[Ksplice][RHEL 5 Updates] New updates available via Ksplice (RHSA-2011:0004)

Tim Abbott tabbott at ksplice.com
Thu Jan 6 20:05:01 PST 2011


Synopsis: RHSA-2011:0004 can now be patched using Ksplice
CVEs: CVE-2010-3432 CVE-2010-3442 CVE-2010-3699 CVE-2010-3858 CVE-2010-3859 CVE-2010-3865 CVE-2010-3876 CVE-2010-3880 CVE-2010-4083 CVE-2010-4157 CVE-2010-4161 CVE-2010-4242 CVE-2010-4248
Red Hat Security Advisory Severity: Important

Systems running Red Hat Enterprise Linux 5, CentOS 5, and CentOSPlus 5 can 
now use Ksplice to patch against the latest Red Hat Security Advisory, 
RHSA-2011:0004.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack RHEL 5, CentOS 5, and CentOSPlus 5 
users install these updates.  You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() function can call sctp_packet_reset() on a packet 
structure that has already been filled with chunks.  This resets the 
recorded packet length but does not remove the chunks from the list; when 
the SCTP code then re-initializes the packet, the length no longer matches 
the chunks still queued, the packet can overflow its skb, and the kernel 
panics.


* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function computes the allocation size for a snd_kcontrol 
struct from a user-supplied element count without checking the arithmetic 
for integer overflow.  A large count wraps the size to a small value, so 
the allocation is undersized and the subsequent per-element initialization 
writes an attacker-chosen value repeatedly past the end of the chunk, 
corrupting the heap.  The interface is reachable by unprivileged users 
with access to the sound device.


* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable Datagram 
Sockets (RDS) protocol implementation.  A local, unprivileged user could 
use this flaw to cause a denial of service or escalate their privileges.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function does not initialize all members of a 
sockaddr struct before copying it to userland, which allows unprivileged 
users to read uninitialized kernel stack memory.


* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized 
kernel stack memory, because various fields of a semid_ds struct declared 
on the stack are not altered or zeroed before being copied back to the 
user.
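The two information leaks above (CVE-2010-3876 and CVE-2010-4083) share one 
pattern: a struct is declared on the kernel stack, only some of its bytes 
are written, and the whole struct is copied back to user space.  The 
following C program, added here as an illustration and not code from the 
kernel or from Ksplice, models that pattern in user space.  The struct 
layout, the field names, the 0xAA marker standing in for stale stack 
contents and the "eth0" device name are all constructed for the example; 
memcpy() stands in for copy_to_user().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of a struct the kernel builds on its stack and copies back to
 * user space, as in the sockaddr returned by packet_getname_spkt() or the
 * semid_ds filled in by semctl().  Field names are illustrative. */
struct reply {
    uint16_t family;    /* always set by the handler */
    char     name[14];  /* set only up to the NUL of a short device name */
};

#define STALE 0xAA  /* constructed marker for whatever the stack slot held */

/* Copy like strlcpy(): stops at the NUL and does not pad the rest. */
static void copy_name(char *dst, size_t dst_len, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dst_len && src[i]; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Leaky pattern: no memset, so bytes the handler never writes keep the
 * previous contents of the stack slot and go out with the copy. */
static void build_reply_leaky(unsigned char out[sizeof(struct reply)], const char *dev)
{
    unsigned char slot[sizeof(struct reply)];
    struct reply r;
    memset(slot, STALE, sizeof slot);   /* simulate stale stack contents */
    memcpy(&r, slot, sizeof r);         /* the struct starts out holding them */
    r.family = 17;                      /* e.g. AF_PACKET */
    copy_name(r.name, sizeof r.name, dev);
    memcpy(out, &r, sizeof r);          /* stands in for copy_to_user() */
}

/* Fixed pattern: zero the whole struct before filling it. */
static void build_reply_fixed(unsigned char out[sizeof(struct reply)], const char *dev)
{
    unsigned char slot[sizeof(struct reply)];
    struct reply r;
    memset(slot, STALE, sizeof slot);
    memcpy(&r, slot, sizeof r);
    memset(&r, 0, sizeof r);            /* the fix: no stale bytes survive */
    r.family = 17;
    copy_name(r.name, sizeof r.name, dev);
    memcpy(out, &r, sizeof r);
}

/* Count how many bytes of the copied-out struct still carry the marker. */
size_t leaked_bytes(const unsigned char *buf, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            leaked++;
    return leaked;
}

size_t leaky_demo(const char *dev)
{
    unsigned char out[sizeof(struct reply)];
    build_reply_leaky(out, dev);
    return leaked_bytes(out, sizeof out);
}

size_t fixed_demo(const char *dev)
{
    unsigned char out[sizeof(struct reply)];
    build_reply_fixed(out, dev);
    return leaked_bytes(out, sizeof out);
}

int main(void)
{
    printf("leaky: %zu of %zu bytes are stale stack data\n",
           leaky_demo("eth0"), sizeof(struct reply));
    printf("fixed: %zu of %zu bytes are stale stack data\n",
           fixed_demo("eth0"), sizeof(struct reply));
    return 0;
}
```

With a four-character device name, nine of the sixteen bytes handed back 
by the leaky path are old stack contents; the same holds for any struct 
padding, which no field assignment ever touches, so zeroing the whole 
object before filling it is the check a reviewer should look for on every 
copy_to_user() of a stack-allocated struct.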


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-3699: Denial of service vulnerability in Xen block I/O driver.

A flaw was found in the Xenbus code for the unified block-device I/O 
interface back end.  A privileged guest user could use this flaw to cause 
a denial of service on the host system running the Xen hypervisor.  
(CVE-2010-3699, Moderate)


* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver 
in the Linux kernel.  A local, unprivileged user could use this flaw to 
cause a denial of service. (CVE-2010-4242, Moderate)


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an 
incorrect buffer size, leading to memory corruption.
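Both CVE-2010-3442 (a size computed as header plus count times element 
size) and CVE-2010-4157 (a buffer length checked by summing two 
user-supplied lengths) are instances of unchecked size arithmetic.  The C 
program below, added here as an illustration and not code from either 
driver, shows the wrapping computation beside its checked form.  uint32_t 
stands in for size_t on a 32-bit kernel; the header, element, count and 
buffer constants are assumptions chosen for the example, not the drivers' 
real values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the size arithmetic in a control allocation (header plus an
 * array of 'count' elements) and in an ioctl length check (two
 * user-supplied lengths summed against a buffer limit).  All constants
 * are assumptions for the example. */
#define HDR_SIZE   64u            /* fixed header, e.g. the kcontrol struct */
#define ELEM_SIZE  16u            /* per-element record in the trailing array */
#define MAX_COUNT  1024u          /* sane upper bound for a control array */
#define IOCTL_BUF  (32u * 1024u)  /* size of the kernel buffer being filled */

/* Unchecked: the multiply wraps, so a huge count yields a tiny allocation
 * while the caller later writes 'count' elements into it. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return HDR_SIZE + ELEM_SIZE * count;
}

/* Checked: bound the count, then test for overflow before multiplying.
 * Returns 0 (never a valid size here) when the request must be rejected. */
uint32_t checked_alloc_size(uint32_t count)
{
    if (count == 0 || count > MAX_COUNT)
        return 0;
    if (count > (UINT32_MAX - HDR_SIZE) / ELEM_SIZE)
        return 0;
    return HDR_SIZE + ELEM_SIZE * count;
}

/* Unchecked: data_len + sense_len wraps past 2^32 and the comparison
 * against the buffer limit passes although each operand alone exceeds it. */
bool unchecked_lengths_fit(uint32_t data_len, uint32_t sense_len)
{
    return data_len + sense_len <= IOCTL_BUF;
}

/* Checked: compare without ever forming the sum. */
bool checked_lengths_fit(uint32_t data_len, uint32_t sense_len)
{
    if (data_len > IOCTL_BUF)
        return false;
    return sense_len <= IOCTL_BUF - data_len;
}

int main(void)
{
    uint32_t huge = 0x10000000u;   /* 2^28 elements: 16 * 2^28 wraps to 0 */
    printf("unchecked size for %u elements: %u bytes\n",
           huge, unchecked_alloc_size(huge));
    printf("checked size for %u elements: %u (0 = rejected)\n",
           huge, checked_alloc_size(huge));
    printf("unchecked lengths 0xFFFFFFF0 + 0x20 fit: %d\n",
           unchecked_lengths_fit(0xFFFFFFF0u, 0x20u));
    printf("checked lengths 0xFFFFFFF0 + 0x20 fit: %d\n",
           checked_lengths_fit(0xFFFFFFF0u, 0x20u));
    return 0;
}
```

The unchecked allocation returns 64 bytes for a request of 2^28 elements, 
and the unchecked length check accepts two lengths whose sum wraps to 16.  
The checked versions keep the arithmetic in a range where it cannot wrap: 
divide the headroom by the element size rather than multiplying, and 
subtract one operand from the limit rather than adding the operands.  
Kernel code targeting several word sizes should do the same with size_t, 
since the wrap that is easy to reach on a 32-bit kernel still exists, just 
further away, on a 64-bit one.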


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET_DIAG subsystem does not locate the bytecode attribute in a netlink 
message the same way when auditing it as when executing it, so the 
bytecode that passes the audit need not be the bytecode that runs.  A user 
can exploit this to have the kernel execute unaudited INET_DIAG bytecode, 
which can make the kernel enter an infinite loop and possibly has other 
consequences.
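The failure mode is "validate one copy, use another".  The following C 
program, added here as a model and not the kernel's inet_diag code, builds 
a netlink-style request with two attributes, audits the one found by type 
and then executes the first one in the message, exactly the mismatch the 
paragraph describes.  The attribute types, the two-op bytecode (a forward 
jump and an end marker), the audit rule and the step cap that turns an 
endless loop into a return code are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the INET_DIAG request path: a message carries
 * attributes, one of which (ATTR_BYTECODE) holds a filter program.
 * Attribute types, opcodes and return codes are illustrative. */
enum { ATTR_OTHER = 1, ATTR_BYTECODE = 2 };
enum { OP_JMP = 1, OP_END = 2 };

struct op   { uint8_t code; uint8_t yes; };   /* yes = forward jump, in ops */
struct attr { int type; const struct op *ops; size_t nops; };
struct msg  { const struct attr *attrs; size_t nattrs; };

#define RC_OK      0
#define RC_INVALID (-1)
#define RC_LOOPED  (-2)   /* step cap hit: the real kernel would spin forever */
#define STEP_CAP   64

static const struct attr *find_attr(const struct msg *m, int type)
{
    for (size_t i = 0; i < m->nattrs; i++)
        if (m->attrs[i].type == type)
            return &m->attrs[i];
    return NULL;
}

static const struct attr *first_attr(const struct msg *m)
{
    return m->nattrs ? &m->attrs[0] : NULL;
}

/* Audit: every jump must move forward and stay inside the program. */
static int audit(const struct attr *a)
{
    for (size_t pc = 0; pc < a->nops; pc++) {
        const struct op *o = &a->ops[pc];
        if (o->code == OP_JMP && (o->yes == 0 || pc + o->yes > a->nops))
            return RC_INVALID;
        if (o->code != OP_JMP && o->code != OP_END)
            return RC_INVALID;
    }
    return RC_OK;
}

/* Run with a step cap so a zero-length jump is reported instead of hung on. */
static int run(const struct attr *a)
{
    size_t pc = 0;
    for (int steps = 0; steps < STEP_CAP; steps++) {
        if (pc >= a->nops)
            return RC_OK;
        const struct op *o = &a->ops[pc];
        if (o->code == OP_END)
            return RC_OK;
        pc += o->yes;
    }
    return RC_LOOPED;
}

/* Vulnerable pattern: audit the attribute found by type, execute the first. */
static int handle_buggy(const struct msg *m)
{
    const struct attr *checked = find_attr(m, ATTR_BYTECODE);
    if (!checked || audit(checked) != RC_OK)
        return RC_INVALID;
    return run(first_attr(m));
}

/* Fixed pattern: the pointer that was audited is the one that runs. */
static int handle_fixed(const struct msg *m)
{
    const struct attr *bc = find_attr(m, ATTR_BYTECODE);
    if (!bc || audit(bc) != RC_OK)
        return RC_INVALID;
    return run(bc);
}

/* Constructed request: a leading attribute of another type carrying a
 * self-looping program, followed by a well-formed bytecode attribute. */
static const struct op looping[] = { { OP_JMP, 0 } };
static const struct op benign[]  = { { OP_JMP, 1 }, { OP_END, 0 } };
static const struct attr crafted_attrs[] = {
    { ATTR_OTHER,    looping, 1 },
    { ATTR_BYTECODE, benign,  2 },
};
static const struct msg crafted = { crafted_attrs, 2 };

/* Control: the looping program sent honestly as the bytecode attribute. */
static const struct attr honest_attrs[] = { { ATTR_BYTECODE, looping, 1 } };
static const struct msg honest = { honest_attrs, 1 };

int crafted_buggy(void) { return handle_buggy(&crafted); }
int crafted_fixed(void) { return handle_fixed(&crafted); }
int honest_buggy(void)  { return handle_buggy(&honest); }

int main(void)
{
    printf("crafted message, buggy handler: %d (%d means it would loop)\n",
           crafted_buggy(), RC_LOOPED);
    printf("crafted message, fixed handler: %d\n", crafted_fixed());
    printf("honest looping bytecode, buggy handler: %d (rejected)\n",
           honest_buggy());
    return 0;
}
```

The audit itself is sound: sent directly, the looping program is 
rejected.  It is the lookup mismatch that lets the unaudited first 
attribute run, so the fix is not a stricter audit but making the handler 
audit and execute through the same pointer.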


* CVE-2010-3858: Denial of service vulnerability with large argument lists.

Missing sanity checks were found in setup_arg_pages() in the Linux kernel.  
When making the size of the argument and environment area on the stack 
very large, it could trigger a BUG_ON(), resulting in a local denial of 
service. (CVE-2010-3858, Moderate)


* Mitigate denial of service attacks with large argument lists.

This update improves interactivity and makes SIGKILL more effective at 
responding to issues where an attacker could make a system unresponsive 
through various attacks involving processes with very large argument 
lists.


* CVE-2010-4161: Deadlock in socket queue subsystem.

The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 
introduced a deadlock in the socket queue subsystem.  A local, 
unprivileged user could use this flaw to cause a denial of service. 
(CVE-2010-4161, Moderate)


* CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation could allow a local, 
unprivileged user to escalate their privileges. (CVE-2010-3859, 
Important)

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
