[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2010-18493)
Tim Abbott
tabbott at ksplice.com
Mon Dec 6 21:15:52 PST 2010
Synopsis: FEDORA-2010-18493 can now be patched using Ksplice
CVEs: CVE-2010-2240 CVE-2010-3310 CVE-2010-3442 CVE-2010-3880 CVE-2010-4072 CVE-2010-4073 CVE-2010-4075 CVE-2010-4076 CVE-2010-4077 CVE-2010-4080 CVE-2010-4081 CVE-2010-4157 CVE-2010-4248
Systems running Fedora 14 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2010-18493.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Fedora 14 users install these
updates. You can install these updates by running:
# uptrack-upgrade -y
DESCRIPTION
* CVE-2010-3442: Heap corruption vulnerability in ALSA core.
The snd_ctl_new() function allocates space for a snd_kcontrol struct by
performing arithmetic operations on a user-provided size without checking
for integer overflow. This allows an unprivileged user to write an
arbitrary value repeatedly past the bounds of this chunk, resulting in
heap corruption.
* CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
The SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO and SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
ioctls in hdspm.c and hdsp.c allow unprivileged users to read
uninitialized kernel stack memory, because several fields of the
hdsp{m}_config_info structs declared on the stack are not altered or
zeroed before being copied back to the user.
* CVE-2010-3310: Integer signedness errors in rose driver.
Multiple integer signedness errors in the rose driver allow local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact by calling rose_bind or rose_connect with a
negative destination digis count.
* Fix mlock regression introduced by CVE-2010-2240 fix.
The upstream patch for CVE-2010-2240 introduced a possible kernel crash
when privileged applications use mlock on portions of the kernel stack.
* Fix use after free bug in mac80211 subsystem.
* Out of bounds copy in ocfs2 fast symlink handling.
The ocfs2 fast symlink code used strlen() to compute how many bytes of the
fast symlink data in the inode data area to copy. An attacker who could
cause the system to mount a malicious filesystem image could use this
vulnerability to copy too much data by providing a fast symlink data
string that is not NULL-terminated.
* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.
* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.
* CVE-2010-4072: Kernel information leak in ipc shm subsystem.
Several functions in the System V IPC shared memory subsystem did not
properly clear fields before copying data to user space, leaking data from
uninitialized kernel stack memory to user space.
* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
The INET-DIAG subsystem is inconsistent about how it looks up the bytecode
contained in a netlink message, making it possible for a user to cause the
kernel to execute unaudited INET-DIAG bytecode. This can be abused to make
the kernel enter an infinite loop, and possibly other consequences.
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group leader
in the de_thread function in fs/exec.c.
* CVE-2010-4076: Kernel information leak in amiserial driver.
The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.
* CVE-2010-4077: Kernel information leak in nozomi driver.
The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.
* CVE-2010-4075: Kernel information leak in serial subsystem.
The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack is not altered or
zeroed before being copied back to the user.
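The stack-leak pattern shared by the hdsp, ipc and TIOCGICOUNT items above, as an added example that is not part of this announcement or of the kernel code: a struct is populated in a stack slot that already holds stale data, and only zeroing the whole struct before the copy-out keeps those bytes from reaching user space. The struct icounter layout, its field values and the 0xAA marker are constructed stand-ins for serial_icounter_struct and for real stack contents; memcpy stands in for copy_to_user.

```c
#include <string.h>

/* Constructed stand-in for serial_icounter_struct: a few counters plus a
 * "reserved" tail that the vulnerable handlers never write. */
struct icounter {
    int cts, dsr, rng, dcd;
    int rx, tx;
    int reserved[9];
};

/* Marker byte used to simulate stale data left on the kernel stack by an
 * earlier call (constructed; makes the leak visible and deterministic). */
#define STACK_GARBAGE 0xAA

/* Vulnerable pattern from the advisory: only the known fields are set,
 * then the whole struct is copied to user space, reserved[] included. */
static void fill_icounter_vulnerable(struct icounter *c)
{
    c->cts = 1; c->dsr = 2; c->rng = 3; c->dcd = 4;
    c->rx = 100; c->tx = 200;
    /* reserved[] untouched: stale stack bytes go out with the copy */
}

/* Hardened pattern: zero the entire struct before populating it. */
static void fill_icounter_fixed(struct icounter *c)
{
    memset(c, 0, sizeof(*c));
    c->cts = 1; c->dsr = 2; c->rng = 3; c->dcd = 4;
    c->rx = 100; c->tx = 200;
}

/* Run a handler on a stack slot that already holds stale data, copy the
 * result out (memcpy stands in for copy_to_user) and count how many stale
 * bytes reached the user buffer. */
static size_t leaked_bytes(void (*handler)(struct icounter *))
{
    union { struct icounter c; unsigned char raw[sizeof(struct icounter)]; } slot;
    unsigned char user_buf[sizeof slot.raw];
    size_t i, leaked = 0;

    memset(slot.raw, STACK_GARBAGE, sizeof slot.raw);
    handler(&slot.c);
    memcpy(user_buf, slot.raw, sizeof user_buf);
    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STACK_GARBAGE)
            leaked++;
    return leaked;
}
```

The unfixed handler leaks exactly the size of reserved[] (36 bytes on a 32-bit-int target); the memset version leaks nothing, which is why the upstream fixes for these CVEs zero the struct before copying it out.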
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.