[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (USN-1160-1)
Tim Abbott
tabbott at ksplice.com
Tue Jun 28 22:53:48 PDT 2011
Synopsis: USN-1160-1 can now be patched using Ksplice
CVEs: CVE-2010-4529 CVE-2010-4565 CVE-2010-4656 CVE-2011-0463 CVE-2011-0521 CVE-2011-0695 CVE-2011-0711 CVE-2011-0712 CVE-2011-0726 CVE-2011-1010 CVE-2011-1012 CVE-2011-1013 CVE-2011-1016 CVE-2011-1017 CVE-2011-1019 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1082 CVE-2011-1093 CVE-2011-1160 CVE-2011-1169 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1182 CVE-2011-1478 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1593 CVE-2011-1745 CVE-2011-1748 CVE-2011-2022
Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1160-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 10.10 Maverick
install these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
DESCRIPTION
* CVE-2011-1173: Information leak in Econet protocol.
Econet fails to initialize 4 bytes of padding in a structure, causing an
information leak from the kernel stack over the network.
* CVE-2010-4529: Integer underflow in IrDA IRLMP_ENUMDEVICES.
An integer underflow bug was found in the IrDA subsystem. Local users may
be able to gain access to sensitive kernel memory via a specially crafted
IRLMP_ENUMDEVICES getsockopt call.
* Reference count leak in netlink messaging.
The netlink subsystem did not properly clean up 'struct scm_cookie'
structs created when sending messages, resulting in a memory leak or other
consequences.
* Kernel BUG in NFS.
An incorrect return value in the NFS code could result in an IO request
being incorrectly processed multiple times, resulting in a
use-after-free condition leading to a denial of service (kernel BUG).
* Incorrect error handling in credential allocation.
Several pieces of the kernel credential management subsystem did not
properly handle memory allocation failures, resulting in various potential
denial-of-service conditions.
* CVE-2011-1010: Denial of service in Mac OS partition table handling.
A buffer overflow in the mac_partition function could allow a local
attacker to cause a denial of service or possibly unspecified other impact
via a malformed Mac OS partition table.
* CVE-2011-0712: Buffer overflows in caiaq driver.
An attacker with physical access could gain elevated privileges via
buffer overflows in the caiaq audio driver.
* CVE-2011-1082: Denial of service in epoll.
The epoll subsystem did not prevent an unprivileged local user from
creating a cycle of epoll file descriptors, which would lead to a denial
of service.
* CVE-2011-1012: Denial of service in corrupted LDM partition.
Insufficient checks in parsing a corrupted LDM partition table could
result in a kernel denial of service (crash) or potentially other
consequences.
* CVE-2011-1017: Missing boundary checks in LDM partition table parsing.
When processing an LDM partition table, the kernel did not verify that
certain fields were within bounds, resulting in a possible heap overflow.
A local attacker could potentially exploit this to cause a denial of
service or information leak.
* CVE-2011-1013: Signedness error in drm.
The drm_modeset_ctl() function incorrectly treated an unsigned integer as
signed, leading to a local denial of service or possible privilege
escalation.
* CVE-2011-1093: NULL pointer dereference in DCCP.
A flaw in the implementation of the dccp_rcv_state_process() function
allowed a local unprivileged user (or a remote user, if the system
accepted connections over the DCCP protocol) to cause a denial of service
(kernel oops) via a NULL pointer dereference.
* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Kees Cook reported an issue in the driver for I/O-Warrior USB devices.
Local users with access to these devices may be able to overrun kernel
buffers, resulting in a denial of service or privilege escalation.
* CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
A userspace process could queue a signal for another process with a
siginfo.si_code field appearing to originate from a kernel. This could
allow a process to generate a fake tgkill signal to a thread it is not
privileged to signal.
* CVE-2011-0726: Address space leakage through /proc/pid/stat.
The /proc/pid/stat file allowed unprivileged users to read the start and
end address of other processes' text segments, potentially enabling an
attacker to bypass address space layout randomization (ASLR) protection.
* Lost commands in CCISS driver.
Under certain workloads, the CCISS driver could mark commands as completed
even though they were never processed, leading to disk corruption, system
instability or potentially other consequences.
* CVE-2011-1180: Remote denial of service in IrDA subsystem.
A malicious IrDA peer could cause a kernel stack overflow by providing
invalid length fields for names and attributes, leading to denial of
service.
* CVE-2011-1493: Remote heap corruption in AX.25 PLP (Rose) driver.
A remote host providing crafted FAC_NATIONAL_DIGIS, FAC_CCITT_DEST_NSAP,
or FAC_CCITT_SRC_NSAP fields could cause heap corruption in the Rose
driver, leading to denial of service (kernel panic).
* Denial of Service in mremap.
An integer overflow in the mremap call can be exploited by a local user to
cause a kernel BUG, leading to denial of service.
* CVE-2011-1078: Information leak in Bluetooth SCO link driver.
One byte of the 'struct sco_conninfo' data structure was not initialized
before being copied to userspace, leading to a leak of potentially
sensitive kernel memory.
* CVE-2011-1079: Denial of service in Bluetooth BNEP.
A string copied from userspace in the BNEP (Bluetooth Network
Encapsulation Protocol) driver is not checked for null termination,
leading to a denial of service (kernel crash) or information leak.
* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.
The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the Oracle
Cluster File System 2 (OCFS2) did not properly handle holes that cross
page boundaries, which allowed local users to obtain potentially sensitive
information from uninitialized disk locations by reading a file.
* CVE-2011-1160: Information leak in tpm driver.
A buffer was not initialized before being returned to userspace, leading
to a leak of potentially sensitive kernel memory.
* Buffer overflow in iptables CLUSTERIP target.
The iptables CLUSTERIP target copies a string from userspace without
checking for null termination, leading to a buffer overflow.
* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Missing null-termination checks in the netfilter subsystem could cause a
portion of kernel stack memory to be made visible to all processes on the
system within the arguments to a spawned modprobe process.
* CVE-2011-1478: NULL pointer dereference in GRO.
The generic receive offload (GRO) code failed to reset a reused pointer,
leading to a potential NULL pointer dereference.
* Missing boundary checks in squashfs.
Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to process
a corrupted or malicious squashfs image.
* Denial of service in NFS server via reference count leak.
Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service (kernel
panic) or other unspecified impact.
* CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
The bcm_connect function in the Broadcast Manager Controller Area Network
(CAN) implementation created a publicly accessible file with a filename
containing a kernel memory address, which allowed local users to obtain
potentially sensitive information about kernel memory use by listing this
filename.
* CVE-2011-0711: Information leak in XFS filesystem.
The XFS filesystem leaves certain fields in the output of the
FSGEOMETRY_V1 ioctl uninitialized, leaking kernel stack data to
unprivileged callers.
* CVE-2011-1593: Missing bounds check in proc filesystem.
A local attacker could exploit a missing bounds check to read kernel
memory or cause a denial of service.
* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Multiple integer overflows in the AGP driver could allow local users to
gain privileges or cause a denial of service (system crash) via crafted
AGPIOC_BIND or AGPIOC_UNBIND ioctls.
* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Multiple vulnerabilities in the mpt2sas driver may allow local users to
gain privileges, cause a denial of service (memory corruption), or obtain
sensitive information from kernel memory.
* CVE-2011-0695: Remote denial of service in InfiniBand setup.
A race condition was found in the way the Linux kernel's InfiniBand
implementation set up new connections. This could allow a remote user to
cause a denial of service.
* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Dan Carpenter reported an issue in the DVB driver for AV7110 cards. Local
users can pass a negative info->num value, corrupting kernel memory and
causing a denial of service.
* CVE-2011-1016: Privilege escalation in radeon GPU driver.
The Radeon GPU drivers in the Linux kernel were missing sanity checks for
the Anti Aliasing (AA) resolve register values which could allow a local,
unprivileged user to cause a denial of service or escalate their
privileges on systems using a graphics card from the ATI Radeon R300,
R400, or R500 family of cards.
* CVE-2011-1748: Denial of service in CAN raw sockets.
Oliver Hartkopp reported an issue in the Controller Area Network (CAN) raw
socket implementation which permits local users to cause a NULL pointer
dereference, resulting in a denial of service.
* CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
The CAP_NET_ADMIN capability should confer the right to load kernel
modules only for network devices, but the kernel failed to implement this
restriction. The result is that CAP_NET_ADMIN could be used to load any
module in the /lib/modules/ directory.
* CVE-2011-1169: Buffer overflow in AudioScience HPI driver.
An array index error in the asihpi_hpi_ioctl function in the AudioScience
HPI driver in the Linux kernel before 2.6.38.1 might allow local users to
cause a denial of service (memory corruption) or possibly gain privileges
via a crafted adapter index value that triggers access to an invalid
kernel pointer.
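Several entries above (CVE-2011-1173 in Econet, CVE-2011-1078 in the Bluetooth SCO driver, CVE-2011-1160 in the tpm driver, CVE-2011-0711 in XFS) are the same bug class: a structure is filled field by field and copied to userspace, and the alignment padding the compiler inserted between fields is never written, so whatever was on the kernel stack before goes out with it. The following is an added example, not Ksplice or Linux kernel code: the stack slot is modelled as a union pre-filled with a constructed 0xAA marker, copy_to_user() is modelled as memcpy(), and the struct and function names are hypothetical. It shows the padding leaking with the unfixed fill routine and the memset() fix closing it.

```c
/*
 * Added example (not Ksplice or kernel code): why alignment padding inside
 * a struct leaks stale kernel memory when the struct is copied to
 * userspace, and the memset() fix. The stack frame is modelled as a union
 * pre-filled with a 0xAA marker standing in for stale data; copy_to_user()
 * is modelled as memcpy(). Struct and function names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reply structure with padding between and after its fields
 * (on common ABIs 3 bytes after 'flags' and 2 bytes after 'port'). */
struct dev_info {
    uint8_t  flags;
    uint32_t len;
    uint16_t port;
};

#define STALE_BYTE 0xAA   /* constructed marker for leftover stack contents */

/* Stack slot holding the reply, viewed both as raw bytes and as the struct. */
union frame {
    unsigned char   raw[sizeof(struct dev_info)];
    struct dev_info info;
};

/* Vulnerable shape: assign the fields, never touch the padding. */
static void fill_info_leaky(struct dev_info *info)
{
    info->flags = 1;
    info->len   = 512;
    info->port  = 7;
}

/* Hardened shape: zero the whole object first, then assign. */
static void fill_info_safe(struct dev_info *info)
{
    memset(info, 0, sizeof *info);
    info->flags = 1;
    info->len   = 512;
    info->port  = 7;
}

/* Models the ioctl/getsockopt path: stale frame, fill, copy_to_user(). */
static void reply_to_user(unsigned char *user, void (*fill)(struct dev_info *))
{
    union frame f;
    memset(f.raw, STALE_BYTE, sizeof f.raw);   /* stale data from an earlier call */
    fill(&f.info);
    memcpy(user, f.raw, sizeof f.raw);         /* copy_to_user() */
}

/* 1 if byte offset 'off' of struct dev_info belongs to a named field. */
static int is_field_byte(size_t off)
{
    return (off >= offsetof(struct dev_info, flags) && off < offsetof(struct dev_info, flags) + sizeof(uint8_t))
        || (off >= offsetof(struct dev_info, len)   && off < offsetof(struct dev_info, len)   + sizeof(uint32_t))
        || (off >= offsetof(struct dev_info, port)  && off < offsetof(struct dev_info, port)  + sizeof(uint16_t));
}

/* Number of padding bytes in struct dev_info on this ABI. */
int padding_bytes_in_struct(void)
{
    int pad = 0;
    for (size_t i = 0; i < sizeof(struct dev_info); i++)
        pad += !is_field_byte(i);
    return pad;
}

/* Padding bytes in the userspace copy that still hold the stale marker. */
static int count_leaked_padding(void (*fill)(struct dev_info *))
{
    unsigned char user[sizeof(struct dev_info)];
    int leaked = 0;
    reply_to_user(user, fill);
    for (size_t i = 0; i < sizeof user; i++)
        leaked += !is_field_byte(i) && user[i] == STALE_BYTE;
    return leaked;
}

int leaked_bytes_with_leaky_fill(void) { return count_leaked_padding(fill_info_leaky); }
int leaked_bytes_with_safe_fill(void)  { return count_leaked_padding(fill_info_safe); }

int main(void)
{
    printf("padding bytes: %d, leaked (unfixed): %d, leaked (memset fix): %d\n",
           padding_bytes_in_struct(), leaked_bytes_with_leaky_fill(), leaked_bytes_with_safe_fill());
    return 0;
}
```

The point the example makes is that every padding byte counted by padding_bytes_in_struct() comes back carrying the stale marker from the unfixed fill, while the memset() variant returns none; a zero initializer (`struct dev_info info = {0};`) has the same effect in practice but is not guaranteed by the C standard to clear padding, which is why kernel fixes of this class generally use memset().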
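The BNEP entry (CVE-2011-1079), the iptables CLUSTERIP entry and the netfilter entries (CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172) all come down to a fixed-size name copied in from userspace and then handled as a C string without confirming that a NUL terminator exists inside the field. Below is an added example, not Ksplice or Linux kernel code: copy_from_user() is modelled as memcpy(), the requests are constructed in make_request(), the bytes following the name field are constructed stand-in data, and all names are hypothetical. It shows how far a string scan runs past an unterminated 16-byte field, and the two usual fixes: reject the request, or force a terminator into the last byte.

```c
/*
 * Added example (not Ksplice or kernel code): a fixed-size name field copied
 * in from userspace carries no guarantee of a NUL terminator, so it must be
 * checked (or forcibly terminated) before any string function touches it.
 * copy_from_user() is modelled as memcpy(), the "user" requests are
 * constructed in make_request(), and every name here is hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   16
#define ERR_INVAL  (-22)

struct user_request {
    char name[NAME_LEN];      /* caller-controlled; may contain no NUL at all */
};

struct kernel_dev {
    char name[NAME_LEN];      /* copy of the request's name */
    char after[NAME_LEN];     /* whatever happens to follow the field in memory */
};

/* Index of the first NUL within the first n bytes of buf, or -1 if none. */
static int find_terminator(const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\0')
            return (int)i;
    return -1;
}

/* Vulnerable shape: copy the bytes, then treat the field as a C string.
 * To keep the demonstration itself memory-safe, the strlen()-style scan is
 * bounded to the enclosing struct; the return value is how many bytes that
 * scan consumed, and anything above NAME_LEN is data from outside the field. */
static int set_name_unchecked(struct kernel_dev *dev, const struct user_request *req)
{
    memcpy(dev->name, req->name, NAME_LEN);           /* copy_from_user() */
    int end = find_terminator((const char *)dev, sizeof *dev);
    return end < 0 ? (int)sizeof *dev : end;          /* strlen(dev->name) would read this far */
}

/* Hardened, variant 1: refuse a name with no terminator inside the field. */
static int set_name_reject(struct kernel_dev *dev, const struct user_request *req)
{
    if (find_terminator(req->name, NAME_LEN) < 0)
        return ERR_INVAL;
    memcpy(dev->name, req->name, NAME_LEN);
    return 0;
}

/* Hardened, variant 2: copy, then force a terminator into the last byte.
 * A too-long name is silently truncated instead of being rejected. */
static int set_name_truncate(struct kernel_dev *dev, const struct user_request *req)
{
    memcpy(dev->name, req->name, NAME_LEN);
    dev->name[NAME_LEN - 1] = '\0';
    return 0;
}

/* Constructed request: text[0] repeated over the whole field (no NUL) when
 * terminated == 0, otherwise a normal short string. */
static struct user_request make_request(const char *text, int terminated)
{
    struct user_request req;
    if (terminated) {
        memset(req.name, 0, NAME_LEN);
        strncpy(req.name, text, NAME_LEN - 1);
    } else {
        memset(req.name, text[0], NAME_LEN);
    }
    return req;
}

/* Constructed device: the bytes after 'name' hold stand-in internal data. */
static struct kernel_dev make_dev(void)
{
    struct kernel_dev dev;
    memset(&dev, 0, sizeof dev);
    strcpy(dev.after, "KERNEL_INTERNAL");             /* 15 chars + NUL */
    return dev;
}

/* Demonstrations; each returns the value the accompanying check looks at. */
int demo_unchecked_unterminated(void)
{
    struct kernel_dev dev = make_dev();
    struct user_request req = make_request("A", 0);
    return set_name_unchecked(&dev, &req);            /* 31: 15 bytes past the field */
}
int demo_reject_unterminated(void)
{
    struct kernel_dev dev = make_dev();
    struct user_request req = make_request("A", 0);
    return set_name_reject(&dev, &req);               /* ERR_INVAL */
}
int demo_truncate_unterminated(void)
{
    struct kernel_dev dev = make_dev();
    struct user_request req = make_request("A", 0);
    if (set_name_truncate(&dev, &req) != 0) return -1;
    return (int)strlen(dev.name);                     /* 15: terminated inside the field */
}
int demo_reject_terminated(void)
{
    struct kernel_dev dev = make_dev();
    struct user_request req = make_request("eth0", 1);
    if (set_name_reject(&dev, &req) != 0) return -1;
    return strcmp(dev.name, "eth0") == 0 ? 0 : -1;    /* 0: ordinary names still work */
}
```

Which fix is right depends on the interface: rejecting keeps existing semantics for well-formed callers and makes the bad input visible, while forced termination keeps old userspace working but silently changes the meaning of an over-long name. Either way, the check must happen before the first strlen(), strcpy() or printk("%s") on the field.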
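The mremap entry, the AGP entries (CVE-2011-1745, CVE-2011-2022), the IrDA IRLMP_ENUMDEVICES entry (CVE-2010-4529) and the drm entry (CVE-2011-1013) are all arithmetic on user-supplied integers going wrong before a bounds check. The following added example, not Ksplice or Linux kernel code, puts the three shapes in one hypothetical ioctl-style validator: a size computed as pages times the page size that wraps to a small value, a signed index compared only against its upper bound so negatives pass, and a length minus a header that underflows. Constants, struct and function names are hypothetical.

```c
/*
 * Added example (not Ksplice or kernel code): integer-arithmetic bug
 * classes in a hypothetical ioctl-style request validator. Constants and
 * names are hypothetical; the "unchecked" functions show the defective
 * shape, the "safe" ones the corrected checks.
 */
#include <limits.h>
#include <stdio.h>

#define PAGE_SIZE_LOCAL 4096UL
#define NR_SLOTS        64          /* hypothetical size of a kernel table */
#define MAX_MAP_BYTES   (1UL << 30) /* hypothetical per-request limit */
#define ERR_INVAL       (-22)

struct bind_request {
    int           slot;    /* index into a kernel table, arrives as a signed int */
    unsigned long pages;   /* requested mapping size in pages */
};

/* Vulnerable shape: one-sided index check and an unchecked multiply. */
int validate_bind_unchecked(const struct bind_request *req)
{
    if (req->slot >= NR_SLOTS)
        return ERR_INVAL;                    /* a negative slot slips through */
    unsigned long bytes = req->pages * PAGE_SIZE_LOCAL;   /* may wrap to a small value */
    if (bytes > MAX_MAP_BYTES)
        return ERR_INVAL;
    return 0;
}

/* Hardened: reject negatives explicitly, test for overflow before multiplying. */
int validate_bind_safe(const struct bind_request *req)
{
    if (req->slot < 0 || req->slot >= NR_SLOTS)
        return ERR_INVAL;
    if (req->pages > ULONG_MAX / PAGE_SIZE_LOCAL)
        return ERR_INVAL;                    /* the product would not fit */
    unsigned long bytes = req->pages * PAGE_SIZE_LOCAL;
    if (bytes > MAX_MAP_BYTES)
        return ERR_INVAL;
    return 0;
}

/* Length-minus-header: returns the payload length, or -1 when the header
 * alone exceeds the declared length (the unsigned subtraction would wrap). */
long payload_length(unsigned int declared_len, unsigned int header_len)
{
    if (declared_len < header_len)
        return -1;
    return (long)(declared_len - header_len);
}

/* A page count that makes pages * PAGE_SIZE_LOCAL wrap to exactly 0. */
unsigned long wrapping_page_count(void)
{
    return ULONG_MAX / PAGE_SIZE_LOCAL + 1;
}

/* Demonstration wrappers: build a constructed request and validate it. */
int check_unchecked(int slot, unsigned long pages)
{
    struct bind_request r = { slot, pages };
    return validate_bind_unchecked(&r);
}

int check_safe(int slot, unsigned long pages)
{
    struct bind_request r = { slot, pages };
    return validate_bind_safe(&r);
}

int main(void)
{
    printf("negative slot: unchecked=%d safe=%d\n", check_unchecked(-1, 16), check_safe(-1, 16));
    printf("wrapping size: unchecked=%d safe=%d\n",
           check_unchecked(3, wrapping_page_count()), check_safe(3, wrapping_page_count()));
    printf("short length : payload=%ld\n", payload_length(10, 20));
    return 0;
}
```

The wrapping page count is chosen so that the multiply lands on exactly zero on both 32- and 64-bit targets, which is the worst case for the unchecked validator: zero is below any limit, so the request is accepted and later code sizes buffers from a value that bears no relation to what was asked for. The overflow check divides the maximum by the multiplier instead of multiplying, so it can never wrap itself.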
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.