[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1218-1)

Tim Abbott tim.abbott at oracle.com
Fri Sep 30 16:49:32 PDT 2011


Synopsis: USN-1218-1 can now be patched using Ksplice
CVEs: CVE-2010-4076 CVE-2010-4077 CVE-2011-1017 CVE-2011-1020 
CVE-2011-1493 CVE-2011-1577 CVE-2011-1585 CVE-2011-1767 CVE-2011-2183 
CVE-2011-2213 CVE-2011-2484 CVE-2011-2492 CVE-2011-2495 CVE-2011-2517 
CVE-2011-2700 CVE-2011-2707 CVE-2011-2723 CVE-2011-2909 CVE-2011-2918

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1218-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2010-4077: Kernel information leak in nozomi driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
struct serial_icounter_struct declared on the stack is never written
or zeroed before the structure is copied back to user space.


* CVE-2010-4076: Kernel information leak in amiserial driver.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
struct serial_icounter_struct declared on the stack is never written
or zeroed before the structure is copied back to user space.


* CVE-2011-1577: Missing boundary checks in GPT partition handling.

A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation
could allow a local attacker to cause a denial of service by mounting a
disk containing specially-crafted partition tables.


* Information leak in kernel memory leak detector.

kmemleak_seq_next() tries to get a reference on the next object while
traversing the object list. When it failed to get the last object, it
still returned a pointer to that object instead of returning NULL.


* ext3 filesystem corruption when no space is left on the device.

When make_indexed_dir() failed because there was no space left on the
device, not all of the modified buffers were marked dirty, so they were
never written to disk and the directory was left corrupted.


* Additional fix for CVE-2011-1017.

Ubuntu provided an additional fix for CVE-2011-1017 (Missing boundary
checks in LDM partition table parsing).


* CVE-2011-2517: Buffer overflow in 802.11 netlink interface.

The nl80211_trigger_scan function did not check that each requested
SSID fit in the fixed-size (32-byte) SSID buffer before copying it,
allowing a buffer overflow that could be used for denial of service.
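An added example, not code from the advisory or from the kernel: a
user-space model of the pattern behind CVE-2011-2517. SSIDs arrive as
length-prefixed attributes and are copied into 32-byte slots of a request
structure; the attribute encoding, the struct layout and the 40-byte
sample request are constructed for illustration. The fixed parser rejects
an over-long SSID before copying; the vulnerable one copies it as declared
and corrupts its own length field and the neighbouring entry.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SSID_LEN 32   /* IEEE 802.11 SSID limit, as in the kernel */
#define MAX_SSIDS     2

struct ssid_entry {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
};

struct scan_request {              /* constructed layout, not the kernel's */
    struct ssid_entry ssids[MAX_SSIDS];
    uint8_t n_ssids;
};

/* Constructed attribute stream: a length byte followed by that many SSID
 * bytes, repeated. Returns 0 or a negative errno; check_len selects the
 * fixed behaviour. */
static int parse_ssids(const uint8_t *attrs, size_t attrs_len,
                       struct scan_request *req, int check_len)
{
    size_t pos = 0;
    int i = 0;

    memset(req, 0, sizeof *req);
    while (pos < attrs_len) {
        size_t len = attrs[pos++];
        unsigned char *dst;
        size_t room;

        if (len > attrs_len - pos)            /* attribute overruns the stream */
            return -EINVAL;
        if (i >= MAX_SSIDS)
            return -EINVAL;
        if (check_len && len > MAX_SSID_LEN)  /* the fix: reject before copying */
            return -EINVAL;

        /* Unchecked copy. In the driver this ran past the 32-byte slot into
         * ssid_len and the following entries. Here the copy is clipped at the
         * end of the request struct so this model never writes outside an
         * object; the corruption inside the struct is still visible. */
        dst  = (unsigned char *)&req->ssids[i];
        room = (size_t)(((unsigned char *)req + sizeof *req) - dst);
        memcpy(dst, attrs + pos, len < room ? len : room);
        req->ssids[i].ssid_len = (uint8_t)len;  /* > 32: later readers over-read */
        pos += len;
        i++;
    }
    req->n_ssids = (uint8_t)i;
    return 0;
}

int parse_ssids_vulnerable(const uint8_t *a, size_t n, struct scan_request *r)
{ return parse_ssids(a, n, r, 0); }

int parse_ssids_fixed(const uint8_t *a, size_t n, struct scan_request *r)
{ return parse_ssids(a, n, r, 1); }

/* Constructed request: a single 40-byte SSID, 8 bytes over the limit. */
#define BAD_LEN 40
size_t build_oversized_request(uint8_t *buf, size_t cap)
{
    if (cap < 1 + BAD_LEN)
        return 0;
    buf[0] = BAD_LEN;
    memset(buf + 1, 'A', BAD_LEN);
    return 1 + BAD_LEN;
}

/* Non-zero bytes in ssids[1]: the request was zeroed and only ssids[0]
 * was written, so anything found here came from the overflow. */
int clobbered_neighbor_bytes(const struct scan_request *req)
{
    const unsigned char *p = (const unsigned char *)&req->ssids[1];
    int n = 0;
    for (size_t k = 0; k < sizeof req->ssids[1]; k++)
        n += (p[k] != 0);
    return n;
}

static int run_oversized(int fixed, struct scan_request *req)
{
    uint8_t buf[1 + BAD_LEN];
    size_t n = build_oversized_request(buf, sizeof buf);
    return fixed ? parse_ssids_fixed(buf, n, req)
                 : parse_ssids_vulnerable(buf, n, req);
}

int oversized_rc(int fixed)
{ struct scan_request req; return run_oversized(fixed, &req); }

int oversized_first_len(int fixed)
{ struct scan_request req; run_oversized(fixed, &req); return req.ssids[0].ssid_len; }

int oversized_clobbered(int fixed)
{ struct scan_request req; run_oversized(fixed, &req); return clobbered_neighbor_bytes(&req); }

int main(void)
{
    printf("vulnerable: rc=%d ssid_len=%d neighbour bytes clobbered=%d\n",
           oversized_rc(0), oversized_first_len(0), oversized_clobbered(0));
    printf("fixed:      rc=%d (EINVAL=%d) neighbour bytes clobbered=%d\n",
           oversized_rc(1), -EINVAL, oversized_clobbered(1));
    return 0;
}
```

The vulnerable parser accepts the request, records an ssid_len of 40 that
any later consumer would trust, and leaves seven attacker bytes in the
second entry; the fixed parser returns -EINVAL before anything is copied.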


* CVE-2011-2484: Denial of service in taskstats subsystem.

The add_del_listener function in kernel/taskstats.c in the Linux kernel
did not prevent multiple registrations of exit handlers, which allowed
local users to cause a denial of service (memory and CPU consumption),
and bypass the OOM Killer, via a crafted application.


* CVE-2011-2183: NULL pointer dereference in ksmd.

Andrea Righi reported a case where an exiting task can race against
scan_get_next_rmap_item() in ksmd and trigger a NULL pointer
dereference in ksmd.


* CVE-2011-2213: Denial of service in inet_diag_bc_audit.

inet_diag_bc_audit() validates the filter bytecode supplied by user
space, but did not check the forward skip of every operation, so a
local, unprivileged user could submit bytecode on which the audit loop
never made progress, causing a denial of service (infinite loop).
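As an added example (not from the advisory or the kernel source), here is
a user-space model of a bytecode audit in the shape of
inet_diag_bc_audit(): each 4-byte op carries a forward skip ("yes") and a
fallback skip ("no"), and the audit walks the program by those skips. The
opcode names and the two sample programs are constructed; the point is
that range- and alignment-checking the skip of every op, not just the
conditional ones, is what guarantees the loop terminates.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Modelled on struct inet_diag_bc_op: one 4-byte operation. */
struct bc_op {
    unsigned char  code;
    unsigned char  yes;   /* bytes to advance when the op matches */
    unsigned short no;    /* bytes to advance when it does not */
};

enum { BC_NOP = 0, BC_JMP = 1, BC_COND = 2 };   /* constructed opcodes */

/* Budget so the vulnerable loop returns instead of hanging the process. */
#define MAX_STEPS 100000L

/* Vulnerable audit: only the conditional op's "yes" skip is range-checked.
 * NOP and JMP reach "bc += yes" with whatever the sender put there, and a
 * yes of 0 makes no progress; the kernel loop never returned. */
int audit_vulnerable(const unsigned char *bc, int len)
{
    long steps = 0;
    while (len > 0) {
        struct bc_op op;
        if (len < (int)sizeof op)        /* partial op: hygiene, not the CVE */
            return -EINVAL;
        memcpy(&op, bc, sizeof op);
        switch (op.code) {
        case BC_COND:
            if (op.yes < 4 || op.yes > len)
                return -EINVAL;
            /* fall through */
        case BC_JMP:
            if (op.no < 4 || op.no > len)
                return -EINVAL;
            break;
        case BC_NOP:
            break;
        default:
            return -EINVAL;
        }
        bc  += op.yes;
        len -= op.yes;
        if (++steps > MAX_STEPS)
            return -ELOOP;               /* stands in for "never terminates" */
    }
    return len == 0 ? 0 : -EINVAL;
}

/* Fixed audit: every op, whatever its code, must advance by at least one
 * whole op, stay inside the remaining program and keep 4-byte alignment;
 * the same holds for the "no" branch of ops that have one. len therefore
 * strictly decreases and the loop always terminates. */
int audit_fixed(const unsigned char *bc, int len)
{
    while (len > 0) {
        struct bc_op op;
        if (len < (int)sizeof op)
            return -EINVAL;
        memcpy(&op, bc, sizeof op);
        switch (op.code) {
        case BC_COND:
        case BC_JMP:
            if (op.no < 4 || op.no > len || (op.no & 3))
                return -EINVAL;
            break;
        case BC_NOP:
            break;
        default:
            return -EINVAL;
        }
        if (op.yes < 4 || op.yes > len || (op.yes & 3))
            return -EINVAL;
        bc  += op.yes;
        len -= op.yes;
    }
    return len == 0 ? 0 : -EINVAL;
}

/* Constructed programs, built as structs so the 2-byte field is in host
 * byte order. */
static const struct bc_op prog_good[] = {
    { BC_COND, 4, 8 },   /* match: next op; mismatch: jump past the end */
    { BC_NOP,  4, 0 },
};
static const struct bc_op prog_spin[] = {
    { BC_NOP, 0, 0 },    /* yes == 0: the cursor never moves */
};

int audit_prog(int (*audit)(const unsigned char *, int),
               const struct bc_op *prog, size_t n_ops)
{
    return audit((const unsigned char *)prog, (int)(n_ops * sizeof *prog));
}

int main(void)
{
    printf("well-formed program: vulnerable=%d fixed=%d\n",
           audit_prog(audit_vulnerable, prog_good, 2),
           audit_prog(audit_fixed, prog_good, 2));
    printf("yes==0 program:      vulnerable=%d (ELOOP stands in for a hang) fixed=%d\n",
           audit_prog(audit_vulnerable, prog_spin, 1),
           audit_prog(audit_fixed, prog_spin, 1));
    return 0;
}
```

Both audits accept the well-formed program. On the zero-skip program the
vulnerable audit spins until the step budget is exhausted, while the fixed
audit rejects the op with -EINVAL on the first iteration.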


* CVE-2011-1020: Missing access restrictions in /proc subsystem.

The proc filesystem implementation did not restrict access to the
/proc directory tree of a process after that process executed a setuid
program, which allowed local users to obtain sensitive information or
potentially cause other integrity issues.


* CVE-2011-1493: Missing boundary checks in rose driver.

Several missing boundary checks were discovered in the rose driver,
allowing a remote host to cause memory corruption or a kernel panic by
sending malformed packets.


* CVE-2011-2492: Information leak in Bluetooth implementation.

Structure padding in two structures in the Bluetooth implementation was
not initialized properly before being copied to user-space, possibly
allowing local, unprivileged users to leak kernel stack memory to
user-space.
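The two TIOCGICOUNT items above (CVE-2010-4076, CVE-2010-4077) and the
Bluetooth padding leak (CVE-2011-2492) are one bug class: a structure is
built on the kernel stack member by member and then copied to user space
whole, so any member or padding byte that nobody wrote carries stale stack
contents. The following user-space C model is an added example, not code
from the advisory or from the kernel. struct icounter is modelled on
struct serial_icounter_struct; struct conn_opts, the counter values and
the 0xAA fill standing in for leftover stack data are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled on struct serial_icounter_struct: eleven counters plus a
 * reserved[9] tail that the affected drivers never wrote. */
struct icounter {
    int cts, dsr, rng, dcd, rx, tx;
    int frame, overrun, parity, brk, buf_overrun;
    int reserved[9];
};

/* Modelled on a getsockopt() result with a narrow field before a wide one:
 * the compiler inserts padding after 'mode' that no assignment touches. */
struct conn_opts {
    uint8_t  mode;
    uint32_t mtu;
};

#define STALE 0xAA   /* byte pattern standing in for leftover stack contents */

/* Stand-in for copy_to_user(): hands n raw bytes to the caller. It cannot
 * tell initialized data from stale stack. */
static void copy_to_user_sim(void *user, const void *kernel, size_t n)
{
    memcpy(user, kernel, n);
}

static size_t count_stale(const void *p, size_t n)
{
    const unsigned char *b = p;
    size_t k, stale = 0;
    for (k = 0; k < n; k++)
        stale += (b[k] == STALE);
    return stale;
}

/* Vulnerable pattern: assign every named counter, never touch 'reserved'. */
static void fill_icounter_vulnerable(struct icounter *ic)
{
    ic->cts = 1; ic->dsr = 2; ic->rng = 3; ic->dcd = 4;
    ic->rx = 100; ic->tx = 200;
    ic->frame = 0; ic->overrun = 0; ic->parity = 0; ic->brk = 0;
    ic->buf_overrun = 0;
}

/* Fixed pattern: clear the whole object first. memset is used rather than
 * a "= {0}" initializer because C does not guarantee that an initializer
 * zeroes padding bytes. */
static void fill_icounter_fixed(struct icounter *ic)
{
    memset(ic, 0, sizeof *ic);
    fill_icounter_vulnerable(ic);   /* same field assignments as before */
}

static void fill_opts_vulnerable(struct conn_opts *o)
{
    o->mode = 1;
    o->mtu  = 672;   /* both fields set; the padding between them is not */
}

static void fill_opts_fixed(struct conn_opts *o)
{
    memset(o, 0, sizeof *o);
    fill_opts_vulnerable(o);
}

/* Build the struct in a "stack slot" pre-filled with STALE, copy it out as
 * the ioctl/getsockopt would, and count the stale bytes the user receives. */
size_t leaked_icounter_bytes(int fixed)
{
    struct icounter slot, user;
    memset(&slot, STALE, sizeof slot);
    (fixed ? fill_icounter_fixed : fill_icounter_vulnerable)(&slot);
    copy_to_user_sim(&user, &slot, sizeof user);
    return count_stale(&user, sizeof user);
}

size_t leaked_opts_bytes(int fixed)
{
    struct conn_opts slot, user;
    memset(&slot, STALE, sizeof slot);
    (fixed ? fill_opts_fixed : fill_opts_vulnerable)(&slot);
    copy_to_user_sim(&user, &slot, sizeof user);
    return count_stale(&user, sizeof user);
}

int main(void)
{
    printf("icounter:  vulnerable leaks %zu bytes, fixed leaks %zu\n",
           leaked_icounter_bytes(0), leaked_icounter_bytes(1));
    printf("conn_opts: vulnerable leaks %zu bytes, fixed leaks %zu\n",
           leaked_opts_bytes(0), leaked_opts_bytes(1));
    return 0;
}
```

The vulnerable icounter path leaks all 36 bytes of reserved[9]; the
conn_opts path leaks exactly the padding bytes (sizeof(struct conn_opts)
minus the 5 bytes of real data). Both fixed paths leak nothing, which is
the check to apply to any kernel routine that builds a struct and hands it
to copy_to_user().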


* CVE-2011-2723: Remote denial of service vulnerability in GRO.

The skb_gro_header_slow function in the Linux kernel had a bug which
allowed a remote attacker to leave certain generic receive offload (GRO)
fields in an inconsistent state, resulting in a denial of service.


* Threading bugs caused by incorrect declaration in rpcbind client.

struct rpcbind_args *map was declared static, so the values assigned to
map could be handed to two different tasks if two threads entered the
function at the same time, causing use-after-free and double-free
memory bugs.


* CVE-2011-2700: Buffer overflow in the si4713 radio driver.

Mauro Carvalho Chehab reported insufficient length checks in
si4713_write_econtrol_string allowing a buffer overflow.


* CVE-2011-2909: Information leak in comedi driver.

The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.


* System freeze in JMicron driver.

A missing dma_unmap in the JMicron ethernet device driver caused
system freezes under heavy loads.


* Heap corruption bug in pmcraid driver.

Passing a malformed PMCRAID_PASSTHROUGH_IOCTL ioctl from userspace
could lead to heap corruption or denial of service.


* CVE-2011-2707: Arbitrary read vulnerability in ptrace.

The ptrace_setxregs() function in the xtensa architecture did not
validate the user-supplied pointer before reading from it, allowing an
unprivileged user to make the kernel read arbitrary kernel memory.


* CVE-2011-1585: Authentication bypass in CIFS.

Jeff Layton reported an issue in the Common Internet File System (CIFS).
Local users can bypass authentication requirements for shares that are
already mounted by another user.


* Denial of service in CIFS password handling.

The kernel's CIFS implementation would sometimes dereference a NULL
pointer representing a missing password.


* CVE-2011-1767: Incorrect initialization order in ip_gre.

The ip_gre module initializes structures out of order, resulting in a
possible denial of service (kernel oops) if a packet arrives during
certain intervals while the module is being loaded.


* CVE-2011-2495: Information leak in /proc/PID/io.

/proc/PID/io was readable by any local user, so the I/O statistics of
other users' processes could be gathered and used to infer private
information.


* NULL pointer dereference in dm multipath driver.

Supplying fewer feature arguments than indicated to parse_features
allowed a NULL pointer dereference.


* CVE-2011-2918: Denial of service in event overflows in perf.

Vince Weaver discovered that incorrect handling of software event
overflows in the kernel's perf events subsystem (the kernel side of the
perf analysis tool) could lead to local denial of service.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.




More information about the Ksplice-Ubuntu-10.04-Updates mailing list