[Ksplice][Ubuntu 9.04 Updates] New updates available via Ksplice (USN-1000-1)
Tim Abbott
tabbott at ksplice.com
Sat Oct 23 15:40:52 PDT 2010
Synopsis: USN-1000-1 can now be patched using Ksplice
CVEs: CVE-2009-4895 CVE-2010-2226 CVE-2010-2240 CVE-2010-2248 CVE-2010-2521 CVE-2010-2798 CVE-2010-2942 CVE-2010-2946 CVE-2010-2954 CVE-2010-2955 CVE-2010-2963 CVE-2010-3015 CVE-2010-3067 CVE-2010-3078 CVE-2010-3080 CVE-2010-3310 CVE-2010-3432 CVE-2010-3437 CVE-2010-3442 CVE-2010-3477 CVE-2010-3705
Systems running Ubuntu 9.04 Jaunty can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1000-1.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 9.04 Jaunty users install
these updates. You can install these updates by running:
# uptrack-upgrade -y
DESCRIPTION
* CVE-2009-4895: NULL pointer dereference in tty_fasync.
A race condition in the tty_fasync function allows local users to
cause a NULL pointer dereference (denial of service).
* CVE-2010-2226: Read access to write-only files in XFS filesystem.
A flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel
XFS file system implementation. A local user could use this flaw to read
write-only files that they do not own on an XFS file system. This could
lead to unintended information disclosure.
* CVE-2010-2248: Denial of service in CIFS with remote OS/2 server.
When writing to a remote OS/2 server with the CIFS network filesystem,
invalid data returned from the server may trigger a kernel BUG, leading to
denial of service.
* CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Buffer overflow flaws were found in the Linux kernel's implementation of
the server-side External Data Representation (XDR) for the Network File
System (NFS) version 4. An attacker on the local network could send a
specially-crafted large compound request to the NFSv4 server, which could
possibly result in a kernel panic (denial of service) or arbitrary code
execution.
* CVE-2010-2798: Denial of service in GFS2.
Bob Peterson reported an issue in the GFS2 file system. A file system user
could cause a denial of service (Oops) via certain rename operations.
* CVE-2010-2942: Information leaks in traffic control dump structures.
Incorrectly initialized structures in the traffic control dump code may
allow the disclosure of 32 bits of kernel memory to userspace
applications.
* CVE-2010-2946: Access control bypass in JFS filesystem.
Extended attribute namespace access rules may be bypassed by using the
legacy-format os2 namespace.
* CVE-2010-2954: NULL pointer dereference in irda subsystem.
The irda_bind function in net/irda/af_irda.c in the Linux kernel did not
properly handle a failure in the irda_open_tsap function. This allows
local users to cause a denial of service (NULL pointer dereference and
panic) via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA)
socket.
* CVE-2010-2955: Information leak in wireless extensions.
The cfg80211_wext_giwessid function does not properly initialize
certain structure members. A local user could leverage an off-by-one
error in the ioctl_standard_iw_point function to obtain potentially
sensitive information from kernel heap memory using a SIOCGIWESSID ioctl
call that specifies a large buffer size.
* CVE-2010-3015: Integer overflow in ext4 filesystem.
An integer overflow flaw was found in the ext4_ext_get_blocks() function.
This can trigger a BUG() on certain configurations of ext4 file systems.
* CVE-2010-3067: Information leak in do_io_submit().
An integer overflow error in the do_io_submit function could be used by
userspace processes to read kernel memory.
* CVE-2010-3078: Information leak in XFS_IOC_FSGETXATTR ioctl.
The XFS_IOC_FSGETXATTR ioctl allowed unprivileged users to read 12 bytes
of uninitialized stack memory, because the fsxattr struct declared on the
stack in xfs_ioc_fsgetxattr() did not alter (or zero) the 12-byte fsx_pad
member before copying it back to the user.
* CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Tavis Ormandy reported an issue in the ALSA sequencer OSS emulation layer.
Local users with sufficient privileges to open /dev/sequencer can cause a
denial of service or privilege escalation via a NULL pointer dereference.
* CVE-2010-3310: Integer signedness errors in rose driver.
Multiple integer signedness errors in the rose driver allow local users to
cause a denial of service (heap memory corruption) or possibly have
unspecified other impact by calling rose_bind or rose_connect with a
negative destination digis count.
* CVE-2010-3432: Remote denial of service vulnerability in SCTP.
The sctp_outq_flush() function can call sctp_packet_reset() on a packet
structure that has already been filled with chunks. This resets the
packet length but does not remove the chunks from the list; the SCTP code
then re-initializes the packet, which because of the incorrect length
could overflow the skb, resulting in a kernel panic.
* CVE-2010-3437: Information leak in pktcdvd driver.
An integer signedness error in the pkt_find_dev_from_minor function allows
local users to obtain sensitive information from kernel memory or cause a
denial of service (invalid pointer dereference and system crash) via a
crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.
* CVE-2010-3442: Heap corruption vulnerability in ALSA core.
The snd_ctl_new() function allocates space for a snd_kcontrol struct by
performing arithmetic operations on a user-provided size without checking
for integer overflow. This allows an unprivileged user to write an
arbitrary value repeatedly past the bounds of this chunk, resulting in
heap corruption.
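The three size-arithmetic bugs above (CVE-2010-3067's nr * sizeof() range check in do_io_submit, CVE-2010-3310's negative digi count in rose, and CVE-2010-3442's unchecked header + count * element computation in snd_ctl_new) share one root cause: a user-supplied count is multiplied or sign-converted before anyone checks that the result fits. The following C is an added illustration written for this page, not kernel code and not from Ksplice or Ubuntu; the struct layouts, function names and the 32-bit ksize_t width are assumptions chosen so the wrap reproduces on any host.

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative layouts (assumed, not the kernel's): a fixed header
 * followed by `count` per-element records, in the spirit of the
 * snd_kcontrol and iocb-array cases. Both are 8 bytes, no padding. */
struct hdr  { uint32_t id;    uint32_t flags; };
struct elem { uint32_t value; uint32_t lock;  };

/* The affected kernel paths did their size math in `unsigned int`;
 * mirror that width so the wrap is visible on a 64-bit host too. */
typedef uint32_t ksize_t;

/* Vulnerable pattern: header + count * element, no overflow check.
 * For count = 2^29 the product is exactly 2^32 and wraps to 0, so the
 * caller allocates just the 8-byte header and later writes 2^29
 * records past it (the CVE-2010-3442 shape). */
ksize_t alloc_size_unchecked(ksize_t count)
{
    return (ksize_t)sizeof(struct hdr) + count * (ksize_t)sizeof(struct elem);
}

/* Hardened pattern: accept the count through the signed type such APIs
 * expose, reject negatives (the rose_bind/rose_connect signedness bug,
 * where -1 would otherwise become 0xFFFFFFFF), and refuse any count
 * whose record area would not fit after the header. Returns 0 on
 * rejection; 0 is never a valid size because the header is always present. */
ksize_t alloc_size_checked(int count)
{
    if (count < 0)
        return 0;
    ksize_t n    = (ksize_t)count;
    ksize_t room = (ksize_t)(UINT32_MAX - sizeof(struct hdr));
    if (n > room / (ksize_t)sizeof(struct elem))
        return 0;                      /* n * sizeof(elem) would exceed room */
    return (ksize_t)sizeof(struct hdr) + n * (ksize_t)sizeof(struct elem);
}

/* Same mistake in the shape of a range check: "do nr records fit in
 * avail bytes of user memory?" Multiplying first lets a huge nr wrap
 * to a tiny length and pass (the do_io_submit shape). */
int fits_unchecked(ksize_t avail, ksize_t nr)
{
    return nr * (ksize_t)sizeof(struct elem) <= avail;
}

/* Divide instead of multiply: no intermediate can overflow. */
int fits_checked(ksize_t avail, ksize_t nr)
{
    return nr <= avail / (ksize_t)sizeof(struct elem);
}
```

The division form is the one to reach for whenever the count comes from userspace: it needs no wider type and cannot wrap, whereas a post-hoc "is the product smaller than the count" test is easy to get wrong when the element size is not a power of two.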
* CVE-2010-3477: Kernel information leak in act_police.
Incorrectly initialized structures in the traffic control dump code may
allow the disclosure of kernel memory to userspace applications. This is a
similar issue to CVE-2010-2942.
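CVE-2010-2942, CVE-2010-3078 and CVE-2010-3477 are the same pattern: a kernel structure is filled in field by field on the stack and copied to userspace while its padding bytes are never written, so whatever the previous call left in that stack region goes out with it. The C below is an added model written for this page, not the XFS or traffic-control code itself; struct reply, its field names, the 0xA5 stale pattern and the union standing in for a stack frame are all assumptions made so the leak is reproducible outside a kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative ioctl reply with an explicit 12-byte pad, modelled on the
 * fsxattr layout described above (field names are stand-ins). Four
 * 4-byte fields plus 12 pad bytes give 28 bytes with no implicit padding. */
struct reply {
    uint32_t flags;
    uint32_t extsize;
    uint32_t nextents;
    uint32_t projid;
    unsigned char pad[12];
};

/* Layout assumption, checkable at run time: 28 bytes, pad at offset 16. */
int reply_layout_ok(void)
{
    return sizeof(struct reply) == 28 && offsetof(struct reply, pad) == 16;
}

/* A kernel stack frame does not arrive zeroed. The union lets the
 * harness pre-fill the frame with a fixed stale pattern (standing in
 * for a previous call's leftovers) so the leak is deterministic. */
union frame {
    struct reply r;
    unsigned char raw[sizeof(struct reply)];
};

/* Vulnerable pattern: set the named members, copy the whole struct out.
 * pad[] keeps the stale stack bytes and those reach userspace. */
static void fill_leaky(struct reply *r, uint32_t flags, uint32_t extsize,
                       uint32_t nextents, uint32_t projid)
{
    r->flags    = flags;
    r->extsize  = extsize;
    r->nextents = nextents;
    r->projid   = projid;
}

/* Hardened pattern: zero the entire object before filling it. Zeroing
 * only pad[] would still miss implicit padding a compiler may insert in
 * other layouts, which is the flavour of leak in the traffic-control
 * dump structures. */
static void fill_fixed(struct reply *r, uint32_t flags, uint32_t extsize,
                       uint32_t nextents, uint32_t projid)
{
    memset(r, 0, sizeof *r);
    r->flags    = flags;
    r->extsize  = extsize;
    r->nextents = nextents;
    r->projid   = projid;
}

/* One ioctl-style round trip: poison the frame with STALE, fill it with
 * the leaky or the fixed routine, copy it to a "user" buffer (standing
 * in for copy_to_user), and return how many stale bytes the user sees. */
#define STALE 0xA5
size_t stale_bytes_exposed(int use_fixed)
{
    union frame f;
    memset(f.raw, STALE, sizeof f.raw);          /* previous call's leftovers */
    if (use_fixed)
        fill_fixed(&f.r, 0x1, 4096, 3, 1000);
    else
        fill_leaky(&f.r, 0x1, 4096, 3, 1000);

    unsigned char user[sizeof(struct reply)];
    memcpy(user, &f.r, sizeof f.r);              /* copy_to_user() */

    size_t n = 0;
    for (size_t i = offsetof(struct reply, pad); i < sizeof user; i++)
        if (user[i] == STALE)
            n++;
    return n;
}
```

The same harness idea (poison, fill, copy, diff) is a cheap unit test to keep around for any ioctl or netlink reply struct: if the number of poison bytes that survive is non-zero, the fill path has an initialization gap regardless of whether the gap is an explicit pad member or compiler-inserted padding.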
* CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
The SCTP subsystem's sctp_asoc_get_hmac function did not correctly check
for an out of range value for the last id in the hmac_ids array,
potentially resulting in kernel memory corruption.
* CVE-2010-2963: Privilege escalation in V4L 32-bit compat support.
Kees Cook discovered that the V4L1 32-bit compat interface did not
correctly validate certain parameters. A local attacker on a 64-bit system
with access to a video device could exploit this to gain root privileges.
* Fix mlock regression introduced by CVE-2010-2240 fix.
The upstream patch for CVE-2010-2240 introduced a possible kernel crash
when privileged applications use mlock on portions of the kernel stack.
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.