[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1080-1)
Reid Barton
rwbarton at ksplice.com
Fri Mar 4 10:50:34 PST 2011
Synopsis: USN-1080-1 can now be patched using Ksplice
CVEs: CVE-2010-2653 CVE-2010-3865 CVE-2010-3875 CVE-2010-3876
CVE-2010-3877 CVE-2010-3880 CVE-2010-4248 CVE-2010-4346 CVE-2010-4526
CVE-2010-4527 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650 CVE-2011-0006
CVE-2011-1044
Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1080-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.
The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.
* Use-after-free bug in sunrpc xprt.
A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.
* CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem. A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.
* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.
* Data corruption on RAID recovery to hot-added device.
Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered. This could lead to data corruption.
* CVE-2010-2653: Race condition in HVC subsystem.
A race condition between closing and removing a Hypervisor Virtual
Console device could lead to a NULL pointer dereference or possibly
other unspecified impact.
* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.
* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.
The load_mixer_volumes function (accessed via the
SOUND_MIXER_SETLEVELS ioctl) did not properly check the length of the
provided "name" argument, resulting in a privilege escalation
vulnerability via buffer overflow.
* CVE-2011-0006: Unhandled error condition when adding security rules.
When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default security
rules to be disabled.
* CVE-2010-4526: Remote denial of service vulnerability in SCTP.
A flaw was found in the sctp_icmp_proto_unreachable() function in the
Linux kernel's Stream Control Transmission Protocol (SCTP)
implementation. A remote attacker could use this flaw to cause a
denial of service.
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group
leader in the de_thread function in fs/exec.c.
* CVE-2010-3865: Integer overflow in RDS rdma page counting.
An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation. A local, unprivileged
user could use this flaw to cause a denial of service or escalate
their privileges.
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.
* CVE-2010-3877: Kernel information leak in tipc driver.
The get_name function in net/tipc/socket.c did not properly initialize
a certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
this structure.
* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
The INET-DIAG subsystem is inconsistent about how it looks up the
bytecode contained in a netlink message, making it possible for a user
to cause the kernel to execute unaudited INET-DIAG bytecode. This can
be abused to make the kernel enter an infinite loop, and possibly
other consequences.
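The FUSE_IOCTL_RETRY entry above describes iovec arguments whose combined length is larger than the request limit; the classic way such a check fails is that the running total wraps around. The following is an added example, not Ksplice's or the kernel's code: the naive summation beside the overflow-safe form. `struct iov`, `FUSE_MAX_REQ` and the sample lengths are constructed stand-ins, not the kernel's definitions.

```c
/* Added example (not Ksplice or kernel code): summing untrusted iovec
 * lengths safely. struct iov and FUSE_MAX_REQ are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FUSE_MAX_REQ ((size_t)4096)   /* constructed limit for the example */

struct iov {                  /* stand-in for struct iovec */
    void  *iov_base;
    size_t iov_len;
};

/* Naive check: the running total can wrap to a small value, so an
 * oversized request passes. Returns 1 if the request is accepted. */
int iov_fits_naive(const struct iov *iov, size_t n, size_t max)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += iov[i].iov_len;      /* unchecked addition may wrap */
    return total <= max;
}

/* Hardened check: compare each length against the remaining budget
 * instead of adding first, so the total can never exceed max or wrap. */
int iov_fits_checked(const struct iov *iov, size_t n, size_t max)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].iov_len > max - total)   /* max - total cannot underflow */
            return 0;
        total += iov[i].iov_len;
    }
    return 1;
}

/* Helpers that build a two-element request with constructed lengths. */
int naive_accepts_pair(size_t a, size_t b)
{
    struct iov v[2] = { { NULL, a }, { NULL, b } };
    return iov_fits_naive(v, 2, FUSE_MAX_REQ);
}

int checked_accepts_pair(size_t a, size_t b)
{
    struct iov v[2] = { { NULL, a }, { NULL, b } };
    return iov_fits_checked(v, 2, FUSE_MAX_REQ);
}

int main(void)
{
    /* Second length chosen so 16 + (SIZE_MAX - 8) wraps to 7. */
    printf("naive accepts wrapping request:   %d\n",
           naive_accepts_pair(16, SIZE_MAX - 8));
    printf("checked accepts wrapping request: %d\n",
           checked_accepts_pair(16, SIZE_MAX - 8));
    return 0;
}
```

The subtraction `max - total` is safe because the loop invariant keeps `total <= max`; checking the remaining budget before adding is the pattern to look for when reviewing any length-accumulation over attacker-controlled values.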
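The three kernel information leaks listed above (CVE-2010-3875, CVE-2010-3876 and CVE-2010-3877) share one root cause: a reply structure is filled field by field and then copied out whole, so padding bytes and unset members carry whatever was on the kernel stack. The following is an added example in user space, not Ksplice's or the kernel's code; `struct addr_reply` and the `STALE` sentinel are constructed to make the leaked bytes countable, and the fix shown is the zero-fill of the whole object before any member is set.

```c
/* Added example (not Ksplice or kernel code): stale padding bytes in a
 * struct copied out whole, beside the zero-fill that closes the leak.
 * struct addr_reply and STALE are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct addr_reply {
    uint16_t family;
    char     call[7];   /* 2 + 7 = 9 bytes; the ABI pads before 'seq' */
    uint32_t seq;
};

#define STALE 0xAA      /* sentinel standing in for leftover stack data */

/* Count bytes of the object that still hold the sentinel. */
static size_t count_stale(const struct addr_reply *r)
{
    const unsigned char *p = (const unsigned char *)r;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *r; i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Buggy pattern: set only the named members, then copy the whole struct.
 * Returns the number of bytes that would reach user space uninitialized. */
size_t leaked_bytes_buggy(void)
{
    struct addr_reply r;
    memset(&r, STALE, sizeof r);       /* simulate a reused stack slot */
    r.family = 3;
    memcpy(r.call, "N0CALL", 7);       /* constructed 6-char callsign + NUL */
    r.seq = 1;
    return count_stale(&r);
}

/* Fixed pattern: clear the entire object first, which zeroes padding too. */
size_t leaked_bytes_fixed(void)
{
    struct addr_reply r;
    memset(&r, STALE, sizeof r);       /* same stale slot as above */
    memset(&r, 0, sizeof r);           /* the fix: whole-object zero-fill */
    r.family = 3;
    memcpy(r.call, "N0CALL", 7);
    r.seq = 1;
    return count_stale(&r);
}

/* Padding inserted by the ABI, i.e. what the buggy path leaks. */
size_t padding_bytes(void)
{
    struct addr_reply r;
    return sizeof r - (sizeof r.family + sizeof r.call + sizeof r.seq);
}

int main(void)
{
    printf("padding bytes in struct: %zu\n", padding_bytes());
    printf("leaked (buggy):          %zu\n", leaked_bytes_buggy());
    printf("leaked (fixed):          %zu\n", leaked_bytes_fixed());
    return 0;
}
```

Setting every named member is not enough; only a whole-object `memset` (or a zero initializer of the complete struct) reaches the padding, which is why the upstream fixes for this class of bug add exactly that before the copy to user space.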
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.