[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1141-1)

Anders Kaseorg andersk at ksplice.com
Thu Jun 2 02:51:08 PDT 2011


Synopsis: USN-1141-1 can now be patched using Ksplice
CVEs: CVE-2010-4243 CVE-2010-4263 CVE-2010-4342 CVE-2010-4529 CVE-2010-4565 CVE-2011-0463 CVE-2011-0695 CVE-2011-0711 CVE-2011-0726 CVE-2011-1013 CVE-2011-1016 CVE-2011-1019 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1160 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182 CVE-2011-1477 CVE-2011-1478 CVE-2011-1493 CVE-2011-1573

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1141-1.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Denial of service in r8169 receive queue handling.

An overflow in the packet receive queue on Ethernet cards using the r8169
driver could cause an infinite loop in an interrupt handler.


* Locking failure in cpuset_write_resmask.

The kernel function cpuset_write_resmask() could fail to release a
lock under certain error conditions, leading to denial of service
or other kernel misbehavior.


* Memory corruption in netfilter logging.

The netfilter logging code failed to check array bounds, leading to a
denial of service or memory corruption.


* CVE-2011-1019: Arbitrary module loading with CAP_NET_ADMIN.

A flaw in dev_load() could allow a local user who has the
CAP_NET_ADMIN capability to load arbitrary modules from
"/lib/modules/", instead of only netdev modules.


* CVE-2011-1013: Signedness error in drm.

The drm_modeset_ctl() function incorrectly treated an unsigned integer
as signed, leading to a local denial of service or possible privilege
escalation.


* CVE-2010-4342: Denial of service vulnerability in econet protocol.

Nelson Elhage reported an issue in the econet protocol.  Remote
attackers can cause a denial of service by sending an Acorn Universal
Networking packet over UDP.


* CVE-2010-4263: NULL pointer dereference in igb network driver.

If both Single Root I/O Virtualization (SR-IOV) and promiscuous mode
are enabled on an interface using igb, a tagged VLAN packet on that
interface could cause a denial of service (NULL pointer dereference).


* CVE-2010-4529: Integer underflow in IrDA IRLMP_ENUMDEVICES.

An integer underflow bug was found in the IrDA subsystem.  Local users
may be able to gain access to sensitive kernel memory via a specially
crafted IRLMP_ENUMDEVICES getsockopt call.


* CVE-2011-0695: Remote denial of service in InfiniBand setup.

A race condition was found in the way the Linux kernel's InfiniBand
implementation set up new connections. This could allow a remote user to
cause a denial of service.


* Denial of service in kobil_sct serial driver.

The kobil_sct serial driver would call the function tty_port_tty_get
and dereference the result, without checking whether it was NULL.


* Reference count failure in PCI device vpd attribute.

When registering a PCI device with sysfs, the kernel could handle errors
incorrectly, resulting in bad reference counting and a memory leak or double
free.


* CVE-2011-0726: Information leak in /proc/[pid]/stat.

The start_code and end_code values in "/proc/[pid]/stat" were not
protected. In certain scenarios, this flaw could be used to defeat
Address Space Layout Randomization (ASLR).


* CVE-2011-1016: Privilege escalation in Radeon GPU driver.

The Radeon GPU drivers in the Linux kernel were missing sanity checks
for the Anti Aliasing (AA) resolve register values which could allow
a local, unprivileged user to cause a denial of service or escalate
their privileges on systems using a graphics card from the ATI Radeon
R300, R400, or R500 family of cards.


* CVE-2011-1477: Missing validation in OPL-3 driver.

Missing validation of user data in the OPL-3 driver could allow
a user to corrupt kernel memory and potentially escalate privileges.


* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.

A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from the kernel. This could allow a
process to generate a fake tgkill signal to a thread it is not privileged to
signal.


* CVE-2011-1180: Remote denial of service in IrDA subsystem.

A malicious IrDA peer could cause a kernel stack overflow by providing
invalid length fields for names and attributes, leading to denial of
service.


* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.

A remote host providing crafted FAC_NATIONAL_DIGIS,
FAC_CCITT_DEST_NSAP, or FAC_CCITT_SRC_NSAP fields could cause heap
corruption in the Rose driver, leading to denial of service (kernel
panic).


* Denial of service in mremap.

An integer overflow in the mremap call can be exploited by a local
user to cause a kernel BUG, leading to denial of service.


* CVE-2011-1078: Information leak in Bluetooth SCO link driver.

One byte of the 'struct sco_conninfo' data structure was not
initialized before being copied to userspace, leading to a leak of
potentially sensitive kernel memory.
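To illustrate the uninitialized-padding class of leak described above, here is an added userspace simulation (not code from the advisory or from the kernel): the struct layout is an assumption modelled on the description, and the stale-memory marker and sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on the SCO connection-info structure the advisory describes
 * (assumption: a 16-bit handle followed by a 3-byte class field). The object
 * is rounded up to 6 bytes, leaving one padding byte no field ever writes. */
struct sco_conninfo_demo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

#define STALE_BYTE 0xAA  /* stands in for whatever the kernel stack held */

/* Vulnerable pattern: only the named fields are assigned, so the padding
 * byte keeps its old contents, and copying the whole struct to userspace
 * discloses that byte. */
void fill_conninfo_unsafe(struct sco_conninfo_demo *out, uint16_t handle,
                          const uint8_t *cls) {
    out->hci_handle = handle;
    memcpy(out->dev_class, cls, sizeof(out->dev_class));
}

/* Fixed pattern: zero the whole object before filling it in, so padding
 * can never carry stale data to the caller. */
void fill_conninfo_safe(struct sco_conninfo_demo *out, uint16_t handle,
                        const uint8_t *cls) {
    memset(out, 0, sizeof(*out));
    out->hci_handle = handle;
    memcpy(out->dev_class, cls, sizeof(out->dev_class));
}

/* Simulate the leak: pre-fill the struct's storage with STALE_BYTE, run the
 * filler, then count bytes that still hold the marker (bytes that would leak). */
int leaked_bytes(void (*fill)(struct sco_conninfo_demo *, uint16_t,
                              const uint8_t *)) {
    struct sco_conninfo_demo info;
    const uint8_t cls[3] = {0x01, 0x02, 0x03};  /* constructed sample */
    memset(&info, STALE_BYTE, sizeof(info));
    fill(&info, 0x0042, cls);
    const unsigned char *raw = (const unsigned char *)&info;
    int leaked = 0;
    for (size_t i = 0; i < sizeof(info); i++)
        leaked += (raw[i] == STALE_BYTE);
    return leaked;
}

int main(void) {
    printf("unsafe filler leaks %d byte(s), safe filler leaks %d\n", leaked_bytes(fill_conninfo_unsafe), leaked_bytes(fill_conninfo_safe));
    return 0;
}
```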


* CVE-2011-1079: Denial of service in Bluetooth BNEP.

A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.


* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.

The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the
Oracle Cluster File System 2 (OCFS2) did not properly handle holes
that cross page boundaries, which allowed local users to obtain
potentially sensitive information from uninitialized disk locations by
reading a file.


* CVE-2011-1160: Information leak in tpm driver.

A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.


* Buffer overflow in iptables CLUSTERIP target.

The iptables CLUSTERIP target copies a string from userspace without
checking for null termination, leading to a buffer overflow.


* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.

Missing null-termination checks in the netfilter subsystem could cause
a portion of kernel stack memory to be made visible to all processes
on the system within the arguments to a spawned modprobe process.
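The BNEP, CLUSTERIP and netfilter issues above share one root cause: a fixed-size string copied from userspace is used without confirming it contains a terminator. This added C simulation (not kernel code and not from the advisory) contrasts the unchecked pattern with the check the fix needs; the 16-byte field and the request contents are constructed assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 16-byte fixed-size name field, like the device and target
 * names that the BNEP, CLUSTERIP and netfilter issues above copy in. */
#define NAME_LEN 16

/* Vulnerable pattern: trusts that the field is NUL-terminated, so strlen()
 * keeps reading whatever follows it when no terminator is present. */
size_t name_len_unchecked(const char *name) {
    return strlen(name);
}

/* Fixed pattern: require a NUL inside the field. Returns the name length, or
 * -EINVAL so the caller rejects the request instead of reading past it. */
long name_len_checked(const char *name) {
    const char *nul = memchr(name, '\0', NAME_LEN);
    return nul ? (long)(nul - name) : -EINVAL;
}

/* Constructed request as it sits in kernel memory after being copied in:
 * NAME_LEN name bytes followed by other fields. */
static void build_request(char *request, int terminated) {
    memset(request, 'A', NAME_LEN);               /* name field, no NUL */
    memcpy(request + NAME_LEN, "secret\0\0", 8);   /* following fields */
    if (terminated)
        request[NAME_LEN - 1] = '\0';             /* terminator inside */
}

/* Bytes past the end of the field that the unchecked length reaches. */
long unchecked_overrun(int terminated) {
    char request[NAME_LEN + 8];
    build_request(request, terminated);
    long n = (long)name_len_unchecked(request);
    return n > NAME_LEN ? n - NAME_LEN : 0;
}

/* Length the checked version accepts, or -EINVAL. */
long checked_result(int terminated) {
    char request[NAME_LEN + 8];
    build_request(request, terminated);
    return name_len_checked(request);
}

int main(void) {
    printf("unterminated: overrun %ld, checked %ld\n", unchecked_overrun(0), checked_result(0));
    printf("terminated:   overrun %ld, checked %ld\n", unchecked_overrun(1), checked_result(1));
    return 0;
}
```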


* Data loss on mmap page write in nilfs2.

Writing to a file on a nilfs2 filesystem via a memory mapping
could result in data loss.


* CVE-2011-1173: Information leak in Econet protocol.

Econet fails to initialize 4 bytes of padding in a structure, causing
an information leak from the kernel stack over the network.


* CVE-2011-1478: NULL pointer dereference in GRO.

The generic receive offload (GRO) code failed to reset a reused
pointer, leading to a potential NULL pointer dereference.


* Missing boundary checks in squashfs.

Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to
process a corrupted or malicious squashfs image.


* CVE-2011-1573: Remote denial of service in SCTP.

A flaw in the Linux kernel's Stream Control Transmission Protocol
(SCTP) implementation could allow a remote attacker to cause a denial
of service if the sysctl "net.sctp.addip_enable" and "auth_enable"
variables were turned on (they are off by default).


* Denial of service in NFS server via reference count leak.

Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service
(kernel panic) or other unspecified impact.


* CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.

The bcm_connect function in the Broadcast Manager Controller Area
Network (CAN) implementation created a publicly accessible file with a
filename containing a kernel memory address, which allowed local users
to obtain potentially sensitive information about kernel memory use by
listing this filename.


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call
implementation.  A local, unprivileged user could cause large amounts
of memory to be allocated but not visible to the OOM (Out of Memory)
killer, triggering a denial of service.


* CVE-2011-0711: Information leak in XFS filesystem.

The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.

