[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (Ubuntu-2.6.32-28.55)

Tim Abbott tabbott at ksplice.com
Sat Jan 29 15:24:37 PST 2011


Synopsis: Ubuntu-2.6.32-28.55 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3859 CVE-2010-3873 CVE-2010-3874 CVE-2010-3881 CVE-2010-4073 CVE-2010-4079 CVE-2010-4083 CVE-2010-4160 CVE-2010-4162 CVE-2010-4163 CVE-2010-4164 CVE-2010-4165 CVE-2010-4169 CVE-2010-4175 CVE-2010-4249 CVE-2010-4258

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against 
the latest Ubuntu kernel update, Ubuntu-2.6.32-28.55.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install 
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by 
passing in an invalid TCP_MAXSEG, leading to a kernel oops.


* CVE-2010-4169: Use-after-free bug in mprotect system call.

A use-after-free flaw in the mprotect() system call could allow a local, 
unprivileged user to cause a local denial of service.


* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX 
sockets.  A local, unprivileged user could use this flaw to trigger a 
denial of service (out-of-memory condition).  (CVE-2010-4249, Moderate)


* CVE-2010-4163: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause 
a denial of service (kernel panic).


* Stack overflow in IrDA parameter extraction.

A boundary error within the irda_extract_string() function in 
net/irda/parameters.c can be exploited to cause a crash and potentially 
gain escalated privileges.


* Buffer overflow in IrDA IAP result parsing.

A boundary error within the iriap_getvaluebyclass_confirm() function in 
net/irda/iriap.c can be exploited to cause a crash and potentially gain 
escalated privileges.


* CVE-2010-4083: Information leak in System V IPC.

A missing initialization flaw was found in System V IPC.  A local, 
unprivileged user could use this flaw to cause information leaks. 
(CVE-2010-4083, Low)


* Denial of service in TTY interface.

The flush_to_ldisc function in the TTY interface has a race condition
that could be exploited by a local user to cause denial of service via
an infinite loop.


* CVE-2010-0435: Denial of service in KVM on debug register access.

A NULL pointer dereference flaw was found when the host system had a 
processor with the Intel VT-x extension enabled.  A privileged guest user 
could use this flaw to trick the host into emulating a certain 
instruction, which could crash the host (denial of service).


* CVE-2010-3881: Information leak in KVM.

It was found that some structure padding and reserved fields in certain 
data structures in QEMU-KVM were not initialized properly before being 
copied to user-space.  A privileged host user with access to "/dev/kvm" 
could use this flaw to leak kernel stack memory to user-space.


* Buffer overflows in FireWire when receiving split packets.

The FireWire driver may overflow a page boundary when receiving a split 
asynchronous packet, leading to crashes and data corruption when using 
firewire-net.


* CVE-2010-4162: Integer overflow in block I/O subsystem.

Due to integer underflow and overflow issues when determining the number 
of pages required for I/O requests, a local user could send a device ioctl 
that results in the sequential allocation of a very large number of pages, 
causing the OOM killer to be invoked and crashing the system.


* CVE-2010-4258: Privilege escalation via do_exit.

The do_exit function does not properly handle a KERNEL_DS get_fs value, 
which allows local users to bypass intended access_ok restrictions, 
overwrite arbitrary kernel memory locations, and gain privileges by 
leveraging a BUG, NULL pointer dereference, or page fault.


* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities function may cause a memcpy() of ULONG_MAX 
size, destroying the kernel heap.


* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged 
users to read 16 bytes of uninitialized stack memory.


* CVE-2010-4164: Denial of service parsing bad X.25 facilities.

On parsing malformed X.25 facilities, an integer underflow may cause a 
kernel crash.


* CVE-2010-4175: Integer overflow in RDS cmsg handling.

An incorrect range check in the rds_cmsg_rdma_args function could result 
in an integer overflow, leading to memory corruption.


* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over 
L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation could allow a local, 
unprivileged user to escalate their privileges.  (CVE-2010-3859, 
Important)

Missing boundary checks in the PPP over L2TP sockets implementation could 
allow a local, unprivileged user to cause a denial of service or escalate 
their privileges.  (CVE-2010-4160, Important)


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
