[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (DSA-2240-1)
Tim Abbott
tabbott at ksplice.com
Fri May 27 10:57:27 PDT 2011
Synopsis: DSA-2240-1 can now be patched using Ksplice
CVEs: CVE-2010-3865 CVE-2011-0695 CVE-2011-0711 CVE-2011-0726 CVE-2011-1016 CVE-2011-1017 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1090 CVE-2011-1160 CVE-2011-1163 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182 CVE-2011-1476 CVE-2011-1477 CVE-2011-1478 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1573 CVE-2011-1585 CVE-2011-1593 CVE-2011-1598 CVE-2011-1745 CVE-2011-1746 CVE-2011-1748 CVE-2011-1759 CVE-2011-1767 CVE-2011-1770 CVE-2011-1776 CVE-2011-2022
Systems running Debian 6.0 Squeeze can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2240-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Debian 6.0 Squeeze users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* Denial of service in r8169 receive queue handling.
An overflow in the packet receive queue on Ethernet cards using the r8169
driver could cause an infinite loop in an interrupt handler.
* CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
A buffer overflow flaw in the DEC Alpha OSF partition implementation in
the Linux kernel could allow a local attacker to cause an information leak
by mounting a disk that contains specially-crafted partition tables.
* Denial of service in kobil_sct serial driver.
The kobil_sct serial driver would call the function tty_port_tty_get and
dereference the result, without checking whether it was NULL.
* Reference count failure in PCI device vpd attribute.
When registering a PCI device with sysfs, the kernel could handle errors
incorrectly, resulting in bad reference counting and a memory leak or
double free.
* CVE-2011-0726: Information leak in /proc/[pid]/stat.
The start_code and end_code values in "/proc/[pid]/stat" were not
protected. In certain scenarios, this flaw could be used to defeat Address
Space Layout Randomization (ASLR).
* CVE-2011-1090: Denial of service in NFSv4 client.
An inconsistency was found in the interaction between the Linux kernel's
method for allocating NFSv4 (Network File System version 4) ACL data and
the method by which it was freed. This inconsistency led to a kernel panic
which could be triggered by a local, unprivileged user with files owned by
said user on an NFSv4 share.
* CVE-2011-1477: Missing validation in OPL-3 driver.
Missing validation of user data in the OPL-3 driver could allow a user to
corrupt kernel memory and potentially escalate privileges.
* CVE-2011-0711: Information leak in XFS filesystem.
The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.
* CVE-2011-1180: Missing boundary checks in IrDA subsystem.
Several missing boundary checks were discovered in the IrDA subsystem,
allowing an attacker in physical proximity to the system to cause memory
corruption, leading to a denial of service, system instability or
potentially other unspecified impact.
* Data loss on mmap page write in nilfs2.
Writing to a file on a nilfs2 filesystem via a memory mapping could result
in data loss.
* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.
A remote host providing crafted FAC_NATIONAL_DIGIS, FAC_CCITT_DEST_NSAP,
or FAC_CCITT_SRC_NSAP fields could cause heap corruption in the Rose
driver, leading to denial of service (kernel panic).
* CVE-2011-1078: Information leak in Bluetooth SCO link driver.
One byte of the 'struct sco_conninfo' data structure was not initialized
before being copied to userspace, leading to a leak of potentially
sensitive kernel memory.
* CVE-2011-1079: Denial of service in Bluetooth BNEP.
A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
* CVE-2011-1160: Information leak in tpm driver.
A buffer was not initialized before being returned to userspace, leading
to a leak of potentially sensitive kernel memory.
* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Missing null-termination checks in the netfilter subsystem could cause a
portion of kernel stack memory to be made visible to all processes on the
system within the arguments to a spawned modprobe process.
* Buffer overflow in iptables CLUSTERIP target.
The ipt_CLUSTERIP module parses a user-provided string without checking it
for null termination, resulting in a possible buffer overflow.
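The unterminated-string bugs above (CVE-2011-1079 in BNEP, the netfilter information leaks and the CLUSTERIP overflow) share one pattern: a fixed-width name copied from userspace reaches a string function without any check that a terminator is present. The userspace C program below is an added illustration, not code from the advisory or from the kernel; the 8-byte field width, the user_msg struct, the "SECRET" neighbour bytes and the ipt_ prefix are constructed assumptions, with snprintf standing in for the kernel's module-name building.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8  /* assumed width of the fixed-size name field */
/* Constructed sample: the name field sits directly in front of bytes that
 * stand in for neighbouring kernel stack data. */
struct user_msg { char name[NAME_LEN]; char neighbour[8]; };

/* Vulnerable pattern: trust that the field is NUL-terminated and hand it to
 * a %s consumer; without a terminator the read runs into the neighbour. */
static int build_name_vulnerable(const char *field, char *out, size_t outsz)
{
    return snprintf(out, outsz, "ipt_%s", field);
}

/* Fixed pattern: refuse a field with no terminator inside its declared
 * width before it reaches any string function. */
static int build_name_fixed(const char *field, char *out, size_t outsz)
{
    if (memchr(field, '\0', NAME_LEN) == NULL)
        return -EINVAL;
    return snprintf(out, outsz, "ipt_%s", field);
}
/* An 8-character name fills the field with no room for a terminator. */
static struct user_msg sample(const char *name)
{
    struct user_msg m;
    size_t n = strlen(name);
    memset(&m, 0, sizeof m);
    memcpy(m.name, name, n > NAME_LEN ? NAME_LEN : n);
    strcpy(m.neighbour, "SECRET");
    return m;
}

/* Length of the string the vulnerable path produces; for "ABCDEFGH" the
 * neighbouring "SECRET" is appended, giving 18 instead of 12. */
static int vulnerable_len(const char *name)
{
    struct user_msg m = sample(name);
    char out[32];
    return build_name_vulnerable(m.name, out, sizeof out);
}
/* Verdict of the fixed path: 0 if accepted, -EINVAL if rejected. */
static int fixed_verdict(const char *name)
{
    struct user_msg m = sample(name);
    char out[32];
    return build_name_fixed(m.name, out, sizeof out) < 0 ? -EINVAL : 0;
}
```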
* CVE-2011-1173: Information leak in Econet protocol.
Econet fails to initialize 4 bytes of padding in a structure, causing an
information leak from the kernel stack over the network.
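The uninitialized-copy bugs above (CVE-2011-0711 in XFS, CVE-2011-1078 in SCO, CVE-2011-1160 in tpm and CVE-2011-1173 in Econet) share a second pattern: a kernel object is filled field by field and then copied out whole, so padding or unset bytes carry whatever was left on the stack. The C program below is an added illustration, not code from the advisory or from the kernel; the struct layout is an assumption modelled on struct sco_conninfo, and the dirty stack is simulated with a sentinel byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout modelled on struct sco_conninfo: a 16-bit HCI handle and a
 * 3-byte device class. On common ABIs the compiler pads this to 6 bytes. */
struct sco_conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};
#define STALE 0xAA  /* stands in for leftover data on a dirty kernel stack */

/* Vulnerable pattern: only the named fields are written, then the whole
 * object is copied out, padding included. */
static void fill_vulnerable(struct sco_conninfo *ci, uint16_t handle, const uint8_t cls[3])
{
    ci->hci_handle = handle;
    memcpy(ci->dev_class, cls, 3);
}

/* Fixed pattern: clear the whole object first, so padding and any field
 * left unset go out as zeros rather than as stale memory. */
static void fill_fixed(struct sco_conninfo *ci, uint16_t handle, const uint8_t cls[3])
{
    memset(ci, 0, sizeof *ci);
    ci->hci_handle = handle;
    memcpy(ci->dev_class, cls, 3);
}

/* Simulates the copy-to-userspace step on a deliberately dirty stack slot and
 * returns how many bytes outside the declared fields still hold the stale
 * sentinel, i.e. how many bytes would leak to the caller. */
static int leaked_padding_bytes(int use_fix)
{
    union { struct sco_conninfo ci; unsigned char raw[sizeof(struct sco_conninfo)]; } slot;
    const uint8_t cls[3] = { 0x01, 0x02, 0x03 };
    size_t h = offsetof(struct sco_conninfo, hci_handle);
    size_t d = offsetof(struct sco_conninfo, dev_class);
    int leaked = 0;
    memset(slot.raw, STALE, sizeof slot.raw);   /* dirty the slot before use */
    use_fix ? fill_fixed(&slot.ci, 0x0042, cls) : fill_vulnerable(&slot.ci, 0x0042, cls);
    for (size_t i = 0; i < sizeof slot.raw; i++) {
        int in_field = (i >= h && i < h + sizeof(uint16_t)) || (i >= d && i < d + 3);
        if (!in_field && slot.raw[i] == STALE)
            leaked++;
    }
    return leaked;
}
```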
* Missing boundary checks in squashfs.
Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to process
a corrupted or malicious squashfs image.
* File corruption and information leak in OCFS2.
Under certain circumstances, writing to a file with holes on an OCFS2
filesystem could fill part of a hole with uninitialized data from the disk
rather than zero bytes, leading to file corruption and potentially a leak
of sensitive information.
* CVE-2011-1573: Remote denial of service in SCTP.
A flaw in the Linux kernel's Stream Control Transmission Protocol (SCTP)
implementation could allow a remote attacker to cause a denial of service
if the sysctl variables "net.sctp.addip_enable" and "net.sctp.auth_enable"
were turned on (both are off by default).
* Denial of service in NFS server via reference count leak.
Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service (kernel
panic) or other unspecified impact.
* Denial of service in UBIFS filesystem via fsync.
Calling fsync on a file in a read-only UBIFS filesystem caused a kernel
oops, leading to denial of service.
* Improved fix for CVE-2010-3865.
Debian provided an improvement to their previous fix for the security
issue CVE-2010-3865.
* CVE-2011-1017: Missing boundary checks in LDM partition table parsing.
When processing an LDM partition table, the kernel did not verify that
certain fields were within bounds, resulting in a possible heap overflow.
A local attacker could potentially exploit this to cause a denial of
service or information leak.
* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Multiple vulnerabilities in the mpt2sas driver may allow local users to
gain privileges, cause a denial of service (memory corruption), or obtain
sensitive information from kernel memory.
* CVE-2011-1598: Denial of service in CAN/BCM protocol.
Dave Jones reported an issue in the Broadcast Manager Controller Area
Network (CAN/BCM) protocol that may allow local users to cause a NULL
pointer dereference, resulting in a denial of service.
* CVE-2011-1748: Denial of service in CAN raw sockets.
Oliver Hartkopp reported an issue in the Controller Area Network (CAN) raw
socket implementation which permits local users to cause a NULL pointer
dereference, resulting in a denial of service.
* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Multiple integer overflows in the AGP driver could allow local users to
gain privileges or cause a denial of service (system crash) via crafted
AGPIOC_BIND or AGPIOC_UNBIND ioctls.
* CVE-2011-1746: Buffer overflow in AGP subsystem.
The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently large
buffer, leading to privilege escalation or denial of service.
* CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Timo Warns reported an issue in the Linux implementation of GUID partition
tables. Users with physical access can gain access to sensitive kernel
memory by adding a storage device with a specially crafted, invalid
partition table.
* CVE-2011-1770: Remote denial of service in DCCP options parsing.
Dan Rosenberg reported an issue in the Datagram Congestion Control
Protocol (DCCP). Remote users can cause a denial of service or potentially
obtain access to sensitive kernel memory.
* CVE-2011-1016: Privilege escalation in Radeon GPU driver.
The Radeon GPU drivers in the Linux kernel were missing sanity checks for
the Anti Aliasing (AA) resolve register values which could allow a local,
unprivileged user to cause a denial of service or escalate their
privileges on systems using a graphics card from the ATI Radeon R300,
R400, or R500 family of cards.
* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from a kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.
* Remote denial of service in cifs_mount.
The kernel's CIFS client code could trigger a denial of service (BUG()
assertion failure) when connecting to a CIFS server providing unusual
shares.
* CVE-2011-1585: Authentication bypass in CIFS.
Jeff Layton reported an issue in the Common Internet File System (CIFS).
Local users can bypass authentication requirements for shares that are
already mounted by another user.
* Denial of service in CIFS password handling.
The kernel's CIFS implementation would sometimes dereference a NULL
pointer representing a missing password.
* CVE-2011-1767: Remote denial of service in GRE over IP.
Alexey Dobriyan reported an issue in the GRE over IP implementation.
Remote users can cause a denial of service by sending a packet during
module initialization.
* CVE-2011-1593: Missing bounds check in proc filesystem.
A local attacker could exploit a missing bounds check to read kernel
memory or cause a denial of service.
* CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
A NULL pointer dereference flaw was found in the Generic Receive Offload
(GRO) functionality in the Linux kernel's networking implementation. If
both GRO and promiscuous mode were enabled on an interface in a virtual
LAN (VLAN), it could result in a denial of service when a malformed VLAN
frame is received on that interface.
* CVE-2011-0695: Remote denial of service in InfiniBand setup.
A race condition was found in the way the Linux kernel's InfiniBand
implementation set up new connections. This could allow a remote user to
cause a denial of service.
* Locking failure in cpuset_write_resmask.
The kernel function cpuset_write_resmask() could fail to release a lock
under certain error conditions, leading to denial of service or other
kernel misbehavior.
* Memory corruption in netfilter logging.
The netfilter logging code failed to check array bounds, leading to a
denial of service or memory corruption.
* CVE-2011-1476: Missing boundary checks in OSS.
Several missing boundary checks in the OSS subsystem could lead to memory
corruption or a denial of service.
* CVE-2011-1759: Privilege escalation in semtimedop on ARM processors.
Dan Rosenberg reported an issue in the support for executing "old ABI"
binaries on ARM processors. Local users can obtain elevated privileges due
to insufficient bounds checking in the semtimedop system call.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.