[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1000-1)

Tim Abbott tabbott at ksplice.com
Wed Oct 20 17:17:06 PDT 2010


Synopsis: USN-1000-1 can now be patched using Ksplice
CVEs: CVE-2010-2240 CVE-2010-2942 CVE-2010-2954 CVE-2010-2955 CVE-2010-2960 CVE-2010-2963 CVE-2010-3067 CVE-2010-3078 CVE-2010-3080 CVE-2010-3084 CVE-2010-3310 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442 CVE-2010-3477 CVE-2010-3705 CVE-2010-3904

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against 
the latest Ubuntu Security Notice, USN-1000-1.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install 
these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-2942: Information leaks in traffic control dump structures.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of 32 bits of kernel memory to userspace
applications.


* CVE-2010-2954: NULL pointer dereference in irda subsystem.

The irda_bind function in net/irda/af_irda.c in the Linux kernel did
not properly handle a failure in the irda_open_tsap function.  This
allows local users to cause a denial of service (NULL pointer
dereference and panic) via multiple unsuccessful calls to bind on an
AF_IRDA (aka PF_IRDA) socket.


* CVE-2010-2955: Information leak in wireless extensions.

The cfg80211_wext_giwessid function does not properly initialize
certain structure members.  A local user could leverage an off-by-one
error in the ioctl_standard_iw_point function to obtain potentially
sensitive information from kernel heap memory using an SIOCGIWESSID
ioctl call that specifies a large buffer size.


* CVE-2010-2960: NULL pointer dereference in keyctl_session_to_parent.

The keyctl_session_to_parent function in security/keys/keyctl.c in the
Linux kernel expects that a certain parent session keyring exists,
which allows local users to cause a NULL pointer dereference via a
KEYCTL_SESSION_TO_PARENT argument to the keyctl function.


* CVE-2010-3067: Information leak in do_io_submit().

An integer overflow error in the do_io_submit function could be used by
userspace processes to read kernel memory.


* CVE-2010-3078: Information leak in XFS_IOC_FSGETXATTR ioctl.

The XFS_IOC_FSGETXATTR ioctl allowed unprivileged users to read 12
bytes of uninitialized stack memory, because the fsxattr struct
declared on the stack in xfs_ioc_fsgetxattr() was never zeroed, so its
12-byte fsx_pad member was copied back to userspace with whatever the
stack previously held.
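The pattern behind this leak (and behind the uninitialized structure
members in CVE-2010-2942, CVE-2010-2955 and CVE-2010-3477) is a stack
struct whose named fields are assigned but whose padding is copied out
untouched.  The following is an added illustration, not Ksplice's or
the kernel's code: it mirrors the fsxattr layout, pre-fills a stack slot
with a constructed "stale" marker byte to stand in for leftover kernel
data, and counts how many marker bytes reach the caller's copy from an
unzeroed handler versus one that clears the struct first.  memcpy()
stands in for copy_to_user(); the handler names and the field values
are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the kernel's struct fsxattr: four u32 fields plus a 12-byte
 * pad that the vulnerable ioctl handler never wrote before copying out. */
struct fsxattr {
    uint32_t fsx_xflags;
    uint32_t fsx_extsize;
    uint32_t fsx_nextents;
    uint32_t fsx_projid;
    unsigned char fsx_pad[12];
};

/* Constructed stale content: stands in for whatever an earlier kernel code
 * path left in this stack slot (pointers, key material, ...). */
#define STALE_BYTE 0x5a

/* A stack slot viewable either as raw bytes or as the struct. */
union stack_slot {
    struct fsxattr fa;
    unsigned char raw[sizeof(struct fsxattr)];
};

/* Vulnerable shape: assign the named members, leave fsx_pad as found, and
 * copy the whole struct to the caller (memcpy stands in for copy_to_user). */
static void fsgetxattr_vuln(union stack_slot *slot, void *user_buf)
{
    slot->fa.fsx_xflags = 0x1;     /* assumed values for the example */
    slot->fa.fsx_extsize = 0;
    slot->fa.fsx_nextents = 3;
    slot->fa.fsx_projid = 42;
    memcpy(user_buf, &slot->fa, sizeof slot->fa);
}

/* Fixed shape: clear the whole struct before filling it, so every byte that
 * reaches userspace was written deliberately. */
static void fsgetxattr_fixed(union stack_slot *slot, void *user_buf)
{
    memset(&slot->fa, 0, sizeof slot->fa);
    slot->fa.fsx_xflags = 0x1;
    slot->fa.fsx_extsize = 0;
    slot->fa.fsx_nextents = 3;
    slot->fa.fsx_projid = 42;
    memcpy(user_buf, &slot->fa, sizeof slot->fa);
}

/* Run one handler over a pre-dirtied stack slot and count how many of the
 * 12 pad bytes in the user's copy still carry the stale marker. */
static int leaked_pad_bytes(void (*handler)(union stack_slot *, void *))
{
    union stack_slot slot;
    unsigned char user_copy[sizeof(struct fsxattr)];
    int leaked = 0;

    memset(slot.raw, STALE_BYTE, sizeof slot.raw);   /* dirty the slot */
    handler(&slot, user_copy);

    for (size_t i = offsetof(struct fsxattr, fsx_pad); i < sizeof user_copy; i++)
        if (user_copy[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unzeroed struct: %d stale bytes reach userspace\n",
           leaked_pad_bytes(fsgetxattr_vuln));
    printf("zeroed struct:   %d stale bytes reach userspace\n",
           leaked_pad_bytes(fsgetxattr_fixed));
    return 0;
}
```

The marker byte makes the leak visible deterministically; on a real
kernel the pad carries whatever the previous call left on the stack,
which is why a memset() of the whole struct, not just of the fields one
remembers, is the reliable fix.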


* CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.

Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation
layer.  Local users with sufficient privileges to open /dev/sequencer
can cause a denial of service or privilege escalation via a NULL
pointer dereference.


* CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.

The niu_get_ethtool_tcam_all function does not validate the
user-provided output buffer size before copying entries into the output
buffer, resulting in a kernel buffer overflow.


* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local
users to cause a denial of service (heap memory corruption) or
possibly have unspecified other impact by calling rose_bind or
rose_connect with a negative destination digis count.


* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() function can call sctp_packet_reset() on a
packet structure that has already been filled with chunks.  This
resets the packet length but does not remove the chunks from the list;
the SCTP code then re-initializes the packet, which because of the
incorrect length could overflow the skb, resulting in a kernel panic.


* CVE-2010-3437: Information leak in pktcdvd driver.

Integer signedness error in the pkt_find_dev_from_minor function
allows local users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer dereference and system
crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
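The signedness error here (and the negative digis count in
CVE-2010-3310 above) comes from checking a signed, user-controlled
index only against its upper bound.  The following is an added
example, not the pktcdvd driver's code: it shows the vulnerable and the
corrected range check side by side, computes where a negative index
would send the vulnerable lookup, and wires the corrected check into a
lookup function.  The table size MAX_WRITERS, the device struct and
the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_WRITERS 8   /* assumed table size for the example */

struct pktcdvd_device {
    int minor;          /* placeholder contents, assumed */
};

static struct pktcdvd_device pkt_devs[MAX_WRITERS];

/* Vulnerable check: dev_minor arrives from the ioctl argument as a signed
 * int and is compared only against the upper bound, so -1 passes. */
static bool minor_in_range_vuln(int dev_minor)
{
    return dev_minor < MAX_WRITERS;
}

/* Fixed check: casting to unsigned turns every negative value into a large
 * number that fails the same comparison. */
static bool minor_in_range_fixed(int dev_minor)
{
    return (unsigned int)dev_minor < MAX_WRITERS;
}

/* If the vulnerable check admits dev_minor, report the byte offset from the
 * start of pkt_devs that the lookup would read; negative offsets land in
 * whatever kernel memory precedes the table. */
static bool vuln_would_read(int dev_minor, ptrdiff_t *byte_offset)
{
    if (!minor_in_range_vuln(dev_minor))
        return false;
    *byte_offset = (ptrdiff_t)dev_minor * (ptrdiff_t)sizeof(struct pktcdvd_device);
    return true;
}

/* Lookup using the corrected check; NULL for anything outside the table. */
static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
{
    if (!minor_in_range_fixed(dev_minor))
        return NULL;
    return &pkt_devs[dev_minor];
}

int main(void)
{
    ptrdiff_t off;
    int probes[] = { 0, MAX_WRITERS - 1, MAX_WRITERS, -1, -1000 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = probes[i];
        printf("index %5d: vulnerable check %s", idx,
               minor_in_range_vuln(idx) ? "accepts" : "rejects");
        if (vuln_would_read(idx, &off))
            printf(" (reads pkt_devs%+td bytes)", off);
        printf(", fixed check %s\n",
               pkt_find_dev_from_minor(idx) ? "accepts" : "rejects");
    }
    return 0;
}
```

Comparing as unsigned is the idiom the kernel uses for this class of
bug; the alternative of adding an explicit "dev_minor < 0" test is
equivalent but easier to forget on the next copy of the check.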


* CVE-2010-3442: Heap corruption vulnerability in ALSA core.

The snd_ctl_new() function allocates space for a snd_kcontrol struct
by performing arithmetic operations on a user-provided size without
checking for integer overflow.  This allows an unprivileged user to
write an arbitrary value repeatedly past the bounds of this chunk,
resulting in heap corruption.
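The arithmetic that goes wrong here is "header size plus per-element
size times a user-supplied count", which wraps on a 32-bit kernel for
large counts, so the allocation is far smaller than what the caller then
writes into it (the do_io_submit overflow in CVE-2010-3067 above is the
same shape).  The following is an added example, not the ALSA code:
it models the vulnerable computation in 32-bit unsigned arithmetic,
then a checked version that rejects both overflow and, as the upstream
fix does, any count above an explicit cap.  The header and element sizes
and the cap value are illustrative assumptions, not the real struct
sizes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes, modelling a 32-bit kernel: a fixed header followed by one
 * record per requested element. The real ALSA structs differ; only the
 * arithmetic matters here. */
#define KCONTROL_HDR_SIZE   64u
#define KCONTROL_ITEM_SIZE  16u
#define MAX_CONTROL_COUNT   1024u   /* illustrative cap on count */

/* Vulnerable arithmetic: hdr + item * count in 32-bit unsigned math wraps
 * for large count, so the allocator is asked for a small chunk while the
 * caller later initialises count records inside it. */
static uint32_t kcontrol_size_vuln(uint32_t count)
{
    return KCONTROL_HDR_SIZE + KCONTROL_ITEM_SIZE * count;
}

/* Fixed arithmetic: apply an explicit cap on count and refuse any value
 * whose multiplication or addition would overflow. */
static bool kcontrol_size_fixed(uint32_t count, uint32_t *size_out)
{
    uint32_t items, total;

    if (count > MAX_CONTROL_COUNT)
        return false;
    if (__builtin_mul_overflow(KCONTROL_ITEM_SIZE, count, &items))
        return false;
    if (__builtin_add_overflow(KCONTROL_HDR_SIZE, items, &total))
        return false;
    *size_out = total;
    return true;
}

/* How many records an allocation of alloc_size bytes can actually hold;
 * everything the caller writes beyond that lands in the next heap chunk. */
static uint32_t records_that_fit(uint32_t alloc_size)
{
    if (alloc_size < KCONTROL_HDR_SIZE)
        return 0;
    return (alloc_size - KCONTROL_HDR_SIZE) / KCONTROL_ITEM_SIZE;
}

int main(void)
{
    uint32_t counts[] = { 4, 0x10000000u, 0x10000001u };

    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t count = counts[i], vuln = kcontrol_size_vuln(count), fixed;

        printf("count=0x%08x: vulnerable size=%u (fits %u of %u records), ",
               count, vuln, records_that_fit(vuln), count);
        if (kcontrol_size_fixed(count, &fixed))
            printf("checked size=%u\n", fixed);
        else
            printf("checked version rejects the request\n");
    }
    return 0;
}
```

For count 0x10000000 the product 16 * count is exactly 2^32, so the
vulnerable size collapses to the bare header and not a single record
fits; the checked version rejects the request before any allocation.
The cap is defence in depth: with a sane upper bound the overflow
checks can never trigger, but keeping both means the cap can be raised
later without silently reopening the wraparound.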


* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.

The SCTP subsystem's sctp_asoc_get_hmac function did not correctly
check for an out of range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.


* Out of bounds copy in ocfs2 fast symlink handling.

The ocfs2 fast symlink code used strlen() to compute how many bytes of
the fast symlink data in the inode data area to copy.  An attacker who
could cause the system to mount a malicious filesystem image could use
this vulnerability to copy too much data by providing a fast symlink
data string that is not NULL-terminated.


* Fix mlock regression introduced by CVE-2010-2240 fix.

The upstream patch for CVE-2010-2240 introduced a possible kernel
crash when privileged applications use mlock on portions of their own
process stack.


* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on
user-provided pointers before using unchecked __copy_*_user_inatomic
functions, which can be exploited by a local user to write to
arbitrary kernel memory and escalate privileges.


* CVE-2010-2963: Privilege escalation in V4L 32-bit compat support.

Kees Cook discovered that the V4L1 32-bit compat interface did not
correctly validate certain parameters.  A local attacker on a 64-bit
system with access to a video device could exploit this to gain root
privileges.


* CVE-2010-3477: Kernel information leak in act_police.

Incorrectly initialized structures in the traffic control dump code
may allow the disclosure of kernel memory to userspace applications.
This is a similar issue to CVE-2010-2942.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


