[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (Ubuntu-2.6.35-22.34)

Tim Abbott tabbott at ksplice.com
Wed Oct 13 15:14:13 PDT 2010 

Synopsis: Ubuntu-2.6.35-22.34 can now be patched using Ksplice
CVEs: CVE-2010-2954 CVE-2010-2955 CVE-2010-2960 CVE-2010-2962 CVE-2010-3080 CVE-2010-3437 CVE-2010-3705

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch against 
the latest Ubuntu kernel update, Ubuntu-2.6.35-22.34.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users install 
these updates.  You can install these updates by running:

# uptrack-upgrade -y


DESCRIPTION

* CVE-2010-2954: NULL pointer dereference in irda subsystem.

The irda_bind function in net/irda/af_irda.c in the Linux kernel did
not properly handle a failure in the irda_open_tsap function.  This
allows local users to cause a denial of service (NULL pointer
dereference and panic) via multiple unsuccessful calls to bind on an
AF_IRDA (aka PF_IRDA) socket.


* CVE-2010-2955: Information leak in wireless extensions.

The cfg80211_wext_giwessid function in does not properly initialize
certain structure members.  A local user could leverage an off-by-one
error in the ioctl_standard_iw_point function to obtain potentially
sensitive information from kernel heap memory using an SIOCGIWESSID
ioctl call that specifies a large buffer size.


* CVE-2010-2960: NULL pointer dereference in keyctl_session_to_parent.

The keyctl_session_to_parent function in security/keys/keyctl.c in the
Linux kernel expects that a certain parent session keyring exists,
which allows local users to cause a NULL pointer dereference via a
KEYCTL_SESSION_TO_PARENT argument to the keyctl function.


* CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.

Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation
layer.  Local users with sufficient privileges to open /dev/sequencer
can cause a denial of service or privilege escalation via a NULL
pointer dereference.


* CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.

The i915 driver's pread and pwrite ioctls had several bugs in their
access control checks that could be used to achieve privilege
escalation.


* CVE-2010-3437: Information leak in pktcdvd driver.

Integer signedness error in the pkt_find_dev_from_minor function
allows local users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer dereference and system
crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.


* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.

The SCTP subsystem's sctp_asoc_get_hmac function did not correctly
check for an out of range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corrptuon.


* Out of bounds copy in ocfs2 fast symlink handling.

The ocfs2 fast symlink code used strlen() to compute how many bytes of
the fast symlink data in the inode data area to copy.  An attacker who
could cause the system to mount a malicious filesystem image could use
this vulnerability to copy too much data by providing a fast symlink
data string that is not NULL-terminated.


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.

More information about the Ubuntu-10.10-Updates mailing list