[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2010-18493)

Tim Abbott tabbott at ksplice.com
Mon Dec 6 21:15:52 PST 2010


Synopsis: FEDORA-2010-18493 can now be patched using Ksplice
CVEs: CVE-2010-2240 CVE-2010-3310 CVE-2010-3442 CVE-2010-3880 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4076 CVE-2010-4077 CVE-2010-4080 CVE-2010-4081 CVE-2010-4157 CVE-2010-4248

Systems running Fedora 14 can now use Ksplice to patch against the latest 
Fedora security update, FEDORA-2010-18493.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 14 users install these 
updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct by 
performing arithmetic operations on a user-provided size without checking 
for integer overflow.  This allows an unprivileged user to write an 
arbitrary value repeatedly past the bounds of this chunk, resulting in 
heap corruption.
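The overflow-checked allocation pattern that fixes this class of bug, shown as an added userspace example that is not ALSA's code: the header struct, ELEM_SIZE and the function names are constructed for illustration, and the checked variant relies on the GCC/Clang __builtin_*_overflow helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the allocation pattern described for snd_ctl_new():
 * a fixed header followed by a caller-chosen number of fixed-size
 * elements. The names and sizes are constructed for this example; this is
 * not ALSA's code. */
struct kctl_header {
    uint32_t id;
    uint32_t count;     /* number of trailing elements */
};
#define ELEM_SIZE ((size_t)16)   /* bytes per trailing element (constructed) */

/* Unchecked arithmetic: count * ELEM_SIZE can wrap around size_t, so the
 * result can be far smaller than the space later writes will cover. */
size_t naive_alloc_size(size_t count)
{
    return sizeof(struct kctl_header) + count * ELEM_SIZE;
}

/* Checked arithmetic: returns the total size, or 0 if the multiply or the
 * add would overflow. 0 is a safe sentinel because the header alone is
 * never 0 bytes. */
size_t checked_alloc_size(size_t count)
{
    size_t body, total;
    if (__builtin_mul_overflow(count, ELEM_SIZE, &body))
        return 0;
    if (__builtin_add_overflow(sizeof(struct kctl_header), body, &total))
        return 0;
    return total;
}

/* Allocator that refuses an overflowing request instead of handing back an
 * undersized chunk that the element writes would then run past. */
struct kctl_header *kctl_new(size_t count)
{
    size_t total = checked_alloc_size(count);
    if (total == 0 || count > UINT32_MAX)   /* count must also fit the header field */
        return NULL;
    struct kctl_header *k = calloc(1, total);
    if (k)
        k->count = (uint32_t)count;
    return k;
}

int main(void)
{
    /* For this count, count * ELEM_SIZE is exactly 2^(bits of size_t) and wraps to 0. */
    size_t huge = SIZE_MAX / ELEM_SIZE + 1;
    printf("naive size for huge count:   %zu (wrapped to header size)\n", naive_alloc_size(huge));
    printf("checked size for huge count: %zu (rejected)\n", checked_alloc_size(huge));
    printf("checked size for 4 elements: %zu\n", checked_alloc_size(4));
    struct kctl_header *k = kctl_new(huge);
    printf("kctl_new(huge) returned %s\n", k ? "a buffer" : "NULL");
    free(k);
    return 0;
}
```

The naive computation silently returns just the header size for the wrapped count, which is exactly the undersized chunk that subsequent writes past the end would corrupt; the checked version makes the request fail instead.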


* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.

The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO 
ioctls in hdspm.c and hdsp.c allow unprivileged users to read 
uninitialized kernel stack memory, because several fields of the 
hdsp{m}_config_info structs declared on the stack are not altered or 
zeroed before being copied back to the user.


* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local users to 
cause a denial of service (heap memory corruption) or possibly have 
unspecified other impact by calling rose_bind or rose_connect with a 
negative destination digis count.


* Fix mlock regression introduced by CVE-2010-2240 fix.

The upstream patch for CVE-2010-2240 introduced a possible kernel crash 
when privileged applications use mlock on portions of the kernel stack.


* Fix use after free bug in mac80211 subsystem.


* Out of bounds copy in ocfs2 fast symlink handling.

The ocfs2 fast symlink code used strlen() to compute how many bytes of the 
fast symlink data in the inode data area to copy.  An attacker who could 
cause the system to mount a malicious filesystem image could use this 
vulnerability to copy too much data by providing a fast symlink data 
string that is not NUL-terminated.
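The bounded-length pattern that addresses this, as an added userspace example that is not ocfs2's code: INODE_DATA_SIZE, the sample data areas and the function names are constructed here, and the length scan is capped at the size of the on-disk area rather than trusting the bytes to contain a terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of fast-symlink handling: the link target lives inline
 * in a fixed-size inode data area and, on a crafted image, need not be
 * NUL-terminated. The size and samples are constructed; this is not
 * ocfs2's code. */
#define INODE_DATA_SIZE 64

/* Constructed data area as read from a well-formed image: "target" followed by zeros. */
static const char sample_terminated[INODE_DATA_SIZE] = "target";

/* Constructed data area with no NUL anywhere in it, as a crafted image could supply. */
const char *unterminated_area(void)
{
    static char area[INODE_DATA_SIZE];
    memset(area, 'x', sizeof area);     /* every byte is non-NUL */
    return area;
}

/* Vulnerable shape: strlen() trusts the on-disk bytes to contain a NUL and
 * keeps scanning past the data area when they do not. Only safe on
 * terminated input. */
size_t naive_symlink_len(const char *area)
{
    return strlen(area);
}

/* Fixed shape: the scan stops at the end of the data area whether or not a
 * NUL is present, so it never leaves the inode. */
size_t bounded_symlink_len(const char *area, size_t area_size)
{
    size_t len = 0;
    while (len < area_size && area[len] != '\0')
        len++;
    return len;
}

/* Copies the link target into dst, NUL-terminated. Returns the number of
 * bytes copied, or -1 if the (bounded) target would not fit in dst. */
int read_fast_symlink(const char *area, size_t area_size, char *dst, size_t dst_size)
{
    size_t len = bounded_symlink_len(area, area_size);
    if (len >= dst_size)
        return -1;
    memcpy(dst, area, len);
    dst[len] = '\0';
    return (int)len;
}

/* Scratch output buffer, large enough for any target plus a NUL. */
char demo_out[INODE_DATA_SIZE + 1];

int main(void)
{
    int n = read_fast_symlink(sample_terminated, INODE_DATA_SIZE, demo_out, sizeof demo_out);
    printf("terminated target: %d bytes -> \"%s\" (strlen agrees: %zu)\n",
           n, demo_out, naive_symlink_len(sample_terminated));
    n = read_fast_symlink(unterminated_area(), INODE_DATA_SIZE, demo_out, sizeof demo_out);
    printf("unterminated target: %d bytes copied (capped at the data area)\n", n);
    n = read_fast_symlink(unterminated_area(), INODE_DATA_SIZE, demo_out, 8);
    printf("unterminated target into 8-byte buffer: %d (rejected)\n", n);
    return 0;
}
```

On the unterminated area the bounded scan returns INODE_DATA_SIZE and the copy is capped there; the strlen() variant would keep reading whatever follows the inode data in memory, which is the over-copy the advisory describes.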


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an 
incorrect buffer size, leading to memory corruption.


* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* CVE-2010-4072: Kernel information leak in ipc shm subsystem.

Several functions in the System V IPC shared memory subsystem did not 
properly clear fields before copying data to user space, leaking data from 
uninitialized kernel stack memory to user space.


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the bytecode 
contained in a netlink message, making it possible for a user to cause the 
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make 
the kernel enter an infinite loop, and possibly other consequences.


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows 
local users to cause a denial of service via vectors related to 
multithreaded exec, the use of a thread group leader in 
kernel/posix-cpu-timers.c, and the selection of a new thread group leader 
in the de_thread function in fs/exec.c.


* CVE-2010-4076: Kernel information leak in amiserial driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.


* CVE-2010-4075: Kernel information leak in serial subsystem.

The TIOCGICOUNT device ioctl allows unprivileged users to read 
uninitialized stack memory, because the "reserved" member of the 
serial_icounter_struct struct declared on the stack is not altered or 
zeroed before being copied back to the user.
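The three TIOCGICOUNT entries above, the hdsp/hdspm config-info leaks and the IPC leaks all share one root cause: a struct declared on the kernel stack is only partially filled before the whole object is copied to user space. The following added userspace example (not any driver's code) shows the leaky shape beside the fixed one; the struct layout mirrors the kernel's serial_icounter_struct, while the port state, the copy_to_user() stand-in and the audit helper are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the TIOCGICOUNT pattern described above. The layout
 * mirrors the kernel's serial_icounter_struct (eleven int counters plus
 * int reserved[9]); everything else here is constructed for the example. */
struct icounter {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int frame, overrun, parity, brk;
    int buf_overrun;
    int reserved[9];
};

/* Counters a driver would read from its hardware (constructed). */
struct port_state {
    int rx, tx, frame, overrun, parity, brk;
};

/* Stand-in for copy_to_user(): every byte of the object reaches the caller. */
static void copy_to_caller(struct icounter *user_buf, const struct icounter *obj)
{
    memcpy(user_buf, obj, sizeof *obj);
}

/* Vulnerable shape: the tracked counters are filled in, but reserved[] and
 * the counters this driver does not track keep whatever an earlier call
 * left in that stack slot, and the whole object is copied out. */
void get_icount_leaky(const struct port_state *p, struct icounter *user_buf)
{
    struct icounter ic;                 /* never zeroed */
    ic.rx = p->rx;  ic.tx = p->tx;
    ic.frame = p->frame;  ic.overrun = p->overrun;
    ic.parity = p->parity;  ic.brk = p->brk;
    copy_to_caller(user_buf, &ic);
}

/* Fixed shape: zero the whole object before filling the fields the driver
 * knows, so untouched fields cannot carry stale kernel stack contents. */
void get_icount_fixed(const struct port_state *p, struct icounter *user_buf)
{
    struct icounter ic;
    memset(&ic, 0, sizeof ic);
    ic.rx = p->rx;  ic.tx = p->tx;
    ic.frame = p->frame;  ic.overrun = p->overrun;
    ic.parity = p->parity;  ic.brk = p->brk;
    copy_to_caller(user_buf, &ic);
}

/* Caller-side audit helper: counts nonzero bytes in the reserved[] region.
 * A correct handler yields 0; anything else is data the caller should
 * never have been shown. */
size_t nonzero_reserved_bytes(const struct icounter *user_buf)
{
    const unsigned char *b = (const unsigned char *)user_buf->reserved;
    size_t n = 0;
    for (size_t i = 0; i < sizeof user_buf->reserved; i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* Constructed port and caller-side buffer. */
struct port_state demo_port = { .rx = 1234, .tx = 567, .frame = 1, .overrun = 0, .parity = 2, .brk = 0 };
struct icounter demo_user_buf;

/* Runs the fixed handler into demo_user_buf and reports how many reserved bytes leaked. */
size_t run_fixed_handler(void)
{
    get_icount_fixed(&demo_port, &demo_user_buf);
    return nonzero_reserved_bytes(&demo_user_buf);
}

int main(void)
{
    size_t leaked = run_fixed_handler();
    printf("fixed handler: rx=%d tx=%d cts=%d, nonzero reserved bytes=%zu\n",
           demo_user_buf.rx, demo_user_buf.tx, demo_user_buf.cts, leaked);
    return 0;
}
```

The leaky variant is kept only for comparison and is not exercised: the bytes it would copy out are indeterminate, which is precisely why the fix is to clear the object (or use a zero initializer) before touching any field, rather than to remember every field that needs setting.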


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


