[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (USN-1160-1)

Tue Jun 28 22:53:48 PDT 2011

Synopsis: USN-1160-1 can now be patched using Ksplice
CVEs: CVE-2010-4529 CVE-2010-4565 CVE-2010-4656 CVE-2011-0463 CVE-2011-0521 CVE-2011-0695 CVE-2011-0711 CVE-2011-0712 CVE-2011-0726 CVE-2011-1010 CVE-2011-1012 CVE-2011-1013 CVE-2011-1016 CVE-2011-1017 CVE-2011-1019 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1082 CVE-2011-1093 CVE-2011-1160 CVE-2011-1169 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182 CVE-2011-1478 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1593 CVE-2011-1745 CVE-2011-1748 CVE-2011-2022

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch against 
the latest Ubuntu Security Notice, USN-1160-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.10 Maverick 
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, 
these updates will be installed automatically and you do not need to take 
any additional action.

DESCRIPTION

* CVE-2011-1173: Information leak in Econet protocol.

Econet fails to initialize 4 bytes of padding in a structure, causing an 
information leak from the kernel stack over the network.

* CVE-2010-4529: Integer underflow in IrDA IRLMP_ENUMDEVICES.

An integer underflow bug was found in the IrDA subsystem.  Local users may 
be able to gain access to sensitive kernel memory via a specially crafted 
IRLMP_ENUMDEVICES getsockopt call.

* Reference count leak in netlink messaging.

The netlink subsystem did not properly clean up 'struct scm_cookie' 
structs created when sending messages, resulting in a memory leak or other 
consequences.

* Kernel BUG in NFS.

An incorrect return value in the NFS code could result in an IO request 
being incorrectly processed multipled times, resulting in a 
user-after-free condition leading to a denial of service (kernel BUG).

* Incorrect error handling in credential allocation.

Several pieces of the kernel credential management subsystem did not 
properly handle memory allocation failures, resulting in various potential 
denial-of-service conditions.

* CVE-2011-1010: Denial of service in Mac OS partition table handling.

A buffer overflow in the mac_partition function could allow a local 
attacker to cause a denial of service or possibly unspecified other impact 
via a malformed Mac OS partition table.

* CVE-2011-0712: Buffer overflows in caiaq driver.

An attacker with physical access could gain elevated privileges via 
pathways relating to buffer overflows in the caiaq audio driver.

* CVE-2011-1082: Denial of service in epoll.

The epoll subsystem did not prevent an unprivileged local user from 
creating a cycle of epoll file descriptors, which would lead to a denial 
of service.

* CVE-2011-1012: Denial of service in corrupted LDM partition.

Insufficient checks in parsing a corrupted LDM partition table could 
result in a kernel denial of service (crash) or potentially other 
consequences.

* CVE-2011-1017: Missing boundary checks in LDM partition table parsing.

When processing an LDM partition table, the kernel did not verify that 
certain fields were within bounds, resulting in a possible heap overflow.  
A local attacker could potentially exploit this to cause a denial of 
service or information leak.

* CVE-2011-1013: Signedness error in drm.

The drm_modeset_ctl() function incorrectly treated an unsigned integer as 
signed, leading to a local denial of service or possible privilege 
escalation.

* CVE-2011-1093: NULL pointer dereference in DCCP.

A flaw in the implementation of the dccp_rcv_state_process() function 
allowed a local unprivileged user, or a remote user, if the system 
accepted connections over the DCCP protocol, to cause a denial of service 
(kernel oops) via a NULL pointer dereference.

* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.

Kees Cook reported an issue in the driver for I/O-Warrior USB devices. 
Local users with access to these devices may be able to overrun kernel 
buffers, resulting in a denial of service or privilege escalation.

* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.

A userspace process could queue a signal for another process with a 
siginfo.si_code field appearing to originate from a kernel. This could 
allow a process to generate a fake tgkill signal to a thread it is not 
privileged to signal.

* CVE-2011-0726: Address space leakage through /proc/pid/stat.

The /proc/pid/stat file allowed unprivileged users to read the start and 
end address of other processes' text segments, potentially enabled an 
attacker to bypass address space layout randomization (ASLR) protection.

* Lost commands in CCISS driver.

Under certain workloads, the CCISS driver could mark commands as completed 
even though they were never processed, leading to disk corruption, system 
instability or potentially other consequences.

* CVE-2011-1180: Remote denial of service in IrDA subsystem.

A malicious IrDA peer could cause a kernel stack overflow by providing 
invalid length fields for names and attributes, leading to denial of 
service.

* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.

