From keegan at ksplice.com Wed Mar 9 13:11:48 2011
From: keegan at ksplice.com (Keegan McAllister)
Date: Wed, 9 Mar 2011 16:11:48 -0500
Subject: [Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2011-2134)
Message-ID:

Synopsis: FEDORA-2011-2134 can now be patched using Ksplice
CVEs: CVE-2010-1173 CVE-2010-3078 CVE-2010-3079 CVE-2010-3296 CVE-2010-3297
CVE-2010-3298 CVE-2010-3310 CVE-2010-3861 CVE-2010-4074 CVE-2010-4078
CVE-2010-4080 CVE-2010-4081 CVE-2010-4163 CVE-2010-4165 CVE-2010-4242
CVE-2010-4346 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650 CVE-2010-4668
CVE-2011-0006 CVE-2011-0521 CVE-2011-0716

Systems running Fedora 13 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2011-2134.

INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these updates.

You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these
updates will be installed automatically and you do not need to take any
additional action.

DESCRIPTION

* Improved fix for CVE-2010-1173.

The original fix from Fedora for CVE-2010-1173 didn't properly append an
error cause to the error chunks.

* Improved fix for CVE-2010-3079.

The original fix from Fedora did not eliminate all means by which a local
attacker could cause a denial of service (kernel oops) via the
set_ftrace_filter special file.

* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory.

* Kernel information leak in rds driver.

A stack information leak vulnerability was found in the rds driver. An
unprivileged attacker could read uninitialized data from a kernel stack.

* Infinite loop in unix_autobind.

A local user can potentially consume all available UNIX domain socket names,
causing the unix_autobind function to spin forever in the kernel.

* CVE-2010-3298: Information leak in hso_get_count().

The TIOCGICOUNT device ioctl allowed unprivileged users to read uninitialized
stack memory, because the "reserved" member of the serial_icounter_struct
struct declared on the stack in hso_get_count() was not altered or zeroed
before being copied back to the user.

* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4
bytes of uninitialized stack memory, because the "addr" member of the ch_reg
struct declared on the stack in cxgb_extension_ioctl() is not altered or
zeroed before being copied back to the user.

* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16 bytes
of uninitialized stack memory, because the "master_name" member of the
master_config_t struct declared on the stack in eql_g_master_cfg() is not
altered or zeroed before being copied back to the user.

* CVE-2010-4078: Information leak in SiS framebuffer driver.

The FBIOGET_VBLANK device ioctl in the sisfb driver allows unprivileged users
to read 16 bytes of uninitialized stack memory.

* CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.

A flaw was found in the xfs_ioc_fsgetxattr() function in the Linux kernel XFS
file system implementation. A data structure in xfs_ioc_fsgetxattr() was not
initialized properly before being copied to user-space. A local, unprivileged
user could use this flaw to cause an information leak.

* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO
ioctls in hdsp.c and hdspm.c allow unprivileged users to read uninitialized
kernel stack memory, because several fields of the hdsp{m}_config_info
structs declared on the stack are not altered or zeroed before being copied
back to the user.

* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.

The ethtool_get_rxnfc function did not initialize a block of heap memory,
which allowed local users to obtain potentially sensitive information via an
ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.

* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact by calling rose_bind or rose_connect with a negative
destination digis count.

* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in
the Linux kernel. A local, unprivileged user could use this flaw to cause a
denial of service.

* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.

* CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause a
denial of service (kernel panic).

* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping routine
which allows local users to bypass the mmap_min_addr security restriction.
Combined with an otherwise low severity local denial of service vulnerability
(NULL pointer dereference), a local user could obtain elevated privileges.

* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem. A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.

* CVE-2011-0006: Unhandled error condition when adding security rules.

When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default
security rules to be disabled.

* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.

The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.

* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.

* CVE-2011-0716: Memory corruption in IGMP bridge snooping.

IGMP packets sent on a bridged interface could cause corruption in 512-byte
slabs, most commonly leading to crashes in jbd2.

* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.

The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
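Most of the information leaks in this update (CVE-2010-4074, CVE-2010-3298, CVE-2010-3296, CVE-2010-3297, CVE-2010-4078, CVE-2010-3078, CVE-2010-4080 and CVE-2010-4081) share one root cause: an ioctl handler declares a result struct on the kernel stack, fills in the fields it cares about, and copies the whole struct to user space, so any untouched member, unused tail of a name buffer, or padding carries bytes left behind by earlier kernel code. The following is an added example written for this post, not Ksplice's or the kernel's code. It simulates the pattern in user space: `struct master_cfg`, the 0xAA stale-byte marker, `poison_frame()` and `copy_to_user_sim()` are all constructed stand-ins (the struct is shaped loosely after the eql master_config_t and serial_icounter_struct cases, with a name, two counters and a reserved tail), and the "user" buffer is an ordinary local so the leaked bytes can be counted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a driver's ioctl result struct. All members are
 * int-aligned, so the struct is exactly 16 + 4 + 4 + 16 = 40 bytes with no
 * padding; the "reserved" tail and the unused part of the name are the
 * bytes a careless handler never writes. */
struct master_cfg {
    char master_name[16];
    int max_slaves;
    int min_slaves;
    int reserved[4];
};

#define STALE_BYTE 0xAA   /* marker for bytes left behind by an earlier call */

/* Pre-fill the simulated stack frame as if a previous syscall had used it. */
static void poison_frame(struct master_cfg *frame)
{
    memset(frame, STALE_BYTE, sizeof *frame);
}

/* Stand-in for copy_to_user(): a plain memcpy into the caller's buffer. */
static void copy_to_user_sim(void *user, const void *kern, size_t n)
{
    memcpy(user, kern, n);
}

/* Vulnerable pattern: assign the interesting fields, then copy the whole
 * struct out. The tail of master_name and all of reserved[] still hold
 * whatever the stack held before this call. */
void get_master_cfg_vulnerable(struct master_cfg *frame, struct master_cfg *user)
{
    memcpy(frame->master_name, "eth0", 5);  /* 5 bytes incl. NUL; 11 stale bytes remain */
    frame->max_slaves = 8;
    frame->min_slaves = 1;
    copy_to_user_sim(user, frame, sizeof *frame);
}

/* Hardened pattern: zero the entire struct before filling it (a memset or a
 * zero initializer), so every byte that reaches user space was written on
 * purpose. This is the shape of the upstream fixes for these CVEs. */
void get_master_cfg_fixed(struct master_cfg *frame, struct master_cfg *user)
{
    memset(frame, 0, sizeof *frame);
    memcpy(frame->master_name, "eth0", 5);
    frame->max_slaves = 8;
    frame->min_slaves = 1;
    copy_to_user_sim(user, frame, sizeof *frame);
}

/* Count bytes in the user copy that still carry the stale marker. */
size_t stale_bytes(const struct master_cfg *user)
{
    const unsigned char *p = (const unsigned char *)user;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *user; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Run one handler on a poisoned frame and report how many stale bytes
 * reached the user buffer. */
size_t leaked_by(void (*handler)(struct master_cfg *, struct master_cfg *))
{
    struct master_cfg frame, user;
    memset(&user, 0, sizeof user);
    poison_frame(&frame);
    handler(&frame, &user);
    return stale_bytes(&user);
}

int main(void)
{
    printf("vulnerable handler leaks %zu stale bytes\n",
           leaked_by(get_master_cfg_vulnerable));
    printf("fixed handler leaks %zu stale bytes\n",
           leaked_by(get_master_cfg_fixed));
    return 0;
}
```

The vulnerable handler leaks 27 of the 40 bytes (11 unused name bytes plus the 16-byte reserved tail) and the fixed one leaks none. In a real driver the same check is not available, which is why the defensive rule is to zero the whole struct up front rather than to audit each member; on a running kernel the practical mitigation is to apply the update above.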
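A second family in this update is user-controlled counts and sizes that are checked on one side only: the negative digis count in rose (CVE-2010-3310), the negative info->num in av7110 (CVE-2011-0521), the large cmd.ne in InfiniBand uverbs (CVE-2010-4649) and the TCP_MAXSEG value that reaches a division in tcp_select_initial_window (CVE-2010-4165). The following is an added example, not code from Ksplice or the kernel, showing the vulnerable one-sided check beside the hardened one and what a negative `int` becomes once it is used as a `size_t` length. `MAX_DIGIS`, `MIN_MSS`, `MAX_MSS` and `struct digi_entry` are constructed for the example and are not the kernel's constants or types.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed limits for this example (not the kernel's constants). */
#define MAX_DIGIS 6        /* upper bound on a digipeater list */
#define MIN_MSS   88       /* smallest segment size we accept as a divisor */
#define MAX_MSS   65535

/* Constructed stand-in for the per-entry structure a count multiplies. */
struct digi_entry { unsigned char addr[7]; unsigned char pad; };  /* 8 bytes */

/* Vulnerable check: only the upper bound is tested, so a negative count
 * from user space passes and is later used as an index, loop bound or
 * allocation size. */
bool digis_ok_vulnerable(int ndigis)
{
    return ndigis <= MAX_DIGIS;
}

/* Hardened check: reject both directions before the count is used. Using an
 * unsigned type for the count is the other common fix; either way the test
 * must happen before any arithmetic on the value. */
bool digis_ok_fixed(int ndigis)
{
    return ndigis >= 0 && ndigis <= MAX_DIGIS;
}

/* What the count becomes in size_t arithmetic: a negative int converts to a
 * value near SIZE_MAX, which is the length that then drives a memcpy or an
 * allocation and corrupts heap memory. */
size_t bytes_for_digis(int ndigis)
{
    return (size_t)ndigis * sizeof(struct digi_entry);
}

/* Hardened setsockopt-style path for a value later used as a divisor:
 * validate it at the boundary and refuse to store anything out of range.
 * Returns 0 on success, -1 (EINVAL in the kernel) otherwise. */
int set_mss_fixed(int mss, int *stored)
{
    if (mss < MIN_MSS || mss > MAX_MSS)
        return -1;
    *stored = mss;
    return 0;
}

/* Window computation that only ever sees a validated divisor. */
unsigned int segments_in_window(unsigned int window_bytes, int validated_mss)
{
    return window_bytes / (unsigned int)validated_mss;
}

int main(void)
{
    int mss = 0;
    printf("ndigis=-1: vulnerable check %s, fixed check %s, would size %zu bytes\n",
           digis_ok_vulnerable(-1) ? "accepts" : "rejects",
           digis_ok_fixed(-1) ? "accepts" : "rejects",
           bytes_for_digis(-1));
    printf("TCP_MAXSEG=0: set_mss_fixed returns %d\n", set_mss_fixed(0, &mss));
    if (set_mss_fixed(536, &mss) == 0)
        printf("65536-byte window holds %u segments of %d bytes\n",
               segments_in_window(65536, mss), mss);
    return 0;
}
```

The point of `bytes_for_digis()` is that the dangerous value never looks negative by the time it matters: `-1` becomes a length of roughly SIZE_MAX, which is why these bugs are reported as heap corruption rather than as an obviously bad index. The MSS path shows the same discipline for a divisor, where the failure is a kernel oops instead.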