[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-6541)

Anders Kaseorg andersk at ksplice.com
Wed May 11 01:55:26 PDT 2011


Synopsis: FEDORA-2011-6541 can now be patched using Ksplice
CVEs: CVE-2010-3865 CVE-2010-3875 CVE-2010-4529 CVE-2010-4565 CVE-2011-0463 CVE-2011-0711 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1160 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1180 CVE-2011-1478 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1593 CVE-2011-1745 CVE-2011-1746 CVE-2011-2022

Systems running Fedora 14 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-6541.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Fedora 14 users install these
updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-1180: Remote denial of service in IrDA subsystem.

A malicious IrDA peer could cause a kernel stack overflow by providing
invalid length fields for names and attributes, leading to denial of
service.


* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.

A remote host providing crafted FAC_NATIONAL_DIGIS,
FAC_CCITT_DEST_NSAP, or FAC_CCITT_SRC_NSAP fields could cause heap
corruption in the Rose driver, leading to denial of service (kernel
panic).


* Denial of service in mremap.

An integer overflow in the mremap call can be exploited by a local
user to cause a kernel BUG, leading to denial of service.


* CVE-2011-1078: Information leak in Bluetooth SCO link driver.

One byte of the 'struct sco_conninfo' data structure was not
initialized before being copied to userspace, leading to a leak of
potentially sensitive kernel memory.


* CVE-2011-1079: Denial of service in Bluetooth BNEP.

A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.


* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.

The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the
Oracle Cluster File System 2 (OCFS2) did not properly handle holes
that cross page boundaries, which allowed local users to obtain
potentially sensitive information from uninitialized disk locations by
reading a file.


* CVE-2011-1160: Information leak in tpm driver.

A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.


* Buffer overflow in iptables CLUSTERIP target.

The iptables CLUSTERIP target copies a string from userspace without
checking for null termination, leading to a buffer overflow.
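The BNEP entry above and this CLUSTERIP entry are the same bug class: a fixed-size name is copied from userspace and then handled as a C string, although nothing guarantees a terminating NUL inside the copied bytes.  The following C program is an added illustration, not Ksplice's or the kernel's code: the struct, the copy_from_user() stand-in and the 16-byte input are constructed for the demo.  It measures how far a strlen()-style scan travels after an unterminated copy, and what forcing the last byte to NUL, the usual fix for this class, changes.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define IFNAMSIZ 16

/* Hypothetical kernel-side request struct (not the real bnep or CLUSTERIP
 * structures): a fixed-size name followed by another field, so a name with
 * no terminating NUL "runs into" whatever sits behind it. */
struct name_req {
    char     device[IFNAMSIZ];
    uint32_t flags;
};

/* Stand-in for copy_from_user(): a bounded raw copy that, like the real
 * thing, knows nothing about C strings.  Returns 0 on success. */
static int copy_from_user_model(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable pattern: copy IFNAMSIZ bytes and afterwards treat device[]
 * as a C string.  Nothing guarantees a NUL within those 16 bytes. */
int set_name_vulnerable(struct name_req *req, const char *user_buf)
{
    if (copy_from_user_model(req->device, user_buf, IFNAMSIZ))
        return -1;
    return 0;
}

/* Hardened pattern: force termination at the last byte after the copy.
 * A stricter variant would reject the request instead of truncating. */
int set_name_hardened(struct name_req *req, const char *user_buf)
{
    if (copy_from_user_model(req->device, user_buf, IFNAMSIZ))
        return -1;
    req->device[IFNAMSIZ - 1] = '\0';
    return 0;
}

/* How many bytes a strlen()/strcpy() on device[] would walk before finding
 * a NUL, bounded by the struct so the model itself stays memory-safe.
 * Anything above IFNAMSIZ - 1 means the scan left device[]. */
size_t scanned_name_len(const struct name_req *req)
{
    const unsigned char *p = (const unsigned char *)req;  /* device[] is at offset 0 */
    size_t n = 0;
    while (n < sizeof(*req) && p[n] != '\0')
        n++;
    return n;
}

/* Constructed attacker input: exactly IFNAMSIZ non-NUL bytes. */
static void make_unterminated_name(char *buf)
{
    memset(buf, 'A', IFNAMSIZ);
}

size_t demo_vulnerable(void)
{
    struct name_req req;
    char user_buf[IFNAMSIZ];

    make_unterminated_name(user_buf);
    memset(&req, 0x41, sizeof(req));     /* flags = 0x41414141: non-zero bytes right after device[] */
    set_name_vulnerable(&req, user_buf);
    return scanned_name_len(&req);       /* == sizeof(req): the scan ran through flags too */
}

size_t demo_hardened(void)
{
    struct name_req req;
    char user_buf[IFNAMSIZ];

    make_unterminated_name(user_buf);
    memset(&req, 0x41, sizeof(req));
    set_name_hardened(&req, user_buf);
    return scanned_name_len(&req);       /* IFNAMSIZ - 1: stops at the forced NUL */
}

int main(void)
{
    printf("unterminated copy: strlen would scan %zu of %zu struct bytes\n",
           demo_vulnerable(), sizeof(struct name_req));
    printf("forced termination: strlen stops after %zu bytes\n", demo_hardened());
    return 0;
}
```

In the real drivers the bytes behind the name are not a harmless flags word but whatever the kernel placed there, which is why the advisory lists both a crash and an information leak as outcomes.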


* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.

Missing null-termination checks in the netfilter subsystem could cause
a portion of kernel stack memory to be made visible to all processes
on the system within the arguments to a spawned modprobe process.


* CVE-2011-1478: NULL pointer dereference in GRO.

The generic receive offload (GRO) code failed to reset a reused
pointer, leading to a potential NULL pointer dereference.


* Missing boundary checks in squashfs.

Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to
process a corrupted or malicious squashfs image.


* Denial of service in NFS server via reference count leak.

Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service
(kernel panic) or other unspecified impact.
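A reference count that can be driven past its maximum wraps back to a small value, and the next legitimate release then frees an object that other holders still use.  The following C program is an added illustration of that mechanism, not Ksplice's or the kernel's code: the lock structure is hypothetical, and its counter is deliberately 8 bits wide so that the wrap a 32-bit counter reaches only after 2^32 extra references shows up after 256.  The saturating variant is a simplification of what the kernel's refcount_t does (refcount_t pins the counter at a saturation value and warns rather than refusing).

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical lock object (not the real NLM structures). */
struct lock_model {
    uint8_t refs;
    int     freed;      /* set when the "free" path runs */
};

/* Plain counter increment: the pattern behind this bug class. */
void lock_get_plain(struct lock_model *l)
{
    l->refs++;
}

/* Saturating increment: refuse to take a reference the counter cannot
 * represent, so the object can never be freed early.  Returns 0 on
 * success, -1 when refused. */
int lock_get_saturating(struct lock_model *l)
{
    if (l->refs == UINT8_MAX)
        return -1;
    l->refs++;
    return 0;
}

/* Release: frees the object when the last reference goes away. */
int lock_put(struct lock_model *l)
{
    if (--l->refs == 0) {
        l->freed = 1;
        return 1;
    }
    return 0;
}

/* Take `extra_gets` references on top of the owner's one with the plain
 * counter, then have a single holder release.  Returns 1 if the object was
 * freed although extra_gets holders still point at it: the use-after-free
 * the advisory describes.  With 256 extra gets the counter wraps back to 1. */
int freed_with_live_holders_plain(size_t extra_gets)
{
    struct lock_model l = { 1, 0 };
    for (size_t i = 0; i < extra_gets; i++)
        lock_get_plain(&l);
    lock_put(&l);
    return l.freed;
}

/* Same sequence with the saturating get.  Returns the number of refused
 * references, or -1 if the object was freed early (which cannot happen). */
int refused_with_saturating(size_t extra_gets)
{
    struct lock_model l = { 1, 0 };
    int refused = 0;
    for (size_t i = 0; i < extra_gets; i++)
        if (lock_get_saturating(&l) != 0)
            refused++;
    lock_put(&l);
    return l.freed ? -1 : refused;
}

int main(void)
{
    printf("plain counter, 256 extra gets: freed early = %d\n",
           freed_with_live_holders_plain(256));
    printf("saturating counter, 256 extra gets: refused %d, freed early = %d\n",
           refused_with_saturating(256), refused_with_saturating(256) < 0);
    return 0;
}
```

The refused references are the price of the saturating counter: the object leaks instead of being freed under a live holder, which is the intended trade.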


* CVE-2010-4529: Integer underflow in IrDA IRLMP_ENUMDEVICES.

An integer underflow bug was found in the IrDA subsystem.  Local users
may be able to gain access to sensitive kernel memory via a specially
crafted IRLMP_ENUMDEVICES getsockopt call.


* CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.

The bcm_connect function in the Broadcast Manager Controller Area
Network (CAN) implementation created a publicly accessible file with a
filename containing a kernel memory address, which allowed local users
to obtain potentially sensitive information about kernel memory use by
listing this filename.


* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation.  A local, unprivileged
user could use this flaw to cause a denial of service or escalate
their privileges.


* CVE-2011-0711: Information leak in XFS filesystem.

The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.


* Denial of service in UBIFS filesystem via fsync.

Calling fsync on a file in a read-only UBIFS filesystem caused a
kernel oops, leading to denial of service.


* CVE-2011-1593: Missing bounds check in proc filesystem.

A local attacker could exploit a missing bounds check to read kernel
memory or cause a denial of service.


* Improved fix for CVE-2010-3875: Information leak in AX.25 protocol.

The original upstream fix for CVE-2010-3875 passed the wrong size to a
memset call, so that only part of a structure being passed to
userspace was cleared.
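The SCO, TPM and XFS entries above and this AX.25 entry share one mechanism: a structure is filled field by field (or cleared with the wrong size) and then copied to userspace whole, so the bytes the compiler never wrote, padding and trailing holes, carry stale kernel stack contents.  The following C program is an added illustration, not Ksplice's or the kernel's code: the reply structure is hypothetical, chosen so the ABI inserts 5 padding bytes, and the 0xAA "stale stack" pattern is constructed.  It counts how many stale bytes reach the caller under three fill strategies, including a memset() with the wrong size.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical ioctl/getsockopt reply (not the real sco_conninfo, tpm or
 * XFS geometry structures).  Field sizes force padding: 3 bytes after
 * `version`, 2 bytes after `sectsize`, so sizeof == 12 with 5 holes. */
struct reply_model {
    uint8_t  version;
    uint32_t blocksize;
    uint16_t sectsize;
};

#define STALE_BYTE 0xAA   /* stands in for whatever the kernel stack held before */

/* Vulnerable: fill the named fields and copy sizeof(*r) bytes out.
 * The compiler never writes the holes, so they carry stale stack data. */
void fill_vulnerable(struct reply_model *r)
{
    r->version   = 1;
    r->blocksize = 4096;
    r->sectsize  = 512;
}

/* The "improved fix" failure mode: a memset with the wrong size clears
 * only the first bytes, so the trailing padding still leaks.  Here the
 * size is (wrongly) the sum of two field sizes instead of sizeof(*r). */
void fill_partial_memset(struct reply_model *r)
{
    memset(r, 0, sizeof(r->version) + sizeof(r->blocksize));
    r->version   = 1;
    r->blocksize = 4096;
    r->sectsize  = 512;
}

/* Hardened: clear the whole object, padding included, before filling it. */
void fill_hardened(struct reply_model *r)
{
    memset(r, 0, sizeof(*r));
    r->version   = 1;
    r->blocksize = 4096;
    r->sectsize  = 512;
}

/* Model of the copy_to_user() step: the object lives in memory pre-filled
 * with STALE_BYTE (a fresh kernel local inherits the stack the same way),
 * is filled by `fill`, and every byte still showing the stale pattern is a
 * byte the caller would receive from kernel memory never meant for it.
 * Returns that count. */
int leaked_bytes(void (*fill)(struct reply_model *))
{
    union {
        struct reply_model r;
        unsigned char raw[sizeof(struct reply_model)];
    } u;
    int leaked = 0;

    memset(u.raw, STALE_BYTE, sizeof(u.raw));
    fill(&u.r);
    for (size_t i = 0; i < sizeof(u.raw); i++)   /* what copy_to_user() would ship */
        if (u.raw[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("sizeof(struct reply_model) = %zu\n", sizeof(struct reply_model));
    printf("fields only       : %d stale bytes reach userspace\n", leaked_bytes(fill_vulnerable));
    printf("wrong-size memset : %d stale bytes reach userspace\n", leaked_bytes(fill_partial_memset));
    printf("memset(sizeof(*r)): %d stale bytes reach userspace\n", leaked_bytes(fill_hardened));
    return 0;
}
```

The one-byte leak in 'struct sco_conninfo' is this picture with a single padding byte; a memset() of the full object size before the field assignments is the check to look for when reviewing any copy_to_user() of a structure.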


* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.

Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.


* CVE-2011-1746: Buffer overflow in AGP subsystem.

The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
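The AGP entries above and the RDS rdma page-counting entry are the same arithmetic problem: a page count or page range taken from userspace is multiplied or added in unsigned arithmetic, the result wraps, and a size or bounds check is made against the wrapped value.  The following C program is an added illustration, not Ksplice's or the kernel's code: the aperture size and the attacker values are constructed, and the function names are hypothetical.  It shows the wrapped allocation size and the wrapped range check beside checks that never form the overflowing result.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical aperture size in pages (not a value from any real driver). */
#define APERTURE_PAGES 4096UL

/* Vulnerable: the byte count for a page array is computed with plain
 * unsigned arithmetic, so a huge user-supplied page count wraps to a small
 * allocation while the driver later indexes page_count entries. */
size_t page_array_bytes_vulnerable(size_t page_count)
{
    return page_count * sizeof(void *);
}

/* Hardened: reject counts whose product cannot be represented.  This is
 * the check kcalloc() performs for its caller. */
int page_array_bytes_hardened(size_t page_count, size_t *bytes)
{
    if (page_count > SIZE_MAX / sizeof(void *))
        return -1;                        /* -EINVAL/-ENOMEM in kernel terms */
    *bytes = page_count * sizeof(void *);
    return 0;
}

/* Convenience wrapper: the computed size, or 0 when the count is rejected. */
size_t page_array_bytes_checked(size_t page_count)
{
    size_t bytes = 0;
    return page_array_bytes_hardened(page_count, &bytes) ? 0 : bytes;
}

/* Vulnerable range check for a bind-style ioctl: pg_start + pg_count can
 * wrap around, making a huge request look like it fits the aperture. */
int bind_range_vulnerable(size_t pg_start, size_t pg_count)
{
    if (pg_start + pg_count > APERTURE_PAGES)
        return -1;
    return 0;
}

/* Hardened: compare without ever forming the sum. */
int bind_range_hardened(size_t pg_start, size_t pg_count)
{
    if (pg_start > APERTURE_PAGES || pg_count > APERTURE_PAGES - pg_start)
        return -1;
    return 0;
}

int main(void)
{
    size_t huge_count = SIZE_MAX / sizeof(void *) + 2;   /* constructed attacker value */

    printf("page_count=%zu -> vulnerable allocates %zu bytes, hardened %s\n",
           huge_count, page_array_bytes_vulnerable(huge_count),
           page_array_bytes_checked(huge_count) ? "accepts" : "rejects");
    printf("bind start=5 count=SIZE_MAX-2: vulnerable %s, hardened %s\n",
           bind_range_vulnerable(5, SIZE_MAX - 2) ? "rejects" : "accepts",
           bind_range_hardened(5, SIZE_MAX - 2) ? "rejects" : "accepts");
    return 0;
}
```

The wrapped product is exactly sizeof(void *) here (one pointer's worth of heap for a request that claims billions of pages), which is the "insufficiently large buffer" the advisory describes; the wrapped sum is 2, which passes the naive aperture bound.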


* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.

Multiple vulnerabilities in the mpt2sas driver may allow local users
to gain privileges, cause a denial of service (memory corruption), or
obtain sensitive information from kernel memory.


* Reference count leak in netlink messaging.

The netlink subsystem did not properly clean up 'struct scm_cookie'
structs created when sending messages, resulting in a memory leak or
other consequences.

This bug was originally fixed in Fedora 14 with kernel
2.6.35.12-88.fc14, but was reintroduced in kernel 2.6.35.12-90.fc14.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



