[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-11103)

Tim Abbott tabbott at ksplice.com
Wed Aug 24 21:01:28 PDT 2011


Synopsis: FEDORA-2011-11103 can now be patched using Ksplice
CVEs: CVE-2010-2478 CVE-2011-1017 CVE-2011-1090 CVE-2011-1163 CVE-2011-1577 CVE-2011-1748 CVE-2011-2182 CVE-2011-2213 CVE-2011-2484 CVE-2011-2495 CVE-2011-2497 CVE-2011-2517 CVE-2011-2699 CVE-2011-2707 CVE-2011-2909

Systems running Fedora 14 can now use Ksplice to patch against the latest 
Fedora security update, FEDORA-2011-11103.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 14 install these 
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* NULL pointer dereference in the USB subsystem.

tty_port_tty_get can return NULL, and usb_wwan_indat_callback dereferenced 
its result without checking it, causing a kernel OOPS.


* Heap corruption bug in pmcraid driver.

The pmcraid driver had a bug that allowed a privileged user to cause heap 
corruption and other issues.


* Filesystem hang in btrfs.

Unprivileged users could trigger a filesystem rebalancing, which affects 
the entire filesystem and may run uninterruptibly for a long time.


* CVE-2010-2478: buffer overflow in the niu network driver's ethtool handler.

The niu_get_ethtool_tcam_all function, reached through the ethtool 
diagnostic interface, did not check the size of its output buffer, allowing 
a local denial of service.


* CVE-2011-1748: NULL pointer dereference vulnerability in the CAN protocol.

A missing check in the can/raw socket release function let a NULL socket 
pointer reach the code that dereferences it, so a release request issued 
from userspace could trigger a NULL pointer dereference.


* NULL pointer dereference in SCSI subsystem.

A missing NULL pointer check on q->queuedata in scsi_run_queue could cause 
a kernel OOPS.


* Integer underflow in the CIFS subsystem.

While decoding the string area of a SESSION_SETUP response, the count of 
bytes remaining to be decoded was decremented without first checking that 
enough bytes were left, so it could underflow.


* Buffer overflow in the CIFS subsystem.

A missing length check in password processing allowed a buffer overflow.


* Missing validation of user-supplied data in the megaraid_sas driver.

The user-supplied ioc->sgl[i].iov_len was not validated before being 
passed to dma_alloc_coherent, allowing a kernel OOPS.


* ext3 filesystem corruption when no space is left on the device.

When make_indexed_dir failed because the device had no space left, not all 
of the modified buffers were marked dirty, so they were never written to 
disk and the directory was left corrupted.


* CVE-2011-2182: Incomplete fix for CVE-2011-1017 buffer overflow in ldm_frag_add.

The patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) did not 
handle some edge cases allowing for buffer overflows in the ldm_frag_add 
function of the Windows Logical Disk Manager.


* CVE-2011-2517: buffer overflow in the nl80211 interface.

Incorrect SSID length checks in the trigger_scan and sched_scan operations 
of the nl80211 interface allowed a buffer overflow when copying an overlong 
SSID supplied in a scan or scheduled-scan request.


* CVE-2011-2213: INET_DIAG bytecode injection and denial of service in the ipv4 subsystem.

Insufficient validation in inet_diag_bc_audit allowed a malicious local user 
to supply malformed INET_DIAG filter bytecode or trigger an infinite loop 
in the kernel.


* CVE-2011-2495: Information leak in /proc/PID/io.

/proc/PID/io had no access restrictions, so any local user could read 
another process's I/O counters and use them to infer private information.


* CVE-2011-2707: Arbitrary read vulnerability in ptrace.

A missing access control check in the ptrace_setxregs function on the 
xtensa architecture allowed an unprivileged user to read arbitrary kernel 
memory.


* System freeze in JMicron driver.

A missing dma_unmap in the JMicron ethernet device driver caused system 
freezes under heavy loads.


* TKIP replay vulnerability in the mac80211 driver.

The mac80211 TKIP replay protection did not cover the case where an 
attacker captured a QoS packet with TID 0 and replayed it as a non-QoS 
packet.


* CVE-2011-2909: Information leak in comedi driver.

The do_devinfo_ioctl function in the comedi driver incorrectly copied 
uninitialized memory beyond the end of a string to user space.
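
The comedi bug above is the classic fixed-length copy out of a shorter string: the bytes after the terminator, whatever happened to follow it in kernel memory, ride along into the struct returned to user space. The following is an added userspace model of that pattern and its fix, not comedi's own code; the struct layout, the 20-byte name field, the "ni_pcimio" sample name and the 0x41 filler standing in for adjacent kernel memory are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not comedi code: a userspace model of an ioctl handler that
 * fills a fixed-size info struct destined for user space. The struct layout,
 * field size and sample driver name are illustrative assumptions. */

#define NAMELEN 20            /* assumed fixed size of the name field */

struct devinfo {
    uint32_t version_code;
    char     driver_name[NAMELEN];
};

/* strnlen without relying on a POSIX declaration. */
static size_t bounded_strlen(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable: a fixed-length memcpy from a string that is shorter than
 * NAMELEN. The bytes after the terminator, whatever happened to follow the
 * string in kernel memory, are copied into the struct and handed to user
 * space with it. */
void vulnerable_devinfo(struct devinfo *out, const char *driver_mem)
{
    out->version_code = 0x00070000u;
    memcpy(out->driver_name, driver_mem, NAMELEN);
}

/* Hardened: zero the whole struct first, then copy only the string itself.
 * The terminator and the padding that reach user space are known zeros. */
void hardened_devinfo(struct devinfo *out, const char *driver_name)
{
    memset(out, 0, sizeof *out);
    out->version_code = 0x00070000u;
    size_t n = bounded_strlen(driver_name, NAMELEN - 1);
    memcpy(out->driver_name, driver_name, n);
}

/* Counts non-zero bytes after the string terminator: anything above zero is
 * data that should never have left the kernel. */
size_t leaked_bytes(const char *field, size_t len)
{
    size_t n = bounded_strlen(field, len);
    size_t leaked = 0;
    for (size_t i = n + 1; i < len; i++)
        if (field[i] != '\0')
            leaked++;
    return leaked;
}

/* Constructed stand-in for kernel memory: a NAMELEN-byte region whose first
 * bytes hold the short string "ni_pcimio" and whose remaining bytes hold
 * other data (0x41), playing the role of whatever follows the string in a
 * real kernel. */
void build_constructed_driver_mem(char mem[NAMELEN])
{
    memset(mem, 0x41, NAMELEN);
    memcpy(mem, "ni_pcimio", sizeof "ni_pcimio");   /* 9 characters plus NUL */
}

/* Runs one variant over the constructed memory and returns how many bytes
 * beyond the string it would have leaked to user space. */
size_t demo_leak(int hardened)
{
    char mem[NAMELEN];
    struct devinfo info;

    build_constructed_driver_mem(mem);
    if (hardened)
        hardened_devinfo(&info, mem);
    else
        vulnerable_devinfo(&info, mem);
    return leaked_bytes(info.driver_name, NAMELEN);
}
```

With the constructed 20-byte region, demo_leak(0) reports 10 leaked bytes (everything after "ni_pcimio" and its terminator) and demo_leak(1) reports none. The memset before filling the struct is the important part: it also covers any struct padding, which a field-by-field copy would otherwise leave uninitialised.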


* CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.

A small user-provided value in the command length field of an L2CAP 
configuration request header could cause a buffer overflow, because the 
fixed request header size was subtracted from it without checking that the 
length was large enough.
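
The L2CAP entry above, the nl80211 SSID overflow (CVE-2011-2517) and the CIFS remaining-byte underflow are all the same mistake seen from different sides: a length taken from the peer or from userspace is used in arithmetic or a copy before it is bounded from below (underflow) and from above (overflow). The following is an added userspace model, not kernel code, of an L2CAP configuration request parser in its vulnerable and hardened forms; the header layouts, the 64-byte per-channel buffer, the error code and the packet bytes are all constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not kernel code: a userspace model of parsing an L2CAP
 * configuration request. The struct layouts, buffer size and error code
 * below are simplified assumptions chosen for illustration. */

#define EPROTO_ERR    (-71)   /* stands in for -EPROTO */
#define CONF_BUF_SIZE 64      /* assumed size of the per-channel conf_req buffer */

struct cmd_hdr {              /* assumed 4-byte command header */
    uint8_t  code;
    uint8_t  ident;
    uint16_t len;             /* little-endian length of the command payload */
};

struct conf_req {             /* assumed 4-byte configuration request header */
    uint16_t dcid;
    uint16_t flags;           /* followed by variable-length options */
};

struct channel {
    uint8_t conf_req[CONF_BUF_SIZE];
    size_t  conf_len;         /* option bytes accumulated so far */
};

/* Vulnerable arithmetic: the option length is derived from the untrusted
 * command length without checking that it covers the fixed request header,
 * so a command length below sizeof(struct conf_req) wraps to a huge value.
 * (Unsigned wrap is well defined; this function only computes, never copies.) */
size_t vulnerable_option_len(uint16_t cmd_len)
{
    return (size_t)cmd_len - sizeof(struct conf_req);
}

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Hardened parser: the untrusted length is checked three ways before any
 * copy: it must lie within the received packet, it must cover the request
 * header (no underflow), and the options must fit the remaining buffer space
 * (the same upper-bound check that was missing for the nl80211 SSID). */
int hardened_config_req(struct channel *ch, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < sizeof(struct cmd_hdr))
        return EPROTO_ERR;
    uint16_t cmd_len = read_le16(pkt + 2);
    const uint8_t *payload = pkt + sizeof(struct cmd_hdr);

    if (cmd_len > pkt_len - sizeof(struct cmd_hdr))  /* claims bytes not received */
        return EPROTO_ERR;
    if (cmd_len < sizeof(struct conf_req))           /* would underflow */
        return EPROTO_ERR;
    size_t opt_len = cmd_len - sizeof(struct conf_req);
    if (opt_len > CONF_BUF_SIZE - ch->conf_len)       /* would overflow conf_req */
        return EPROTO_ERR;

    memcpy(ch->conf_req + ch->conf_len, payload + sizeof(struct conf_req), opt_len);
    ch->conf_len += opt_len;
    return (int)opt_len;
}

/* Builds a well-formed request whose options exceed the channel buffer and
 * feeds it to the hardened parser; returns the parser's result. */
int demo_oversized_options(void)
{
    uint8_t pkt[sizeof(struct cmd_hdr) + sizeof(struct conf_req) + CONF_BUF_SIZE + 1];
    struct channel ch;
    uint16_t cmd_len = sizeof(struct conf_req) + CONF_BUF_SIZE + 1;

    memset(&ch, 0, sizeof ch);
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x04;                   /* L2CAP_CONF_REQ */
    pkt[1] = 0x01;                   /* ident */
    pkt[2] = (uint8_t)(cmd_len & 0xFF);
    pkt[3] = (uint8_t)(cmd_len >> 8);
    return hardened_config_req(&ch, pkt, sizeof pkt);
}
```

A constructed request with command length 2 shows the vulnerable computation wrapping to a length far above 0xFFFF, which is what a subsequent memcpy would have used; the hardened parser rejects that packet, a packet whose length claims more bytes than were received, and a packet whose options would not fit the channel buffer, and only copies when all three checks pass. The order matters: the packet-bounds check comes first so that the later reads of the request header never run past the received data.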


* CVE-2011-2699: Predictable ipv6 fragment identification numbers.

IPv6 fragment identification numbers were drawn from a single global 
counter, so they were highly predictable, which exposed the host to a 
denial of service attack.
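
To make the predictability concrete, here is an added userspace model (not kernel code) of the two designs: one global counter, where anyone who has seen one fragment from the host can name the ID its next fragment to any destination will carry, and per-destination counters that start at a random value, so observing traffic to one destination says nothing about the IDs used towards another. The peer table, the xorshift generator and its fixed seed are illustrative assumptions; a real implementation must seed per-destination state from a cryptographically strong source.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not kernel code: a userspace model of how IPv6 fragment
 * identification numbers were chosen before and after the fix. The peer
 * structure, the PRNG and its seed are illustrative assumptions. */

/* Before: one global counter shared by every destination. Anyone who sees
 * a fragment from this host knows the ID the next fragment, to anyone, will
 * carry. */
static uint32_t global_frag_id = 1000;   /* arbitrary starting value */

uint32_t global_next_frag_id(void)
{
    return global_frag_id++;
}

/* A tiny xorshift PRNG standing in for the kernel's random number source.
 * Seeded with a constant here so the example is reproducible; this is NOT
 * an acceptable source of randomness in a real implementation. */
static uint32_t rng_state = 0x9E3779B9u;  /* illustrative fixed seed */

static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    rng_state = x;
    return x;
}

/* After: per-destination state. Each peer gets its own counter with a
 * random starting point, so observing fragments sent to one destination
 * reveals nothing about the IDs used towards another. */
struct peer {
    uint32_t frag_id;
    int      initialised;
};

uint32_t peer_next_frag_id(struct peer *p)
{
    if (!p->initialised) {
        p->frag_id = rng_next();
        p->initialised = 1;
    }
    return p->frag_id++;
}

/* The attacker's model: having observed one ID, guess the next one. */
uint32_t predict_next(uint32_t observed)
{
    return observed + 1;
}

/* Returns 1 if a prediction made from a fragment sent to peer A matches the
 * next ID sent to peer B, 0 otherwise. With the global counter this would
 * always be 1; with per-peer counters it is 0 (barring a 2^-32 collision). */
int cross_peer_prediction_succeeds(struct peer *a, struct peer *b)
{
    uint32_t seen = peer_next_frag_id(a);
    return predict_next(seen) == peer_next_frag_id(b);
}
```

Within a single destination the IDs are still sequential, which is fine: the property that matters is that an attacker cannot predict the IDs used towards a victim from fragments the attacker can see, and with per-destination state that requires observing the victim's own traffic.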


* CVE-2011-1017: kernel OOPS caused by corrupted LDM partition table.

Missing validation in the LDM subsystem could cause a kernel OOPS on 
certain corrupted LDM partitions.


* CVE-2011-1090: local denial of service attack in the NFS subsystem.

The __nfs4_proc_set_acl function leaked the memory it allocated to hold 
NFSv4 ACL data, allowing a local denial of service attack via crafted 
attempts to set an ACL.


* CVE-2011-1163: Information leak via corrupted OSF partition table.

The osf_partition function in fs/partitions/osf.c did not properly handle 
an invalid number of partitions, allowing a local information leak of 
potentially sensitive data.


* CVE-2011-1577: kernel OOPS caused by corrupted GUID partition tables.

A heap-based buffer overflow in the is_gpt_valid function of the EFI 
partition logic allowed a local denial of service attack via a crafted 
size of the EFI GUID partition-table header on removable media.


* CVE-2011-2484: denial of service attack in the taskstats interface.

The add_del_listener function in kernel/taskstats.c did not prevent a 
process from registering as an exit-handler listener more than once, 
allowing a local denial of service attack via a crafted application that 
registers repeatedly.
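
The taskstats bug is a resource-exhaustion pattern rather than memory corruption: a registration path that appends to a kernel list on every request without checking whether the requester is already present lets an unprivileged loop grow kernel memory without bound. The following is an added userspace model of that list and of the duplicate check that bounds it, not the kernel's code; the list layout and the sample pids are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Added example, not kernel code: a userspace model of the listener list
 * that taskstats keeps per CPU, keyed by the registering process's pid. */

struct listener {
    int pid;
    struct listener *next;
};

struct listener_list {
    struct listener *head;
    size_t count;             /* number of nodes, i.e. memory in use */
};

static int push_listener(struct listener_list *l, int pid)
{
    struct listener *n = malloc(sizeof *n);
    if (!n)
        return -1;
    n->pid = pid;
    n->next = l->head;
    l->head = n;
    l->count++;
    return 0;
}

/* Vulnerable: every REGISTER request adds a node, even for a pid that is
 * already on the list, so a process that loops on registration grows the
 * list (and kernel memory use) without bound. */
int vulnerable_register(struct listener_list *l, int pid)
{
    return push_listener(l, pid);
}

/* Hardened: a pid already on the list is left alone, so the list is bounded
 * by the number of distinct registering processes. */
int hardened_register(struct listener_list *l, int pid)
{
    for (struct listener *c = l->head; c; c = c->next)
        if (c->pid == pid)
            return 0;
    return push_listener(l, pid);
}

/* Removes every node for pid and returns how many were removed; with the
 * vulnerable variant this is also how many duplicates piled up. */
size_t deregister(struct listener_list *l, int pid)
{
    size_t removed = 0;
    struct listener **pp = &l->head;
    while (*pp) {
        struct listener *c = *pp;
        if (c->pid == pid) {
            *pp = c->next;
            free(c);
            l->count--;
            removed++;
        } else {
            pp = &c->next;
        }
    }
    return removed;
}

/* Registers pid `rounds` times with one variant and returns the resulting
 * list length; the list is freed before returning. */
size_t demo_registrations(int hardened, int pid, int rounds)
{
    struct listener_list l = { NULL, 0 };
    for (int i = 0; i < rounds; i++) {
        if (hardened)
            hardened_register(&l, pid);
        else
            vulnerable_register(&l, pid);
    }
    size_t n = l.count;
    deregister(&l, pid);
    return n;
}
```

Fifty registrations of the same pid leave fifty nodes behind with the vulnerable variant and one with the hardened one. The duplicate scan is linear in the list length, which is acceptable here because the hardened list is bounded by the number of distinct processes; the point of the check is exactly to keep that bound in place.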

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


