[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (2.6.32-39.86)

Sasha Levin sasha.levin at oracle.com
Tue Mar 6 03:49:45 PST 2012


Synopsis: 2.6.32-39.86 can now be patched using Ksplice
CVEs: CVE-2009-4307 CVE-2011-4127 CVE-2011-4622 CVE-2012-0038

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, 2.6.32-39.86.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-4622: NULL pointer dereference in KVM interval timer emulation.

Starting PIT timers in the absence of irqchip support could cause a
NULL pointer dereference and a kernel oops.


* Denial of service in the CFQ I/O scheduler.

A race condition between two processes may stop all I/O to one of
them.


* Use after free in the USB communication device driver.

A dangling pointer in the USB communication device driver, left behind by an
earlier failure on that device, may be used to corrupt kernel memory.


* Denial of service in the ASIX network controller.

The ASIX 88772 network controller may enter an infinite loop after a short
period of heavy load.


* Kernel panic in the SCSI device handler.

When using software RAID, activating a new SCSI data path might cause a kernel
panic because a pointer was not validated.

* CVE-2012-0038: Buffer overflow in XFS ACL handling code.

An integer overflow bug in the XFS filesystem's ACL handling could
lead to a heap-based buffer overflow when mounting a maliciously
crafted XFS filesystem.


* Improved fix for CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.

The sanity check added in the original CVE-2009-4307 fix relied on undefined
compiler behaviour, which meant that it worked only on specific architectures
and did not work on x86, for example.

This fix replaces the check with a standards-compliant check that works on
all architectures.
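As an added illustration (not kernel code and not part of the original notice) of why a sanity check that inspects the shifted result is unreliable, and what a range check on the exponent itself looks like: the function names below are invented, the single-byte input stands in for the on-disk exponent field, and the masked shift only models what the 32-bit x86 shift instruction does with an over-wide count.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the ORIGINAL style of check: shift first, then inspect the
 * result. In C, 1 << log is undefined once log >= 32, so the compiler
 * and CPU are free to do anything. The x86 32-bit shift instruction
 * masks the count to its low 5 bits; that masking is written out here
 * so the model stays defined and deterministic. */
static bool old_check_rejects_x86(uint8_t log_from_disk)
{
    uint32_t groups_per_flex = 1u << (log_from_disk & 31); /* x86 model */
    return groups_per_flex < 2; /* 36 -> 1<<4 = 16, so 36 is accepted */
}

/* Standards-compliant check: validate the exponent before shifting.
 * A flex group needs at least two block groups (log >= 1) and the shift
 * must stay inside a 32-bit value (log <= 31). No undefined behaviour
 * is ever evaluated, so the result is the same on every architecture. */
static bool new_check_rejects(uint8_t log_from_disk)
{
    return log_from_disk < 1 || log_from_disk > 31;
}

/* Groups per flex group, or 0 when the superblock value is rejected. */
static uint32_t groups_per_flex_checked(uint8_t log_from_disk)
{
    if (new_check_rejects(log_from_disk))
        return 0;
    return 1u << log_from_disk; /* now a well-defined shift */
}

int main(void)
{
    /* Constructed sample exponents: sane values and corrupted ones. */
    const uint8_t samples[] = { 0, 4, 31, 32, 36, 255 };
    for (size_t i = 0; i < sizeof samples; i++) {
        printf("log=%3u  old check (x86) rejects=%d  new check rejects=%d  groups=%u\n",
               samples[i], old_check_rejects_x86(samples[i]),
               new_check_rejects(samples[i]),
               groups_per_flex_checked(samples[i]));
    }
    return 0;
}
```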


* Use after free in UBI driver.

The error path in erase_worker in the UBI (unsorted block images)
driver may allow an erase entry object to be used after it is freed.


* Denial of service in Video4Linux2 ioctls.

An integer overflow in video_usercopy in the Video4Linux2 subsystem
may cause access to invalid memory.


* CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.

Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM
volumes resulted in the requests being passed to the underlying block
device. If a privileged user only had access to a single partition or
LVM volume, they could use this flaw to bypass those restrictions and
gain read and write access (and be able to issue other SCSI commands)
to the entire block device.

In KVM (Kernel-based Virtual Machine) environments using raw format
virtio disks backed by a partition or LVM volume, a privileged guest
user could bypass intended restrictions and issue read and write
requests (and other SCSI commands) on the host, and possibly access
the data of other guests that reside on the same underlying block
device.


* NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.

During the destruction of a driver instance, a NULL dereference occurs if
the driver instance was not successfully allocated in the initialization function.


* Denial of service in the eCryptfs filesystem.

On 32-bit systems, when truncating a file, the integer holding the file size
could overflow, which would put the write operation into an infinite loop in
the kernel.


* Bad SHA512 calculation under heavy load.

If the SHA512 hash function is used under heavy load, it may silently
compute a wrong hash for the given data.

This may allow an attacker to cause invalid hash calculations by
repeatedly calling the hash function.


* Memory corruption in the Direct Rendering Manager.

A race condition in the Direct Rendering Manager may allow an
unprivileged user to corrupt kernel memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
