From nelhage at ksplice.com Wed Jun 22 08:51:16 2011
From: nelhage at ksplice.com (Nelson Elhage)
Date: Wed, 22 Jun 2011 11:51:16 -0400
Subject: [Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2011-6447)
Message-ID: <20110622155116.GB12192@ksplice.com>

Synopsis: FEDORA-2011-6447 can now be patched using Ksplice
CVEs: CVE-2010-2942 CVE-2010-3079 CVE-2010-3084 CVE-2010-3437 CVE-2010-3477
      CVE-2010-3859 CVE-2010-3861 CVE-2010-3873 CVE-2010-3876 CVE-2010-3881
      CVE-2010-4079 CVE-2010-4083 CVE-2010-4160 CVE-2010-4164 CVE-2010-4175
      CVE-2010-4243 CVE-2010-4249 CVE-2010-4527 CVE-2011-0712 CVE-2011-1013
      CVE-2011-1019 CVE-2011-1079 CVE-2011-1093 CVE-2011-1182 CVE-2011-1494
      CVE-2011-1495 CVE-2011-1745 CVE-2011-1746 CVE-2011-2022

Systems running Fedora 13 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2011-6447.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 13 install these
updates.

You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these
updates will be installed automatically and you do not need to take any
additional action.

DESCRIPTION

* Buffer overflow parsing IrDA messages.

The IrDA parameter parsing code did not sufficiently validate the length of
string parameters, potentially leading to a remote denial of service or
arbitrary code execution.

* Remote buffer overflow in IrDA GetValuebyClass parsing.

While parsing an IrDA GetValuebyClass command, the kernel could potentially
write beyond the end of the packet buffer, leading to a denial of service or
potentially arbitrary code execution.

* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL.

The ethtool_get_rxnfc() function in the Linux kernel's ethtool IOCTL handler
did not appropriately clear memory before returning it to userspace. When
called with a large info.rule_cnt, it could allow a local user to cause an
information leak.
* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized kernel
stack memory, because various fields of a semid_ds struct declared on the
stack are not altered or zeroed before being copied back to the user.

* CVE-2010-3881: Information leak in KVM.

It was found that some structure padding and reserved fields in certain data
structures in QEMU-KVM were not initialized properly before being copied to
user-space. A privileged host user with access to "/dev/kvm" could use this
flaw to leak kernel stack memory to user-space.

* CVE-2010-3477: Kernel information leak in act_police.

Incorrectly initialized structures in the traffic control dump code may allow
the disclosure of kernel memory to userspace applications. This is a similar
issue to CVE-2010-2942.

* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities() function may cause a memcpy() of ULONG_MAX size,
destroying the kernel heap.

* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.

* CVE-2010-4164: Denial of service parsing bad X.25 facilities.

On parsing malformed X.25 facilities, an integer underflow may cause a kernel
crash.

* CVE-2010-4175: Integer overflow in RDS cmsg handling.

An incorrect range check in rds_cmsg_rdma_args() could result in an integer
overflow, leading to memory corruption.

* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. (CVE-2010-3859, Important)

Missing boundary checks in the PPP over L2TP sockets implementation could
allow a local, unprivileged user to cause a denial of service or escalate
their privileges.
(CVE-2010-4160, Important)

* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code may allow
the disclosure of 32 bits of kernel memory to userspace applications.

* CVE-2010-3437: Information leak in pktcdvd driver.

An integer signedness error in the pkt_find_dev_from_minor() function allows
local users to obtain sensitive information from kernel memory or cause a
denial of service (invalid pointer dereference and system crash) via a
crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.

* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation. A
local, unprivileged user could cause large amounts of memory to be allocated
but not visible to the OOM (Out of Memory) killer, triggering a denial of
service.

* CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX sockets.
A local, unprivileged user could use this flaw to trigger a denial of service
(out-of-memory condition).

* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt() function does not initialize all members of a
sockaddr struct before copying it to userland, which allows unprivileged
users to read uninitialized stack memory.

* CVE-2010-3079: NULL pointer dereference in ftrace_regex_lseek.

A NULL pointer dereference flaw in ftrace_regex_lseek() in the Linux kernel's
ftrace implementation could allow a local, unprivileged user to cause a
denial of service.

* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.

The load_mixer_volumes() function (accessed via the SOUND_MIXER_SETLEVELS
ioctl) did not properly check the length of the provided "name" argument,
resulting in a privilege escalation vulnerability via buffer overflow.

* CVE-2011-1013: Signedness error in drm.
The drm_modeset_ctl() function incorrectly treated an unsigned integer as
signed, leading to a local denial of service or possible privilege
escalation.

* CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.

The CAP_NET_ADMIN capability should confer the right to load kernel modules
only for network devices, but the kernel failed to implement this
restriction. The result is that CAP_NET_ADMIN could be used to load any
module in the /lib/modules/ directory.

* CVE-2011-0712: Buffer overflows in caiaq driver.

An attacker with physical access could gain elevated privileges via pathways
relating to buffer overflows in the caiaq audio driver.

* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.

A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from the kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.

* CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.

The niu_get_ethtool_tcam_all() function does not check the user-provided
output buffer size before copying that many bytes into the output buffer,
resulting in a buffer overflow.

* CVE-2011-1079: Denial of service in Bluetooth BNEP.

A string copied from userspace in the BNEP (Bluetooth Network Encapsulation
Protocol) driver is not checked for null termination, leading to a denial of
service (kernel crash) or information leak.

* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.

Multiple integer overflows in the AGP driver could allow local users to gain
privileges or cause a denial of service (system crash) via crafted
AGPIOC_BIND or AGPIOC_UNBIND ioctls.

* CVE-2011-1746: Buffer overflow in AGP subsystem.

The agp_allocate_memory() function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently large
buffer, leading to privilege escalation or denial of service.
* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS
  2.0 driver.

Multiple vulnerabilities in the mpt2sas driver may allow local users to gain
privileges, cause a denial of service (memory corruption), or obtain
sensitive information from kernel memory.

* CVE-2011-1093: NULL pointer dereference in DCCP.

A flaw in the implementation of the dccp_rcv_state_process() function allowed
a local unprivileged user, or a remote user if the system accepted
connections over the DCCP protocol, to cause a denial of service (kernel
oops) via a NULL pointer dereference.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
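Several of the information leaks listed above (CVE-2010-4083, CVE-2010-3881, CVE-2010-3876, CVE-2010-4079, CVE-2010-2942, CVE-2010-3477) share one root cause: a struct on the kernel stack is filled field by field and then copied out whole, so its padding bytes and any untouched fields carry whatever the stack previously held. The following is an added userspace illustration, not Ksplice's or the kernel's code; the struct layout, the 0xAA sentinel standing in for stale stack data, and the function names are all constructed for this example. It shows the vulnerable pattern beside the usual fix of zeroing the whole object before filling it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed layout: the uint8_t/uint32_t/uint16_t mix forces padding on
 * every mainstream ABI (3 bytes after 'type', 2 after 'flags'). */
struct ds_info {
    uint8_t  type;
    uint32_t value;
    uint16_t flags;
};

#define STALE 0xAA  /* sentinel standing in for leftover kernel stack data */

/* The "stack slot" the struct lives in; the union keeps the raw byte view
 * and the struct view at the same, correctly aligned address. */
static union {
    unsigned char raw[sizeof(struct ds_info)];
    struct ds_info s;
} slot;

/* Fill the struct field by field and copy it out whole, as the affected
 * handlers did. With clear_first == 0 this is the vulnerable pattern:
 * padding is never written, so stale bytes reach the caller. With
 * clear_first == 1 it is the fixed pattern: memset() the object to zero
 * before filling it. Returns the number of bytes copied. */
size_t fill_and_copy(unsigned char *user_buf, int clear_first)
{
    memset(slot.raw, STALE, sizeof slot.raw);  /* left over from an earlier call */
    if (clear_first)
        memset(&slot.s, 0, sizeof slot.s);
    slot.s.type  = 1;
    slot.s.value = 0x12345678;
    slot.s.flags = 7;
    memcpy(user_buf, slot.raw, sizeof slot.raw); /* copy_to_user() in the kernel */
    return sizeof slot.raw;
}

/* Count bytes of the copied-out object that still hold the sentinel,
 * i.e. how many bytes of stale "stack" memory were disclosed. */
size_t count_leaked(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Convenience wrapper: run one variant and report how many bytes leaked. */
size_t leaked_bytes(int clear_first)
{
    unsigned char out[sizeof(struct ds_info)];
    size_t n = fill_and_copy(out, clear_first);
    return count_leaked(out, n);
}
```

With clear_first == 0 the padding bytes come back as 0xAA, the same class of disclosure the advisories above describe; with clear_first == 1 no sentinel bytes survive.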