[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (Ubuntu-2.6.32-26.47)

Anders Kaseorg andersk at ksplice.com
Thu Nov 25 00:37:23 PST 2010


Synopsis: Ubuntu-2.6.32-26.47 can now be patched using Ksplice
CVEs: CVE-2010-3296 CVE-2010-3297 CVE-2010-3298 CVE-2010-4074 CVE-2010-4078 CVE-2010-4082

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu Security Notice, Ubuntu-2.6.32-26.47.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* Integer overflow bug in groups_search.

The groups_search function in the kernel has an integer overflow bug
causing it to not operate correctly in the event that the group_info
structure contains a gid higher than MAX_INT.


* Denial of service vulnerability in tcp_read_sock.

A userspace program that splices data from a socket to either another
socket or to a file can cause the system to panic.


* CVE-2010-4074: Kernel information leaks in USB serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.


* CVE-2010-3298: Kernel information leak in hso_get_count.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in hso_get_count()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to
read 4 bytes of uninitialized stack memory, because the "addr" member
of the ch_reg struct declared on the stack in cxgb_extension_ioctl()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member
of the master_config_t struct declared on the stack in
eql_g_master_cfg() is not altered or zeroed before being copied back
to the user.


* CVE-2010-4078: Kernel information leak in sisfb_ioctl.

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.


* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO ioctl.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user.


* Kernel information leak in rds driver.

A stack information leak vulnerability was found in the rds driver.
An unprivileged attacker could read uninitialized data from a kernel
stack.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
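
The stack information leaks listed under DESCRIPTION share one pattern: a struct is declared on the stack, only some members are assigned, and the whole struct is copied back to the caller. The following is an added userspace illustration of that pattern next to a zero-first version; it is not part of the original announcement and is not kernel or Ksplice code. The struct layout and the names icount_reply, copy_out, get_icount_leaky, get_icount_zeroed and leaked_bytes are hypothetical, and the 0xA5 fill is constructed stand-in data for stale stack contents.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for a reply struct with a "reserved" tail (hypothetical layout). */
struct icount_reply {
    int rx, tx, frame, overrun;
    int reserved[9];
};

/* Stand-in for copy_to_user(): every byte of the struct crosses the boundary. */
static void copy_out(void *user, const void *kern, size_t n)
{
    memcpy(user, kern, n);
}

/* Before: only the named counters are written; "reserved" keeps old contents. */
static void get_icount_leaky(struct icount_reply *slot, void *user, int rx, int tx)
{
    slot->rx = rx;
    slot->tx = tx;
    slot->frame = slot->overrun = 0;
    copy_out(user, slot, sizeof(*slot));
}

/* After: zero the whole struct first, so reserved members and padding carry nothing. */
static void get_icount_zeroed(struct icount_reply *slot, void *user, int rx, int tx)
{
    memset(slot, 0, sizeof(*slot));
    slot->rx = rx;
    slot->tx = tx;
    copy_out(user, slot, sizeof(*slot));
}

/* Pre-fill the slot with a constructed marker (0xA5) standing in for stale stack
 * data, run one handler, and count marker bytes that reached the "user" copy. */
size_t leaked_bytes(int zeroed)
{
    struct icount_reply slot, user;
    size_t i, n = 0;
    const unsigned char *p = (const unsigned char *)user.reserved;
    memset(&slot, 0xA5, sizeof(slot));
    memset(&user, 0, sizeof(user));
    if (zeroed) get_icount_zeroed(&slot, &user, 7, 3);
    else get_icount_leaky(&slot, &user, 7, 3);
    for (i = 0; i < sizeof(user.reserved); i++)
        n += (p[i] == 0xA5);
    return n;
}

int main(void) { return leaked_bytes(0) == 9 * sizeof(int) && leaked_bytes(1) == 0 ? 0 : 1; }
```

When reviewing ioctl handlers for this class of bug, look for a stack struct that reaches the copy-out call without a preceding memset or full initializer.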



