From tabbott at ksplice.com Wed Dec 8 08:51:12 2010
From: tabbott at ksplice.com (Tim Abbott)
Date: Wed, 8 Dec 2010 11:51:12 -0500 (EST)
Subject: [Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2010-18506)
Message-ID:

Synopsis: FEDORA-2010-18506 can now be patched using Ksplice
CVEs: CVE-2010-3880 CVE-2010-3904 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4076 CVE-2010-4077 CVE-2010-4082 CVE-2010-4248

Systems running Fedora 13 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2010-18506.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these updates.

You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on
user-provided pointers before using unchecked __copy_*_user_inatomic
functions, which can be exploited by a local user to write to arbitrary
kernel memory and escalate privileges.

* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.

* CVE-2010-4072: Kernel information leak in ipc shm subsystem.

Several functions in the System V IPC shared memory subsystem did not
properly clear fields before copying data to user space, leaking data from
uninitialized kernel stack memory to user space.

* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode
contained in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make
the kernel enter an infinite loop, and possibly other consequences.

* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group leader
in the de_thread function in fs/exec.c.

* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 bytes
of uninitialized stack memory, because the "reserved" member of the
viafb_ioctl_info struct declared on the stack is not altered or zeroed
before being copied back to the user.

* CVE-2010-4076: Kernel information leak in amiserial driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.

* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.

* CVE-2010-4075: Kernel information leak in serial subsystem.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
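The uninitialized "reserved" field pattern shared by CVE-2010-4075, -4076 and -4077 above (and, in spirit, the VIAFB and IPC leaks), shown next to its fix as an added userspace model; this is not Ksplice's or the kernel's code. The struct layout, the memcpy standing in for copy_to_user, and the 0xAA-filled stack slot are constructed assumptions that make the leak visible deterministically.

```c
#include <stddef.h>
#include <string.h>

/* Layout modelled on the kernel's serial_icounter_struct named in the
 * advisory (assumed; only the trailing reserved[] matters here). */
struct serial_icounter_struct {
    int cts, dsr, rng, dcd, rx, tx;
    int frame, overrun, parity, brk, buf_overrun;
    int reserved[9];
};

/* Constructed stand-in for the kernel stack slot the struct occupies; on a
 * real stack it holds whatever earlier calls left there. */
static struct serial_icounter_struct stack_slot;
/* Both variants assign only the live counters; reserved[] is never set. */
static void fill_live_counters(struct serial_icounter_struct *ic)
{
    ic->cts = 1; ic->dsr = 1; ic->rng = 0; ic->dcd = 0;
    ic->rx = 1234; ic->tx = 5678;
    ic->frame = ic->overrun = ic->parity = ic->brk = ic->buf_overrun = 0;
}

/* Vulnerable pattern: memcpy stands in for copy_to_user, so whatever the
 * stack held in reserved[] is handed to user space. */
static void icount_ioctl_vulnerable(unsigned char *user_buf)
{
    fill_live_counters(&stack_slot);
    memcpy(user_buf, &stack_slot, sizeof stack_slot);
}
/* Fixed pattern: zero the whole struct before filling it in. */
static void icount_ioctl_fixed(unsigned char *user_buf)
{
    memset(&stack_slot, 0, sizeof stack_slot);
    fill_live_counters(&stack_slot);
    memcpy(user_buf, &stack_slot, sizeof stack_slot);
}

/* Dirties the stack slot (0xAA marks stale bytes), runs one variant, and
 * returns how many reserved[] bytes reached user space still non-zero. */
static size_t leaked_reserved_bytes(int use_fix)
{
    unsigned char user_buf[sizeof stack_slot];
    size_t i, n = 0;
    memset(&stack_slot, 0xAA, sizeof stack_slot);   /* "earlier call" residue */
    if (use_fix) icount_ioctl_fixed(user_buf); else icount_ioctl_vulnerable(user_buf);
    for (i = offsetof(struct serial_icounter_struct, reserved); i < sizeof user_buf; i++)
        if (user_buf[i] != 0) n++;
    return n;
}
```

With the vulnerable variant every byte of reserved[] arrives as stale 0xAA; with the memset in place the same call returns no leaked bytes.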
From nelhage at ksplice.com Thu Dec 23 21:08:06 2010
From: nelhage at ksplice.com (Nelson Elhage)
Date: Fri, 24 Dec 2010 00:08:06 -0500
Subject: [Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2010-18983)
Message-ID: <20101224050806.GI23414@ksplice.com>

Synopsis: FEDORA-2010-18983 can now be patched using Ksplice
CVEs: CVE-2010-2962 CVE-2010-2963 CVE-2010-3442 CVE-2010-3698 CVE-2010-3705 CVE-2010-4058 CVE-2010-4157 CVE-2010-4162 CVE-2010-4169 CVE-2010-4249 CVE-2010-4258

Systems running Fedora 13 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2010-18983.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these updates.

You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-4258: Failure to revert address limit override after oops.

If a kernel oops occurred with a kernel address limit override in place,
the kernel did not properly reset the address limit before writing to a
user-controlled address, potentially allowing a local user to escalate a
denial-of-service attack into privilege escalation.

* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct by
performing arithmetic operations on a user-provided size without checking
for integer overflow. This allows an unprivileged user to write an
arbitrary value repeatedly past the bounds of this chunk, resulting in heap
corruption.

* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.

The SCTP subsystem's sctp_asoc_get_hmac function did not correctly check
for an out of range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.

* CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.

The i915 driver's pread and pwrite ioctls had several bugs in their access
control checks that could be used to achieve privilege escalation.

* CVE-2010-2963: Privilege escalation in V4L 32-bit compat support.

Kees Cook discovered that the V4L1 32bit compat interface did not correctly
validate certain parameters. A local attacker on a 64bit system with access
to a video device could exploit this to gain root privileges.

* CVE-2010-4169: Use-after-free bug in mprotect system call.

A use-after-free flaw in the mprotect() system call could allow a local,
unprivileged user to cause a local denial of service.

* CVE-2010-4162: Integer overflow in block I/O subsystem.

Due to integer underflow and overflow issues when determining the number of
pages required for I/O requests, a local user could send a device ioctl
that results in the sequential allocation of a very large number of pages,
causing the OOM killer to be invoked and crashing the system.

* CVE-2010-4249: Denial of service vulnerability in socket subsystem.

The wait_for_unix_gc function does not properly select times for garbage
collection of inflight sockets, which allows local users to cause a denial
of service (system hang) via crafted use of the socketpair and sendmsg
system calls for SOCK_SEQPACKET sockets.

* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.

* CVE-2010-4058: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation did
not properly clear an array on the kernel stack, resulting in uninitialized
kernel stack memory being copied to user space.

* CVE-2010-3698: Denial of service vulnerability in KVM host.

A flaw was found in the way QEMU-KVM handled the reloading of fs and gs
segment registers when they had invalid selectors. A privileged host user
with access to "/dev/kvm" could use this flaw to crash the host (denial of
service).

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
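The unchecked size arithmetic described for CVE-2010-3442 above (and the buffer-size overflow in ioc_general, CVE-2010-4157) beside a checked version, as an added example that is not code from the advisory or the kernel. HEADER_SIZE, ELEM_SIZE and the function names are constructed stand-ins for sizeof(struct snd_kcontrol) and its per-element data; the 32-bit count models the user-supplied value.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for sizeof(struct snd_kcontrol) and its per-element volatile
 * data (constructed values; the arithmetic, not the numbers, is the point). */
#define HEADER_SIZE 128u
#define ELEM_SIZE   64u

/* Vulnerable pattern, the shape CVE-2010-3442 is described as having:
 * the allocation size is computed in 32-bit arithmetic from a
 * user-supplied count. A large count wraps the product, so the chunk
 * allocated is far smaller than the count elements later written into it. */
static uint32_t alloc_size_naive(uint32_t count)
{
    return HEADER_SIZE + ELEM_SIZE * count;   /* uint32 wraps silently */
}

/* Hardened pattern: reject any count whose size would overflow before
 * doing the multiplication. Returns 0 (never a valid size) on rejection. */
static size_t alloc_size_checked(uint32_t count)
{
    if (count > (UINT32_MAX - HEADER_SIZE) / ELEM_SIZE)
        return 0;                              /* caller treats as -EINVAL */
    return HEADER_SIZE + (size_t)ELEM_SIZE * count;
}

/* Audit helper: 1 if the naive size cannot hold count elements, i.e. the
 * point at which per-element writes would run past the allocated chunk. */
static int naive_size_is_undersized(uint32_t count)
{
    uint64_t needed = HEADER_SIZE + (uint64_t)ELEM_SIZE * count;
    return alloc_size_naive(count) < needed;
}
```

A count of 0x04000000 makes ELEM_SIZE * count wrap to zero, so the naive size collapses to HEADER_SIZE while the checked version refuses the request.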