[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (3.0.0-15.25)

Jessica McKellar jessica.mckellar at oracle.com
Sat Jan 21 12:34:36 PST 2012


Synopsis: 3.0.0-15.25 can now be patched using Ksplice
CVEs: CVE-2010-4668 CVE-2011-2203 CVE-2011-4077 CVE-2011-4110 CVE-2011-4132 CVE-2011-4330

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu kernel release, 3.0.0-15.25.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-4077: Buffer overflow in xfs_readlink.

A flaw in the way the XFS filesystem implementation handled links with
pathnames larger than MAXPATHLEN allowed an attacker to mount a
malicious XFS image that could crash the system or result in privilege
escalation.


* CVE-2011-4132: Denial of service in Journaling Block Device layer.

A flaw in the way the Journaling Block Device (JBD) layer handled an
invalid log first block value allowed an attacker to mount a malicious
ext3 or ext4 image that would crash the system.


* Denial of service in Nouveau video driver.

Insufficiently early initialization of a fence lock during channel
allocation can cause a kernel crash.


* CVE-2011-4110: Denial of service in kernel key management facilities.

A flaw in the way user-defined key types were handled allowed an
unprivileged local user to crash the system via a NULL pointer
dereference and kernel OOPS.


* CVE-2011-4330: Buffer overflow in HFS file name translation logic.

Clement Lecigne reported a flaw in the way the HFS filesystem
implementation handled file names larger than HFS_NAMELEN. A missing
length check in hfs_mac2asc could result in a buffer overflow.


* Integer overflow in xen grant references driver.

On 32-bit systems, a high value of op.count could lead to a series of
integer overflows which could result in memory corruption.


* Improved fix for CVE-2010-4668.

Ubuntu's original fix for CVE-2010-4668 didn't check for zero-length
strings after an unaligned entry.


* File creation race in eCryptfs.

A race between file creation and allocation could cause a null pointer
dereference or attempts to use uninitialized memory.


* NULL pointer dereference in 802.11 radiotap support.

When receiving failed PLCP frames is enabled, the kernel
will crash when adding a radiotap header to the frame.


* NULL pointer dereference in mac80211 probes.

A missing check for a NULL skb in ieee80211_build_probe_req can result
in a NULL pointer dereference.


* Information leak in nl80211 wireless driver.

Missing length attribute validation in NL80211_ATTR_HT_CAPABILITY
could allow a buffer over-read in the station handling logic.


* Prevent xfs quota memory corruption.

The xfs_qm_dqattach_one function in the xfs filesystem did not properly
pass the doalloc flag to xfs_qm_dqget.  As a result, xfs_qm_dqget would
not allocate a new quota object even if it is needed, resulting in
possible memory corruption.


* CVE-2011-2203: NULL pointer dereference mounting HFS filesystems.

A NULL pointer dereference flaw was found in the Linux kernel's HFS
file system implementation. A local attacker could use this flaw to
cause a denial of service by mounting a disk that contains a
specially-crafted HFS file system with a corrupted MDB extent
record.


* Kernel information leak in eCryptfs.

Crafting a filename with characters with high ASCII values allowed an
attacker to read kernel memory past the end of the filename_rev_map
array.


* Integer overflow and memory corruption in DRM CRTC support.

A missing size check in drm_mode_dirtyfb_ioctl allowed an attacker to
overflow num_clips, causing a buffer allocation of an unintended,
small size. Future calls to fb->funcs->dirty could result in memory
corruption beyond that buffer.
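Both the Xen grant references bullet above and this DRM CRTC bullet describe the same defect class: a count supplied by userspace is multiplied by an element size on a 32-bit system, the product wraps, and a buffer far smaller than the number of elements is allocated. The following is an added illustration, not code from the advisory or from the kernel; RECT_SIZE, MAX_COUNT and the hostile count are constructed values, and uint32_t stands in for a 32-bit size_t so the wrap is visible on any host.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define RECT_SIZE 16u    /* hypothetical per-element size (a clip rectangle) */
#define MAX_COUNT 4096u  /* hypothetical sane upper bound a driver should impose */

/* Unchecked sizing, emulating 32-bit size_t: the multiplication wraps and
 * a tiny allocation comes back for a huge element count. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * RECT_SIZE;
}

/* Hardened sizing: a plausibility bound on the count first, then an explicit
 * overflow check before the multiplication. Returns 0 to signal rejection so
 * no allocation is attempted at all. */
uint32_t alloc_size_checked(uint32_t count)
{
    if (count == 0 || count > MAX_COUNT)
        return 0;                          /* reject absurd counts outright */
    if (count > UINT32_MAX / RECT_SIZE)
        return 0;                          /* product would not fit in 32 bits */
    return count * RECT_SIZE;
}

/* How many bytes the later per-element writes would land past the end of an
 * allocation of alloc_bytes, computed in 64 bits so it does not wrap itself. */
uint64_t overrun_bytes(uint32_t count, uint32_t alloc_bytes)
{
    uint64_t needed = (uint64_t)count * RECT_SIZE;
    return needed > alloc_bytes ? needed - alloc_bytes : 0;
}

int main(void)
{
    uint32_t hostile = 0x40000001u;   /* constructed: wraps to 16 bytes on 32-bit */
    uint32_t bad = alloc_size_unchecked(hostile);
    printf("unchecked: count=%u -> %u-byte buffer, %llu bytes written past it\n",
           hostile, bad, (unsigned long long)overrun_bytes(hostile, bad));
    printf("checked:   count=%u -> %s\n", hostile,
           alloc_size_checked(hostile) ? "accepted" : "rejected");
    printf("checked:   count=3 -> %u bytes\n", alloc_size_checked(3u));
    return 0;
}
```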


* Information leak in TTM graphics driver.

Pages for a newly created TTM_PL_TT buffer were not zeroed before
being returned to userspace.


* Information leak in nl80211 MAC address validation.

Missing length attribute validation in NL80211_ATTR_MAC could allow a
buffer over-read.


* NULL pointer dereference in cfg80211 wireless driver.

The wiphy causing a regulatory domain request could go away before it
was processed, resulting in a NULL pointer dereference.


* In-memory corruption in XFS ACL processing.

A missing check in xfs_acl_from_disk on the number of XFS ACLs could
result in in-memory corruption and a kernel panic.


* Kernel crash in XFS extended attribute handling.

When operating on an inode with many delalloc extents, the if_bytes
value for the data fork can be larger than the available storage,
causing a kernel crash in xfs_attr_shortform_bytesfit.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
