[Ksplice][Debian 5.0 Updates] New updates available via Ksplice (DSA-2264-1)
Anders Kaseorg
andersk at ksplice.com
Sun Jun 19 02:58:38 PDT 2011
Synopsis: DSA-2264-1 can now be patched using Ksplice
CVEs: CVE-2010-2524 CVE-2010-3875 CVE-2010-4075 CVE-2010-4655 CVE-2011-0695 CVE-2011-0710 CVE-2011-0711 CVE-2011-0726 CVE-2011-1010 CVE-2011-1012 CVE-2011-1017 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1090 CVE-2011-1093 CVE-2011-1160 CVE-2011-1163 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182 CVE-2011-1493 CVE-2011-1577 CVE-2011-1593 CVE-2011-1598 CVE-2011-1745 CVE-2011-1746 CVE-2011-1748 CVE-2011-1759 CVE-2011-1767 CVE-2011-1776 CVE-2011-2022 CVE-2011-2182
Systems running Debian 5.0 Lenny can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2264-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 5.0 Lenny
install these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* CVE-2010-4655: Information leak in ethtool_get_regs.
A missing initialization flaw was found in the ethtool_get_regs()
function in the Linux kernel's ethtool IOCTL handler. A local user who
has the CAP_NET_ADMIN capability could use this flaw to cause an
information leak. (CVE-2010-4655, Low)
* CVE-2011-0711: Information leak in XFS filesystem.
The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.
* CVE-2011-0710: Information leak in /proc/[PID]/status on s390.
An information leak was found in the Linux kernel's task_show_regs()
implementation. On IBM S/390 systems, a local, unprivileged user
could use this flaw to read /proc/[PID]/status files, allowing them to
discover the CPU register values of processes. (CVE-2011-0710, Low)
* CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
A missing validation check was found in the Linux kernel's
mac_partition() implementation, used for supporting file systems created
on Mac OS operating systems. A local attacker could use this flaw to cause
a denial of service by mounting a disk that contains specially-crafted
partitions.
* CVE-2011-1012: Denial of service via corrupted LDM partition.
The ldm_parse_vmdb function in fs/partitions/ldm.c does not validate
the VBLK size value in the VMDB structure in an LDM partition table,
which allows local users to cause a denial of service (divide-by-zero
error and OOPS) via a crafted partition table.
* CVE-2011-1078: Information leak in Bluetooth SCO.
A missing initialization flaw in the sco_sock_getsockopt() function
could allow a local, unprivileged user to cause an information leak.
(CVE-2011-1078, Low)
* CVE-2011-1079: Denial of service in Bluetooth BNEP.
A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
* CVE-2011-1090: Denial of service in NFSv4 client.
An inconsistency was found in the interaction between the Linux
kernel's method for allocating NFSv4 (Network File System version 4)
ACL data and the method by which it was freed. This inconsistency led
to a kernel panic which could be triggered by a local, unprivileged
user with files owned by said user on an NFSv4 share. (CVE-2011-1090,
Moderate)
* CVE-2011-1093: NULL pointer dereference in DCCP.
A flaw in the implementation of the dccp_rcv_state_process() function
allowed a local unprivileged user, or a remote user, if the system
accepted connections over the DCCP protocol, to cause a denial of
service (kernel oops) via a NULL pointer dereference.
* CVE-2011-1163: Information leak parsing malformed OSF partition tables.
A buffer overflow flaw in the DEC Alpha OSF partition implementation
in the Linux kernel could allow a local attacker to cause an
information leak by mounting a disk that contains specially-crafted
partition tables. (CVE-2011-1163, Low)
* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Missing validations of null-terminated string data structure elements
in the do_replace(), compat_do_replace(), do_ipt_get_ctl(),
do_ip6t_get_ctl(), and do_arpt_get_ctl() functions could allow a local
user who has the CAP_NET_ADMIN capability to cause an information
leak. (CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172,
Low)
* CVE-2011-1173: Remote information leak in Econet protocol.
The Econet protocol did not fully initialize packets before sending
them, causing a leak of kernel stack memory to remote hosts.
* CVE-2011-1180: Remote denial of service in IrDA subsystem.
A malicious IrDA peer could cause a kernel stack overflow by providing
invalid length fields for names and attributes, leading to denial of
service.
* CVE-2011-0695: Remote denial of service in InfiniBand setup.
A race condition was found in the way the Linux kernel's InfiniBand
implementation set up new connections. This could allow a remote user
to cause a denial of service.
* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from the kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.
* CVE-2011-0726: Address space leakage through /proc/[pid]/stat.
The start_stack, start_code, and end_code values in "/proc/[pid]/stat"
were not protected. In certain scenarios, this flaw could be used to
defeat Address Space Layout Randomization (ASLR).
* CVE-2010-2524: False CIFS mount via DNS cache poisoning.
A flaw was found in the dns_resolver upcall used by CIFS. A local,
unprivileged user could redirect a Microsoft Distributed File System
link to another IP address, tricking the client into mounting the
share from a server of the user's choosing. (CVE-2010-2524, Moderate)
* CVE-2010-4075: Kernel information leak in serial driver.
The uart_get_count function in drivers/serial/serial_core.c does not
properly initialize a certain structure member, which allows local
users to obtain potentially sensitive information from kernel stack
memory via a TIOCGICOUNT ioctl call.
* Improved fix for CVE-2010-3875: Information leak in AX.25 protocol.
The original upstream fix for CVE-2010-3875 passed the wrong size to a
memset call, so that only part of a structure being passed to
userspace was cleared.
* CVE-2011-1160: Information leak in TPM driver.
A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.
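Several of the entries above (CVE-2010-4655, CVE-2011-0711, CVE-2011-1078, CVE-2010-4075, CVE-2011-1160, and the incomplete first fix for CVE-2010-3875) share one bug class: a structure is built on the kernel stack, only some of its fields are written, and the whole object is copied to userspace, so compiler padding and unwritten fields carry stale kernel memory out with it. The C program below is an added example, not code from this advisory or from the kernel: the struct and the three fill routines are hypothetical, and a buffer pre-filled with a marker byte stands in for stale stack contents so that the leaked bytes can be counted for the buggy pattern, the too-short memset, and the correct full clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl output structure (constructed; not a real kernel
 * struct). The uint16_t followed by a uint32_t leaves compiler padding. */
struct geom_out {
    uint32_t blocksize;
    uint16_t version;
    /* 2 bytes of padding here on common ABIs */
    uint32_t count;
    char     name[16];
};

#define STALE 0xAA  /* marker standing in for leftover kernel stack contents */

/* Buggy pattern: only some fields are assigned; the padding, `count` and
 * the tail of `name` keep whatever the memory held before. */
static void fill_geom_buggy(struct geom_out *g)
{
    g->blocksize = 4096;
    g->version   = 1;
    strcpy(g->name, "sda");
}

/* Incomplete fix, in the spirit of the first upstream patch for
 * CVE-2010-3875: a memset with the wrong size clears only the leading
 * fields, so the rest of the object still leaks. */
static void fill_geom_wrong_memset(struct geom_out *g)
{
    memset(g, 0, offsetof(struct geom_out, count)); /* too short */
    g->blocksize = 4096;
    g->version   = 1;
    strcpy(g->name, "sda");
}

/* Correct pattern: zero the entire object before filling it in, so every
 * byte that reaches userspace is either a written field or zero. */
static void fill_geom_fixed(struct geom_out *g)
{
    memset(g, 0, sizeof(*g));
    g->blocksize = 4096;
    g->version   = 1;
    strncpy(g->name, "sda", sizeof(g->name) - 1);
}

/* Harness: pre-fill the object with STALE, run a fill routine, and count
 * how many STALE bytes a copy_to_user() of the whole object would expose. */
static size_t leaked_bytes(void (*fill)(struct geom_out *))
{
    union {
        struct geom_out g;
        unsigned char raw[sizeof(struct geom_out)];
    } u;
    size_t i, n = 0;

    memset(&u, STALE, sizeof(u));
    fill(&u.g);
    for (i = 0; i < sizeof(u.raw); i++)
        if (u.raw[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("buggy:        %zu stale bytes\n", leaked_bytes(fill_geom_buggy));
    printf("wrong memset: %zu stale bytes\n", leaked_bytes(fill_geom_wrong_memset));
    printf("fixed:        %zu stale bytes\n", leaked_bytes(fill_geom_fixed));
    return 0;
}
```

The buggy and wrong-memset variants leak at least the 4 bytes of `count` and the 12 unused bytes of `name` (plus any padding), while the full `memset(g, 0, sizeof(*g))` leaves nothing stale; the same harness idea, poison then count, is how a reviewer can check any struct handed back to userspace.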
* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.
A remote host providing crafted FAC_NATIONAL_DIGIS,
FAC_CCITT_DEST_NSAP, or FAC_CCITT_SRC_NSAP fields could cause heap
corruption in the Rose driver, leading to denial of service (kernel
panic).
* CVE-2011-1593: Missing bounds check in proc filesystem.
A missing bounds check in the proc filesystem could allow a local
attacker to read kernel memory or cause a denial of service.
* CVE-2011-1598: Denial of service in CAN/BCM protocol.
Dave Jones reported an issue in the Broadcast Manager Controller Area
Network (CAN/BCM) protocol that may allow local users to cause a NULL
pointer dereference, resulting in a denial of service.
* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.
* CVE-2011-1746: Buffer overflow in AGP subsystem.
The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
* CVE-2011-1748: Denial of service in CAN raw sockets.
Oliver Hartkopp reported an issue in the Controller Area Network (CAN)
raw socket implementation which permits local users to cause a NULL
pointer dereference, resulting in a denial of service.
* CVE-2011-1759: Privilege escalation in semtimedop on ARM processors.
Dan Rosenberg reported an issue in the support for executing "old ABI"
binaries on ARM processors. Local users can obtain elevated
privileges due to insufficient bounds checking in the semtimedop
system call.
* CVE-2011-1767: Remote denial of service in GRE over IP.
Alexey Dobriyan reported an issue in the GRE over IP implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.
* CVE-2011-1017, CVE-2011-2182: Privilege escalation via LDM partitions.
When processing an LDM partition table, the kernel did not verify that
certain fields were within bounds, resulting in a possible heap
overflow. A local attacker could potentially exploit this to cause a
denial of service or information leak.
* CVE-2011-1577, CVE-2011-1776: Missing validation for GPT partitions.
Multiple heap overflow flaws in the Linux kernel's EFI GUID Partition
Table (GPT) implementation could allow a local attacker to cause a
denial of service by mounting a disk that contains specially-crafted
partition tables.
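The partition-table entries above (CVE-2011-1010, CVE-2011-1012, CVE-2011-1163, CVE-2011-1017/CVE-2011-2182 and CVE-2011-1577/CVE-2011-1776) are all missing-validation bugs: a size or count field read from the disk is trusted before it is used as a divisor, an array bound, or an allocation size. The C program below is an added example and not the kernel's partition code; the table layout is constructed for the illustration (it is not the LDM, OSF or GPT format), and the parser shows the checks any reader of such on-disk metadata needs: a length check before touching the header, a zero-size check before the value can be used as a divisor, and a bound on count times size against the bytes actually read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-disk table header (constructed for this example). */
#define TABLE_MAGIC 0x54424C50u   /* arbitrary */
struct table_hdr {
    uint32_t magic;
    uint16_t entry_size;   /* bytes per entry, supplied by the disk */
    uint16_t entry_count;  /* number of entries, supplied by the disk */
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,   /* buffer smaller than the header */
    PARSE_BAD_MAGIC,
    PARSE_ZERO_SIZE,   /* would divide by zero, as in CVE-2011-1012 */
    PARSE_OVERSIZED    /* entries extend past the data read from disk */
};

/* Little-endian reads that do not rely on buffer alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate every disk-supplied field before it is used. On success,
 * *entries points at the entry array and *count receives the entry count. */
static enum parse_status parse_table(const uint8_t *buf, size_t len,
                                     const uint8_t **entries, size_t *count)
{
    struct table_hdr h;
    size_t total;

    if (len < sizeof(h))
        return PARSE_TOO_SHORT;
    h.magic = rd32(buf);
    h.entry_size = rd16(buf + 4);
    h.entry_count = rd16(buf + 6);

    if (h.magic != TABLE_MAGIC)
        return PARSE_BAD_MAGIC;
    if (h.entry_size == 0)
        return PARSE_ZERO_SIZE;    /* later code would divide by entry_size */

    /* Both operands are 16-bit widened to size_t, so the product cannot
     * overflow; it still has to fit inside what was actually read. */
    total = (size_t)h.entry_size * h.entry_count;
    if (total > len - sizeof(h))
        return PARSE_OVERSIZED;    /* would read or copy past the buffer */

    *entries = buf + sizeof(h);
    *count = h.entry_count;
    return PARSE_OK;
}

/* Build a constructed table image: header plus `count` entries of `esize`
 * bytes filled with a marker. Returns the image length, 0 if it won't fit. */
static size_t build_table(uint8_t *out, size_t cap, uint16_t esize, uint16_t count)
{
    size_t body = (size_t)esize * count;
    if (cap < sizeof(struct table_hdr) + body)
        return 0;
    out[0] = 0x50; out[1] = 0x4C; out[2] = 0x42; out[3] = 0x54;  /* magic, LE */
    out[4] = (uint8_t)esize; out[5] = (uint8_t)(esize >> 8);
    out[6] = (uint8_t)count; out[7] = (uint8_t)(count >> 8);
    memset(out + sizeof(struct table_hdr), 0x11, body);
    return sizeof(struct table_hdr) + body;
}

/* Cases: a well-formed table, a zero entry size, a count far larger than
 * the data read, and a truncated read. */
static enum parse_status case_valid(size_t *count)
{
    uint8_t buf[64]; const uint8_t *e;
    size_t len = build_table(buf, sizeof(buf), 8, 4);
    return parse_table(buf, len, &e, count);
}
static enum parse_status case_zero_size(void)
{
    uint8_t buf[64]; const uint8_t *e; size_t n;
    size_t len = build_table(buf, sizeof(buf), 0, 4);
    return parse_table(buf, len, &e, &n);
}
static enum parse_status case_oversized(void)
{
    uint8_t buf[64]; const uint8_t *e; size_t n;
    size_t len = build_table(buf, sizeof(buf), 8, 4);
    buf[6] = 0xFF; buf[7] = 0xFF;   /* disk claims 65535 entries */
    return parse_table(buf, len, &e, &n);
}
static enum parse_status case_truncated(void)
{
    uint8_t buf[64]; const uint8_t *e; size_t n;
    build_table(buf, sizeof(buf), 8, 4);
    return parse_table(buf, 4, &e, &n);   /* only 4 bytes read */
}

int main(void)
{
    size_t n = 0;
    printf("valid: %d (count %zu)\n", case_valid(&n), n);
    printf("zero size: %d, oversized: %d, truncated: %d\n",
           case_zero_size(), case_oversized(), case_truncated());
    return 0;
}
```

The order of the checks matters: the zero-size test runs before any arithmetic that would use the field as a divisor, and the bound is taken against `len`, the number of bytes actually read, not against the count the disk reports.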
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.