[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (Ubuntu-2.6.35-23.40)

Anders Kaseorg andersk at ksplice.com
Thu Nov 25 00:37:54 PST 2010


Synopsis: Ubuntu-2.6.35-23.40 can now be patched using Ksplice
CVEs: CVE-2010-3067 CVE-2010-3078 CVE-2010-3296 CVE-2010-3297 CVE-2010-3298 CVE-2010-3432 CVE-2010-4074 CVE-2010-4078 CVE-2010-4082

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu Security Notice, Ubuntu-2.6.35-23.40.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users
install these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* Integer overflow bug in groups_search.

The groups_search function in the kernel has an integer overflow bug
causing it to not operate correctly in the event that the group_info
structure contains a gid higher than MAX_INT.


* CVE-2010-4074: Kernel information leaks in USB serial drivers.

The TIOCGICOUNT device ioctl in both mos7720.c and mos7840.c allows
unprivileged users to read uninitialized stack memory, because the
"reserved" member of the serial_icounter_struct struct declared on the
stack is not altered or zeroed before being copied back to the user.


* CVE-2010-3298: Kernel information leak in hso_get_count.

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in hso_get_count()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3296: Kernel information leak in cxgb driver.

The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to
read 4 bytes of uninitialized stack memory, because the "addr" member
of the ch_reg struct declared on the stack in cxgb_extension_ioctl()
is not altered or zeroed before being copied back to the user.


* CVE-2010-3297: Kernel information leak in eql driver.

The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "master_name" member
of the master_config_t struct declared on the stack in
eql_g_master_cfg() is not altered or zeroed before being copied back
to the user.


* CVE-2010-4078: Kernel information leak in sisfb_ioctl.

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.


* CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO ioctl.

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user.


* CVE-2010-3078: Information leak in XFS_IOC_FSGETXATTR ioctl.

The XFS_IOC_FSGETXATTR ioctl allowed unprivileged users to read 12
bytes of uninitialized stack memory, because the fsxattr struct
declared on the stack in xfs_ioc_fsgetxattr() did not alter (or zero)
the 12-byte fsx_pad member before copying it back to the user.


* CVE-2010-3432: Remote denial of service vulnerability in SCTP.

The sctp_outq_flush() function can call sctp_packet_reset() on a
packet structure that has already been filled with chunks.  This
resets the packet length but does not remove the chunks from the list;
the SCTP code then re-initializes the packet, which because of the
incorrect length could overflow the skb, resulting in a kernel panic.


* CVE-2010-3067: Information leak in do_io_submit().

An integer overflow error in the do_io_submit function could be used by
userspace processes to read kernel memory.


* Buffer overflow in vt6655 driver.

The vt6655 driver's wpa_set_associate function does not properly check
a user-provided length, resulting in a buffer overflow.


* Kernel information leak in rds driver.

A stack information leak vulnerability was found in the rds driver.
An unprivileged attacker could read uninitialized data from a kernel
stack.
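

The ioctl entries above (TIOCGICOUNT, CHELSIO_GET_QSET_NUM, EQL_GETMASTRCFG, FBIOGET_VBLANK, VIAFB_GET_INFO, XFS_IOC_FSGETXATTR) share one pattern: a struct on the stack is partly filled in and then copied out whole. The following userspace model of that pattern and its fix is an added example, not kernel or Ksplice code; the struct layout, function names and the 0xA5 stale-stack pattern are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified reply struct: two counters the handler fills in,
 * then a "reserved" array it never writes (the member the advisory names). */
struct icount_reply {
    int rx, tx;
    int reserved[9];
};

/* Vulnerable shape: named fields are set, "reserved" keeps its old contents.
 * 'slot' models the stack slot; memcpy stands in for copy_to_user(). */
static void get_count_leaky(struct icount_reply *slot, void *user)
{
    slot->rx = 10;
    slot->tx = 20;
    memcpy(user, slot, sizeof *slot);
}

/* Fixed shape: zero the entire struct before filling it in. */
static void get_count_fixed(struct icount_reply *slot, void *user)
{
    memset(slot, 0, sizeof *slot);
    slot->rx = 10;
    slot->tx = 20;
    memcpy(user, slot, sizeof *slot);
}

/* Run a handler over a slot pre-filled with a constructed stale pattern
 * (0xA5) and count how many stale bytes reach the caller's buffer. */
static size_t leaked_bytes(void (*handler)(struct icount_reply *, void *))
{
    struct icount_reply slot;
    unsigned char user[sizeof slot] = {0};
    size_t i, n = 0;

    memset(&slot, 0xA5, sizeof slot);
    handler(&slot, user);
    for (i = offsetof(struct icount_reply, reserved); i < sizeof slot; i++)
        n += (user[i] == 0xA5);
    return n;
}

int main(void)
{
    printf("leaky: %zu stale bytes, fixed: %zu\n",
           leaked_bytes(get_count_leaky), leaked_bytes(get_count_fixed));
    return 0;
}
```

When auditing other ioctl handlers for the same class of bug, the thing to look for is a copy of `sizeof` the whole struct with no preceding zeroing of the struct.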


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



