Skip to navigation

Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2010:0631-2
Type: Security Advisory
Severity: Important
Issued on: 2010-08-17
Last updated on: 2010-08-18
Affected Products: Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2008-7256
CVE-2009-4138
CVE-2010-1083
CVE-2010-1084
CVE-2010-1086
CVE-2010-1087
CVE-2010-1088
CVE-2010-1162
CVE-2010-1173
CVE-2010-1437
CVE-2010-1643
CVE-2010-2240
CVE-2010-2248
CVE-2010-2521

Details

Updated kernel-rt packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise MRG 1.2.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

[Updated 18 August 2010]
The CVE-2010-2240 description has been updated to reflect that the issue
affects both 32-bit and 64-bit systems. No changes have been made to the
packages.

These packages contain the Linux kernel, the core of any Linux operating
system.

Security fixes:

* unsafe sprintf() use in the Bluetooth implementation. Creating a large
number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary
memory pages being overwritten, allowing a local, unprivileged user to
cause a denial of service or escalate their privileges. (CVE-2010-1084,
Important)

* a flaw in the Unidirectional Lightweight Encapsulation implementation,
allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport
Stream frame to a target system, resulting in a denial of service.
(CVE-2010-1086, Important)

* NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user
on a system that has an NFS-mounted file system to cause a denial of
service or escalate their privileges on that system. (CVE-2010-1087,
Important)

* flaw in sctp_process_unk_param(), allowing a remote attacker to send a
specially-crafted SCTP packet to an SCTP listening port on a target system,
causing a denial of service. (CVE-2010-1173, Important)

* race condition between finding a keyring by name and destroying a freed
keyring in the key management facility, allowing a local, unprivileged
user to cause a denial of service or escalate their privileges.
(CVE-2010-1437, Important)

* systems using the kernel NFS server to export a shared memory file system
and that have the sysctl overcommit_memory variable set to never overcommit
(a value of 2; by default, it is set to 0), may experience a NULL pointer
dereference, allowing a local, unprivileged user to cause a denial of
service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643,
Important)

* when an application has a stack overflow, the stack could silently
overwrite another memory mapped area instead of a segmentation fault
occurring, which could cause an application to execute arbitrary code.
(CVE-2010-2240, Important)

* flaw in CIFSSMBWrite() could allow a remote attacker to send a
specially-crafted SMB response packet to a target CIFS client, resulting in
a denial of service. (CVE-2010-2248, Important)

* buffer overflow flaws in the kernel's implementation of the server-side
XDR for NFSv4 could allow an attacker on the local network to send a
specially-crafted large compound request to the NFSv4 server, possibly
resulting in a denial of service or code execution. (CVE-2010-2521,
Important)

* NULL pointer dereference in the firewire-ohci driver used for OHCI
compliant IEEE 1394 controllers could allow a local, unprivileged user with
access to /dev/fw* files to issue certain IOCTL calls, causing a denial of
service or privilege escalation. The FireWire modules are blacklisted by
default. If enabled, only root has access to the files noted above by
default. (CVE-2009-4138, Moderate)

* flaw in the link_path_walk() function. Using the file descriptor
returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted
file system, could result in a NULL pointer dereference, causing a denial
of service or privilege escalation. (CVE-2010-1088, Moderate)

* memory leak in release_one_tty() could allow a local, unprivileged user
to cause a denial of service. (CVE-2010-1162, Moderate)

* information leak in the USB implementation. Certain USB errors could
result in an uninitialized kernel buffer being sent to user-space. An
attacker with physical access to a target system could use this flaw to
cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way
Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of
Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their
customer, for responsibly reporting CVE-2010-1173; the X.Org security team
for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as
the original reporter; and Marcus Meissner for reporting CVE-2010-1083.


Solution

Users should upgrade to these updated packages, which contain
backported patches to correct these issues and fix the bugs noted in
the Kernel Security Update document, linked to in the References. The
system must be rebooted for this update to take effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Updated packages

Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

SRPMS:
kernel-rt-2.6.24.7-161.el5rt.src.rpm
File outdated by:  RHBA-2013:0927
    MD5: f5097c26b155ecb9b2f0352b82938967
SHA-256: 26e2ecb3df9a471a2fb8039c31881f9a5ac46551aa4bea9441853d7f55deaa95
 
