Skip to navigation

Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2010:0161-1
Type: Security Advisory
Severity: Important
Issued on: 2010-03-23
Last updated on: 2010-03-23
Affected Products: Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2009-4141
CVE-2009-4895
CVE-2010-0003
CVE-2010-0007
CVE-2010-0291
CVE-2010-0410
CVE-2010-0415
CVE-2010-0437
CVE-2010-0622

Details

Updated kernel-rt packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise MRG 1.2.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* a deficiency was found in the fasync_helper() implementation. This could
allow a local, unprivileged user to leverage a use-after-free of locked,
asynchronous file descriptors to cause a denial of service or privilege
escalation. (CVE-2009-4141, Important)

* multiple flaws were found in the mmap and mremap implementations. A
local, unprivileged user could use these flaws to cause a local denial of
service or escalate their privileges. (CVE-2010-0291, Important)

* a missing boundary check was found in the do_move_pages() function in the
memory migration functionality. A local user could use this flaw to cause a
local denial of service or an information leak. (CVE-2010-0415, Important)

* a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail()
function. An attacker on the local network could trigger this flaw by
sending IPv6 traffic to a target system, leading to a system crash (kernel
OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6
packet. (CVE-2010-0437, Important)

* a NULL pointer dereference flaw was found in the Fast Userspace Mutexes
(futexes) implementation. The unlock code path did not check if the futex
value associated with pi_state->owner had been modified. A local user could
use this flaw to modify the futex value, possibly leading to a denial of
service or privilege escalation when the pi_state->owner pointer is
dereferenced. (CVE-2010-0622, Important)

* an information leak was found in the print_fatal_signal() implementation.
When "/proc/sys/kernel/print-fatal-signals" is set to 1 (the default value
is 0), memory that is reachable by the kernel could be leaked to
user-space. This issue could also result in a system crash. Note that this
flaw only affected the i386 architecture. (CVE-2010-0003, Moderate)

* a flaw was found in the kernel connector implementation. A local,
unprivileged user could trigger this flaw by sending an arbitrary amount of
notification requests using specially-crafted netlink messages, resulting
in a denial of service. (CVE-2010-0410, Moderate)

* missing capability checks were found in the ebtables implementation, used
for creating an Ethernet bridge firewall. This could allow a local,
unprivileged user to bypass intended capability restrictions and modify
ebtables rules. (CVE-2010-0007, Low)

This update also fixes the following bugs:

* references were missing for two LSI MegaRAID SAS controllers already
supported by the kernel, preventing systems using these controllers from
booting. (BZ#554664)

* a typo in the fix for CVE-2009-2691 resulted in gdb being unable to read
core files created by gcore. (BZ#554965)

* values for certain pointers used by the kernel, which should be
undereferencable, could potentially be abused when a kernel OOPS occurs.
Values that are harder to dereference are now used. (BZ#555227)

* this update redesigns the locking scheme of the TTY process group
(tty->pgrp) structure, due to race conditions introduced when tty->pgrp
started using struct pid instead of pid_t. (BZ#559101)

* the way the NFS kernel server used iget() and the way in which it kept
its cache of inode information, could have led to (mainly on busy file
servers) inconsistencies between the local file system and the file system
being served to clients. (BZ#561275)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

SRPMS:
kernel-rt-2.6.24.7-149.el5rt.src.rpm
File outdated by:  RHBA-2013:0927
    MD5: 0c5f42eaf16bd9ed654f1a84da74dd49
SHA-256: a884761f958ea9e2a3631d7cb29010d792b61fd0e75dd135838998ab17fab0cd
 
