[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (USN-1081-1)
rwbarton at ksplice.com
Thu Mar 3 18:32:59 PST 2011
Synopsis: USN-1081-1 can now be patched using Ksplice
CVEs: CVE-2010-3698 CVE-2010-3850 CVE-2010-3865 CVE-2010-3875
CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4079 CVE-2010-4083
CVE-2010-4248 CVE-2010-4342 CVE-2010-4346 CVE-2010-4648 CVE-2010-4649
Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1081-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users
install these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
* CVE-2010-3698: Denial of service vulnerability in KVM host.
A flaw was found in the way QEMU-KVM handled the reloading of fs and
gs segment registers when they had invalid selectors. A privileged
host user with access to "/dev/kvm" could use this flaw to crash the
host (denial of service).
* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.
* CVE-2010-3865: Integer overflow in RDS rdma page counting.
An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation. A local, unprivileged
user could use this flaw to cause a denial of service or escalate
* CVE-2010-3875: Information leak in AX.25 protocol.
The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.
* CVE-2010-3876: Kernel information leak in packet subsystem.
The packet_getname_spkt function doesn't initialize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.
* CVE-2010-3877: Kernel information leak in tipc driver.
The get_name function in net/tipc/socket.c did not properly initialize
a certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group
leader in the de_thread function in fs/exec.c.
* CVE-2010-4083: Kernel information leak in semctl syscall.
The semctl system call allows unprivileged users to read uninitialized
kernel stack memory, because various fields of a semid_ds struct
declared on the stack are not altered or zeroed before being copied
back to the user.
* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.
The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.
* Use-after-free bug in sunrpc xprt.
A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.
* CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem. A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.
* Denial of service in 802.11 transmit buffer handling.
The transmit buffer code in the mac80211 subsystem fails to handle shared
buffers correctly, resulting in a BUG or other kernel misbehavior.
* Improved fix for CVE-2010-3850.
The previous fix for CVE-2010-3850 did not properly clean up after an
unprivileged user attempted to make a SIOCSIFADDR ioctl call, causing
a denial of service for other Econet users on the system.
* CVE-2010-4342: Denial of service vulnerability in econet protocol.
Nelson Elhage reported an issue in the econet protocol. Remote
attackers can cause a denial of service by sending an Acorn Universal
Networking packet over UDP.
* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.
* Data corruption on RAID recovery to hot-added device.
Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered. This could lead to data corruption.
* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.
* Remote denial of service in 802.11 mesh networking drivers.
Under low-memory conditions, forwarding an 802.11 mesh networking packet can
cause a NULL pointer dereference.
* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
The INET-DIAG subsystem is inconsistent about how it looks up the
bytecode contained in a netlink message, making it possible for a user
to cause the kernel to execute unaudited INET-DIAG bytecode. This can
be abused to make the kernel enter an infinite loop, and possibly
Ksplice support is available at support at ksplice.com or +1 765-577-5423.
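
The pattern behind the information-leak entries above (CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-4083), shown as an added userspace illustration that is not code from the kernel or from Ksplice. The struct layout, the 0xAA marker and the function names are constructed for the example, and memcpy stands in for the kernel's copy to userspace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* marker for leftover data from an earlier call */

/* Constructed reply layout (not a real kernel struct): padding follows
 * 'family' on common ABIs, and 'name' is rarely filled completely. */
struct reply {
    uint16_t family;
    uint32_t ifindex;
    char     name[14];
};

/* Fills the reply and copies it out; memcpy stands in for copy_to_user().
 * zero_first = 0 is the leaky pattern, zero_first = 1 the hardened one. */
static void getname(struct reply *r, unsigned char *out, int zero_first)
{
    if (zero_first)
        memset(r, 0, sizeof *r);   /* clears padding and unused members */
    r->family  = 3;
    r->ifindex = 7;
    memcpy(r->name, "eth0", 5);    /* 9 bytes of name[] stay untouched */
    memcpy(out, r, sizeof *r);     /* whole object, padding included */
}

/* Returns how many stale bytes reach the caller's buffer. */
size_t leaked_bytes(int zero_first)
{
    unsigned char out[sizeof(struct reply)];
    struct reply *slot = malloc(sizeof *slot);   /* simulated stack slot */
    size_t i, n = 0;

    if (!slot)
        return (size_t)-1;
    memset(slot, STALE, sizeof *slot);           /* earlier call's leftovers */
    getname(slot, out, zero_first);
    for (i = 0; i < sizeof out; i++)
        n += (out[i] == STALE);
    free(slot);
    return n;
}

int main(void)
{
    printf("leaky: %zu, fixed: %zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Setting every named member is not enough, because the copy covers the whole object; zeroing it before filling is what keeps padding and unused array bytes from reaching the caller.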