Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2010:0958-1
Type: Security Advisory
Severity: Important
Issued on: 2010-12-08
Last updated on: 2010-12-08
Affected Products: Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2010-2962
CVE-2010-3432
CVE-2010-3442
CVE-2010-3705
CVE-2010-3858
CVE-2010-3861
CVE-2010-3874
CVE-2010-3876
CVE-2010-3880
CVE-2010-4072
CVE-2010-4073
CVE-2010-4074
CVE-2010-4075
CVE-2010-4077
CVE-2010-4079
CVE-2010-4080
CVE-2010-4082
CVE-2010-4083
CVE-2010-4157
CVE-2010-4158
CVE-2010-4169

Details

Updated kernel-rt packages that fix multiple security issues and three bugs
are now available for Red Hat Enterprise MRG 1.3.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* Missing sanity checks in the Intel i915 driver in the Linux kernel could
allow a local, unprivileged user to escalate their privileges.
(CVE-2010-2962, Important)

* A flaw in sctp_packet_config() in the Linux kernel's Stream Control
Transmission Protocol (SCTP) implementation could allow a remote attacker
to cause a denial of service. (CVE-2010-3432, Important)

* A missing integer overflow check in snd_ctl_new() in the Linux kernel's
sound subsystem could allow a local, unprivileged user on a 32-bit system
to cause a denial of service or escalate their privileges. (CVE-2010-3442,
Important)

* A flaw in sctp_auth_asoc_get_hmac() in the Linux kernel's SCTP
implementation. When iterating through the hmac_ids array, it did not reset
the last id element if it was out of range. This could allow a remote
attacker to cause a denial of service. (CVE-2010-3705, Important)

* Missing sanity checks in setup_arg_pages() in the Linux kernel. When
making the size of the argument and environment area on the stack very
large, it could trigger a BUG_ON(), resulting in a local denial of service.
(CVE-2010-3858, Moderate)

* A flaw in ethtool_get_rxnfc() in the Linux kernel's ethtool IOCTL
handler. When it is called with a large info.rule_cnt, it could allow a
local user to cause an information leak. (CVE-2010-3861, Moderate)

* A flaw in bcm_connect() in the Linux kernel's Controller Area Network
(CAN) Broadcast Manager. On 64-bit systems, writing the socket address may
overflow the procname character array. (CVE-2010-3874, Moderate)

* A flaw in inet_csk_diag_dump() in the Linux kernel's module for
monitoring the sockets of INET transport protocols. By sending a netlink
message with certain bytecode, a local, unprivileged user could cause a
denial of service. (CVE-2010-3880, Moderate)

* Missing sanity checks in gdth_ioctl_alloc() in the gdth driver in the
Linux kernel could allow a local user with access to "/dev/gdth" on a
64-bit system to cause a denial of service or escalate their privileges.
(CVE-2010-4157, Moderate)

* A use-after-free flaw in the mprotect() system call could allow a local,
unprivileged user to cause a local denial of service. (CVE-2010-4169,
Moderate)

* Missing initialization flaws in the Linux kernel could lead to
information leaks. (CVE-2010-3876, CVE-2010-4072, CVE-2010-4073,
CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080,
CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low)

Red Hat would like to thank Kees Cook for reporting CVE-2010-2962,
CVE-2010-3861, and CVE-2010-4072; Dan Rosenberg for reporting
CVE-2010-3442, CVE-2010-3705, CVE-2010-3874, CVE-2010-4073, CVE-2010-4074,
CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4082,
CVE-2010-4083, and CVE-2010-4158; Brad Spengler for reporting
CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; and Vasiliy
Kulikov for reporting CVE-2010-3876.

Bug fixes:

* A vulnerability in the 32-bit compatibility code for the VIDIOCSMICROCODE
IOCTL in the Video4Linux implementation. It does not affect Red Hat
Enterprise MRG, but as a preventive measure, this update removes the code.
Red Hat would like to thank Kees Cook for reporting this vulnerability.
(BZ#642469)

* The kernel-rt spec file was missing the crypto, drm, generated, and trace
header directories when generating the kernel-rt-devel package, resulting
in out-of-tree modules failing to build. (BZ#608784)

* On computers without a supported Performance Monitoring Unit, a crash
would occur when running the "perf top" command, and occasionally other
perf commands. perf software events are now marked as IRQ safe to avoid
this crash. (BZ#647434)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.
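
A post-update check, added here as an example and not part of the Red Hat advisory: because "rpm -ivh" installs the new kernel beside the old one and the fixes only take effect after a reboot, a host can have the fixed package installed while still running a vulnerable kernel. The function names, the sample builds and the assumption that `uname -r` reports the package version-release are this example's own; the fixed build string comes from the package names listed in this advisory.

```sh
#!/bin/sh
# Fixed kernel-rt build, taken from the package file names in this advisory.
FIXED="2.6.33.7-rt29.47.el5rt"

# vr_ge A B: succeed when build A is the same as, or later than, build B.
# Approximates RPM ordering by comparing only the numeric fields, left to
# right; adequate for kernel-rt builds from the same el5rt stream.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++)
            if (x[i] + 0 != y[i] + 0) exit ((x[i] + 0 > y[i] + 0) ? 0 : 1)
        exit 0
    }'
}

# assess RUNNING [INSTALLED...]: classify a host from the running kernel
# release and the version-release of each installed kernel-rt package.
assess() {
    running=$1; shift
    if vr_ge "$running" "$FIXED"; then echo patched; return 0; fi
    for vr in "$@"; do
        if vr_ge "$vr" "$FIXED"; then echo reboot-needed; return 0; fi
    done
    echo vulnerable
}

# Constructed sample hosts; the 2.6.33.5-rt23.21.el5rt build is made up.
echo "host-a: $(assess 2.6.33.5-rt23.21.el5rt 2.6.33.5-rt23.21.el5rt)"
echo "host-b: $(assess 2.6.33.5-rt23.21.el5rt 2.6.33.5-rt23.21.el5rt "$FIXED")"
echo "host-c: $(assess "$FIXED" 2.6.33.5-rt23.21.el5rt "$FIXED")"

# On a live host (assumes uname -r matches the package version-release):
#   assess "$(uname -r)" $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-rt)
```

A "reboot-needed" result means the update is on disk but the old kernel is still the one executing.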

Updated packages

Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

IA-32:
kernel-rt-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-debug-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-debug-devel-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-devel-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-doc-2.6.33.7-rt29.47.el5rt.noarch.rpm
File outdated by: RHBA-2013:0927
kernel-rt-trace-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-trace-devel-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-vanilla-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
kernel-rt-vanilla-devel-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
perf-2.6.33.7-rt29.47.el5rt.i686.rpm
File outdated by: RHBA-2013:0927
 
x86_64:
kernel-rt-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-debug-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-debug-devel-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-devel-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-doc-2.6.33.7-rt29.47.el5rt.noarch.rpm
File outdated by: RHBA-2013:0927
kernel-rt-trace-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-trace-devel-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-vanilla-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
kernel-rt-vanilla-devel-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
perf-2.6.33.7-rt29.47.el5rt.x86_64.rpm
File outdated by: RHBA-2013:0927
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

608784 - cannot build third-party modules based upon 2.6.33.5-rt* packages
637675 - CVE-2010-3432 kernel: sctp: do not reset the packet during sctp_packet_config
637688 - CVE-2010-2962 kernel: arbitrary kernel memory write via i915 GEM ioctl
638478 - CVE-2010-3442 kernel: prevent heap corruption in snd_ctl_new()
640036 - CVE-2010-3705 kernel: sctp memory corruption in HMAC handling
642469 - CVE-2010-2963 kernel: v4l: VIDIOCSMICROCODE arbitrary write [mrg-1.3]
645222 - CVE-2010-3858 kernel: setup_arg_pages: diagnose excessive argument size
646725 - CVE-2010-3861 kernel: heap contents leak from ETHTOOL_GRXCLSRLALL
647434 - perf: Mark software events as irqsafe
648656 - CVE-2010-4072 kernel: ipc/shm.c: reading uninitialized stack memory
648658 - CVE-2010-4073 kernel: ipc/compat*.c: reading uninitialized stack memory
648659 - CVE-2010-4074 kernel: drivers/usb/serial/mos*.c: reading uninitialized stack memory
648660 - CVE-2010-4075 kernel: drivers/serial/serial_core.c: reading uninitialized stack memory
648663 - CVE-2010-4077 kernel: drivers/char/nozomi.c: reading uninitialized stack memory
648666 - CVE-2010-4079 kernel: drivers/video/ivtv/ivtvfb.c: reading uninitialized stack memory
648669 - CVE-2010-4080 kernel: drivers/sound/pci/rme9652/hdsp.c: reading uninitialized stack memory
648671 - CVE-2010-4082 kernel: drivers/video/via/ioctl.c: reading uninitialized stack memory
648673 - CVE-2010-4083 kernel: ipc/sem.c: reading uninitialized stack memory
649695 - CVE-2010-3874 kernel: CAN info leak/minor heap overflow
649715 - CVE-2010-3876 kernel: net/packet/af_packet.c: reading uninitialized stack memory
651147 - CVE-2010-4157 kernel: gdth: integer overflow in ioc_general()
651264 - CVE-2010-3880 kernel: logic error in INET_DIAG bytecode auditing
651671 - CVE-2010-4169 kernel: perf bug
651698 - CVE-2010-4158 kernel: socket filters infoleak


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/