[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1080-1)

Reid Barton rwbarton at ksplice.com
Fri Mar 4 10:50:34 PST 2011


Synopsis: USN-1080-1 can now be patched using Ksplice
CVEs: CVE-2010-2653 CVE-2010-3865 CVE-2010-3875 CVE-2010-3876
CVE-2010-3877 CVE-2010-3880 CVE-2010-4248 CVE-2010-4346 CVE-2010-4526
CVE-2010-4527 CVE-2010-4648 CVE-2010-4649 CVE-2010-4650 CVE-2011-0006
CVE-2011-1044

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1080-1.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.

The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.


* Use-after-free bug in sunrpc xprt.

A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.


* CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem.  A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.


* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.

The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.


* Data corruption on RAID recovery to hot-added device.

Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered.  This could lead to data corruption.


* CVE-2010-2653: Race condition in HVC subsystem.

A race condition between closing and removing a Hypervisor Virtual
Console device could lead to a NULL pointer dereference or possibly
unspecified other impact.


* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.


* CVE-2010-4527: Buffer overflow in OSS load_mixer_volumes.

The load_mixer_volumes function (accessed via the
SOUND_MIXER_SETLEVELS ioctl) did not properly check the length of the
provided "name" argument, resulting in a privilege escalation
vulnerability via buffer overflow.


* CVE-2011-0006: Unhandled error condition when adding security rules.

When a security rule is added on a system with a disabled Linux Security
Module, the kernel fails to detect an error condition, causing default security
rules to be disabled.


* CVE-2010-4526: Remote denial of service vulnerability in SCTP.

A flaw was found in the sctp_icmp_proto_unreachable() function in the
Linux kernel's Stream Control Transmission Protocol (SCTP)
implementation.  A remote attacker could use this flaw to cause a
denial of service.


* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group
leader in the de_thread function in fs/exec.c.


* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation.  A local, unprivileged
user could use this flaw to cause a denial of service or escalate
their privileges.


* CVE-2010-3875: Information leak in AX.25 protocol.

The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.


* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.


* CVE-2010-3877: Kernel information leak in tipc driver.

The get_name function in net/tipc/socket.c did not properly initialize
a certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
this structure.
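The pattern behind the three kernel information leaks above (a getname-style routine fills some members of a stack struct and then copies the whole struct to userland), as an added illustration that is not code from the advisory or the kernel; the struct, toy_getname() and leaked_bytes() are hypothetical stand-ins, with a sentinel byte standing in for stale stack contents:

```c
/* Added example, not code from the advisory or the kernel: the "copy a
 * partly initialized struct to userland" pattern behind CVE-2010-3875/
 * 3876/3877, with a hypothetical AX.25-style address struct.  Names are
 * assumptions. */
#include <stdint.h>
#include <string.h>

struct toy_sockaddr {
    uint16_t family;
    uint8_t  call[7];
    uint8_t  ndigis;      /* number of valid digi[] entries */
    uint8_t  digi[2][7];  /* only the first ndigis entries get written */
};

#define STACK_GARBAGE 0xAA  /* constructed stand-in for stale stack bytes */

/* Fill the caller's stack struct and copy the whole thing to 'user'.
 * fixed == 0 mirrors the bug: members the function never writes keep
 * whatever the stack held, and the full-size copy ships them out. */
static size_t toy_getname(struct toy_sockaddr *sa, const uint8_t *call,
                          int ndigis, const uint8_t digis[][7],
                          uint8_t *user, int fixed)
{
    if (fixed)
        memset(sa, 0, sizeof *sa);  /* the fix: zero the struct first */
    sa->family = 3;
    memcpy(sa->call, call, 7);
    sa->ndigis = (uint8_t)ndigis;
    for (int i = 0; i < ndigis; i++)
        memcpy(sa->digi[i], digis[i], 7);
    memcpy(user, sa, sizeof *sa);   /* stands in for copy_to_user() */
    return sizeof *sa;
}

/* Dirty the stack slot, call getname with one digipeater, and count how
 * many stale bytes reached userland: 7 (the unused digi[1]) when leaky,
 * 0 with the memset fix.  Padding bytes would leak the same way. */
size_t leaked_bytes(int fixed)
{
    struct toy_sockaddr slot;
    uint8_t user[sizeof slot];
    static const uint8_t call[7] = "ABCDEF";      /* constructed */
    static const uint8_t digis[1][7] = {"REPTR"}; /* constructed */
    size_t stale = 0;
    memset(&slot, STACK_GARBAGE, sizeof slot);
    toy_getname(&slot, call, 1, digis, user, fixed);
    for (size_t i = 0; i < sizeof user; i++)  /* sentinel bytes in the copy */
        stale += (user[i] == STACK_GARBAGE);
    return stale;
}
```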


* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the
bytecode contained in a netlink message, making it possible for a user
to cause the kernel to execute unaudited INET-DIAG bytecode. This can
be abused to make the kernel enter an infinite loop, and possibly
other consequences.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
