[Ksplice][Fedora-13-Updates] New updates available via Ksplice (FEDORA-2011-2134)

Keegan McAllister keegan at ksplice.com
Wed Mar 9 13:11:48 PST 2011


Synopsis: FEDORA-2011-2134 can now be patched using Ksplice
CVEs: CVE-2010-1173 CVE-2010-3078 CVE-2010-3079 CVE-2010-3296
CVE-2010-3297 CVE-2010-3298 CVE-2010-3310 CVE-2010-3861 CVE-2010-4074
CVE-2010-4078 CVE-2010-4080 CVE-2010-4081 CVE-2010-4163 CVE-2010-4165
CVE-2010-4242 CVE-2010-4346 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650
CVE-2010-4668 CVE-2011-0006 CVE-2011-0521 CVE-2011-0716

Systems running Fedora 13 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-2134.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 13 users install these
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Improved fix to CVE-2010-1173.

The original fix from Fedora to CVE-2010-1173 didn't properly add an append
error cause to the error chunks.


* Improved fix for CVE-2010-3079.

The original fix from Fedora did not eliminate all means by which a local
attacker could cause a denial of service (kernel oops) via the
set_ftrace_filter special file.


* CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory.


* Kernel information leak in rds driver.

A stack information leak vulnerability was found in the rds driver.
An unprivileged attacker could read uninitialized data from a kernel
stack.


* Infinite loop in unix_autobind.

A local user can potentially consume all available UNIX domain socket
names, causing the unix_autobind function to spin forever in the kernel.


* CVE-2010-3298: Information leak in hso_get_count().

The TIOCGICOUNT device ioctl allowed unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in
hso_get_count() was not altered or zeroed before being copied back to
the user.


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to
read 4 bytes of uninitialized stack memory, because the "addr" member
of the ch_reg struct declared on the stack in cxgb_extension_ioctl()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member
of the master_config_t struct declared on the stack in
eql_g_master_cfg() is not altered or zeroed before being copied back
to the user.


* CVE-2010-4078: Information leak in SiS framebuffer driver.

The FBIOGET_VBLANK device ioctl in the sisfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.


* CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.

A flaw was found in the xfs_ioc_fsgetxattr() function in the Linux
kernel XFS file system implementation. A data structure in
xfs_ioc_fsgetxattr() was not initialized properly before being copied
to user-space. A local, unprivileged user could use this flaw to cause
an information leak.


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
ioctls in hdspm.c and hdsp.c allow unprivileged users to read
uninitialized kernel stack memory, because several fields of the
hdsp{m}_config_info structs declared on the stack are not altered or
zeroed before being copied back to the user.
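The ioctl information leaks above (CVE-2010-3298, CVE-2010-3296, CVE-2010-3297,
CVE-2010-4078, CVE-2010-4074, CVE-2010-4080 and CVE-2010-4081) all share one
shape: a struct is declared on the kernel stack, only some of its fields are
filled in, and the whole thing is copied back to user space. The following
user-space C program is an added illustration of that pattern and of the fix;
it is not code from the Ksplice update or from any of the drivers named. The
struct layout, the port_stats type and the 0xA5 sentinel standing in for stale
stack contents are all constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's serial_icounter_struct (the real
 * layout lives in include/linux/serial.h); this is not the driver's code. */
struct icounter {
    int32_t cts, dsr, rng, dcd;
    int32_t rx, tx;
    int32_t frame, overrun, parity, brk;
    int32_t buf_overrun;
    int32_t reserved[9];
};

/* Constructed: the counters a driver actually maintains for a port. */
struct port_stats {
    int32_t rx, tx, frame, overrun, parity, brk;
};

/* Leaky pattern: fill in only the fields the driver tracks and hand the
 * whole struct back. In a kernel ioctl handler "out" is a stack variable,
 * so cts/dsr/rng/dcd/buf_overrun and reserved[] carry whatever an earlier
 * call left there, and copy_to_user() exports it. Returns bytes copied. */
size_t get_count_leaky(const struct port_stats *st, struct icounter *out)
{
    out->rx = st->rx;
    out->tx = st->tx;
    out->frame = st->frame;
    out->overrun = st->overrun;
    out->parity = st->parity;
    out->brk = st->brk;
    return sizeof(*out);
}

/* Hardened pattern, the shape of the fixes for the CVEs above: zero the
 * entire struct (padding and reserved fields included) before filling it. */
size_t get_count_hardened(const struct port_stats *st, struct icounter *out)
{
    memset(out, 0, sizeof(*out));
    out->rx = st->rx;
    out->tx = st->tx;
    out->frame = st->frame;
    out->overrun = st->overrun;
    out->parity = st->parity;
    out->brk = st->brk;
    return sizeof(*out);
}

/* Audit helper: count output bytes that still hold the sentinel the buffer
 * was seeded with, i.e. bytes that would reach user space uninitialized. */
size_t leaked_bytes(const struct icounter *out, uint8_t sentinel)
{
    const uint8_t *p = (const uint8_t *)out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*out); i++)
        if (p[i] == sentinel)
            n++;
    return n;
}

/* Seed the output buffer with a sentinel standing in for stale stack data,
 * run one of the two handlers, and report how many sentinel bytes survive. */
size_t leak_for(int hardened)
{
    struct port_stats st = { 10, 20, 1, 2, 3, 4 };
    struct icounter buf;
    memset(&buf, 0xA5, sizeof(buf));
    if (hardened)
        get_count_hardened(&st, &buf);
    else
        get_count_leaky(&st, &buf);
    return leaked_bytes(&buf, 0xA5);
}

int main(void)
{
    printf("leaky handler leaks %zu of %zu bytes\n",
           leak_for(0), sizeof(struct icounter));
    printf("hardened handler leaks %zu bytes\n", leak_for(1));
    return 0;
}
```

With the constructed 80-byte struct the leaky handler writes 24 bytes and
leaves 56 untouched; the hardened handler leaves none. Zeroing the whole
object rather than assigning the "reserved" members one by one is the
robust choice, because it also covers compiler-inserted padding and any
fields added to the struct later.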


* CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.

The ethtool_get_rxnfc function did not initialize a block of heap memory, which
allowed local users to obtain potentially sensitive information via an
ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value.


* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local
users to cause a denial of service (heap memory corruption) or
possibly have unspecified other impact by calling rose_bind or
rose_connect with a negative destination digis count.


* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART
driver in the Linux kernel.  A local, unprivileged user could use this
flaw to cause a denial of service.


* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.


* CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).


* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.


* CVE-2010-4649: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem.  A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.


* CVE-2011-0006: Unhandled error condition when adding security rules.

When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default security
rules to be disabled.


* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.

The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.


* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.


* CVE-2011-0716: Memory corruption in IGMP bridge snooping.

IGMP packets sent on a bridged interface could cause corruption
in 512-byte slabs, most commonly leading to crashes in jbd2.


* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.

The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.
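Several of the memory-corruption items above are failures to validate a
user-supplied count or length: a negative digis count (CVE-2010-3310), a
negative info->num (CVE-2011-0521), an oversized cmd.ne (CVE-2010-4649) and
an iovec set whose combined length exceeds the maximum request size
(CVE-2010-4650). The following C program is an added illustration of the
checks a handler needs for those inputs; it is not code from the Ksplice
update or from the rose, av7110, InfiniBand or FUSE drivers. MAX_ENTRIES,
MAX_TOTAL_LEN, struct entry and struct iov are constructed stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bounds; the kernel's equivalents would be the driver's
 * maximum entry count and its maximum request size. */
#define MAX_ENTRIES    8
#define MAX_TOTAL_LEN  4096

struct entry {
    uint8_t addr[7];   /* constructed 7-byte record, like an AX.25 address */
};

/* Weak check: only the upper bound is tested, so a negative count is
 * accepted. Returns 0 if accepted, -EINVAL if rejected. */
int count_check_weak(int n)
{
    return n > MAX_ENTRIES ? -EINVAL : 0;
}

/* Hardened check: reject negative counts as well as oversized ones. */
int count_check_strong(int n)
{
    return (n < 0 || n > MAX_ENTRIES) ? -EINVAL : 0;
}

/* What the weak check lets through: once a negative int is used as a size
 * it converts to a huge size_t, and a copy sized by it runs off the end. */
size_t bytes_for_count(int n)
{
    return (size_t)n * sizeof(struct entry);
}

/* Constructed stand-in for an iovec. */
struct iov {
    size_t len;
};

/* Naive total: plain addition can wrap around to a small number, so a
 * bound check applied to this total passes an absurd request. */
size_t naive_iov_total(const struct iov *v, size_t cnt)
{
    size_t sum = 0;
    for (size_t i = 0; i < cnt; i++)
        sum += v[i].len;
    return sum;
}

/* Checked total: test for wraparound before each addition and for the
 * request-size bound after it. Returns 0 on success, -EOVERFLOW on
 * wraparound, -EINVAL if the total exceeds MAX_TOTAL_LEN. */
int sum_iov_len(const struct iov *v, size_t cnt, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < cnt; i++) {
        if (v[i].len > SIZE_MAX - sum)
            return -EOVERFLOW;
        sum += v[i].len;
        if (sum > MAX_TOTAL_LEN)
            return -EINVAL;
    }
    *total = sum;
    return 0;
}

/* Convenience wrappers for a two-element iovec. */
size_t naive_pair(size_t a, size_t b)
{
    struct iov v[2] = { { a }, { b } };
    return naive_iov_total(v, 2);
}

int sum_pair(size_t a, size_t b)
{
    struct iov v[2] = { { a }, { b } };
    size_t total = 0;
    return sum_iov_len(v, 2, &total);
}

int main(void)
{
    printf("weak check accepts -1: %s\n", count_check_weak(-1) == 0 ? "yes" : "no");
    printf("strong check accepts -1: %s\n", count_check_strong(-1) == 0 ? "yes" : "no");
    printf("bytes for count -1: %zu\n", bytes_for_count(-1));
    printf("naive total of {200, SIZE_MAX-100}: %zu\n", naive_pair(200, SIZE_MAX - 100));
    printf("checked total of {200, SIZE_MAX-100}: %d\n", sum_pair(200, SIZE_MAX - 100));
    return 0;
}
```

The iovec case shows why the per-addition overflow test is not redundant
with the bound check: 200 plus SIZE_MAX-100 wraps to 99, which is well under
MAX_TOTAL_LEN, so a handler that only compares the final sum against the
bound accepts the request. Treating counts as signed and checking only one
side of the range is the same mistake in a different form.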


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


