[Ksplice][RHEL 5 Updates] New updates available via Ksplice (RHSA-2011:0017-1)

Tim Abbott tabbott at ksplice.com
Sat Jan 15 14:25:31 PST 2011


Synopsis: RHSA-2011:0017-1 can now be patched using Ksplice
CVEs: CVE-2010-3296 CVE-2010-3877 CVE-2010-4058 CVE-2010-4072 CVE-2010-4073 CVE-2010-4077 CVE-2010-4080 CVE-2010-4081 CVE-2010-4238 CVE-2010-4243 CVE-2010-4258
Red Hat Security Advisory Severity: Important

Systems running Red Hat Enterprise Linux 5, CentOS 5, and CentOSPlus 5 can 
now use Ksplice to patch against the latest Red Hat Security Advisory, 
RHSA-2011:0017-1.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack RHEL 5, CentOS 5, and CentOSPlus 5 
users install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 
bytes of uninitialized stack memory, because the "addr" member of the 
ch_reg struct declared on the stack in cxgb_extension_ioctl() is not 
altered or zeroed before being copied back to the user.


* CVE-2010-3877: Kernel information leak in tipc driver.

The get_name function in net/tipc/socket.c did not properly initialize a 
certain structure, which allows local users to obtain potentially 
sensitive information from kernel stack memory by reading a copy of this 
structure.


* CVE-2010-4072: Kernel information leak in ipc shm subsystem.

Several functions in the System V IPC shared memory subsystem did not 
properly clear fields before copying data to user space, leaking data from 
uninitialized kernel stack memory to user space.


* CVE-2010-4058: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation 
did not properly clear an array on the kernel stack, resulting in 
uninitialized kernel stack memory being copied to user space.


* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* Integer overflow in sys_remap_file_pages.

The remap_file_pages() system call in fremap.c has an integer overflow bug 
that is exploitable for denial of service and potentially other 
consequences.


* CVE-2010-4258: Failure to revert address limit override after oops.

If a kernel oops occurred with a kernel address limit override in place, 
the kernel did not properly reset the address limit before writing to a 
user-controlled address, potentially allowing a local user to escalate a 
denial-of-service attack into privilege escalation.


* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO 
ioctls in hdspm.c and hdsp.c allow unprivileged users to read 
uninitialized kernel stack memory, because several fields of the 
hdsp{m}_config_info structs declared on the stack are not altered or 
zeroed before being copied back to the user.
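The stack information leaks above (CVE-2010-3296, CVE-2010-3877, CVE-2010-4072, CVE-2010-4058, CVE-2010-4073, CVE-2010-4077, CVE-2010-4080 and CVE-2010-4081) share one defect: a struct declared on the kernel stack is only partially filled in before it is copied back to user space. The following is an added userspace model of that pattern, not Ksplice's or the kernel's code; the struct and function names are hypothetical, and a caller-supplied marker byte stands in for whatever stale data the stack held before the handler ran.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl result structure modelled on the entries above: some
 * fields the handler fills in, some it never touches. The layout is 12 bytes
 * with no compiler padding, so every byte is accounted for. */
struct cfg_info {
    uint32_t sample_rate;
    uint8_t  clock_source;
    uint8_t  reserved[3];   /* never written by the handler */
    uint32_t spare;         /* never written by the handler */
};

/* Vulnerable pattern: only the fields of interest are assigned; the
 * reserved and spare bytes keep whatever the stack held before. */
void fill_config_vulnerable(struct cfg_info *info)
{
    info->sample_rate  = 48000;
    info->clock_source = 1;
}

/* Fixed pattern: zero the whole struct first (memset() or a zero
 * initializer), then assign the fields that carry real data. */
void fill_config_fixed(struct cfg_info *info)
{
    memset(info, 0, sizeof *info);
    info->sample_rate  = 48000;
    info->clock_source = 1;
}

/* Counts bytes still equal to the marker after the handler ran, i.e. bytes of
 * stale stack content that copy_to_user() would hand to the caller. */
int leaked_bytes(void (*handler)(struct cfg_info *), uint8_t marker)
{
    struct cfg_info info;
    const uint8_t *p = (const uint8_t *)&info;
    int n = 0;

    memset(&info, marker, sizeof info);   /* stand-in for stale stack data */
    handler(&info);
    for (size_t i = 0; i < sizeof info; i++)
        n += (p[i] == marker);
    return n;
}

int main(void)
{
    printf("vulnerable: %d of %zu bytes leaked\n",
           leaked_bytes(fill_config_vulnerable, 0xAA), sizeof(struct cfg_info));
    printf("fixed:      %d of %zu bytes leaked\n",
           leaked_bytes(fill_config_fixed, 0xAA), sizeof(struct cfg_info));
    return 0;
}
```

The same check generalizes to any struct handed to copy_to_user(): count the bytes the handler never wrote, and treat any nonzero count as a leak.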


* CVE-2010-4238: Xen host crash with CDROM drives and Xen blkback driver.

A missing sanity check was found in vbd_create() in the Xen hypervisor 
implementation.  As CD-ROM drives are not supported by the blkback 
back-end driver, attempting to use a virtual CD-ROM drive with blkback 
could trigger a denial of service (crash) on the host system running the 
Xen hypervisor.  (CVE-2010-4238, Moderate)


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation.  
A local, unprivileged user could cause large amounts of memory to be 
allocated but not visible to the OOM (Out of Memory) killer, triggering a 
denial of service. (CVE-2010-4243, Moderate)

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


