[Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2011-6447)

Nelson Elhage nelhage at ksplice.com
Wed Jun 22 08:51:16 PDT 2011


Synopsis: FEDORA-2011-6447 can now be patched using Ksplice
CVEs: CVE-2010-2942 CVE-2010-3079 CVE-2010-3084 CVE-2010-3437
      CVE-2010-3477 CVE-2010-3859 CVE-2010-3861 CVE-2010-3873
      CVE-2010-3876 CVE-2010-3881 CVE-2010-4079 CVE-2010-4083
      CVE-2010-4160 CVE-2010-4164 CVE-2010-4175 CVE-2010-4243
      CVE-2010-4249 CVE-2010-4527 CVE-2011-0712 CVE-2011-1013
      CVE-2011-1019 CVE-2011-1079 CVE-2011-1093 CVE-2011-1182
      CVE-2011-1494 CVE-2011-1495 CVE-2011-1745 CVE-2011-1746
      CVE-2011-2022

Systems running Fedora 13 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-6447.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 13 install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Buffer overflow parsing IrDA messages.

The IrDA parameter parsing code did not sufficiently validate the length of
string parameters, potentially leading to a remote denial of service or
arbitrary code execution.


* Remote buffer overflow in IrDA GetValuebyClass parsing.

While parsing an IrDA GetValuebyClass command, the kernel could potentially
write beyond the end of the packet buffer, leading to a denial of service or
potentially arbitrary code execution.


* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL.

The ethtool_get_rxnfc() function in the Linux kernel's ethtool IOCTL handler
did not appropriately clear memory before returning it to userspace. When it
was called with a large info.rule_cnt, a local user could cause an information
leak.


* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized
kernel stack memory, because various fields of a semid_ds struct
declared on the stack are not altered or zeroed before being copied
back to the user.


* CVE-2010-3881: Information leak in KVM.

It was found that some structure padding and reserved fields in
certain data structures in QEMU-KVM were not initialized properly
before being copied to user-space.  A privileged host user with access
to "/dev/kvm" could use this flaw to leak kernel stack memory to
user-space.


* CVE-2010-3477: Kernel information leak in act_police.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of kernel memory to userspace
applications. This is a similar issue to CVE-2010-2942.


* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities() function may cause a memcpy() of ULONG_MAX size,
destroying the kernel heap.


* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.


* CVE-2010-4164: Denial of service parsing bad X.25 facilities.

On parsing malformed X.25 facilities, an integer underflow may cause a
kernel crash.


* CVE-2010-4175: Integer overflow in RDS cmsg handling.

An incorrect range check in rds_cmsg_rdma_args() could result in an
integer overflow, leading to memory corruption.


* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges.  (CVE-2010-3859,
Important).

Missing boundary checks in the PPP over L2TP sockets implementation
could allow a local, unprivileged user to cause a denial of service or
escalate their privileges.  (CVE-2010-4160, Important)


* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of 32 bits of kernel memory to userspace
applications.


* CVE-2010-3437: Information leak in pktcdvd driver.

Integer signedness error in the pkt_find_dev_from_minor function
allows local users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer dereference and system
crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call
implementation.  A local, unprivileged user could cause large amounts
of memory to be allocated but not visible to the OOM (Out of Memory)
killer, triggering a denial of service.


* CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function does not initialize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.
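The semctl, KVM, act_police, ivtvfb, traffic control and packet entries above all describe the same defect class: a structure built on the kernel stack is copied to userspace with its padding or never-written fields still holding stale data. The following added example (not Ksplice's or the kernel's code) models that pattern in plain C so the leak can be measured. The struct attr_record layout, the STALE_BYTE marker and the arena standing in for a dirty stack frame are constructed for the example; memcpy() stands in for copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a record a kernel handler builds on its stack
 * and hands back to userspace. The compiler inserts padding after 'type'
 * and after 'len'; 'reserved' is a field the handler never writes. */
struct attr_record {
    uint8_t  type;
    uint32_t value;
    uint16_t len;
    uint32_t reserved;
};

/* Bytes the handler deliberately assigns: type + value + len. */
#define ASSIGNED_BYTES (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint16_t))

/* Marker modelling whatever stale data an earlier syscall left behind. */
#define STALE_BYTE 0xAA

/* Arena standing in for the kernel stack frame (assumption: a real frame
 * would hold unpredictable leftovers; the arena makes them deterministic). */
static union {
    struct attr_record rec;
    unsigned char raw[sizeof(struct attr_record)];
} kstack;

static struct attr_record *dirty_frame(void)
{
    memset(kstack.raw, STALE_BYTE, sizeof kstack.raw);
    return &kstack.rec;
}

/* Vulnerable pattern: set the meaningful fields, copy the whole object.
 * Padding bytes and 'reserved' still carry stale stack contents. */
size_t leaky_handler(unsigned char *user_buf)
{
    struct attr_record *r = dirty_frame();
    r->type  = 1;
    r->value = 0x01020304u;
    r->len   = 5;
    memcpy(user_buf, r, sizeof *r);   /* stands in for copy_to_user() */
    return sizeof *r;
}

/* Hardened pattern: zero the whole object before writing any field, so
 * padding and reserved fields reach userspace as zeroes. */
size_t hardened_handler(unsigned char *user_buf)
{
    struct attr_record *r = dirty_frame();
    memset(r, 0, sizeof *r);          /* the fix */
    r->type  = 1;
    r->value = 0x01020304u;
    r->len   = 5;
    memcpy(user_buf, r, sizeof *r);
    return sizeof *r;
}

/* Count bytes of a copied-out buffer that still carry the stale marker. */
size_t count_stale_bytes(const unsigned char *buf, size_t n)
{
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Run a handler the way a userspace caller would and measure the leak. */
size_t leaked_bytes(size_t (*handler)(unsigned char *))
{
    unsigned char out[sizeof(struct attr_record)];
    size_t n = handler(out);
    return count_stale_bytes(out, n);
}

int main(void)
{
    printf("leaky handler exposes %zu of %zu bytes\n",
           leaked_bytes(leaky_handler), sizeof(struct attr_record));
    printf("hardened handler exposes %zu bytes\n",
           leaked_bytes(hardened_handler));
    return 0;
}
```

Every byte the leaky handler did not assign (all padding plus the reserved field) comes back holding the marker, while the hardened handler returns none; zeroing the whole object before filling it is the fix applied for each of these CVEs.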


* CVE-2010-3079: NULL pointer dereference in ftrace_regex_lseek.

A NULL pointer dereference flaw in ftrace_regex_lseek() in the Linux
kernel's ftrace implementation could allow a local, unprivileged user to
cause a denial of service.


* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.

The load_mixer_volumes function (accessed via the
SOUND_MIXER_SETLEVELS ioctl) did not properly check the length of the
provided "name" argument, resulting in a privilege escalation
vulnerability via buffer overflow.


* CVE-2011-1013: Signedness error in drm.

The drm_modeset_ctl() function incorrectly treated an unsigned
integer as signed, leading to a local denial of service or possible
privilege escalation.


* CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.

The CAP_NET_ADMIN capability should confer the right to load kernel modules
only for network devices, but the kernel failed to implement this restriction.
The result is that CAP_NET_ADMIN could be used to load any module in the
/lib/modules/ directory.


* CVE-2011-0712: Buffer overflows in caiaq driver.

An attacker with physical access could gain elevated privileges via
pathways relating to buffer overflows in the caiaq audio driver.


* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.

A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from a kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.


* CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.

The niu_get_ethtool_tcam_all function does not check the user-provided
output buffer size before copying that many bytes into the output buffer,
resulting in a buffer overflow.


* CVE-2011-1079: Denial of service in Bluetooth BNEP.

A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
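The IrDA, OSS load_mixer_volumes, niu ETHTOOL_GRXCLSRLALL and BNEP entries share one root cause: a length or string supplied by the peer or by userspace is trusted before being copied into a fixed-size kernel buffer. The added example below (not code from Ksplice or the kernel) shows the two checks a handler needs: that a declared length fits both the input it came from and the destination it goes to, and that a string copied in from userspace actually carries a terminator before it is used as one. The two-byte type/length header, the sample packets and the buffer sizes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed type/length/value string parameter:
 *   byte 0: type, byte 1: declared length, bytes 2..: string bytes. */
#define PARAM_HDR_LEN 2

/* Copy one string parameter out of 'pkt' into 'out'. Returns the string
 * length, or -1 when the declared length does not fit in the packet or
 * in the destination (including room for the terminator). */
int parse_string_param(const uint8_t *pkt, size_t pktlen, char *out, size_t outcap)
{
    if (pktlen < PARAM_HDR_LEN)
        return -1;                          /* header truncated */
    size_t declared = pkt[1];
    if (declared > pktlen - PARAM_HDR_LEN)
        return -1;                          /* would read past the packet */
    if (declared >= outcap)
        return -1;                          /* would overflow the fixed buffer */
    memcpy(out, pkt + PARAM_HDR_LEN, declared);
    out[declared] = '\0';                   /* always terminate */
    return (int)declared;
}

/* A buffer copied in from userspace is only a C string if a terminator
 * lies within its capacity; check that before calling strlen()/strcpy(). */
bool user_string_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Constructed sample inputs. */
static const uint8_t valid_pkt[]     = { 0x01, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t truncated_pkt[] = { 0x01, 0x10, 'a', 'b' };   /* claims 16, carries 2 */
static const uint8_t oversized_pkt[] = { 0x01, 0x0C, 'a', 'a', 'a', 'a', 'a', 'a',
                                         'a', 'a', 'a', 'a', 'a', 'a' }; /* 12 bytes */
static const char terminated_name[8]   = "abc";
static const char unterminated_name[8] = { 'x', 'x', 'x', 'x', 'x', 'x', 'x', 'x' };

/* Fixed-size destination, the analogue of the kernel buffer being protected. */
static char g_out[8];

int main(void)
{
    printf("valid:      %d\n", parse_string_param(valid_pkt, sizeof valid_pkt, g_out, sizeof g_out));
    printf("truncated:  %d\n", parse_string_param(truncated_pkt, sizeof truncated_pkt, g_out, sizeof g_out));
    printf("oversized:  %d\n", parse_string_param(oversized_pkt, sizeof oversized_pkt, g_out, sizeof g_out));
    printf("terminated: %d, unterminated: %d\n",
           user_string_terminated(terminated_name, sizeof terminated_name),
           user_string_terminated(unterminated_name, sizeof unterminated_name));
    return 0;
}
```

The order of the checks matters: the packet-bound test comes before any read of the payload, and the destination-bound test reserves one byte for the terminator so the parser never relies on the peer having sent one.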


* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.

Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.


* CVE-2011-1746: Buffer overflow in AGP subsystem.

The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
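The RDS cmsg, drm_modeset_ctl() and AGP entries describe arithmetic on caller-controlled counts going wrong in two ways: a count multiplied into a size that wraps, and a count compared as signed so that a negative value passes a limit check. The added example below (not code from Ksplice or the kernel) shows each mistake beside its correction. EXAMPLE_PAGE_SIZE, MAX_PAGES_PER_REQUEST and WRAPPING_PAGE_COUNT are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_PAGE_SIZE      4096u   /* assumed page size for the example */
#define MAX_PAGES_PER_REQUEST  1024u   /* hypothetical policy limit */

/* A caller-chosen page count whose product with the page size wraps
 * size_t to exactly 0, whatever the width of size_t. */
#define WRAPPING_PAGE_COUNT (SIZE_MAX / EXAMPLE_PAGE_SIZE + 1)

/* Vulnerable: multiply first. The product sizes a buffer, so a wrapped
 * result yields a buffer far smaller than the caller will later fill. */
size_t unchecked_alloc_bytes(size_t pages)
{
    return pages * EXAMPLE_PAGE_SIZE;
}

/* Hardened: refuse any count that cannot be multiplied without wrapping,
 * before the multiplication is performed. */
bool checked_alloc_bytes(size_t pages, size_t *bytes)
{
    if (pages > SIZE_MAX / EXAMPLE_PAGE_SIZE)
        return false;
    *bytes = pages * EXAMPLE_PAGE_SIZE;
    return true;
}

/* Vulnerable: the count arrives as int and is compared as signed, so a
 * negative value satisfies "less than the limit" and is later
 * reinterpreted as an enormous unsigned length or index. */
bool signed_limit_check(int user_count)
{
    return user_count < (int)MAX_PAGES_PER_REQUEST;
}

/* Hardened: reject negatives explicitly, then compare in the unsigned domain. */
bool unsigned_limit_check(int user_count)
{
    if (user_count < 0)
        return false;
    return (unsigned int)user_count < MAX_PAGES_PER_REQUEST;
}

int main(void)
{
    size_t bytes = 0;
    printf("unchecked(%zu pages) = %zu bytes\n",
           (size_t)WRAPPING_PAGE_COUNT, unchecked_alloc_bytes(WRAPPING_PAGE_COUNT));
    printf("checked(%zu pages) accepted: %d\n",
           (size_t)WRAPPING_PAGE_COUNT, checked_alloc_bytes(WRAPPING_PAGE_COUNT, &bytes));
    printf("signed check accepts -1: %d, unsigned check accepts -1: %d\n",
           signed_limit_check(-1), unsigned_limit_check(-1));
    return 0;
}
```

The overflow test is written as a division against SIZE_MAX rather than by inspecting the product, because once the multiplication has wrapped there is no reliable way to detect it after the fact.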


* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.

Multiple vulnerabilities in the mpt2sas driver may allow local users
to gain privileges, cause a denial of service (memory corruption), or
obtain sensitive information from kernel memory.


* CVE-2011-1093: NULL pointer dereference in DCCP.

A flaw in the implementation of the dccp_rcv_state_process() function
allowed a local unprivileged user, or a remote user, if the system
accepted connections over the DCCP protocol, to cause a denial of
service (kernel oops) via a NULL pointer dereference.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
