[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (Ubuntu-2.6.32-25.44)

Anders Kaseorg andersk at ksplice.com
Tue Sep 28 10:07:35 PDT 2010


Synopsis: Ubuntu-2.6.32-25.44 can now be patched using Ksplice
CVEs: CVE-2010-2066 CVE-2010-2226 CVE-2010-2478 CVE-2010-2495 CVE-2010-2524 CVE-2010-2537 CVE-2010-2538 CVE-2010-2798 CVE-2010-2946 CVE-2010-3015

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu kernel update, Ubuntu-2.6.32-25.44.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-2495: Denial of Service in L2TP.

The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP
implementation in the Linux kernel before 2.6.34 does not properly
validate certain values associated with an interface, which allows
attackers to cause a denial of service (NULL pointer dereference and
OOPS) or possibly have unspecified other impact via vectors related to a
routing change.


* CVE-2010-2524: False CIFS mount via DNS cache poisoning.

A flaw was found in the dns_resolver upcall used by CIFS.  A local,
unprivileged user could redirect a Microsoft Distributed File System
link to another IP address, tricking the client into mounting the share
from a server of the user's choosing.  (CVE-2010-2524, Moderate)


* CVE-2010-2537, CVE-2010-2538: Missing access checks in btrfs filesystem.

The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls allow write access
to append-only files.  The BTRFS_IOC_CLONE_RANGE ioctl potentially
allows unauthorized reading at out-of-bounds offsets.


* CVE-2010-2478: Buffer overflow in ethtool.

An integer overflow in the implementation of the unprivileged
ETHTOOL_GRXCLSRLALL command may lead to a buffer overflow in the kernel,
resulting in denial of service or privilege escalation.
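The overflow pattern behind this entry, as an added illustration that is not the Ubuntu kernel's own ethtool code: a user-supplied rule count multiplied by the element size wraps in 32 bits, beside the bounded check that rejects such counts before allocating. MAX_ALLOC_BYTES is an assumed stand-in for the allocator's limit and the function names are constructed.

```c
/* Illustrative example, not the Ubuntu kernel's own ethtool code: an
 * untrusted element count that overflows an allocation size, beside the
 * bounded check that prevents it. MAX_ALLOC_BYTES is an assumed stand-in
 * for the allocator's limit; function names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_ALLOC_BYTES (4U * 1024U * 1024U)

/* Naive size computation: the multiplication happens in 32 bits, so a
 * large user-supplied rule_cnt wraps to a small value. Code that later
 * trusts rule_cnt writes that many entries into a buffer sized from the
 * wrapped value: the kernel buffer overflow described for CVE-2010-2478. */
uint32_t naive_rule_buf_size(uint32_t rule_cnt)
{
    return rule_cnt * (uint32_t)sizeof(uint32_t);   /* may wrap */
}

/* Hardened version: reject any count whose byte size would exceed the
 * allocator's limit before multiplying, so the product cannot wrap.
 * Returns 0 and sets *out_bytes on success, -1 if the count is rejected. */
int checked_rule_buf_size(uint32_t rule_cnt, size_t *out_bytes)
{
    if (rule_cnt > MAX_ALLOC_BYTES / sizeof(uint32_t))
        return -1;
    *out_bytes = (size_t)rule_cnt * sizeof(uint32_t);
    return 0;
}

/* Simulated request path: allocate only from the checked size. Returns 0
 * on success (bytes allocated via *allocated, if non-NULL), -1 on reject. */
int handle_get_rules(uint32_t rule_cnt, size_t *allocated)
{
    size_t bytes;
    if (checked_rule_buf_size(rule_cnt, &bytes) < 0)
        return -1;              /* a kernel path would return -EINVAL/-ENOMEM */
    uint32_t *buf = calloc(rule_cnt ? rule_cnt : 1, sizeof(uint32_t));
    if (!buf)
        return -1;
    if (allocated)
        *allocated = bytes;
    free(buf);
    return 0;
}
```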


* CVE-2010-2226: Read access to write-only files in XFS filesystem.

A flaw was found in the handling of the SWAPEXT IOCTL in the Linux
kernel XFS file system implementation.  A local user could use this flaw
to read write-only files that they do not own on an XFS file system.
This could lead to unintended information disclosure.  (CVE-2010-2226,
Moderate)


* CVE-2010-2798: Denial of service in GFS2.

Bob Peterson reported an issue in the GFS2 file system. A file system
user could cause a denial of service (Oops) via certain rename
operations.


* CVE-2010-2946: Access control bypass in JFS filesystem.

Extended attribute namespace access rules may be bypassed by using the
legacy-format os2 namespace.


* CVE-2010-2066: Missing privilege check in ext4 for append-only files.

A missing check was found in the mext_check_arguments() function in the
ext4 file system code.  A local user could use this flaw to cause the
MOVE_EXT IOCTL to overwrite the contents of an append-only file on an
ext4 file system, if they have write permissions for that file.
(CVE-2010-2066, Low)


* Denial of Service in OCFS2 locking.

A flaw was found in the ocfs2_lock() implementation.  The OCFS2 locking
code could skip the lock operation for files that have the S_ISGID bit
(set-group-ID on execution) in their mode set.  A local, unprivileged
user on a system that has an OCFS2 file system mounted could use this
flaw to cause a kernel panic.


* Additional CVE-2010-2240 update: Fix stack guard with mlock/mprotect.

The stack guard page code in the original upstream patch for
CVE-2010-2240 failed when the stack memory area had been split by
certain calls to mlock or mprotect.


* CVE-2010-3015: Integer overflow in ext4 filesystem.

An integer overflow flaw was found in the ext4_ext_get_blocks()
function. This can trigger a BUG() on certain configurations of ext4
file systems.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.