[Ksplice][VZ4.6-Updates] New updates available via Ksplice (CU-2.6.18-028stab079.1)

Tim Abbott tabbott at ksplice.com
Thu Dec 9 19:46:16 PST 2010


Synopsis: CU-2.6.18-028stab079.1 can now be patched using Ksplice
CVEs: CVE-2010-2963 CVE-2010-3066 CVE-2010-3067 CVE-2010-3078 CVE-2010-3086 CVE-2010-3477 CVE-2010-3904
Red Hat Security Advisory Severity: Important

Systems running Virtuozzo 4.6 can now use Ksplice to patch against the 
latest Parallels Virtuozzo Containers 4.6 kernel security update, 
CU-2.6.18-028stab079.1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4.6 install 
these updates.  You can install these updates by running:

# uptrack-upgrade -y

DESCRIPTION

* CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.

The rds_page_copy_user function did not perform any access checks on 
user-provided pointers before using unchecked __copy_*_user_inatomic 
functions, which can be exploited by a local user to write to arbitrary 
kernel memory and escalate privileges.


* CVE-2010-3066: NULL pointer dereference in io_submit_one.

A NULL pointer dereference flaw was found in the io_submit_one() function 
in the Linux kernel asynchronous I/O implementation. A local, unprivileged 
user could use this flaw to cause a denial of service. (CVE-2010-3066, 
Moderate)


* CVE-2010-3067: Information leak in sys_io_submit.

A missing upper bound integer check was found in the sys_io_submit() 
function in the Linux kernel asynchronous I/O implementation. A local, 
unprivileged user could use this flaw to cause an information leak. 
(CVE-2010-3067, Low)


* CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.

A flaw was found in the xfs_ioc_fsgetxattr() function in the Linux kernel 
XFS file system implementation. A data structure in xfs_ioc_fsgetxattr() 
was not initialized properly before being copied to user-space. A local, 
unprivileged user could use this flaw to cause an information leak.  
(CVE-2010-3078, Moderate)


* CVE-2010-3086: Denial of Service in futex atomic operations.

The exception fixup code for the __futex_atomic_op1, __futex_atomic_op2, 
and futex_atomic_cmpxchg_inatomic() macros replaced the LOCK prefix with a 
NOP instruction. A local, unprivileged user could use this flaw to cause a 
denial of service. (CVE-2010-3086, Moderate)


* CVE-2010-3477: Information leak in tcf_act_police_dump.

A flaw was found in the tcf_act_police_dump() function in the Linux kernel 
network traffic policing implementation. A data structure in 
tcf_act_police_dump() was not initialized properly before being copied to 
user-space. A local, unprivileged user could use this flaw to cause an 
information leak. (CVE-2010-3477, Moderate)


* CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.

The ioctl32 v4l1 compat code for VIDIOCSMICROCODE does not check the 
destination buffer for a copy_from_user() call, which allows anyone with 
access to a v4l device to write to arbitrary kernel memory locations.


* Buffer overflow in icmpmsg_put.

Reading from the /proc/net/snmp file could cause a buffer overflow when 
the number of different MIB messages overran the internal buffer.
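
The two information leaks above (CVE-2010-3078 and CVE-2010-3477) share one pattern: a structure is only partly filled in before the whole object is copied to user-space. The following user-space simulation is an added example, not code from the Ksplice advisory or the kernel patches; struct reply, dump(), leaked_bytes() and the STALE marker are hypothetical names, and the stale stack contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker standing in for leftover kernel stack bytes */

/* Hypothetical reply layout, not the real XFS or traffic-policing structure. */
struct reply {
    unsigned int flags;        /* assigned by the handler */
    unsigned int size;         /* assigned by the handler */
    unsigned char reserved[8]; /* never assigned by the handler */
};

/* zero_first = 0 is the flawed handler, zero_first = 1 the corrected one. */
static void dump(void *user, const unsigned char *slot, int zero_first)
{
    struct reply r;
    memcpy(&r, slot, sizeof r);  /* models a local that inherits old stack contents */
    if (zero_first)
        memset(&r, 0, sizeof r); /* the fix: clear every field and any padding first */
    r.flags = 1;
    r.size = 4096;
    memcpy(user, &r, sizeof r);  /* stands in for copy_to_user() of the whole struct */
}

/* Run the handler over a stale stack slot; count stale bytes the caller receives. */
static size_t leaked_bytes(int zero_first)
{
    unsigned char slot[sizeof(struct reply)], user[sizeof(struct reply)];
    size_t i, n = 0;

    memset(slot, STALE, sizeof slot);
    memset(user, 0, sizeof user);
    dump(user, slot, zero_first);
    for (i = 0; i < sizeof user; i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("unfixed: %zu stale bytes, fixed: %zu stale bytes\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Zeroing the whole object rather than individual fields also covers compiler-inserted padding, which per-field assignment cannot reach.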

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