A remote host providing crafted FAC_NATIONAL_DIGIS, FAC_CCITT_DEST_NSAP, 
or FAC_CCITT_SRC_NSAP fields could cause heap corruption in the Rose 
driver, leading to denial of service (kernel panic).

* Denial of Service in mremap.

An integer overflow in the mremap call can be exploited by a local user to 
cause a kernel BUG, leading to denial of service.

* CVE-2011-1078: Information leak in Bluetooth SCO link driver.

One byte of the 'struct sco_conninfo' data structure was not initialized 
before being copied to userspace, leading to a leak of potentially 
sensitive kernel memory.

* CVE-2011-1079: Denial of service in Bluetooth BNEP.

A string copied from userspace in the BNEP (Bluetooth Network 
Encapsulation Protocol) driver is not checked for null termination, 
leading to a denial of service (kernel crash) or information leak.

* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.

The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle 
Cluster File System 2 (OCFS2) did not properly handle holes that cross 
page boundaries, which allowed local users to obtain potentially sensitive 
information from uninitialized disk locations by reading a file.

* CVE-2011-1160: Information leak in tpm driver.

A buffer was not initialized before being returned to userspace, leading 
to a leak of potentially sensitive kernel memory.

* Buffer overflow in iptables CLUSTERIP target.

The iptables CLUSTERIP target copies a string from userspace without 
checking for null termination, leading to a buffer overflow.

* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.

Missing null-termination checks in the netfilter subsystem could cause a 
portion of kernel stack memory to be made visible to all processes on the 
system within the arguments to a spawned modprobe process.

* CVE-2011-1478: NULL pointer dereference in GRO.

The generic receive offload (GRO) code failed to reset a reused pointer, 
leading to a potential NULL pointer dereference.

* Missing boundary checks in squashfs.

Several missing boundary checks were discovered in the squashfs 
filesystem, causing a denial of service if the system attempts to process 
a corrupted or malicious squashfs image.

* Denial of service in NFS server via reference count leak.

Repeated NLM lock operations can cause a reference count to overflow, 
eventually leading to a use-after-free causing a denial of service (kernel 
panic) or other unspecified impact.

* CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.

The bcm_connect function in the Broadcast Manager Controller Area Network 
(CAN) implementation created a publicly accessible file with a filename 
containing a kernel memory address, which allowed local users to obtain 
potentially sensitive information about kernel memory use by listing this 
filename.

* CVE-2011-0711: Information leak in XFS filesystem.

The XFS filesystem leaves certain fields in the output of the 
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to 
unprivileged callers.

* CVE-2011-1593: Missing bounds check in proc filesystem.

A local attacker could exploit a missing bounds check to read kernel 
memory or cause a denial of service.

* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.

Multiple integer overflows in the AGP driver could allow local users to 
gain privileges or cause a denial of service (system crash) via crafted 
AGPIOC_BIND or AGPIOC_UNBIND ioctls.

* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.

Multiple vulnerabilities in the mpt2sas driver may allow local users to 
gain privileges, cause a denial of service (memory corruption), or obtain 
sensitive information from kernel memory.

* CVE-2011-0695: Remote denial of service in InfiniBand setup.

A race condition was found in the way the Linux kernel's InfiniBand 
implementation set up new connections. This could allow a remote user to 
cause a denial of service.

* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local 
users can pass a negative info->num value, corrupting kernel memory and 
causing a denial of service.

* CVE-2011-1016: Privilege escalation in radeon GPU driver.

The Radeon GPU drivers in the Linux kernel were missing sanity checks for 
the Anti Aliasing (AA) resolve register values which could allow a local, 
unprivileged user to cause a denial of service or escalate their 
privileges on systems using a graphics card from the ATI Radeon R300, 
R400, or R500 family of cards.

* CVE-2011-1748: Denial of service in CAN raw sockets.

Oliver Kartkopp reported an issue in the Controller Area Network (CAN) raw 
socket implementation which permits local users to cause a NULL pointer 
dereference, resulting in a denial of service.

* CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.

The CAP_NET_ADMIN capability should confer the right to load kernel 
modules only for network devices, but the kernel failed to implement this 
restriction. The result is that CAP_NET_ADMIN could be used to load any 
module in the /lib/modules/ directory.

* CVE-2011-1169: Buffer overflow in AudioScience HPI driver.

An array index error in the asihpi_hpi_ioctl function in the AudioScience 
HPI driver in the Linux kernel before 2.6.38.1 might allow local users to 
cause a denial of service (memory corruption) or possibly gain privileges 
via a crafted adapter index value that triggers access to an invalid 
kernel pointer.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.