====================================================================                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update
Advisory ID:       RHSA-2010:0631-01
Product:           Red Hat Enterprise MRG for RHEL-5
Advisory URL:      https://access.redhat.com/errata/RHSA-2010:0631.html
Issue date:        2010-08-17
CVE Names:         CVE-2008-7256 CVE-2009-4138 CVE-2010-1083 
                   CVE-2010-1084 CVE-2010-1086 CVE-2010-1087 
                   CVE-2010-1088 CVE-2010-1162 CVE-2010-1173 
                   CVE-2010-1437 CVE-2010-1643 CVE-2010-2240 
                   CVE-2010-2248 CVE-2010-2521 
====================================================================
1. Summary:

Updated kernel-rt packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise MRG 1.2.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

MRG Realtime for RHEL 5 Server - i386, noarch, x86_64

3. Description:

These packages contain the Linux kernel, the core of any Linux operating
system.

Security fixes:

* unsafe sprintf() use in the Bluetooth implementation. Creating a large
number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary
memory pages being overwritten, allowing a local, unprivileged user to
cause a denial of service or escalate their privileges. (CVE-2010-1084,
Important)

* a flaw in the Unidirectional Lightweight Encapsulation implementation,
allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport
Stream frame to a target system, resulting in a denial of service.
(CVE-2010-1086, Important)

* NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user
on a system that has an NFS-mounted file system to cause a denial of
service or escalate their privileges on that system. (CVE-2010-1087,
Important)

* flaw in sctp_process_unk_param(), allowing a remote attacker to send a
specially-crafted SCTP packet to an SCTP listening port on a target system,
causing a denial of service. (CVE-2010-1173, Important)

* race condition between finding a keyring by name and destroying a freed
keyring in the key management facility, allowing a local, unprivileged
user to cause a denial of service or escalate their privileges.
(CVE-2010-1437, Important)

* systems using the kernel NFS server to export a shared memory file system
and that have the sysctl overcommit_memory variable set to never overcommit
(a value of 2; by default, it is set to 0), may experience a NULL pointer
dereference, allowing a local, unprivileged user to cause a denial of
service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643,
Important)

* when an application has a stack overflow, the stack could silently
overwrite another memory mapped area instead of a segmentation fault
occurring, which could lead to local privilege escalation on 64-bit
systems. This issue is fixed with an implementation of a stack guard
feature. (CVE-2010-2240, Important)

* flaw in CIFSSMBWrite() could allow a remote attacker to send a
specially-crafted SMB response packet to a target CIFS client, resulting in
a denial of service. (CVE-2010-2248, Important)

* buffer overflow flaws in the kernel's implementation of the server-side
XDR for NFSv4 could allow an attacker on the local network to send a
specially-crafted large compound request to the NFSv4 server, possibly
resulting in a denial of service or code execution. (CVE-2010-2521,
Important)

* NULL pointer dereference in the firewire-ohci driver used for OHCI
compliant IEEE 1394 controllers could allow a local, unprivileged user with
access to /dev/fw* files to issue certain IOCTL calls, causing a denial of
service or privilege escalation. The FireWire modules are blacklisted by
default. If enabled, only root has access to the files noted above by
default. (CVE-2009-4138, Moderate)

* flaw in the link_path_walk() function. Using the file descriptor
returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted
file system, could result in a NULL pointer dereference, causing a denial
of service or privilege escalation. (CVE-2010-1088, Moderate)

* memory leak in release_one_tty() could allow a local, unprivileged user
to cause a denial of service. (CVE-2010-1162, Moderate)

* information leak in the USB implementation. Certain USB errors could
result in an uninitialized kernel buffer being sent to user-space. An
attacker with physical access to a target system could use this flaw to
cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way
Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of
Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their
customer, for responsibly reporting CVE-2010-1173; the X.Org security team
for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as
the original reporter; and Marcus Meissner for reporting CVE-2010-1083.

