[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (Ubuntu-2.6.35-25.44)

Tim Abbott tabbott at ksplice.com
Sat Jan 29 15:19:55 PST 2011


Synopsis: Ubuntu-2.6.35-25.44 can now be patched using Ksplice
CVEs: CVE-2010-3310 CVE-2010-3859 CVE-2010-3873 CVE-2010-3874 CVE-2010-3881 CVE-2010-4073 CVE-2010-4157 CVE-2010-4158 CVE-2010-4160 CVE-2010-4162 CVE-2010-4163 CVE-2010-4164 CVE-2010-4165 CVE-2010-4169 CVE-2010-4175 CVE-2010-4242 CVE-2010-4243 CVE-2010-4249 CVE-2010-4256 CVE-2010-4258 CVE-2010-4347

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch against 
the latest Ubuntu kernel update, Ubuntu-2.6.35-25.44.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users install 
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.


DESCRIPTION

* CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.

A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver 
in the Linux kernel.  A local, unprivileged user could use this flaw to 
cause a denial of service.  (CVE-2010-4242, Moderate)


* CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.

An integer overflow in ioc_general() may cause the computation of an 
incorrect buffer size, leading to memory corruption.


* CVE-2010-3310: Integer signedness errors in rose driver.

Multiple integer signedness errors in the rose driver allow local users to 
cause a denial of service (heap memory corruption) or possibly have 
unspecified other impact by calling rose_bind or rose_connect with a 
negative destination digis count.
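An added example, not from the advisory or the kernel source, modelling the signedness check at issue in CVE-2010-3310: `struct rose_addr_example`, `rose_ndigis_ok_weak`, `rose_ndigis_ok_fixed` and `rose_stored_ndigis` are constructed stand-ins for the kernel's sockaddr_rose handling, and the weak check shows the upper-bound-only pattern that lets a negative count through.

```c
#include <stdbool.h>
#include <stdio.h>

#define ROSE_MAX_DIGIS 6   /* upper limit on digipeaters in a ROSE address */

/* Constructed stand-in for struct sockaddr_rose: the digi count is a plain
 * (signed) int, which is what makes a negative value possible at all. */
struct rose_addr_example {
    int ndigis;
};

/* Vulnerable pattern: only the upper bound is enforced, so a count such
 * as -1 is accepted even though it can never be a valid length. */
bool rose_ndigis_ok_weak(const struct rose_addr_example *a)
{
    return a->ndigis <= ROSE_MAX_DIGIS;
}

/* Corrected pattern: accept only the closed range [0, ROSE_MAX_DIGIS]. */
bool rose_ndigis_ok_fixed(const struct rose_addr_example *a)
{
    return a->ndigis >= 0 && a->ndigis <= ROSE_MAX_DIGIS;
}

/* Why the missing lower bound matters: the kernel keeps the accepted count
 * in an unsigned char, so -1 becomes 255 and later drives copies far past
 * a ROSE_MAX_DIGIS-sized array (the heap corruption the advisory describes). */
unsigned char rose_stored_ndigis(int ndigis)
{
    return (unsigned char)ndigis;
}

int main(void)
{
    struct rose_addr_example neg = { .ndigis = -1 };
    struct rose_addr_example ok  = { .ndigis = 3 };

    printf("weak check accepts -1:  %d\n", rose_ndigis_ok_weak(&neg));
    printf("fixed check accepts -1: %d\n", rose_ndigis_ok_fixed(&neg));
    printf("fixed check accepts 3:  %d\n", rose_ndigis_ok_fixed(&ok));
    printf("-1 stored as unsigned:  %u\n", rose_stored_ndigis(neg.ndigis));
    return 0;
}
```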


* CVE-2010-4163: Kernel panic in block subsystem.

By submitting certain I/O requests with 0 length, a local user could cause 
a denial of service (kernel panic).


* Stack overflow in IrDA parameter extraction.

A boundary error within the irda_extract_string() function in 
net/irda/parameters.c can be exploited to cause a crash and potentially 
gain escalated privileges.


* Buffer overflow in IrDA IAP result parsing.

A boundary error within the iriap_getvaluebyclass_confirm() function in 
net/irda/iriap.c can be exploited to cause a crash and potentially gain 
escalated privileges.


* CVE-2010-4073: Kernel information leaks in ipc compat subsystem.

Several functions in the System V IPC 32-bit compatibility subsystem did 
not properly clear fields before copying data to user space, leaking data 
from uninitialized kernel stack memory to user space.


* Denial of service in TTY interface.

The flush_to_ldisc function in the TTY interface has a race condition that 
could be exploited by a local user to cause denial of service via an 
infinite loop.


* CVE-2010-3881: Information leak in KVM.

It was found that some structure padding and reserved fields in certain 
data structures in QEMU-KVM were not initialized properly before being 
copied to user-space.  A privileged host user with access to "/dev/kvm" 
could use this flaw to leak kernel stack memory to user-space.


* Buffer overflows in FireWire when receiving split packets.

The FireWire driver may overflow a page boundary when receiving a split 
asynchronous packet, leading to crashes and data corruption when using 
firewire-net.


* CVE-2010-4162: Integer overflow in block I/O subsystem.

Due to integer underflow and overflow issues when determining the number 
of pages required for I/O requests, a local user could send a device ioctl 
that results in the sequential allocation of a very large number of pages, 
causing the OOM killer to be invoked and crashing the system.


* CVE-2010-4243: Denial of service due to wrong execve memory accounting.

A flaw was found in the Linux kernel execve() system call implementation.  
A local, unprivileged user could cause large amounts of memory to be 
allocated but not visible to the OOM (Out of Memory) killer, triggering a 
denial of service.  (CVE-2010-4243, Moderate)


* CVE-2010-4258: Privilege escalation via do_exit.

The do_exit function does not properly handle a KERNEL_DS get_fs value, 
which allows local users to bypass intended access_ok restrictions, 
overwrite arbitrary kernel memory locations, and gain privileges by 
leveraging a BUG, NULL pointer dereference, or page fault.


* CVE-2010-4169: Use-after-free bug in mprotect system call.

A use-after-free flaw in the mprotect() system call could allow a local, 
unprivileged user to cause a local denial of service.


* CVE-2010-3859, CVE-2010-4160: Privilege escalations in TIPC, PPP over L2TP.

A heap overflow flaw in the Linux kernel's Transparent Inter-Process 
Communication protocol (TIPC) implementation could allow a local, 
unprivileged user to escalate their privileges.  (CVE-2010-3859, 
Important)

Missing boundary checks in the PPP over L2TP sockets implementation could 
allow a local, unprivileged user to cause a denial of service or escalate 
their privileges.  (CVE-2010-4160, Important)


* CVE-2010-3873: Memory corruption in X.25 facilities parsing.

The x25_parse_facilities() function may cause a memcpy() of ULONG_MAX 
size, destroying the kernel heap.


* CVE-2010-4158: Kernel information leak in socket filters.

The sk_run_filter function in the kernel's socket filter implementation 
did not properly clear an array on the kernel stack, resulting in 
uninitialized kernel stack memory being copied to user space.


* CVE-2010-4164: Denial of service parsing bad X.25 facilities.

On parsing malformed X.25 facilities, an integer underflow may cause a 
kernel crash.


* CVE-2010-4175: Integer overflow in RDS cmsg handling.

An incorrect range check in rds_cmsg_rdma_args() could result in an 
integer overflow, leading to memory corruption.


* CVE-2010-4256: Denial of service via named pipe fcntl.

The pipe_fcntl function in fs/pipe.c does not properly determine whether a 
file is a named pipe, which allows local users to cause a denial of 
service via an F_SETPIPE_SZ fcntl call.


* CVE-2010-4165: Denial of service in TCP from user MSS.

A user program could cause a division by 0 in tcp_select_initial_window by 
passing in an invalid TCP_MAXSEG, leading to a kernel oops.


* CVE-2010-4249: Denial of service in UNIX sockets garbage collector.

A flaw was found in the Linux kernel's garbage collector for AF_UNIX 
sockets.  A local, unprivileged user could use this flaw to trigger a 
denial of service (out-of-memory condition).  (CVE-2010-4249, Moderate)


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
