[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (Debian 6.0.4)

Tim Abbott tim.abbott at oracle.com
Mon Jan 30 14:18:03 PST 2012


Synopsis: Debian 6.0.4 can now be patched using Ksplice
CVEs: CVE-2011-1161 CVE-2011-1162 CVE-2011-1576 CVE-2011-2203
CVE-2011-2494 CVE-2011-2699 CVE-2011-3638 CVE-2011-4127 CVE-2011-4132
CVE-2011-4326 CVE-2011-4330

Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel release, Debian 6.0.4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-1161: Information leak in transmission logic of TPM driver.

A missing buffer size check in tpm_transmit could allow leaking of
potentially sensitive kernel memory.


* CVE-2011-1162: Information leak in TPM driver.

A buffer in tpm_read was not initialized before being returned to
userspace, leading to a leak of potentially sensitive kernel memory.
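The leak class in this entry, shown as an added example rather than the Ksplice patch or the kernel's own tpm_read code: a constructed driver model whose response buffer keeps stale bytes from an earlier command. The leaky read hands back as many bytes as the caller asks for; the hardened read returns only the bytes the device actually produced and then wipes the buffer. TPM_BUFSIZE, struct tpm_dev and the response bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

#define TPM_BUFSIZE 64   /* constructed size of the driver's response buffer */

/* Constructed model of a TPM character device: data_buffer holds the last
 * command response, data_pending says how many of its bytes are valid. */
struct tpm_dev {
    unsigned char data_buffer[TPM_BUFSIZE];
    size_t data_pending;
};

/* Simulate the device producing a response of resp_len bytes. Bytes beyond
 * resp_len are deliberately left as they were, so stale data is observable. */
static void tpm_fake_response(struct tpm_dev *dev,
                              const unsigned char *resp, size_t resp_len)
{
    if (resp_len > TPM_BUFSIZE)
        resp_len = TPM_BUFSIZE;
    memcpy(dev->data_buffer, resp, resp_len);
    dev->data_pending = resp_len;
}

/* Leaky form, modelled on the bug class rather than the driver's exact code:
 * copies as many bytes as the caller requested regardless of how many the
 * device produced, so whatever the buffer held before reaches the caller.
 * Bounded to TPM_BUFSIZE only so the demonstration stays inside its buffer. */
static size_t tpm_read_leaky(struct tpm_dev *dev,
                             unsigned char *user_buf, size_t size)
{
    if (size > TPM_BUFSIZE)
        size = TPM_BUFSIZE;
    memcpy(user_buf, dev->data_buffer, size);
    dev->data_pending = 0;
    return size;
}

/* Hardened form: copy at most the valid bytes, then clear the buffer so no
 * byte of a previous response (or never-initialized memory) can be returned
 * by a later, larger read. Returns the number of bytes copied. */
static size_t tpm_read_hardened(struct tpm_dev *dev,
                                unsigned char *user_buf, size_t size)
{
    size_t n = dev->data_pending;
    if (n > size)
        n = size;
    memcpy(user_buf, dev->data_buffer, n);
    dev->data_pending = 0;
    memset(dev->data_buffer, 0, TPM_BUFSIZE);  /* wipe after consumption */
    return n;
}

/* Check helper: 1 if any byte of the driver buffer still holds data after a
 * read, i.e. if a following read could expose residue. */
static int tpm_buffer_has_residue(const struct tpm_dev *dev)
{
    for (size_t i = 0; i < TPM_BUFSIZE; i++)
        if (dev->data_buffer[i] != 0)
            return 1;
    return 0;
}
```

Reading 16 bytes after a 4-byte response is the case to watch: the leaky path returns 16 bytes, 12 of them from the previous command, while the hardened path returns 4 and leaves nothing behind.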


* Buffer overread in x25.

Insufficient data size checking in x25_find_listener could result in
buffer overreads.


* Denial of service in NFSv4 server open downgrade operation.

The WANT bits in the NFSv4 open downgrade operation could
potentially be used to trigger a denial of service (kernel BUG).


* Wrong reserved DMA addresses in AMD IOMMU.

An arithmetic error in the AMD IOMMU driver caused incorrect
addresses to be reserved for DMA.


* CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.

When splitting two extents in ext4_ext_convert_to_initialized(), an
extent was incorrectly not dirtied, resulting in the disk layout being
corrupted, which will eventually cause a kernel crash.


* Privilege escalation in Sun RPC credential cache.

A programming mistake in the cache of recently used Sun RPC
credentials may allow access to be incorrectly granted to
processes with certain group lists.


* CVE-2011-4330: Buffer overflow in HFS file name translation logic.

Clement Lecigne reported a flaw in the way the HFS filesystem
implementation handled file names larger than HFS_NAMELEN. A missing
length check in hfs_mac2asc could result in a buffer overflow.
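The missing length check, as an added example in C that is not the kernel's hfs_mac2asc or the Ksplice patch: HFS stores names as Pascal strings whose one-byte length field comes straight from the disk image, so a crafted length can claim far more than the HFS_NAMELEN bytes of storage that exist. The translation below clamps that field before copying. struct hfs_name and make_hfs_name are constructed for the demonstration; the HFS_NAMELEN value of 31 is the HFS on-disk limit.

```c
#include <stddef.h>
#include <string.h>

#define HFS_NAMELEN 31   /* longest HFS file name; size of the on-disk field */

/* Constructed stand-in for an on-disk HFS name record: a length byte followed
 * by the name bytes. Because len is a byte it can claim up to 255 even though
 * only HFS_NAMELEN bytes of name storage follow it. */
struct hfs_name {
    unsigned char len;
    unsigned char name[HFS_NAMELEN];
};

/* Translate an on-disk name into a NUL-terminated C string in out. Returns the
 * number of name bytes written (excluding the NUL), or -1 if out cannot hold
 * them. The length field is untrusted data from the image, so it is clamped to
 * HFS_NAMELEN before the copy; a translation that trusts it reads past the
 * 31-byte source field and can overrun the destination, which is the bug class
 * described above. */
static int hfs_name_to_c(const struct hfs_name *in, char *out, size_t out_cap)
{
    size_t srclen = in->len;

    if (srclen > HFS_NAMELEN)
        srclen = HFS_NAMELEN;       /* the check the vulnerable code lacked */
    if (out_cap < srclen + 1)
        return -1;

    for (size_t i = 0; i < srclen; i++) {
        unsigned char ch = in->name[i];
        /* ':' is the HFS path separator, so a name cannot contain it as a
         * Linux component; map it to '/' as the kernel's translation does. */
        out[i] = (ch == ':') ? '/' : (char)ch;
    }
    out[srclen] = '\0';
    return (int)srclen;
}

/* Build a constructed name record; claimed_len is stored as given so an
 * over-length value can be exercised. Unused name bytes are filled with 'X'
 * so any copy beyond the real name is visible in the output. */
static struct hfs_name make_hfs_name(const char *name, unsigned char claimed_len)
{
    struct hfs_name n;
    size_t copy = strlen(name);

    memset(&n, 'X', sizeof n);
    n.len = claimed_len;
    if (copy > HFS_NAMELEN)
        copy = HFS_NAMELEN;
    memcpy(n.name, name, copy);
    return n;
}
```

A record claiming a length of 200 is translated as a 31-byte name; without the clamp the same record would drive the copy 169 bytes past the name field.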


* CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.

A flaw was found in the way the Linux kernel handled fragmented IPv6
UDP datagrams over the bridge with UDP Fragmentation Offload (UFO)
functionality on.  A remote attacker could use this flaw to cause a
denial of service.


* Information leak in ecryptfs_decode_from_filename().

An attacker could read a small amount of kernel memory beyond the end of
the filename_rev_map[] array by creating a file with a filename
containing characters with ASCII values greater than the size of the
array.
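The table over-read in this entry, as an added example in C that is neither the kernel's ecryptfs_decode_from_filename nor the Ksplice patch: a reverse-lookup table sized, like filename_rev_map[], only up to 'z' (ASCII 122), and a decoder that range-checks every filename byte before using it as an index. The 64-symbol alphabet, rev_map, REV_MAP_SIZE and decode_filename are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed reverse-lookup table modelled on filename_rev_map[]: it maps an
 * encoded filename byte back to its 6-bit value and, like the kernel's table,
 * has entries only up to 'z' (ASCII 122). Bytes 123..255 have no entry. */
#define REV_MAP_SIZE 123
#define NOT_IN_ALPHABET 0xff
static unsigned char rev_map[REV_MAP_SIZE];
static int rev_map_ready;

static void init_rev_map(void)
{
    /* Assumed 64-symbol portable alphabet: '-', 0-9, A-Z, '_', a-z. */
    static const char alphabet[] =
        "-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz";
    memset(rev_map, NOT_IN_ALPHABET, sizeof rev_map);
    for (size_t i = 0; alphabet[i] != '\0'; i++)
        rev_map[(unsigned char)alphabet[i]] = (unsigned char)i;
    rev_map_ready = 1;
}

/* Decode an encoded filename into dst, 6 bits per source byte. Returns the
 * number of bytes written, or -1 on invalid input or insufficient room. The
 * defect described above was the unchecked form  rev_map[c]  with c taken
 * straight from the filename, so any byte above 122 indexed past the table;
 * here c is compared with REV_MAP_SIZE first. Trailing bits that do not fill
 * a whole byte are dropped. */
static long decode_filename(const char *src, size_t src_len,
                            unsigned char *dst, size_t dst_cap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t di = 0;

    if (!rev_map_ready)
        init_rev_map();

    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];

        if (c >= REV_MAP_SIZE || rev_map[c] == NOT_IN_ALPHABET)
            return -1;              /* outside the table, or not a code char */

        acc = (acc << 6) | rev_map[c];
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (di >= dst_cap)
                return -1;          /* output buffer too small */
            dst[di++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    return (long)di;
}
```

With 'A' at index 11 in the assumed alphabet, "AAAA" decodes to the three bytes 0x2C 0xB2 0xCB; a name containing '{' (123) or any byte above it is rejected instead of being looked up beyond the table.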


* Additional fix for CVE-2011-1576: Denial of service with VLAN packets
and GRO.

Debian's previous fix for CVE-2011-1576 did not completely address the
issue.


* Potential NULL pointer dereference in scsi_kill_request().

The scsi_kill_request function dereferenced the cmd member of its request
argument before checking whether cmd is NULL, the case its BUG() is
meant to catch.


* CVE-2011-4132: Denial of service in Journaling Block Device layer.

A flaw in the way the Journaling Block Device (JBD) layer handled an
invalid log first block value allowed an attacker to mount a malicious
ext3 or ext4 image that would crash the system.


* CVE-2011-2494: Information leak in taskstats.

Taskstats information could be used to gather private information, such
as precise password lengths from openssh. This update restricts
taskstats information to the root user, which has the side effect
of making the "iotop" program require root.


* CVE-2011-2203: Null pointer dereference mounting HFS filesystems.

A NULL pointer dereference flaw was found in the Linux kernel's HFS
file system implementation. A local attacker could use this flaw to
cause a denial of service by mounting a disk that contains a
specially-crafted HFS file system with a corrupted MDB extent
record.


* CVE-2011-2699: Predictable ipv6 fragment identification numbers.

IPv6 fragment identification numbers were produced by a single shared
generator, which made them highly predictable and therefore usable for
a denial of service attack.


* Potential deadlock in filesystem core.

An incorrect argument to a memory allocator function in the Linux
kernel's core filesystem layer could result in a denial of service
(kernel deadlock) in certain cases.


* In-memory corruption in XFS ACL processing.

A missing check in xfs_acl_from_disk on the number of XFS ACLs could
result in in-memory corruption and a kernel panic.


* Updated fix for CVE-2011-4127.

Debian's original fix could potentially cause regressions in some
cases, such as running the 'eject' command on a partition of a
removable device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
