[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (USN-1081-1)

Reid Barton rwbarton at ksplice.com
Thu Mar 3 18:32:59 PST 2011

Synopsis: USN-1081-1 can now be patched using Ksplice
CVEs: CVE-2010-3698 CVE-2010-3850 CVE-2010-3865 CVE-2010-3875
CVE-2010-3876 CVE-2010-3877 CVE-2010-3880 CVE-2010-4079 CVE-2010-4083
CVE-2010-4248 CVE-2010-4342 CVE-2010-4346 CVE-2010-4648 CVE-2010-4649
CVE-2010-4650 CVE-2011-1044

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1081-1.


We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


* CVE-2010-3698: Denial of service vulnerability in KVM host.

A flaw was found in the way QEMU-KVM handled the reloading of fs and
gs segment registers when they had invalid selectors. A privileged
host user with access to "/dev/kvm" could use this flaw to crash the
host (denial of service).

* CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.

The FBIOGET_VBLANK device ioctl in the ivtvfb driver allows
unprivileged users to read 16 bytes of uninitialized stack memory.

* CVE-2010-3865: Integer overflow in RDS rdma page counting.

An integer overflow flaw was found in the Linux kernel's Reliable
Datagram Sockets (RDS) protocol implementation.  A local, unprivileged
user could use this flaw to cause a denial of service or escalate
their privileges.

* CVE-2010-3875: Information leak in AX.25 protocol.

The ax25_getname function sometimes leaks kernel stack memory to
userspace in uninitialized structure members and padding bytes.

* CVE-2010-3876: Kernel information leak in packet subsystem.

The packet_getname_spkt function doesn't initiatilize all members of a
sockaddr struct before copying it to userland, which allows
unprivileged users to read uninitialized stack memory.

* CVE-2010-3877: Kernel information leak in tipc driver.

The get_name function in net/tipc/socket.c did not properly initialize
a certain structure, which allows local users to obtain potentially
sensitive information from kernel stack memory by reading a copy of
this structure.

* CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.

A race condition in the __exit_signal function in kernel/exit.c allows
local users to cause a denial of service via vectors related to
multithreaded exec, the use of a thread group leader in
kernel/posix-cpu-timers.c, and the selection of a new thread group
leader in the de_thread function in fs/exec.c.

* CVE-2010-4083: Kernel information leak in semctl syscall.

The semctl system call allows unprivileged users to read uninitialized
kernel stack memory, because various fields of a semid_ds struct
declared on the stack are not altered or zeroed before being copied
back to the user.

* CVE-2010-4650: Integer overflow in FUSE_IOCTL_RETRY.

The iovec arguments to the FUSE_IOCTL_RETRY ioctl could have a combined
length larger than the maximum FUSE request size.

* Use-after-free bug in sunrpc xprt.

A race condition in the sunrpc protocol implementation can cause the kernel to
process garbage data.

* CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.

Dan Carpenter reported an issue in the uverb handling of the InfiniBand
subsystem.  A potential buffer overflow may allow local users to cause a
denial of service (memory corruption) by passing in a large cmd.ne value.

* Denial of service in 802.11 transmit buffer handling.

The transmit buffer code in the mac80211 subsystem fails to handle shared
buffers correctly, resulting in a BUG or other kernel misbehavior.

* Improved fix for CVE-2010-3850.

The previous fix for CVE-2010-3850 did not properly clean up after an
unprivileged user attempted to make a SIOCSIFADDR ioctl call, causing
a denial of service for other Econet users on the system.

* CVE-2010-4342: Denial of service vulnerability in econet protocol.

Nelson Elhage reported an issue in the econet protocol.  Remote
attackers can cause a denial of service by sending an Acorn Universal
Networking packet over UDP.

* CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.

The driver for Orinoco wireless cards fails to respond effectively to certain
attacks on WPA encryption.

* Data corruption on RAID recovery to hot-added device.

Linux software RAID arrays (md subsystem) with v1.x metadata can forget the
state of partial recovery onto a hot-added storage device, erroneously treating
the device as fully recovered.  This could lead to data corruption.

* CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.

Tavis Ormandy discovered an issue in the install_special_mapping
routine which allows local users to bypass the mmap_min_addr security
restriction. Combined with an otherwise low severity local denial of
service vulnerability (NULL pointer dereference), a local user could
obtain elevated privileges.

* Remote denial of service in 802.11 mesh networking drivers.

Under low-memory conditions, forwarding an 802.11 mesh networking packet can
cause a NULL pointer dereference.

* CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.

The INET-DIAG subsystem is inconsistent about how it looks up the
bytecode contained in a netlink message, making it possible for a user
to cause the kernel to execute unaudited INET-DIAG bytecode. This can
be abused to make the kernel enter an infinite loop, and possibly
other consequences.


Ksplice support is available at support at ksplice.com or +1 765-577-5423.

More information about the Ubuntu-10.10-Updates mailing list