IA-32:
kernel-rt-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: a0cb493a09c0aedbc30fe891033219a3
SHA-256: 9836df58638c0e972999674b87c7f377b7fb6b40e37c16bcb2a1997322b33cd5
kernel-rt-debug-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 668d3b12158a2d7419ea3c2c383ce186
SHA-256: 0d016abf8c0484b6a32995b424d67c2457c901747f25f790d9c2da0adcb1817c
kernel-rt-debug-devel-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: f124ff6a41bacec54ea5bb01bfc845a1
SHA-256: c769e320556388a3c368df6ed9e2bdf8d96060a0d104b1569d6a7c9f756ee600
kernel-rt-devel-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: e714ffc54cf41dfa3b1ad84d04f7d8d0
SHA-256: 7f24cf534b04dce3798233515953988dcc0b2a308cb8526710d73f56d3ff1073
kernel-rt-doc-2.6.24.7-149.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
    MD5: bb88c0b9349dc1de7cec274b2d06a441
SHA-256: 28aad316236631481d3d934ad6235f0cfe33875f8e7a2c356c3da27f9ebdcf9b
kernel-rt-trace-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: bfd1c021de355b65a3d7477a4636388d
SHA-256: 7748fabb02c8d5918efdf197c150df280ba6abde85d05929c87dd27d4b764616
kernel-rt-trace-devel-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 87ed7c867cae05184fa359522ac62941
SHA-256: 1bfdcebf348afb36fa9362e40d73b7575b70d8cfabc97bf6e726bdce1cc240d6
kernel-rt-vanilla-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 063d8b8c6d239258d8b8b44c8e4a4b96
SHA-256: 492b43640954a1863916c7801519c3d2a907e34abec772c40ad58a81024bfef7
kernel-rt-vanilla-devel-2.6.24.7-149.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
    MD5: 9e36d6d217bfd9000bbad29f6b5dd229
SHA-256: 482d3b4452ee07cd2389cde4a45deb67851b436f74cc58a069e7f4abb5a9d6bc
 
x86_64:
kernel-rt-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 28af79de712f38bafc098c5ec6f687ef
SHA-256: 566f94235f2746b13a7b999f2fd4dd089daa1d0b538929f578090917161c12dc
kernel-rt-debug-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 6c927784c2fec6f6432e79f5028bef74
SHA-256: f844e8e31bd0112760e39bcc5cfbd0bb0b12767c26ce1839f63ed5375eefc8c9
kernel-rt-debug-devel-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 7884e2f2746d773eefb8babef2318468
SHA-256: f1c774c8055e2956eee9cd4571709bd25890f428e72a426656819322ffac6e66
kernel-rt-devel-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 204ba51e5d0c36787dec2d0be5b739f9
SHA-256: 639ae15ad8159b62fc3ea89582eb67fe3b627a293e0474165542bf3c2b6fdafa
kernel-rt-doc-2.6.24.7-149.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
    MD5: bb88c0b9349dc1de7cec274b2d06a441
SHA-256: 28aad316236631481d3d934ad6235f0cfe33875f8e7a2c356c3da27f9ebdcf9b
kernel-rt-trace-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 4c8a2c5fcfc29c08535185de2c432a12
SHA-256: 14ec96d96776649ec72173690685d64cdf9fe6f351cf07d7dc7af84fc0ba3d43
kernel-rt-trace-devel-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 13a13bb4f00df4d3a1ce7ea3ac398f30
SHA-256: 0b8b52bc9ba41253547c230e03749d26ccae3731f13432eb0576c578f9cf7633
kernel-rt-vanilla-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 0d34aad7392631a7657ab11afc2e5d35
SHA-256: eddc0cc690c53538cf60c1e8e86015fc3e7dd4295fb996ab3fd38498f94031c6
kernel-rt-vanilla-devel-2.6.24.7-149.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
    MD5: 35a40f020a270788336480b5aea2e0c0
SHA-256: de9cf85e658fbaea8ddf4cfb19218f0d5109d443fdb9683b98a06effe72c8e2d
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

547906 - CVE-2009-4141 kernel: create_elf_tables can leave urandom in a bad state
554578 - CVE-2010-0003 kernel: infoleak if print-fatal-signals=1
554664 - MRG current has a very old megaraid_sas driver
554965 - gcore tool produces unusable corefile with MRG kernel
555238 - CVE-2010-0007 kernel: netfilter: ebtables: enforce CAP_NET_ADMIN
556703 - CVE-2010-0291 kernel: untangle the do_mremap()
561275 - kernel: serious ugliness in iget() uses by nfsd [mrg-1]
561682 - CVE-2010-0410 kernel: OOM/crash in drivers/connector
562582 - CVE-2010-0415 kernel: sys_move_pages infoleak
563091 - CVE-2010-0622 kernel: futex: Handle user space corruption gracefully
563781 - CVE-2010-0437 kernel: ipv6: fix ip6_dst_lookup_tail() NULL pointer dereference


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/