[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2153-1)
Tim Abbott
tabbott at ksplice.com
Mon Jan 31 12:55:15 PST 2011
Synopsis: DSA-2153-1 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3699 CVE-2010-4158 CVE-2010-4162 CVE-2010-4163 CVE-2010-4242 CVE-2010-4243 CVE-2010-4248 CVE-2010-4249 CVE-2010-4258 CVE-2010-4342 CVE-2010-4346 CVE-2010-4526 CVE-2010-4527 CVE-2010-4529 CVE-2010-4649 CVE-2010-4656 CVE-2010-4668 CVE-2011-0521
Systems running Debian 5.0 Lenny can now use Ksplice to patch against the
latest Debian Security Advisory, DSA-2153-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Debian 5.0 Lenny users install these
updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
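As an added example (not Ksplice's own tooling), the following POSIX shell helper reads the autoinstall setting from an uptrack.conf-style file and reports whether the host still needs the manual uptrack-upgrade step. The config path is a parameter so it can be run against a constructed test file; that only the literal value "yes" (case-insensitive) enables autoinstall is an assumption based on the wording above.

```shell
# Added example, not part of the Ksplice Uptrack package.
# Real config lives at /etc/uptrack/uptrack.conf; the path is passed in
# so the functions can be exercised against a constructed file.

# Print the effective value of KEY (last occurrence wins) from an INI-style
# file, dropping comments and surrounding whitespace. Prints nothing if the
# key is absent; returns 1 if the file cannot be read.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" \
        "$conf" | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# Returns 0 when autoinstall is enabled, 1 otherwise. A missing file or
# missing key counts as "off". Only "yes" (any case) is treated as enabled,
# since that is the value the advisory documents (assumption).
uptrack_autoinstall_enabled() {
    val=$(uptrack_conf_get "$1" autoinstall) || return 1
    case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the action for this host: "autoinstall" when no manual step is
# needed, otherwise the command the advisory tells administrators to run.
uptrack_advise() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}
```

Running `uptrack_advise /etc/uptrack/uptrack.conf` on a Lenny host tells you at a glance whether the DSA-2153-1 updates will arrive on their own or must be pulled in by hand.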
DESCRIPTION
* CVE-2010-4158: Kernel information leak in socket filters.
The sk_run_filter function in the kernel's socket filter implementation
did not properly clear an array on the kernel stack, resulting in
uninitialized kernel stack memory being copied to user space.
* CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).
* CVE-2010-4162: Integer overflow in block I/O subsystem.
Due to integer underflow and overflow issues when determining the number
of pages required for I/O requests, a local user could send a device ioctl
that results in the sequential allocation of a very large number of pages,
causing the OOM killer to be invoked and crashing the system.
* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver
in the Linux kernel. A local, unprivileged user could use this flaw to
cause a denial of service. (CVE-2010-4242, Moderate)
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group leader
in the de_thread function in fs/exec.c.
* CVE-2010-0435: Denial of service in KVM on debug register access.
A NULL pointer dereference flaw was found when the host system had a
processor with the Intel VT-x extension enabled. A privileged guest user
could use this flaw to trick the host into emulating a certain
instruction, which could crash the host (denial of service).
* CVE-2010-4526: Remote denial of service vulnerability in SCTP.
A flaw was found in the sctp_icmp_proto_unreachable() function in the
Linux kernel's Stream Control Transmission Protocol (SCTP) implementation.
A remote attacker could use this flaw to cause a denial of service.
* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.
The load_mixer_volumes function (accessed via the SOUND_MIXER_SETLEVELS
ioctl) did not properly check the length of the provided "name" argument,
resulting in a privilege escalation vulnerability via buffer overflow.
* CVE-2010-4243: Denial of service due to wrong execve memory accounting.
A flaw was found in the Linux kernel execve() system call implementation.
A local, unprivileged user could cause large amounts of memory to be
allocated but not visible to the OOM (Out of Memory) killer, triggering a
denial of service.
* CVE-2010-4529: Integer underflow in irda IRLMP_ENUMDEVICES.
An integer underflow bug was found in the irda subsystem. Local users may
be able to gain access to sensitive kernel memory via a specially crafted
IRLMP_ENUMDEVICES getsockopt call.
* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).
* CVE-2010-4258: Privilege escalation via do_exit.
The do_exit function does not properly handle a KERNEL_DS get_fs value,
which allows local users to bypass intended access_ok restrictions,
overwrite arbitrary kernel memory locations, and gain privileges by
leveraging a BUG, NULL pointer dereference, or page fault.
* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Kees Cook reported an issue in the driver for I/O-Warrior USB devices.
Local users with access to these devices may be able to overrun kernel
buffers, resulting in a denial of service or privilege escalation.
* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.
* CVE-2010-4342: Denial of service vulnerability in econet protocol.
Nelson Elhage reported an issue in the econet protocol. Remote attackers
can cause a denial of service by sending an Acorn Universal Networking
packet over UDP.
* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.
Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem. A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.
* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Tavis Ormandy discovered an issue in the install_special_mapping routine
which allows local users to bypass the mmap_min_addr security restriction.
Combined with an otherwise low severity local denial of service
vulnerability (NULL pointer dereference), a local user could obtain
elevated privileges.
* CVE-2010-3699: Denial of service vulnerability in Xen block I/O driver.
A flaw was found in the Xenbus code for the unified block-device I/O
interface back end. A privileged guest user could use this flaw to cause
a denial of service on the host system running the Xen hypervisor.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.