[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-6541)
Anders Kaseorg
andersk at ksplice.com
Wed May 11 01:55:26 PDT 2011
Synopsis: FEDORA-2011-6541 can now be patched using Ksplice
CVEs: CVE-2010-3865 CVE-2010-3875 CVE-2010-4529 CVE-2010-4565 CVE-2011-0463 CVE-2011-0711 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1160 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1180 CVE-2011-1478 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1593 CVE-2011-1745 CVE-2011-1746 CVE-2011-2022
Systems running Fedora 14 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-6541.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Fedora 14 users install these
updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* CVE-2011-1180: Remote denial of service in IrDA subsystem.
A malicious IrDA peer could overflow fixed-size kernel stack buffers by
supplying invalid length fields for names and attributes, leading to
denial of service.
* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.
A remote host providing crafted FAC_NATIONAL_DIGIS,
FAC_CCITT_DEST_NSAP, or FAC_CCITT_SRC_NSAP fields could cause heap
corruption in the Rose driver, leading to denial of service (kernel
panic).
* Denial of service in mremap.
An integer overflow in the mremap system call can be exploited by a
local user to trigger a kernel BUG(), leading to denial of service.
* CVE-2011-1078: Information leak in Bluetooth SCO link driver.
One byte of the 'struct sco_conninfo' data structure was not
initialized before being copied to userspace, leading to a leak of
potentially sensitive kernel memory.
* CVE-2011-1079: Denial of service in Bluetooth BNEP.
A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver was not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.
The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the
Oracle Cluster File System 2 (OCFS2) did not properly handle holes
that cross page boundaries, which allowed local users to obtain
potentially sensitive information from uninitialized disk locations by
reading a file.
* CVE-2011-1160: Information leak in tpm driver.
A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.
* Buffer overflow in iptables CLUSTERIP target.
The iptables CLUSTERIP target copies a string from userspace without
checking for null termination, leading to a buffer overflow.
* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Missing null-termination checks in the netfilter subsystem could cause
a portion of kernel stack memory to be made visible to all processes
on the system within the arguments to a spawned modprobe process.
* CVE-2011-1478: NULL pointer dereference in GRO.
The generic receive offload (GRO) code failed to reset a reused
pointer, leading to a potential NULL pointer dereference.
* Missing boundary checks in squashfs.
Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to
process a corrupted or malicious squashfs image.
* Denial of service in NFS server via reference count leak.
Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service
(kernel panic) or other unspecified impact.
* CVE-2010-4529: Integer underflow in IrDA IRLMP_ENUMDEVICES.
An integer underflow bug was found in the IrDA subsystem. Local users
may be able to gain access to sensitive kernel memory via a specially
crafted IRLMP_ENUMDEVICES getsockopt call.
* CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
The bcm_connect function in the Broadcast Manager Controller Area
Network (CAN) implementation created a publicly accessible file with a
filename containing a kernel memory address, which allowed local users
to obtain potentially sensitive information about kernel memory use by
listing this filename.
* CVE-2010-3865: Integer overflow in RDS rdma page counting.
An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation. A local, unprivileged
user could use this flaw to cause a denial of service or escalate
their privileges.
* CVE-2011-0711: Information leak in XFS filesystem.
The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.
* Denial of service in UBIFS filesystem via fsync.
Calling fsync on a file in a read-only UBIFS filesystem caused a
kernel oops, leading to denial of service.
* CVE-2011-1593: Missing bounds check in proc filesystem.
The next_pidmap function in kernel/pid.c did not validate the directory
offset used when reading /proc, so a local attacker could supply a
crafted offset via readdir or getdents on /proc to read kernel memory
or cause a denial of service (kernel crash).
* Improved fix for CVE-2010-3875: Information leak in AX.25 protocol.
The original upstream fix for CVE-2010-3875 passed the wrong size to a
memset call, so that only part of a structure being passed to
userspace was cleared.
* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.
* CVE-2011-1746: Buffer overflow in AGP subsystem.
The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Multiple vulnerabilities in the mpt2sas driver may allow local users
to gain privileges, cause a denial of service (memory corruption), or
obtain sensitive information from kernel memory.
* Reference count leak in netlink messaging.
The netlink subsystem did not properly clean up 'struct scm_cookie'
structs created when sending messages, resulting in a memory leak or
other consequences.
This bug was originally fixed in Fedora 14 with kernel
2.6.35.12-88.fc14, but was reintroduced in kernel 2.6.35.12-90.fc14.
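Several of the items above (CVE-2011-1078, CVE-2011-1160, CVE-2011-0711 and
the improved CVE-2010-3875 fix) are the same bug class: a kernel structure is
filled field by field and copied to userspace, so compiler-inserted padding or
untouched fields carry stale stack contents out with it. The following C
program is an added illustration, not kernel or Ksplice code; it mirrors the
sco_conninfo layout the advisory describes (a 16-bit handle plus a 3-byte
device class, which leaves one padding byte) and simulates the stack slot and
copy_to_user with a union and memcpy. The struct name, the 0xAA stale-byte
marker and the field values are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirror of the userspace-visible layout the advisory names: a 16-bit
 * handle followed by a 3-byte device class. sizeof is 6 on every common
 * ABI, so byte 5 is compiler-inserted padding that no field assignment
 * ever writes. (Assumed layout for this demo.) */
struct sco_conninfo_like {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

#define STALE_BYTE 0xAA   /* stands in for whatever was on the kernel stack */

/* Simulated stack slot: the union lets us pre-fill the storage with stale
 * bytes and then populate it exactly the way a getsockopt handler would. */
union slot {
    struct sco_conninfo_like ci;
    unsigned char raw[sizeof(struct sco_conninfo_like)];
};

/* Fill the struct the way the vulnerable handler did: assign every named
 * field, never touch the padding, then hand the whole object to userspace
 * (memcpy stands in for copy_to_user). clear_first selects the fixed
 * behaviour: zero the entire object before filling it. */
static void getsockopt_conninfo(unsigned char *out, int clear_first)
{
    union slot s;

    memset(s.raw, STALE_BYTE, sizeof s.raw);   /* stale stack contents */

    if (clear_first)
        memset(&s.ci, 0, sizeof s.ci);          /* the upstream-style fix */

    s.ci.hci_handle   = 0x0029;                 /* assumed sample values */
    s.ci.dev_class[0] = 0x04;
    s.ci.dev_class[1] = 0x02;
    s.ci.dev_class[2] = 0x40;

    memcpy(out, s.raw, sizeof s.raw);           /* copy_to_user() */
}

/* Count bytes that reached "userspace" still carrying the stale marker. */
static size_t leaked_bytes(int clear_first)
{
    unsigned char user_buf[sizeof(struct sco_conninfo_like)];
    size_t n = 0, i;

    getsockopt_conninfo(user_buf, clear_first);
    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            n++;
    return n;
}

/* Size of the object as the compiler lays it out, for the reader. */
static size_t conninfo_size(void)
{
    return sizeof(struct sco_conninfo_like);
}
```

The memset must cover the whole object (sizeof the struct, not sizeof a
pointer or a single member): a memset of the wrong size, as in the original
CVE-2010-3875 fix described above, leaves part of the object uninitialized
and the leak persists for those bytes.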
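The BNEP (CVE-2011-1079), CLUSTERIP and netfilter (CVE-2011-1080,
CVE-2011-1170, CVE-2011-1171, CVE-2011-1172) items share a second pattern: a
fixed-size name is copied in from userspace and later consumed as a C string,
so a buffer with no NUL inside the field makes strlen() or a "%s" directive run
on into whatever follows it on the stack. The program below is an added
illustration, not kernel or Ksplice code. It models the stack frame with a
union so the over-read stays inside a defined object, measures how far a naive
consumer would read, and shows the two usual fixes: reject the name, or force a
terminator. NAME_LEN, the frame layout and the "SECRET" neighbour are
assumptions for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 8   /* assumed fixed-size name field (table or device name) */

/* Simulated kernel stack frame: the name copied from userspace sits
 * directly in front of other local data, which is what a read past the
 * field would expose. (Assumed layout for this demo.) */
struct frame {
    char name[NAME_LEN];     /* filled by copy_from_user(), may lack a NUL */
    char neighbour[8];       /* whatever else happens to live on the stack */
};

/* Vulnerable pattern: trust the user-supplied bytes to contain a NUL and
 * let a strlen()/"%s" consumer run until it finds one. strnlen over the
 * whole frame measures how far such a consumer would read while keeping the
 * demo itself well-defined. Returns the bytes read beyond the name field. */
static size_t overread_bytes(const unsigned char *user_name)
{
    union { struct frame f; char raw[sizeof(struct frame)]; } u;
    size_t seen;

    memcpy(u.f.neighbour, "SECRET\0\0", sizeof u.f.neighbour);
    memcpy(u.f.name, user_name, NAME_LEN);          /* copy_from_user() */

    seen = strnlen(u.raw, sizeof u.raw);            /* what "%s" would consume */
    return seen > NAME_LEN ? seen - NAME_LEN : 0;
}

/* Fix 1: reject any name without a NUL inside the field before anything
 * treats it as a C string. Returns the string length, or -EINVAL. */
static int validate_name(const unsigned char *user_name)
{
    char name[NAME_LEN];
    size_t len;

    memcpy(name, user_name, NAME_LEN);              /* copy_from_user() */
    len = strnlen(name, NAME_LEN);
    if (len == NAME_LEN)
        return -EINVAL;                             /* no terminator in range */
    return (int)len;                                /* safe for "%s" from here */
}

/* Fix 2: clamp instead of reject by forcing the last byte to NUL.
 * Returns the resulting string length (at most NAME_LEN - 1). */
static size_t terminate_name(const unsigned char *user_name)
{
    char name[NAME_LEN];

    memcpy(name, user_name, NAME_LEN);              /* copy_from_user() */
    name[NAME_LEN - 1] = '\0';
    return strlen(name);
}
```

Which fix is right depends on the interface: netfilter-style table names that
get passed to request_module() should be rejected rather than silently
truncated, since a truncated name would load a different module than the
caller asked for.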
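The mremap, RDS (CVE-2010-3865) and AGP (CVE-2011-1745, CVE-2011-2022,
CVE-2011-1746) items are all integer overflows on user-controlled page counts:
either a start+count range check wraps past the limit, or count*entry_size
wraps so the allocation is far smaller than what is later indexed. The program
below is an added illustration, not kernel or Ksplice code, using an
AGP-bind-shaped interface; GATT_ENTRIES, ENTRY_SIZE and the function names are
assumptions for the demo. It shows each vulnerable check next to the
overflow-safe form.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>

#define GATT_ENTRIES 1024UL           /* assumed size of the simulated page table */
#define ENTRY_SIZE   sizeof(unsigned long)   /* assumed bytes per table entry */

/* Vulnerable range check: pg_start + pg_count is computed in unsigned long
 * arithmetic, so a huge pg_count wraps the sum back below the limit and a
 * bind starting inside the table is accepted with an absurd length. */
static int bind_check_vuln(unsigned long pg_start, unsigned long pg_count)
{
    if (pg_start + pg_count > GATT_ENTRIES)
        return -EINVAL;
    return 0;
}

/* Hardened: compare without ever forming the sum. Both subtractions are
 * guarded so nothing can wrap. */
static int bind_check_fixed(unsigned long pg_start, unsigned long pg_count)
{
    if (pg_start > GATT_ENTRIES || pg_count > GATT_ENTRIES - pg_start)
        return -EINVAL;
    return 0;
}

struct alloc_result {
    int err;                 /* 0 or -EINVAL */
    unsigned long bytes;     /* size that would be passed to the allocator */
};

/* Vulnerable allocation sizing: page_count * ENTRY_SIZE wraps to a small
 * value, so the buffer allocated is much smaller than the page_count the
 * caller then iterates over. */
static struct alloc_result alloc_size_vuln(unsigned long page_count)
{
    struct alloc_result r = { 0, page_count * ENTRY_SIZE };
    return r;
}

/* Hardened: refuse counts whose product cannot be represented. */
static struct alloc_result alloc_size_fixed(unsigned long page_count)
{
    struct alloc_result r = { 0, 0 };

    if (page_count > ULONG_MAX / ENTRY_SIZE) {
        r.err = -EINVAL;
        return r;
    }
    r.bytes = page_count * ENTRY_SIZE;
    return r;
}

/* The smallest page_count whose byte size wraps to exactly zero on this
 * platform, handy as a test input for the two sizing routines. */
static unsigned long wrapping_page_count(void)
{
    return ULONG_MAX / ENTRY_SIZE + 1;
}
```

A realistic driver also has to bound page_count against the size of the
table or the caller's allocation, not only against overflow; the overflow
check is the part that the vulnerable code was missing, not a substitute for
the range check.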
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.