IA-32:
kernel-rt-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 8fd968bdfae023cac025cbc7f645191f
SHA-256: 48d9df4e7fe1d041b6c438bd34a67fe34514c3aa66edd618f0993ac71da274e4
kernel-rt-debug-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: c2b1cfba04348b06ea7b7679f1012cb4
SHA-256: 5f535252e7515aae98951bd89448adfa64ed83d3e47fdaa1334c652eb943dd3b
kernel-rt-debug-devel-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 3da87b286bc42d3b4132540a381c35f2
SHA-256: 2ee5ecca010b4dc909dd3628e0eea017cc27eb4870272899ee09fcd321a7a4be
kernel-rt-devel-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 6c269013fdbd754fa45d480418dd89d1
SHA-256: df12826e3cda39f1f69c1b34b2da60031d599d4706beeb28605c2c26c063ca89
kernel-rt-doc-2.6.24.7-161.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
    MD5: 54a3f4555c3fd2c2ac92f1c6abaae3e5
SHA-256: cd25d7a5ab7e6b45bea32dfd7a8b70d6dfc1ff7cf0a3cd1c84b42f206a6c642a
kernel-rt-firmware-2.6.24.7-161.el5rt.noarch.rpm     MD5: 9240052b28d3879398be3089e7cb560f
SHA-256: 664eee5e8c89db6282463a50b395f911b913a3510ffbc74eadc6c8b2f3ef5602
kernel-rt-trace-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 79b0ee7e6fbebde5e6f7784cb03a2e9a
SHA-256: d219f2fb04477debb61a76dbecb952acd265d7c402008a879ff52d198ac3b1a2
kernel-rt-trace-devel-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: af627882085919e147cf37069cff35d4
SHA-256: 95ed1c6ccac5793589dd98e6ecde10e853c65b5dc123e0bfa5a00feebf97dfdf
kernel-rt-vanilla-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 65f348fdfb02ee7acd5eccfe157a4995
SHA-256: 21768e4914036f1e40b30ae9822d8bbb96723a6646b6ab55ae74f15fc70d5f3f
kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: dac98197e27ef5d5bd319ed66faa024e
SHA-256: 512543992804d7753782ca2cf217b007b0c43ce259143b0848a18290e20fd8e2
 
x86_64:
kernel-rt-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 71374bfe553c7e9b5f563f1878e25b86
SHA-256: b7239a95fc42bb5797bd4450672f0cece191992b7902eaa21b9ff767882db861
kernel-rt-debug-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 6e1ba438d2021da5a19c38d3868afe73
SHA-256: 5b90e04ed59d26164e692596a2710efa56c017ff492ec146e6ff207c58eb5bf7
kernel-rt-debug-devel-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: f1334e1b0405e0605b5b11b6e57939e5
SHA-256: 6fdd4434a2a7264ce50eeaf8d69f99a8b1a63023dd9f34fc8bbaf2aaba49f7c8
kernel-rt-devel-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 77c0e8de4e1715a314795eb21d204df6
SHA-256: bbfbe107aa34735f5a8298100302252c26c3fc6310d811367a6dcc9be7e999db
kernel-rt-doc-2.6.24.7-161.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
    MD5: 54a3f4555c3fd2c2ac92f1c6abaae3e5
SHA-256: cd25d7a5ab7e6b45bea32dfd7a8b70d6dfc1ff7cf0a3cd1c84b42f206a6c642a
kernel-rt-firmware-2.6.24.7-161.el5rt.noarch.rpm     MD5: 9240052b28d3879398be3089e7cb560f
SHA-256: 664eee5e8c89db6282463a50b395f911b913a3510ffbc74eadc6c8b2f3ef5602
kernel-rt-trace-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 82247179e7b9e6a138294e34834b681f
SHA-256: 5a5959b01120127bd59c72d94830f1858b68f7671d8508f77d2c51062a3cbb1d
kernel-rt-trace-devel-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: f1b2d50a7a4796cbdf9ec2d6ea7d58b8
SHA-256: 246c38853a5b246435493dae29be018391df798f51b6100d8a1cb522e88ae7a2
kernel-rt-vanilla-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: caba844019a3c2b2b6da690ca6782f0e
SHA-256: 875d5c876e25af3ff8379e6104b49d9a964f2cf30b74963d063c706f9741d5ba
kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 16ec97152a67d75bf867dd300044ade2
SHA-256: 67ce80d116b283e8b869df0bf519260d56199185c1071811938aff09757ea68e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

547236 - CVE-2009-4138 kernel: firewire: ohci: handle receive packets with a data length of zero
555671 - MRG -146/-147 kernels have older broadcom drivers compared with RHEL5.4
562075 - kernel: vfs: add MNT_NOFOLLOW flag to umount(2) [mrg-1]
566624 - CVE-2010-1083 kernel: information leak via userspace USB interface
567184 - CVE-2010-1087 kernel: NFS: Fix an Oops when truncating a file
567813 - CVE-2010-1088 kernel: fix LOOKUP_FOLLOW on automount "symlinks"
569237 - CVE-2010-1086 kernel: dvb-core: DoS bug in ULE decapsulation code
576018 - CVE-2010-1084 kernel: bluetooth: potential bad memory access with sysfs files
582076 - CVE-2010-1162 kernel: tty: release_one_tty() forgets to put pids
584645 - CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet
585094 - CVE-2010-1437 kernel: keyrings: find_keyring_by_name() can gain the freed keyring
594630 - kernel: security: testing the wrong variable in create_by_name() [mrg-1]
595970 - CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash
601210 - Fusion MPT misc device (ioctl) driver too verbose in message/fusion/mptctl.c::mptctl_ioctl()
606611 - CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment
608583 - CVE-2010-2248 kernel: cifs: Fix a kernel BUG with remote OS/2 server
612028 - CVE-2010-2521 kernel: nfsd4: bug in read_buf


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/