
Security Advisory Important: kernel-rt security and bug fix update

Advisory: RHSA-2011:0330-1
Type: Security Advisory
Severity: Important
Issued on: 2011-03-10
Last updated on: 2011-03-10
Affected Products: Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2010-3477, CVE-2010-4160, CVE-2010-4162, CVE-2010-4163, CVE-2010-4165, CVE-2010-4242, CVE-2010-4248, CVE-2010-4249, CVE-2010-4250, CVE-2010-4346, CVE-2010-4347, CVE-2010-4565, CVE-2010-4648, CVE-2010-4649, CVE-2010-4655, CVE-2010-4656, CVE-2010-4668, CVE-2011-0521, CVE-2011-1044

Details

Updated kernel-rt packages that fix multiple security issues and three bugs
are now available for Red Hat Enterprise MRG 1.3.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

* Missing boundary checks in the PPP over L2TP sockets implementation could
allow a local, unprivileged user to cause a denial of service or escalate
their privileges. (CVE-2010-4160, Important)

* Integer overflow in ib_uverbs_poll_cq() could allow a local, unprivileged
user to cause a denial of service or escalate their privileges.
(CVE-2010-4649, Important)

* Missing boundary check in dvb_ca_ioctl() in the av7110 module. On systems
using old DVB cards requiring the av7110 module, a local, unprivileged user
could use this flaw to cause a denial of service or escalate their
privileges. (CVE-2011-0521, Important)

* Flaw in tcf_act_police_dump() in the network traffic policing
implementation could allow a local, unprivileged user to cause an
information leak. (CVE-2010-3477, Moderate)

* Missing boundary checks in the block layer implementation could allow a
local, unprivileged user to cause a denial of service. (CVE-2010-4162,
CVE-2010-4163, CVE-2010-4668, Moderate)

* Divide-by-zero flaw in tcp_select_initial_window() in the Linux kernel's
TCP/IP protocol suite implementation could allow a local, unprivileged user
to cause a denial of service. (CVE-2010-4165, Moderate)

* NULL pointer dereference flaw in the Bluetooth HCI UART driver could
allow a local, unprivileged user to cause a denial of service.
(CVE-2010-4242, Moderate)

* Flaw in the CPU time clocks implementation for the POSIX clock interface
could allow a local, unprivileged user to cause a denial of service.
(CVE-2010-4248, Moderate)

* Flaw in the garbage collector for AF_UNIX sockets could allow a local,
unprivileged user to trigger a denial of service (out-of-memory condition).
(CVE-2010-4249, Moderate)

* Memory leak in the inotify_init() system call. In some cases, it could
leak a group, which could allow a local, unprivileged user to eventually
cause a denial of service. (CVE-2010-4250, Moderate)

* /sys/kernel/debug/acpi/custom_method had world-writable permissions,
which could allow a local, unprivileged user to escalate their privileges.
Note: The debugfs file system must be mounted locally to exploit this
issue. It is not mounted by default. (CVE-2010-4347, Moderate)

* Heap overflow in iowarrior_write() could allow a user with access to an
IO-Warrior USB device to cause a denial of service or escalate their
privileges. (CVE-2010-4656, Moderate)

* Missing security check in the Linux kernel's implementation of the
install_special_mapping routine could allow a local, unprivileged user to
bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low)

* Information leak in bcm_connect() in the Controller Area Network (CAN)
Broadcast Manager implementation could allow a local, unprivileged user to
leak kernel mode addresses in /proc/net/can-bcm. (CVE-2010-4565, Low)

* A logic error in orinoco_ioctl_set_auth() in the Linux kernel's ORiNOCO
wireless extensions support implementation could render TKIP
countermeasures ineffective when they are enabled, as the function enabled
the card instead of shutting it down. (CVE-2010-4648, Low)

* Missing initialization flaw in ethtool_get_regs() could allow a local
user who has the CAP_NET_ADMIN capability to cause an information leak.
(CVE-2010-4655, Low)

* Flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to
cause an information leak. (CVE-2011-1044, Low)
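
For the CVE-2010-4347 item above, a host is exposed only when debugfs is mounted and acpi/custom_method under it is world-writable. The following check is an added example, not part of the original advisory or Red Hat's tooling; the function names and the optional mounts-file argument are assumptions made so it can also be run against constructed input.

```shell
#!/bin/sh
# Added example: audit for the CVE-2010-4347 exposure described in the advisory.
# Helper names and the optional mounts-file argument are assumptions of this
# example, not part of any Red Hat tool.

# Print every debugfs mount point listed in a mounts table (default /proc/mounts).
debugfs_mounts() {
    awk '$3 == "debugfs" { print $2 }' "${1:-/proc/mounts}"
}

# Succeed (return 0) if the given path exists and has the other-write bit set.
# -prune keeps find from descending if the path is a directory.
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print each exposed custom_method path; return 0 if at least one was found.
# debugfs may be mounted somewhere other than /sys/kernel/debug, so every
# debugfs mount point in the table is checked.
custom_method_exposed() {
    found=1
    for mnt in $(debugfs_mounts "$1"); do
        f="$mnt/acpi/custom_method"
        if world_writable "$f"; then
            echo "$f"
            found=0
        fi
    done
    return "$found"
}

# Report against the live system when run directly.
if custom_method_exposed /proc/mounts; then
    echo "EXPOSED: debugfs is mounted and custom_method is world-writable"
else
    echo "OK: no world-writable acpi/custom_method under a mounted debugfs"
fi
```

An OK result only means this precondition is not currently met; the kernel still needs the update and reboot described under Solution.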

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-4160,
CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, and CVE-2010-4565; Steve Chen
for reporting CVE-2010-4165; Alan Cox for reporting CVE-2010-4242; Vegard
Nossum for reporting CVE-2010-4249 and CVE-2010-4250; Kees Cook for
reporting CVE-2010-4656 and CVE-2010-4655; and Tavis Ormandy for reporting
CVE-2010-4346.

This update also fixes three bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section.


Solution

Users should upgrade to these updated kernel-rt packages. They are
based on upstream version 2.6.33.7.2-rt30 (despite package naming) and
correct these issues. The system must be rebooted for this update to
take effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

Updated packages

Red Hat Enterprise MRG v1 for Red Hat Enterprise Linux (version 5)

SRPMS:
kernel-rt-2.6.33.7-rt29.55.el5rt.src.rpm
File outdated by:  RHBA-2013:0927
 
IA-32:
kernel-rt-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-debug-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-debug-devel-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-devel-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-doc-2.6.33.7-rt29.55.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-trace-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-trace-devel-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-vanilla-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-vanilla-devel-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
perf-2.6.33.7-rt29.55.el5rt.i686.rpm
File outdated by:  RHBA-2013:0927
 
x86_64:
kernel-rt-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-debug-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-debug-devel-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-devel-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-doc-2.6.33.7-rt29.55.el5rt.noarch.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-trace-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-trace-devel-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-vanilla-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
kernel-rt-vanilla-devel-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
perf-2.6.33.7-rt29.55.el5rt.x86_64.rpm
File outdated by:  RHBA-2013:0927
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

636386 - CVE-2010-3477 kernel: net/sched/act_police.c infoleak
641410 - CVE-2010-4242 kernel: missing tty ops write function presence check in hci_uart_tty_open()
651892 - CVE-2010-4160 kernel: L2TP send buffer allocation size overflows
652508 - CVE-2010-4165 kernel: possible kernel oops from user MSS
652529 - CVE-2010-4162 kernel: bio: integer overflow page count when mapping/copying user data
652957 - CVE-2010-4163 CVE-2010-4668 kernel: panic when submitting certain 0-length I/O requests
656264 - CVE-2010-4248 kernel: posix-cpu-timers: workaround to suppress the problems with mt exec
656756 - CVE-2010-4249 kernel: unix socket local dos
656830 - CVE-2010-4250 kernel: inotify memory leak
659574 - CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [mrg-1.3]
662189 - CVE-2010-4346 kernel: install_special_mapping skips security_file_mmap check
663542 - CVE-2010-4347 kernel: local privilege escalation via /sys/kernel/debug/acpi/custom_method
664544 - CVE-2010-4565 kernel: CAN info leak
667907 - CVE-2010-4648 kernel: orinoco: fix TKIP countermeasure behaviour
667916 - CVE-2010-4649 CVE-2011-1044 kernel: IB/uverbs: Handle large number of entries in poll CQ
672398 - CVE-2011-0521 kernel: av7110 negative array offset
672420 - CVE-2010-4656 kernel: iowarrior usb device heap overflow
672428 - CVE-2010-4655 kernel: heap contents leak for CAP_NET_ADMIN via ethtool ioctl


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/