[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (Ubuntu-2.6.35-25.44)
Tim Abbott
tabbott at ksplice.com
Sat Jan 29 15:19:55 PST 2011
Synopsis: Ubuntu-2.6.35-25.44 can now be patched using Ksplice
CVEs: CVE-2010-3310 CVE-2010-3859 CVE-2010-3873 CVE-2010-3874 CVE-2010-3881 CVE-2010-4073 CVE-2010-4157 CVE-2010-4158 CVE-2010-4160 CVE-2010-4162 CVE-2010-4163 CVE-2010-4164 CVE-2010-4165 CVE-2010-4169 CVE-2010-4175 CVE-2010-4242 CVE-2010-4243 CVE-2010-4249 CVE-2010-4256 CVE-2010-4258 CVE-2010-4347
Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch against
the latest Ubuntu kernel update, Ubuntu-2.6.35-25.44.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
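The following shell snippet is an added example and is not part of the Ksplice announcement or the Uptrack tooling. It decides, from the "autoinstall" setting in an uptrack.conf-style file, whether a host will pick these updates up on its own or whether an administrator has to run uptrack-upgrade. The configuration path is taken as a parameter so the check runs against constructed sample files; the parsing of comments, whitespace and case is an assumption about the file format, not documented behaviour of Uptrack.

```shell
#!/bin/sh
# Added example: check whether a Ksplice Uptrack host applies updates
# automatically ("autoinstall = yes" in /etc/uptrack/uptrack.conf) or
# needs a manual "/usr/sbin/uptrack-upgrade -y" as the advisory describes.

# uptrack_autoinstall_enabled CONF
# Returns 0 when CONF sets autoinstall to yes, 1 otherwise.
# Tolerates leading whitespace, spaces around '=', mixed case and
# '#' or ';' comments (assumed INI-style syntax); last assignment wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' \
        | tail -n 1)
    [ "$value" = "yes" ]
}

# recommended_action CONF
# Prints the action the advisory recommends for this host.
recommended_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not files from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auto.conf" <<'EOF'
# Ksplice Uptrack configuration (constructed sample)
[main]
autoinstall = yes   ; apply new updates without prompting
EOF
cat > "$SAMPLE_DIR/manual.conf" <<'EOF'
[main]
# autoinstall = yes
autoinstall = no
EOF

recommended_action "$SAMPLE_DIR/auto.conf"
recommended_action "$SAMPLE_DIR/manual.conf"
```

Point the functions at /etc/uptrack/uptrack.conf on a real host; the commented-out "autoinstall" line in the second sample is there to show that a disabled setting is not mistaken for an enabled one.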
DESCRIPTION
* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver
in the Linux kernel. A local, unprivileged user could use this flaw to
cause a denial of service. (CVE-2010-4242, Moderate)
* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
An integer overflow in ioc_general() may cause the computation of an
incorrect buffer size, leading to memory corruption.
* CVE-2010-3310: Integer signedness errors in rose driver.
Multiple integer signedness errors in the rose driver allow local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact by calling rose_bind or rose_connect with a
negative destination digis count.
* CVE-2010-4163: Kernel panic in block subsystem.
By submitting certain I/O requests with 0 length, a local user could cause
a denial of service (kernel panic).
* Stack overflow in IrDA parameter extraction.
A boundary error within the irda_extract_string() function in
net/irda/parameters.c can be exploited to cause a crash and potentially
gain escalated privileges.
* Buffer overflow in IrDA IAP result parsing.
A boundary error within the iriap_getvaluebyclass_confirm() function in
net/irda/iriap.c can be exploited to cause a crash and potentially gain
escalated privileges.
* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Several functions in the System V IPC 32-bit compatibility subsystem did
not properly clear fields before copying data to user space, leaking data
from uninitialized kernel stack memory to user space.
* Denial of service in TTY interface.
The flush_to_ldisc function in the TTY interface has a race condition that
could be exploited by a local user to cause denial of service via an
infinite loop.
* CVE-2010-3881: Information leak in KVM.
It was found that some structure padding and reserved fields in certain
data structures in QEMU-KVM were not initialized properly before being
copied to user-space. A privileged host user with access to "/dev/kvm"
could use this flaw to leak kernel stack memory to user-space.
* Buffer overflows in FireWire when receiving split packets.
The FireWire driver may overflow a page boundary when receiving a split
asynchronous packet, leading to crashes and data corruption when using
firewire-net.
* CVE-2010-4162: Integer overflow in block I/O subsystem.
Due to integer underflow and overflow issues when determining the number
of pages required for I/O requests, a local user could send a device ioctl
that results in the sequential allocation of a very large number of pages,
causing the OOM killer to be invoked and crashing the system.
* CVE-2010-4243: Denial of service due to wrong execve memory accounting.
A flaw was found in the Linux kernel execve() system call implementation.
A local, unprivileged user could cause large amounts of memory to be
allocated but not visible to the OOM (Out of Memory) killer, triggering a
denial of service. (CVE-2010-4243, Moderate)
* CVE-2010-4258: Privilege escalation via do_exit.
The do_exit function does not properly handle a KERNEL_DS get_fs value,
which allows local users to bypass intended access_ok restrictions,
overwrite arbitrary kernel memory locations, and gain privileges by
leveraging a BUG, NULL pointer dereference, or page fault.
* CVE-2010-4169: Use-after-free bug in mprotect system call.
A use-after-free flaw in the mprotect() system call could allow a local,
unprivileged user to cause a local denial of service.
* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.
A heap overflow flaw in the Linux kernel's Transparent Inter-Process
Communication protocol (TIPC) implementation could allow a local,
unprivileged user to escalate their privileges. (CVE-2010-3859,
Important)
Missing boundary checks in the PPP over L2TP sockets implementation could
allow a local, unprivileged user to cause a denial of service or escalate
their privileges. (CVE-2010-4160, Important)
* CVE-2010-3873: Memory corruption in X.25 facilities parsing.
The x25_parse_facilities() function may cause a memcpy() of
ULONG_MAX size, destroying the kernel heap.
* CVE-2010-4158: Kernel information leak in socket filters.
The sk_run_filter function in the kernel's socket filter implementation
did not properly clear an array on the kernel stack, resulting in
uninitialized kernel stack memory being copied to user space.
* CVE-2010-4164: Denial of service parsing bad X.25 facilities.
On parsing malformed X.25 facilities, an integer underflow may cause a
kernel crash.
* CVE-2010-4175: Integer overflow in RDS cmsg handling.
An incorrect range check in rds_cmsg_rdma_args() could result in an
integer overflow, leading to memory corruption.
* CVE-2010-4256: Denial of service via named pipe fcntl.
The pipe_fcntl function in fs/pipe.c does not properly determine whether a
file is a named pipe, which allows local users to cause a denial of
service via an F_SETPIPE_SZ fcntl call.
* CVE-2010-4165: Denial of service in TCP from user MSS.
A user program could cause a division by 0 in tcp_select_initial_window by
passing in an invalid TCP_MAXSEG, leading to a kernel oops.
* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.
A flaw was found in the Linux kernel's garbage collector for AF_UNIX
sockets. A local, unprivileged user could use this flaw to trigger a
denial of service (out-of-memory condition). (CVE-2010-4249, Moderate)
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.