[Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2010-18983)

Nelson Elhage nelhage@ksplice.com
Thu Dec 23 21:08:06 PST 2010


Synopsis: FEDORA-2010-18983 can now be patched using Ksplice
CVEs: CVE-2010-2962 CVE-2010-2963 CVE-2010-3442 CVE-2010-3698 CVE-2010-3705
      CVE-2010-4058 CVE-2010-4157 CVE-2010-4162 CVE-2010-4169 CVE-2010-4249
      CVE-2010-4258

Systems running Fedora 13 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2010-18983.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these
updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-4258: Failure to revert address limit override after oops.

If a kernel oops occurred with a kernel address limit override in place, the
kernel did not properly reset the address limit before writing to a
user-controlled address, potentially allowing a local user to escalate a
denial-of-service attack into privilege escalation.


* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct
by performing arithmetic operations on a user-provided size without
checking for integer overflow.  This allows an unprivileged user to
write an arbitrary value repeatedly past the bounds of this chunk,
resulting in heap corruption.
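To show the arithmetic this entry describes, here is an added example (not code from the kernel or from Ksplice) contrasting an unchecked size computation with one that bounds the user-supplied count before multiplying. The struct sizes, the MAX_CONTROL_COUNT ceiling and the function names are constructed stand-ins, not the real ALSA values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins: the real snd_kcontrol and snd_kcontrol_volatile
 * structs are larger; only the shape of the arithmetic matters here. */
#define KCONTROL_HDR_SIZE      64u   /* stands in for sizeof(struct snd_kcontrol) */
#define KCONTROL_VOLATILE_SIZE 16u   /* stands in for sizeof(struct snd_kcontrol_volatile) */

/* Vulnerable pattern: header + element size * user-controlled count, done in
 * 32-bit unsigned arithmetic with no bound on count.  A large count wraps the
 * product, so the allocation is far smaller than the number of elements the
 * code later initialises inside it. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return KCONTROL_HDR_SIZE + KCONTROL_VOLATILE_SIZE * count;
}

/* Hardened pattern: reject zero and anything above a fixed ceiling before
 * multiplying, then confirm by division that the product did not wrap.
 * MAX_CONTROL_COUNT is an assumed ceiling for this example. */
#define MAX_CONTROL_COUNT 1028u

bool checked_alloc_size(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_CONTROL_COUNT)
        return false;
    size_t elems = (size_t)KCONTROL_VOLATILE_SIZE * count;
    if (elems / KCONTROL_VOLATILE_SIZE != count)      /* wraparound guard */
        return false;
    if (elems > SIZE_MAX - KCONTROL_HDR_SIZE)         /* addition guard */
        return false;
    *out = KCONTROL_HDR_SIZE + elems;
    return true;
}

int main(void)
{
    uint32_t huge = 0x10000004u;  /* constructed: 16 * huge wraps to 64 in 32 bits */
    size_t sz = 0;
    printf("unchecked(%u) = %u bytes\n", huge, unchecked_alloc_size(huge));
    printf("checked(%u) accepted: %s\n", huge,
           checked_alloc_size(huge, &sz) ? "yes" : "no");
    printf("checked(4) = %zu bytes\n", checked_alloc_size(4, &sz) ? sz : 0);
    return 0;
}
```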


* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.

The SCTP subsystem's sctp_asoc_get_hmac function did not correctly
check for an out-of-range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.


* CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.

The i915 driver's pread and pwrite ioctls had several bugs in their
access control checks that could be used to achieve privilege
escalation.


* CVE-2010-2963: Privilege escalation in V4L 32-bit compat support.

Kees Cook discovered that the V4L1 32-bit compat interface did not
correctly validate certain parameters.  A local attacker on a 64-bit
system with access to a video device could exploit this to gain root
privileges.


* CVE-2010-4169: Use-after-free bug in mprotect system call.

A use-after-free flaw in the mprotect() system call could allow a
local, unprivileged user to cause a local denial of service.


* CVE-2010-4162: Integer overflow in block I/O subsystem.

Due to integer underflow and overflow issues when determining the
number of pages required for I/O requests, a local user could send a
device ioctl that results in the sequential allocation of a very large
number of pages, causing the OOM killer to be invoked and crashing the
system.


* CVE-2010-4249: Denial of service vulnerability in socket subsystem.

The wait_for_unix_gc function does not properly select times for
garbage collection of inflight sockets, which allows local users to
cause a denial of service (system hang) via crafted use of the
socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.


* CVE-2010-4058: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter
implementation did not properly clear an array on the kernel stack,
resulting in uninitialized kernel stack memory being copied to user
space.


* CVE-2010-3698: Denial of service vulnerability in KVM host.

A flaw was found in the way QEMU-KVM handled the reloading of fs and
gs segment registers when they had invalid selectors. A privileged
host user with access to "/dev/kvm" could use this flaw to crash the
host (denial of service).


SUPPORT

Ksplice support is available at support@ksplice.com or +1 765-577-5423.
