[Ksplice][Ubuntu-11.04-Updates] New updates available via Ksplice (USN-1167-1)

Anders Kaseorg andersk at ksplice.com
Thu Jul 14 02:24:26 PDT 2011


Synopsis: USN-1167-1 can now be patched using Ksplice
CVEs: CVE-2011-0463 CVE-2011-1017 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080 CVE-2011-1160 CVE-2011-1170 CVE-2011-1171 CVE-2011-1172 CVE-2011-1173 CVE-2011-1180 CVE-2011-1474 CVE-2011-1476 CVE-2011-1477 CVE-2011-1479 CVE-2011-1493 CVE-2011-1494 CVE-2011-1495 CVE-2011-1577 CVE-2011-1593 CVE-2011-1598 CVE-2011-1745 CVE-2011-1746 CVE-2011-1748 CVE-2011-1770 CVE-2011-1771 CVE-2011-1927 CVE-2011-2022 CVE-2011-2479 CVE-2011-2534

Systems running Ubuntu 11.04 Natty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1167-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.04 Natty
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Lost commands in CCISS driver.

Under certain workloads, the CCISS driver could mark commands as
completed even though they were never processed, leading to disk
corruption, system instability or potentially other consequences.


* CVE-2011-1477: Missing validation in OPL-3 driver.

Missing validation of user data in the OPL-3 driver could allow a
user to corrupt kernel memory and potentially escalate privileges.


* CVE-2011-1180: Missing boundary checks in IrDA subsystem.

Several missing boundary checks were discovered in the IrDA subsystem,
allowing an attacker in physical proximity to the system to cause
memory corruption, leading to a denial of service, system instability
or potentially other unspecified impact.


* Data loss on mmap page write in nilfs2.

Writing to a file on a nilfs2 filesystem via a memory mapping
could result in data loss.


* CVE-2011-1479: Double free in inotify.

Under certain error conditions, the inotify_init1 system call could
free a block of memory twice, leading to memory corruption.  A local
unprivileged attacker could exploit this error to cause a kernel
panic, system instability, or possibly escalation of privileges.


* Reference count leak in perf subsystem.

The perf subsystem did not properly drop references to a 'struct
task_struct' when opening a performance event, resulting in a memory
leak or other consequences.


* CVE-2011-1493: Missing boundary checks in rose driver.

Several missing boundary checks were discovered in the rose driver,
allowing a remote host to cause memory corruption or a kernel panic by
sending malformed packets.


* CVE-2011-1078: Information leak in Bluetooth SCO module.

One byte of the 'struct sco_conninfo' data structure was not
initialized before being copied to userspace, leading to a leak of
potentially sensitive kernel memory.


* CVE-2011-1079: Buffer overflow in Bluetooth bnep module.

A missing null-termination check on the device name passed to the
Bluetooth bnep module could cause a denial of service or an
information leak.


* CVE-2011-0463: Information leak in OCFS2 holes crossing page boundaries.

The ocfs2_prepare_page_for_write function in fs/ocfs2/aops.c in the
Oracle Cluster File System 2 (OCFS2) did not properly handle holes
that cross page boundaries, which allowed local users to obtain
potentially sensitive information from uninitialized disk locations by
reading a file.


* CVE-2011-1160: Information leak in tpm driver.

A buffer was not initialized before being returned to userspace,
leading to a leak of potentially sensitive kernel memory.
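CVE-2011-1078 and CVE-2011-1160 above are the same bug class: a kernel
object is only partly initialised before copy_to_user() sends it out.
The following is an added example, not kernel code and not part of the
original advisory.  It models the layout the SCO entry describes (a
16-bit handle followed by a 3-byte class, which the compiler pads to 6
bytes) under the assumed name struct conninfo, simulates a reused stack
slot holding stale data, and counts how many bytes would reach
userspace untouched with and without the memset() fix.

```c
/* Added example, not kernel code.  struct conninfo, STALE and the
 * fill_* functions are illustrative assumptions modelling the
 * sco_conninfo leak described in the advisory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct conninfo {
    uint16_t hci_handle;   /* 2 bytes */
    uint8_t  dev_class[3]; /* 3 bytes; compiler pads the struct to 6 */
};

#define STALE 0xAA  /* stands in for leftover data in a reused stack slot */

/* Vulnerable pattern: every named field is assigned, but the padding
 * byte is never touched, and the whole struct is copied out. */
static void fill_vulnerable(struct conninfo *ci)
{
    ci->hci_handle = 0x1234;
    ci->dev_class[0] = 0x01;
    ci->dev_class[1] = 0x02;
    ci->dev_class[2] = 0x03;
}

/* Fixed pattern: clear the entire object first so padding is zeroed. */
static void fill_fixed(struct conninfo *ci)
{
    memset(ci, 0, sizeof(*ci));
    ci->hci_handle = 0x1234;
    ci->dev_class[0] = 0x01;
    ci->dev_class[1] = 0x02;
    ci->dev_class[2] = 0x03;
}

/* Pre-fill a slot with the stale pattern, let the fill routine write
 * its fields in place, then count bytes that still carry the pattern:
 * those are the bytes copy_to_user() would hand to the caller
 * uninitialised.  The union gives byte-level access to the same
 * storage; the volatile call keeps the fill opaque to the optimiser. */
static size_t stale_bytes_after(void (*fill)(struct conninfo *))
{
    union {
        struct conninfo ci;
        unsigned char raw[sizeof(struct conninfo)];
    } slot;
    void (*volatile do_fill)(struct conninfo *) = fill;
    size_t i, stale = 0;

    memset(slot.raw, STALE, sizeof slot.raw);
    do_fill(&slot.ci);
    for (i = 0; i < sizeof slot.raw; i++)
        if (slot.raw[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    printf("sizeof(struct conninfo) = %zu\n", sizeof(struct conninfo));
    printf("uninitialised bytes, vulnerable fill: %zu\n",
           stale_bytes_after(fill_vulnerable));
    printf("uninitialised bytes, fixed fill:      %zu\n",
           stale_bytes_after(fill_fixed));
    return 0;
}
```

The one stale byte is the alignment padding after dev_class, which is
exactly the "one byte" the SCO entry refers to; memset() before filling
is the fix because member assignment never writes padding.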


* CVE-2011-2534: Denial of service in iptables CLUSTERIP target.

A buffer overflow in the clusterip_proc_write function in
net/ipv4/netfilter/ipt_CLUSTERIP.c might allow local users to cause a
denial of service or have unspecified other impact via a crafted write
operation, related to string data that lacks a terminating '\0'
character.


* CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.

Missing null-termination checks on table names in the netfilter
subsystem could cause a portion of kernel stack memory to be exposed
to userspace.
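The bnep, CLUSTERIP and netfilter entries above share one root cause: a
fixed-size name field arrives from userspace with no guarantee of a NUL
terminator, and code that treats it as a C string scans past the field
into whatever kernel memory follows it.  The following added example
(not kernel code and not from the advisory; struct request, NAME_LEN
and the function names are illustrative assumptions) shows that
read-past on a constructed request, and both common fixes: rejecting an
unterminated name, or forcibly terminating it as several of the
netfilter patches did.

```c
/* Added example, not kernel code.  struct request, NAME_LEN and the
 * functions below are illustrative assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* A request as it would arrive via copy_from_user().  The name is
 * followed by other kernel-side data that must not be disclosed. */
struct request {
    char name[NAME_LEN];
    char secret[8];        /* stands in for adjacent kernel memory */
};

/* Vulnerable consumer: finds the string length by scanning for NUL the
 * way strlen() does, so it keeps going past name[] into secret[].  The
 * scan runs over a byte copy of the whole struct so the demonstration
 * itself stays within defined behaviour. */
static size_t name_len_vulnerable(const struct request *req)
{
    unsigned char raw[sizeof *req];
    size_t i;

    memcpy(raw, req, sizeof raw);
    for (i = offsetof(struct request, name); i < sizeof raw; i++)
        if (raw[i] == '\0')
            break;
    return i - offsetof(struct request, name);
}

/* Bounded scan, equivalent to strnlen(). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened consumer: refuse a name with no NUL inside the field. */
static int name_len_hardened(const struct request *req, size_t *len)
{
    size_t n = bounded_len(req->name, NAME_LEN);

    if (n == NAME_LEN)
        return -EINVAL;    /* no terminator inside the field */
    *len = n;
    return 0;
}

/* Alternative fix: clobber the last byte so later strcmp()/strlen()
 * calls on the field are bounded. */
static void force_terminate(struct request *req)
{
    req->name[NAME_LEN - 1] = '\0';
}

/* Constructed input: 16 'A's with no terminator, then a secret. */
static void build_unterminated(struct request *req)
{
    memset(req->name, 'A', NAME_LEN);
    memcpy(req->secret, "hunter2", 8);   /* 7 chars plus NUL */
}

/* Run one scenario; returns the length seen or a negative errno. */
static long demo(int terminate, int hardened)
{
    struct request req;
    size_t len = 0;
    int rc;

    build_unterminated(&req);
    if (terminate)
        force_terminate(&req);
    if (!hardened)
        return (long)name_len_vulnerable(&req);
    rc = name_len_hardened(&req, &len);
    return rc ? rc : (long)len;
}

int main(void)
{
    printf("unterminated, vulnerable: %ld (reads past the field)\n", demo(0, 0));
    printf("unterminated, hardened:   %ld (-EINVAL)\n", demo(0, 1));
    printf("forced terminator, both:  %ld / %ld\n", demo(1, 0), demo(1, 1));
    return 0;
}
```

With no terminator the vulnerable scan reports 23 bytes: the 16-byte
field plus the 7 bytes of the neighbouring secret, which is what a
subsequent copy back to userspace would disclose.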


* CVE-2011-1173: Remote information leak in econet subsystem.

The econet subsystem did not fully initialize packets before sending
them, causing a leak of kernel stack memory to remote hosts.


* CVE-2011-1476, CVE-2011-1474: Missing boundary checks in OSS.

Several missing boundary checks in the OSS subsystem could lead to
memory corruption or a denial of service.


* Missing boundary checks in squashfs.

Several missing boundary checks were discovered in the squashfs
filesystem, causing a denial of service if the system attempts to
process a corrupted or malicious squashfs image.


* Reference count overflow in NFS server.

Repeated NLM lock operations can cause a reference count to overflow,
eventually leading to a use-after-free causing a denial of service
(kernel panic) or other unspecified impact.
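A counter that can wrap is why the reference-count overflow above ends
in a use-after-free.  The following added example (not the NFS/NLM
code and not from the advisory; a 16-bit counter is used so the wrap
happens after 65536 gets rather than 2^32, and the object and function
names are illustrative) shows an ordinary increment bringing the count
back to one while references are still held, so the next put() frees
a live object, beside a saturating get() that refuses the extra
reference instead.

```c
/* Added example, not kernel code.  struct lock_obj and the get/put
 * helpers are illustrative; the 16-bit width is chosen so the wrap is
 * reachable in a quick run. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct lock_obj {
    uint16_t refcount;
    bool freed;        /* set by put() when the count reaches zero */
};

static void obj_init(struct lock_obj *o)
{
    o->refcount = 1;   /* the creator's reference */
    o->freed = false;
}

/* Plain increment: wraps silently from 65535 to 0. */
static void get_vulnerable(struct lock_obj *o)
{
    o->refcount++;
}

/* Saturating increment: refuse a reference once the counter is at its
 * maximum, so it can never wrap back toward zero. */
static bool get_hardened(struct lock_obj *o)
{
    if (o->refcount == UINT16_MAX)
        return false;
    o->refcount++;
    return true;
}

static void put(struct lock_obj *o)
{
    if (--o->refcount == 0)
        o->freed = true;     /* kfree() in the kernel */
}

/* Take n references with the chosen get(), then drop exactly one.
 * Returns true if the object was freed although n holders remain,
 * i.e. every one of them now has a dangling pointer. */
static bool uaf_after_gets(bool vulnerable, unsigned long n)
{
    struct lock_obj o;
    unsigned long i;

    obj_init(&o);
    for (i = 0; i < n; i++) {
        if (vulnerable)
            get_vulnerable(&o);
        else if (!get_hardened(&o))
            break;           /* caller gets an error, no reference taken */
    }
    put(&o);
    return o.freed;
}

int main(void)
{
    printf("vulnerable, 3 gets then 1 put:     freed=%d\n", uaf_after_gets(true, 3));
    printf("vulnerable, 65536 gets then 1 put: freed=%d\n", uaf_after_gets(true, 65536));
    printf("hardened,   65536 gets then 1 put: freed=%d\n", uaf_after_gets(false, 65536));
    return 0;
}
```

After 65536 gets the wrapped counter reads 1 again, so a single put()
frees the object out from under every other holder; the saturating
variant stops at 65535 and the put() leaves a live object.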


* Remote denial of service in cifs_mount.

The kernel's CIFS client code could trigger a denial of service (BUG()
assertion failure) when connecting to a CIFS server providing unusual
shares.


* CVE-2011-1771: Denial of service in CIFS with O_DIRECT.

A missing NULL check in the cifs_close function in the Common Internet
File System (CIFS) implementation could allow a local, unprivileged
user with write access to a CIFS file system to cause a denial of
service.  (CVE-2011-1771, Moderate)


* Denial of service in UBIFS filesystem via fsync.

Calling fsync on a file in a read-only UBIFS filesystem caused a
kernel oops, leading to denial of service.


* CVE-2011-1593: Missing bounds check in proc filesystem.

A local attacker could exploit a missing bounds check to read kernel
memory or cause a denial of service.


* CVE-2011-1017: Missing boundary checks in LDM partition table parsing.

When processing an LDM partition table, the kernel did not verify that
certain fields were within bounds, resulting in a possible heap
overflow.  A local attacker could potentially exploit this to cause a
denial of service or information leak.


* CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.

It was found that an mmap() call with the MAP_PRIVATE flag on
"/dev/zero" would create transparent hugepages and trigger a certain
robustness check.  A local, unprivileged user could use this flaw to
cause a denial of service.  (CVE-2011-2479, Moderate)


* CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.

Multiple integer overflows in the AGP driver could allow local users
to gain privileges or cause a denial of service (system crash) via
crafted AGPIOC_BIND or AGPIOC_UNBIND ioctls.


* CVE-2011-1746: Buffer overflow in AGP subsystem.

The agp_allocate_memory function fails to correctly check a page count
from userspace against overflow, and may allocate an insufficiently
large buffer, leading to privilege escalation or denial of service.
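The AGP entries above come down to two arithmetic checks done in the
wrong order.  The following added example (not the AGP driver's code
and not from the advisory; the GART size, argument names and functions
are illustrative assumptions) models an AGPIOC_BIND range check where
pg_start + page_count wraps, and a page-table allocation size where
count times element size wraps, each beside a form that tests against
the bound before doing the arithmetic.

```c
/* Added example, not kernel code.  GART_ENTRIES and the functions
 * below are illustrative assumptions modelling the AGP overflows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define GART_ENTRIES 4096u   /* assumed number of page-table slots */

/* Vulnerable range check: the addition wraps in 32-bit arithmetic, so a
 * huge page_count with a small pg_start passes as "in range" and the
 * bind loop then writes page-table entries far outside the table. */
static int bind_range_ok_vulnerable(uint32_t pg_start, uint32_t page_count)
{
    return pg_start + page_count <= GART_ENTRIES;
}

/* Hardened: compare each term against the bound before adding. */
static int bind_range_ok_hardened(uint32_t pg_start, uint32_t page_count)
{
    if (page_count > GART_ENTRIES)
        return 0;
    return pg_start <= GART_ENTRIES - page_count;
}

/* Vulnerable size computation: count times element size wraps, so the
 * buffer allocated is far smaller than the page_count later used to
 * index it. */
static uint32_t table_bytes_vulnerable(uint32_t page_count)
{
    return page_count * (uint32_t)sizeof(void *);
}

/* Hardened: divide first so the product is provably representable.
 * Returns 0 (never a valid size here) to refuse the request. */
static size_t table_bytes_hardened(size_t page_count)
{
    if (page_count == 0 || page_count > SIZE_MAX / sizeof(void *))
        return 0;
    return page_count * sizeof(void *);
}

int main(void)
{
    /* pg_start=1 with page_count=0xFFFFFFFF wraps to 0 and "fits". */
    printf("bind 1+0xFFFFFFFF vulnerable=%d hardened=%d\n",
           bind_range_ok_vulnerable(1, 0xFFFFFFFFu),
           bind_range_ok_hardened(1, 0xFFFFFFFFu));
    /* 0x20000001 pages * 8 bytes wraps to 8 in 32-bit arithmetic. */
    printf("bytes for 0x20000001 pages: vulnerable=%u hardened=%zu\n",
           table_bytes_vulnerable(0x20000001u),
           table_bytes_hardened(0x20000001u));
    return 0;
}
```

The hardened size helper's result on the 0x20000001 case depends on
the width of size_t (it succeeds on 64-bit and refuses on 32-bit),
which is the point: the check is expressed against SIZE_MAX rather than
assuming any particular width.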


* CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.

Multiple vulnerabilities in the mpt2sas driver may allow local users
to gain privileges, cause a denial of service (memory corruption), or
obtain sensitive information from kernel memory.


* Use after free bug in iwlwifi driver.

A use-after-free bug was found in the iwl_tx_queue_reclaim function in
the iwlwifi driver.


* CVE-2011-1598: Denial of service in CAN/BCM protocol.

Dave Jones reported an issue in the Broadcast Manager Controller Area
Network (CAN/BCM) protocol that may allow local users to cause a NULL
pointer dereference, resulting in a denial of service.


* CVE-2011-1748: Denial of service in CAN raw sockets.

Oliver Hartkopp reported an issue in the Controller Area Network (CAN)
raw socket implementation which permits local users to cause a NULL
pointer dereference, resulting in a denial of service.


* CVE-2011-1577: Missing boundary checks in GPT partition handling.

A heap overflow flaw in the Linux kernel's EFI GUID Partition Table
(GPT) implementation could allow a local attacker to cause a denial of
service by mounting a disk that contains specially-crafted partition
tables.  (CVE-2011-1577, Low)


* Missing boundary checks in mremap() and stack expansion.

A local unprivileged user could cause a denial of service (kernel
panic) by carefully crafted mremap() system calls.


* Denial of service in memory management subsystem.

A local unprivileged user could cause a denial of service via a
specially-crafted mlock() system call.


* CVE-2011-1770: Remote denial of service in DCCP options parsing.

Dan Rosenberg reported an issue in the Datagram Congestion Control
Protocol (DCCP).  Remote users can cause a denial of service or
potentially obtain access to sensitive kernel memory.


* Multiple buffer overflows in CIFS.

Incorrect length and null termination checks in the
decode_unicode_ssetup, CIFS_SessSetup, coalesce_t2, and
cifs_parse_mount_options functions in the CIFS subsystem could lead to
buffer overflows.


* CVE-2011-1927: Remote denial of service in ICMP.

In the icmp_send function in net/ipv4/icmp.c, a parameter passed to
the dev_net function is not properly validated.  A remote attacker can
exploit this to cause denial of service via NULL pointer dereference.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.




More information about the Ksplice-Ubuntu-11.04-Updates mailing list