[Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2011-6447)
Nelson Elhage
nelhage at ksplice.com
Wed Jun 22 08:51:16 PDT 2011
Synopsis: FEDORA-2011-6447 can now be patched using Ksplice
CVEs: CVE-2010-2942 CVE-2010-3079 CVE-2010-3084 CVE-2010-3437
CVE-2010-3477 CVE-2010-3859 CVE-2010-3861 CVE-2010-3873
CVE-2010-3876 CVE-2010-3881 CVE-2010-4079 CVE-2010-4083
CVE-2010-4160 CVE-2010-4164 CVE-2010-4175 CVE-2010-4243
CVE-2010-4249 CVE-2010-4527 CVE-2011-0712 CVE-2011-1013
CVE-2011-1019 CVE-2011-1079 CVE-2011-1093 CVE-2011-1182
CVE-2011-1494 CVE-2011-1495 CVE-2011-1745 CVE-2011-1746
CVE-2011-2022
Systems running Fedora 13 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-6447.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 13 install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* Buffer overflow parsing IrDA messages.
The IrDA parameter parsing code did not sufficiently validate the length of
string parameters, potentially leading to a remote denial of service or
arbitrary code execution.
* Remote buffer overflow in IrDA GetValuebyClass parsing.
While parsing an IrDA GetValuebyClass command, the kernel could potentially
write beyond the end of the packet buffer, leading to a denial of service or
potentially arbitrary code execution.
* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL.
The ethtool_get_rxnfc() function in the Linux kernel's ethtool IOCTL handler
did not appropriately clear memory before returning it to userspace. When it
is called with a large info.rule_cnt, it could allow a local user to cause an
information leak.
* CVE-2010-4083: Kernel information leak in semctl syscall.
The semctl system call allows unprivileged users to read uninitialized
kernel stack memory, because various fields of a semid_ds struct
declared on the stack are not altered or zeroed before being copied
back to the user.
* CVE-2010-3881: Information leak in KVM.
It was found that some structure padding and reserved fields in
certain data structures in QEMU-KVM were not initialized properly
before being copied to user-space. A privileged host user with access
to "/dev/kvm" could use this flaw to leak kernel stack memory to
user-space.
* CVE-2010-3477: Kernel information leak in act_police.
Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of kernel memory to userspace
applications. This is a similar issue to CVE-2010-2942.
* CVE-2010-3873: Memory corruption in X.25 facilities parsing.
The x25_parse_facilities() function may cause a memcpy() of ULONG_MAX size,
destroying the kernel heap.
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.
* CVE-2010-4164: Denial of service parsing bad X.25 facilities.
On parsing malformed X.25 facilities, an integer underflow may cause a
kernel crash.
* CVE-2010-4175: Integer overflow in RDS cmsg handling.
An incorrect range check in rds_cmsg_rdma_args() could result in an
integer overflow, leading to memory corruption.
* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.
A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. (CVE-2010-3859,
Important).
Missing boundary checks in the PPP over L2TP sockets implementation
could allow a local, unprivileged user to cause a denial of service or
escalate their privileges. (CVE-2010-4160, Important)
* CVE-2010-2942: Information leaks in traffic control dump structures.
Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of 32 bits of kernel memory to userspace
applications.
* CVE-2010-3437: Information leak in pktcdvd driver.
Integer signedness error in the pkt_find_dev_from_minor function
allows local users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer dereference and system
crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
* CVE-2010-4243: Denial of service due to wrong execve memory accounting.
A flaw was found in the Linux kernel execve() system call
implementation. A local, unprivileged user could cause large amounts
of memory to be allocated but not visible to the OOM (Out of Memory)
killer, triggering a denial of service.
* CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition).
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.
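Several items above (semctl, KVM, act_police, ivtvfb, the traffic control dump code and packet_getname_spkt) share one root cause: a struct declared on the kernel stack has only its named fields assigned, and the whole object, padding bytes and reserved fields included, is then copied to userspace. The following is an added illustration written for this post, not code from the kernel, Ksplice or Fedora; struct demo_info, fake_copy_to_user() and the field values are all constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example struct (not a real kernel struct). On typical ABIs the
 * 32-bit 'id' followed by a 64-bit 'counter' leaves 4 bytes of padding, and
 * 'reserved' is never written by the "driver" at all. */
struct demo_info {
    uint32_t id;
    uint64_t counter;
    uint32_t flags;
    uint32_t reserved;
};

/* Stand-in for copy_to_user(): in this userland demo a plain memcpy. */
static void fake_copy_to_user(void *user_dst, const void *kern_src, size_t n)
{
    memcpy(user_dst, kern_src, n);
}

/* Vulnerable pattern: only the named fields are assigned, so the padding
 * and 'reserved' still hold whatever was on the stack, and all of it is
 * copied out. */
static void fill_info_vulnerable(void *user_dst, uint32_t id)
{
    struct demo_info info;
    info.id = id;
    info.counter = 42;
    info.flags = 1;
    fake_copy_to_user(user_dst, &info, sizeof info);
}

/* Hardened pattern: memset() the whole object before filling it in. A
 * "= {0}" initializer is not an equivalent fix: the C standard leaves the
 * padding bytes of an automatic object unspecified, so only an explicit
 * memset (or kzalloc for heap objects) guarantees every byte is defined. */
static void fill_info_hardened(void *user_dst, uint32_t id)
{
    struct demo_info info;
    memset(&info, 0, sizeof info);
    info.id = id;
    info.counter = 42;
    info.flags = 1;
    fake_copy_to_user(user_dst, &info, sizeof info);
}

/* Audit helper: count bytes of the copied-out object that lie outside the
 * fields the function meant to publish (id, counter, flags) and are nonzero.
 * Any such byte is kernel memory the caller was never meant to see. */
static size_t count_unintended_nonzero_bytes(const unsigned char *buf)
{
    const struct { size_t off, len; } fields[] = {
        { offsetof(struct demo_info, id),      sizeof(uint32_t) },
        { offsetof(struct demo_info, counter), sizeof(uint64_t) },
        { offsetof(struct demo_info, flags),   sizeof(uint32_t) },
    };
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof(struct demo_info); i++) {
        int intended = 0;
        for (size_t f = 0; f < sizeof fields / sizeof fields[0]; f++)
            if (i >= fields[f].off && i < fields[f].off + fields[f].len)
                intended = 1;
        if (!intended && buf[i] != 0)
            leaked++;
    }
    return leaked;
}

/* Bytes of the object not covered by the intended fields: padding plus
 * 'reserved'. These are the bytes at risk in the vulnerable variant. */
static size_t bytes_at_risk(void)
{
    return sizeof(struct demo_info)
         - sizeof(uint32_t) - sizeof(uint64_t) - sizeof(uint32_t);
}

/* Read back the 'id' field from the copied-out buffer. */
static uint32_t read_id(const unsigned char *buf)
{
    uint32_t id;
    memcpy(&id, buf + offsetof(struct demo_info, id), sizeof id);
    return id;
}

int main(void)
{
    unsigned char out[sizeof(struct demo_info)];
    fill_info_vulnerable(out, 7);
    printf("vulnerable: %zu unintended nonzero bytes (of %zu at risk)\n",
           count_unintended_nonzero_bytes(out), bytes_at_risk());
    fill_info_hardened(out, 7);
    printf("hardened:   %zu unintended nonzero bytes\n",
           count_unintended_nonzero_bytes(out));
    return 0;
}
```

The audit helper is the practical takeaway: when reviewing an ioctl or getname handler, list the fields the interface documents and treat every other byte of the copied object as a leak unless something provably zeroes it.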
* CVE-2010-3079: NULL pointer dereference in ftrace_regex_lseek.
A NULL pointer dereference flaw in ftrace_regex_lseek() in the Linux
kernel's ftrace implementation could allow a local, unprivileged user to
cause a denial of service.
* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.
The load_mixer_volumes function (accessed via the
SOUND_MIXER_SETLEVELS ioctl) did not properly check the length of the
provided "name" argument, resulting in a privilege escalation
vulnerability via buffer overflow.
* CVE-2011-1013: Signedness error in drm.
The drm_modeset_ctl() function incorrectly treated an unsigned
integer as signed, leading to a local denial of service or possible
privilege escalation.
* CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
The CAP_NET_ADMIN capability should confer the right to load kernel modules
only for network devices, but the kernel failed to implement this restriction.
The result is that CAP_NET_ADMIN could be used to load any module in the
/lib/modules/ directory.
* CVE-2011-0712: Buffer overflows in caiaq driver.
An attacker with physical access could gain elevated privileges via
pathways relating to buffer overflows in the caiaq audio driver.
* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from a kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.
* CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
The niu_get_ethtool_tcam_all() function does not check the user-provided
output buffer size before copying that many bytes into the output buffer,
resulting in a buffer overflow.
* CVE-2011-1079: Denial of service in Bluetooth BNEP.
A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.
* CVE-2011-1746: Buffer overflow in AGP subsystem.
The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
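The AGP items (CVE-2011-1745, CVE-2011-1746) and the RDS item (CVE-2010-4175) are integer-overflow bugs in size computations, while the pktcdvd and drm items (CVE-2010-3437, CVE-2011-1013) are signedness mistakes in bounds checks. The following added example, written for this post and not taken from the kernel, Ksplice or Fedora, shows both patterns in their weak and corrected forms; DEMO_PAGE_SIZE and DEMO_MAX_PAGES are constructed constants standing in for a driver's real limits.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_PAGE_SIZE 4096u   /* constructed stand-in for PAGE_SIZE */
#define DEMO_MAX_PAGES 65536u  /* constructed table size the "driver" holds */

/* Vulnerable pattern: page_count * PAGE_SIZE wraps for a large page_count.
 * Unsigned wrap-around is silent, so a later allocation of the result is
 * far too small for the page_count the caller then iterates over. */
static size_t bytes_for_pages_naive(size_t page_count)
{
    return page_count * DEMO_PAGE_SIZE;
}

/* Hardened pattern: reject before multiplying. The kernel provides checked
 * helpers for this; the arithmetic is written out here so it is visible. */
static int bytes_for_pages_checked(size_t page_count, size_t *out)
{
    if (page_count == 0 || page_count > SIZE_MAX / DEMO_PAGE_SIZE)
        return -EINVAL;
    *out = page_count * DEMO_PAGE_SIZE;
    return 0;
}

/* Signedness pattern: a signed index checked only against the upper bound
 * lets negative values through, and table[index] then walks backwards out
 * of the table. */
static int index_ok_vulnerable(int index)
{
    return index < (int)DEMO_MAX_PAGES;
}

/* Corrected: check both bounds, comparing in the unsigned domain only after
 * the sign has been ruled out. */
static int index_ok_hardened(int index)
{
    return index >= 0 && (unsigned)index < DEMO_MAX_PAGES;
}

int main(void)
{
    size_t too_many = SIZE_MAX / DEMO_PAGE_SIZE + 1;   /* wraps to 0 */
    size_t bytes = 0;

    printf("naive size for %zu pages: %zu bytes\n",
           too_many, bytes_for_pages_naive(too_many));
    printf("checked size for %zu pages: rc=%d\n",
           too_many, bytes_for_pages_checked(too_many, &bytes));
    printf("index -1: vulnerable=%d hardened=%d\n",
           index_ok_vulnerable(-1), index_ok_hardened(-1));
    return 0;
}
```

The two checks look trivial in isolation; the advisory items show that they are easy to omit when the count or index arrives from an ioctl argument and the code path was written assuming a cooperative caller.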
* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Multiple vulnerabilities in the mpt2sas driver may allow local users
to gain privileges, cause a denial of service (memory corruption), or
obtain sensitive information from kernel memory.
* CVE-2011-1093: NULL pointer dereference in DCCP.
A flaw in the implementation of the dccp_rcv_state_process() function
allowed a local unprivileged user, or a remote user, if the system
accepted connections over the DCCP protocol, to cause a denial of
service (kernel oops) via a NULL pointer dereference.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.