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521

Systems running Debian 5.0 Lenny can now use Ksplice to patch against the 
latest Debian Security Advisory, DSA-2153-1.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Debian 5.0 Lenny users install these 
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-4158: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation 
did not properly clear an array on the kernel stack, resulting in 
uninitialized kernel stack memory being copied to user space.


* CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause 
a denial of service (kernel panic).


* CVE-2010-4162: Integer overflow in block I/O subsystem.

Due to integer underflow and overflow issues when determining the number 
of pages required for I/O requests, a local user could send a device ioctl 
that results in the sequential allocation of a very large number of pages, 
causing the OOM killer to be invoked and crashing the system.


* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver 
in the Linux kernel.  A local, unprivileged user could use this flaw to 
cause a denial of service.  (CVE-2010-4242, Moderate)


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-0435: Denial of service in KVM on debug register access.

A NULL pointer dereference flaw was found when the host system had a 
processor with the Intel VT-x extension enabled.  A privileged guest user 
could use this flaw to trick the host into emulating a certain 
instruction, which could crash the host (denial of service).


* CVE-2010-4526: Remote denial of service vulnerability in SCTP.

A flaw was found in the sctp_icmp_proto_unreachable() function in the 
Linux kernel's Stream Control Transmission Protocol (SCTP) implementation.  
A remote attacker could use this flaw to cause a denial of service.


* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.

The load_mixer_volumes function (accessed via the SOUND_MIXER_SETLEVELS 
ioctl) did not properly check the length of the provided "name" argument, 
resulting in a privilege escalation vulnerability via buffer overflow.


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation.  
A local, unprivileged user could cause large amounts of memory to be 
allocated but not visible to the OOM (Out of Memory) killer, triggering a 
denial of service.


* CVE-2010-4529: Integer underflow in irda IRLMP_ENUMDEVICES.

An integer underflow bug as found in the irda subsystem.  Local users may 
be able to gain access to sensitive kernel memory via a specially crafted 
IRLMP_ENUMDEVICES getsockopt call.


* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX 
sockets.  A local, unprivileged user could use this flaw to trigger a 
denial of service (out-of-memory condition).


* CVE-2010-4258: Privilege escalation via do_exit.

The do_exit function does not properly handle a KERNEL_DS get_fs value, 
which allows local users to bypass intended access_ok restrictions, 
overwrite arbitrary kernel memory locations, and gain privileges by 
leveraging a BUG, NULL pointer dereference, or page fault.


* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.

Kees Cook reported an issue in the driver for I/O-Warrior USB devices. 
Local users with access to these devices maybe able to overrun kernel 
buffers, resulting in a denial of service or privilege escalation.


* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local 
users can pass a negative info->num value, corrupting kernel memory and 
causing a denial of service.


* CVE-2010-4342: Denial of service vulnerability in econet protocol.

Nelson Elhage reported an issue in the econet protocol.  Remote attackers 
can cause a denial of service by sending an Acorn Universal Networking 
packet over UDP.


* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand 
subsystem.  A potential buffer overflow may allow local users to cause a 
denial of service (memory corruption) by passing in a large cmd.ne value.


* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping routine 
which allows local users to bypass the mmap_min_addr security restriction. 
Combined with an otherwise low severity local denial of service 
vulnerability (NULL pointer dereference), a local user could obtain 
elevated privileges.


* CVE-2010-3699: Denial of service vulnerability in Xen block I/O driver.

A flaw was found in the Xenbus code for the unified block-device I/O 
interface back end.  A privileged guest user could use this flaw to cause 
a denial of service on the host system running the Xen hypervisor.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.