[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (Ubuntu-2.6.32-28.55)
Tim Abbott
tabbott at ksplice.com
Sat Jan 29 15:24:37 PST 2011
Synopsis: Ubuntu-2.6.32-28.55 can now be patched using Ksplice
CVEs: CVE-2010-0435 CVE-2010-3859 CVE-2010-3873 CVE-2010-3874 CVE-2010-3881 CVE-2010-4073 CVE-2010-4079 CVE-2010-4083 CVE-2010-4160 CVE-2010-4162 CVE-2010-4163 CVE-2010-4164 CVE-2010-4165 CVE-2010-4169 CVE-2010-4175 CVE-2010-4249 CVE-2010-4258
Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu kernel update, Ubuntu-2.6.32-28.55.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
DESCRIPTION
* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.
* CVE-2010-4165: Denial of service in TCP from user MSS.
A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.
* CVE-2010-4169: Use-after-free bug in mprotect system call.
A use-after-free flaw in the mprotect() system call could allow a local,
unprivileged user to cause a local denial of service.
* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition). (CVE-2010-4249, Moderate)
* CVE-2010-4163: Kernel panic in block subsystem.
By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).
* Stack overflow in IrDA parameter extraction.
A boundary error within the irda_extract_string() function in
net/irda/parameters.c can be exploited to cause a crash and potentially
gain escalated privileges.
* Buffer overflow in IrDA IAP result parsing.
A boundary error within the iriap_getvaluebyclass_confirm() function in
net/irda/iriap.c can be exploited to cause a crash and potentially gain
escalated privileges.
* CVE-2010-4083: Information leak in System V IPC.
A missing initialization flaw was found in System V IPC. A local,
unprivileged user could use this flaw to cause information leaks.
(CVE-2010-4083, Low)
* Denial of service in TTY interface.
The flush_to_ldisc function in the TTY interface has a race condition
that could be exploited by a local user to cause denial of service via
an infinite loop.
* CVE-2010-0435: Denial of service in KVM on debug register access.
A NULL pointer dereference flaw was found when the host system had a
processor with the Intel VT-x extension enabled. A privileged guest user
could use this flaw to trick the host into emulating a certain
instruction, which could crash the host (denial of service).
* CVE-2010-3881: Information leak in KVM.
It was found that some structure padding and reserved fields in certain
data structures in QEMU-KVM were not initialized properly before being
copied to user-space. A privileged host user with access to "/dev/kvm"
could use this flaw to leak kernel stack memory to user-space.
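CVE-2010-4073, CVE-2010-4083 and CVE-2010-3881 above share one root cause: a kernel structure is filled in field by field and then copied to user space, so padding bytes and reserved fields still hold whatever the kernel stack contained before. The following is an added illustration, not code from the advisory or from the Linux kernel: the structure layout, the poisoned "stack" slot and the fake copy_to_user() are all constructed stand-ins, chosen so the leak is deterministic and countable.

```c
/* Added example (not from the advisory or the kernel): the copy-to-user
 * info-leak pattern behind CVE-2010-4073 / CVE-2010-4083 / CVE-2010-3881.
 * Everything below is a constructed model, not the real kernel definitions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a compat IPC structure. The 8-bit field followed
 * by a 32-bit one forces 3 bytes of padding on common ABIs, and "unused"
 * is a reserved field the handler never writes. */
struct compat_ipc_stub {
    uint8_t  mode;
    uint32_t key;
    uint32_t unused;
};

/* A slot of "kernel stack" that the structure lives in; the raw view lets
 * us poison it with a recognisable byte before the handler runs. */
union stack_slot {
    struct compat_ipc_stub s;
    unsigned char raw[sizeof(struct compat_ipc_stub)];
};

#define STACK_POISON 0xAA   /* stands for stale data left by earlier calls */

/* Simulated copy_to_user(): a plain memcpy into the caller's buffer. */
static void fake_copy_to_user(void *user, const void *kernel, size_t n)
{
    memcpy(user, kernel, n);
}

/* Vulnerable variant: only the named fields are assigned, so padding and the
 * reserved field reach user space with their stale contents. */
static void leaky_handler(union stack_slot *slot, void *user)
{
    slot->s.mode = 0644 & 0xff;
    slot->s.key  = 0x1234;
    fake_copy_to_user(user, &slot->s, sizeof slot->s);
}

/* Fixed variant: the whole object is zeroed first (the kernel fix used
 * memset-style clearing), so every byte copied out is zero or deliberate. */
static void fixed_handler(union stack_slot *slot, void *user)
{
    memset(slot->raw, 0, sizeof slot->raw);
    slot->s.mode = 0644 & 0xff;
    slot->s.key  = 0x1234;
    fake_copy_to_user(user, &slot->s, sizeof slot->s);
}

/* Poison the stack slot, run a handler, and count how many bytes of the
 * user copy still carry the poison value: that is the number of bytes of
 * stale kernel stack that leaked. */
size_t leaked_bytes(void (*handler)(union stack_slot *, void *))
{
    union stack_slot slot;
    unsigned char user[sizeof(struct compat_ipc_stub)];
    size_t i, leaked = 0;

    memset(slot.raw, STACK_POISON, sizeof slot.raw);
    handler(&slot, user);
    for (i = 0; i < sizeof user; i++)
        if (user[i] == STACK_POISON)
            leaked++;
    return leaked;
}

size_t leaked_with_vulnerable_handler(void) { return leaked_bytes(leaky_handler); }
size_t leaked_with_fixed_handler(void)      { return leaked_bytes(fixed_handler); }

int main(void)
{
    printf("vulnerable handler leaks %zu bytes\n", leaked_with_vulnerable_handler());
    printf("fixed handler leaks %zu bytes\n", leaked_with_fixed_handler());
    return 0;
}
```

On a typical ABI where uint32_t is 4-byte aligned the vulnerable handler leaks 7 bytes (3 of padding plus the 4-byte reserved field) and the fixed one leaks none; the count is what a reviewer checks for when auditing any structure that is handed to copy_to_user() or put_user().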
* Buffer overflows in FireWire when receiving split packets.
The FireWire driver may overflow a page boundary when receiving a split
asynchronous packet, leading to crashes and data corruption when using
firewire-net.
* CVE-2010-4162: Integer overflow in block I/O subsystem.
Due to integer underflow and overflow issues when determining the number
of pages required for I/O requests, a local user could send a device ioctl
that results in the sequential allocation of a very large number of pages,
causing the OOM killer to be invoked and crashing the system.
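CVE-2010-4162 (this entry) and CVE-2010-4163 (zero-length requests) both come from computing how many pages an I/O request covers with unchecked unsigned arithmetic on a user-supplied address and length. The block below is an added example, not code from the advisory or from the kernel's block layer: it contrasts an unchecked page-count computation, in which a wrapping address plus length underflows into an enormous count, with a checked version that rejects zero lengths, wrap-around, and counts above a constructed per-request limit. The page size, the limit and the function names are all assumptions made for the illustration.

```c
/* Added example (not from the advisory or the kernel): page-count
 * arithmetic in the style of CVE-2010-4162 / CVE-2010-4163, unchecked and
 * checked. Constants and names are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                                  /* assumed 4 KiB pages */
#define PAGE_MASK_LOW ((uintptr_t)((1u << PAGE_SHIFT) - 1))
#define MAX_PAGES_PER_REQUEST ((size_t)256)            /* constructed limit */

/* Unchecked computation: round start down and end up to page boundaries and
 * subtract. If addr + len wraps past zero, end < start and the unsigned
 * subtraction underflows to a huge page count, which a caller would then
 * try to allocate page by page (the OOM condition the advisory describes). */
size_t pages_unchecked(uintptr_t addr, size_t len)
{
    uintptr_t start = addr & ~PAGE_MASK_LOW;
    uintptr_t end   = (addr + len + PAGE_MASK_LOW) & ~PAGE_MASK_LOW;
    return (size_t)((end - start) >> PAGE_SHIFT);
}

/* Checked computation: refuse empty requests, refuse any (addr, len) whose
 * end would wrap, compute the count from the last byte rather than from
 * addr + len, and cap the result before anything is allocated. */
bool pages_checked(uintptr_t addr, size_t len, size_t *out)
{
    if (len == 0)
        return false;                   /* zero-length I/O (CVE-2010-4163) */
    if (len > UINTPTR_MAX - addr)
        return false;                   /* addr + len would wrap around */

    uintptr_t last  = addr + len - 1;   /* cannot wrap after the check above */
    size_t    pages = (size_t)((last >> PAGE_SHIFT) - (addr >> PAGE_SHIFT)) + 1;

    if (pages > MAX_PAGES_PER_REQUEST)
        return false;                   /* bound the allocation up front */
    *out = pages;
    return true;
}

/* Convenience wrapper: page count on success, 0 when the request is rejected
 * (0 is never a valid count here, since empty requests are refused). */
size_t pages_or_zero(uintptr_t addr, size_t len)
{
    size_t n;
    return pages_checked(addr, len, &n) ? n : 0;
}

int main(void)
{
    /* Constructed request that straddles a page boundary: two pages. */
    printf("0x1FFF + 2 bytes -> %zu page(s)\n", pages_or_zero(0x1FFF, 2));
    /* Constructed wrapping request: the unchecked path yields an absurd count,
     * the checked path refuses it outright. */
    printf("unchecked wrap -> %zu pages\n", pages_unchecked(0x1000, UINTPTR_MAX - 0xFFF));
    printf("checked wrap   -> %zu (0 = rejected)\n", pages_or_zero(0x1000, UINTPTR_MAX - 0xFFF));
    printf("zero length    -> %zu (0 = rejected)\n", pages_or_zero(0x1000, 0));
    return 0;
}
```

The order of the checks matters: the wrap test must run before `addr + len - 1` is formed, and the cap must be applied before any allocation loop starts, otherwise the request still drives the allocator toward the OOM killer.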
* CVE-2010-4258: Privilege escalation via do_exit.
The do_exit function does not properly handle a KERNEL_DS get_fs value,
which allows local users to bypass intended access_ok restrictions,
overwrite arbitrary kernel memory locations, and gain privileges by
leveraging a BUG, NULL pointer dereference, or page fault.
* CVE-2010-3873: Memory corruption in X.25 facilities parsing.
The x25_parse_facilities function may cause a memcpy() of ULONG_MAX size,
destroying the kernel heap.
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows unprivileged
users to read 16 bytes of uninitialized stack memory.
* CVE-2010-4164: Denial of service parsing bad X.25 facilities.
On parsing malformed X.25 facilities, an integer underflow may cause a
kernel crash.
* CVE-2010-4175: Integer overflow in RDS cmsg handling.
An incorrect range check in rds_cmsg_rdma_args() could result in an
integer overflow, leading to memory corruption.
* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC and PPP over
L2TP.
A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. (CVE-2010-3859,
Important).
Missing boundary checks in the PPP over L2TP sockets implementation could
allow a local, unprivileged user to cause a denial of service or escalate
their privileges. (CVE-2010-4160, Important)
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.