[Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2010-18506)

Tim Abbott tabbott at ksplice.com
Wed Dec 8 08:51:12 PST 2010


Synopsis: FEDORA-2010-18506 can now be patched using Ksplice
CVEs: CVE-2010-3880 CVE-2010-3904 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4076 CVE-2010-4077 CVE-2010-4082 CVE-2010-4248

Systems running Fedora 13 can now use Ksplice to patch against the latest 
Fedora security update, FEDORA-2010-18506.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these
updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on 
user-provided pointers before using unchecked __copy_*_user_inatomic 
functions, which can be exploited by a local user to write to arbitrary 
kernel memory and escalate privileges.


* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* CVE-2010-4072: Kernel information leak in ipc shm subsystem.

Several functions in the System V IPC shared memory subsystem did not 
properly clear fields before copying data to user space, leaking data from 
uninitialized kernel stack memory to user space.


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode 
contained in a netlink message, making it possible for a user to cause the 
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make 
the kernel enter an infinite loop, and may have other consequences.


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 
bytes of uninitialized stack memory, because the "reserved" member of the 
viafb_ioctl_info struct declared on the stack is not altered or zeroed 
before being copied back to the user.


* CVE-2010-4076: Kernel information leak in amiserial driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4075: Kernel information leak in serial subsystem.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.
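
Added illustration (not part of the advisory or of the kernel code) of the stack-leak pattern shared by the TIOCGICOUNT and VIAFB_GET_INFO entries above: a user-space C simulation in which a struct's reserved[] tail is copied out without being zeroed, beside the zeroed form. The field layout follows struct serial_icounter_struct in <linux/serial.h>; the reused stack slot and the stale-byte marker are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Field layout of struct serial_icounter_struct from <linux/serial.h>. */
struct serial_icounter_struct {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int frame, overrun, parity, brk;
    int buf_overrun;
    int reserved[9];
};

/* Constructed stand-in for a reused kernel stack slot: an earlier call
 * leaves bytes here, then the ioctl handler's local struct lands on them. */
static union {
    unsigned char raw[sizeof(struct serial_icounter_struct)];
    struct serial_icounter_struct icount;
} fake_stack;

#define STALE_BYTE 0xA5 /* constructed marker for leftover data from an earlier call */

/* Handler body: fills the live counters and copies the whole struct out
 * (memcpy stands in for copy_to_user). zero_first selects the fixed form. */
static void tiocgicount(unsigned char *user_buf, int zero_first)
{
    struct serial_icounter_struct *ic = &fake_stack.icount;

    memset(fake_stack.raw, STALE_BYTE, sizeof fake_stack.raw); /* stale data */
    if (zero_first)
        memset(ic, 0, sizeof *ic);           /* the fix: reserved[] cleared */
    ic->cts = 1; ic->dsr = 2; ic->rng = 3; ic->dcd = 4;
    ic->rx = 100; ic->tx = 200;
    ic->frame = ic->overrun = ic->parity = ic->brk = ic->buf_overrun = 0;
    memcpy(user_buf, ic, sizeof *ic);        /* reserved[] goes out untouched */
}

/* Returns how many bytes of reserved[] in the copied-out struct still carry
 * the stale marker: 9 * sizeof(int) for the vulnerable form, 0 once zeroed. */
size_t leaked_reserved_bytes(int zero_first)
{
    unsigned char user_buf[sizeof(struct serial_icounter_struct)];
    size_t i, n = 0;

    tiocgicount(user_buf, zero_first);
    for (i = offsetof(struct serial_icounter_struct, reserved); i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            n++;
    return n;
}
```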


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