4. Solution:

Users should upgrade to these updated packages, which contain
backported patches to correct these issues and fix the bugs noted in
the Kernel Security Update document, linked to in the References. The
system must be rebooted for this update to take effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

5. Bugs fixed (http://bugzilla.redhat.com/):

547236 - CVE-2009-4138 kernel: firewire: ohci: handle receive packets with a data length of zero
555671 - MRG -146/-147 kernels have older broadcom drivers compared with RHEL5.4
562075 - kernel: vfs: add MNT_NOFOLLOW flag to umount(2) [mrg-1]
566624 - CVE-2010-1083 kernel: information leak via userspace USB interface
567184 - CVE-2010-1087 kernel: NFS: Fix an Oops when truncating a file
567813 - CVE-2010-1088 kernel: fix LOOKUP_FOLLOW on automount "symlinks"
569237 - CVE-2010-1086 kernel: dvb-core: DoS bug in ULE decapsulation code
576018 - CVE-2010-1084 kernel: bluetooth: potential bad memory access with sysfs files
582076 - CVE-2010-1162 kernel: tty: release_one_tty() forgets to put pids
584645 - CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet
585094 - CVE-2010-1437 kernel: keyrings: find_keyring_by_name() can gain the freed keyring
594630 - kernel: security: testing the wrong variable in create_by_name() [mrg-1]
595970 - CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash
601210 - Fusion MPT misc device (ioctl) driver  too verbose in message/fusion/mptctl.c::mptctl_ioctl()
606611 - CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment
608583 - CVE-2010-2248 kernel: cifs: Fix a kernel BUG with remote OS/2 server
612028 - CVE-2010-2521 kernel: nfsd4: bug in read_buf

6. Package List:

MRG Realtime for RHEL 5 Server:

Source:

i386:
kernel-rt-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-debug-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-debug-debuginfo-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-debug-devel-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-debuginfo-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-debuginfo-common-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-devel-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-trace-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-trace-debuginfo-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-trace-devel-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-vanilla-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-vanilla-debuginfo-2.6.24.7-161.el5rt.i686.rpm
kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.i686.rpm

noarch:
kernel-rt-doc-2.6.24.7-161.el5rt.noarch.rpm
kernel-rt-firmware-2.6.24.7-161.el5rt.noarch.rpm

x86_64:
kernel-rt-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-debug-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-debug-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-debug-devel-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-debuginfo-common-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-devel-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-trace-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-trace-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-trace-devel-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-vanilla-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-vanilla-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm
kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2008-7256.html
https://www.redhat.com/security/data/cve/CVE-2009-4138.html
https://www.redhat.com/security/data/cve/CVE-2010-1083.html
https://www.redhat.com/security/data/cve/CVE-2010-1084.html
https://www.redhat.com/security/data/cve/CVE-2010-1086.html
https://www.redhat.com/security/data/cve/CVE-2010-1087.html
https://www.redhat.com/security/data/cve/CVE-2010-1088.html
https://www.redhat.com/security/data/cve/CVE-2010-1162.html
https://www.redhat.com/security/data/cve/CVE-2010-1173.html
https://www.redhat.com/security/data/cve/CVE-2010-1437.html
https://www.redhat.com/security/data/cve/CVE-2010-1643.html
https://www.redhat.com/security/data/cve/CVE-2010-2240.html
https://www.redhat.com/security/data/cve/CVE-2010-2248.html
https://www.redhat.com/security/data/cve/CVE-2010-2521.html
http://www.redhat.com/security/updates/classification/#important
https://access.redhat.com/kb/docs/DOC-31052

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.

Red Hat: 2010:0631-01: kernel-rt: Important Advisory

Updated kernel-rt packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise MRG 1.2

Summary

These packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* unsafe sprintf() use in the Bluetooth implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary memory pages being overwritten, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1084, Important)
* a flaw in the Unidirectional Lightweight Encapsulation implementation, allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport Stream frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important)
* NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user on a system that has an NFS-mounted file system to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important)
* flaw in sctp_process_unk_param(), allowing a remote attacker to send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a denial of service. (CVE-2010-1173, Important)
* race condition between finding a keyring by name and destroying a freed keyring in the key management facility, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1437, Important)
* systems using the kernel NFS server to export a shared memory file system and that have the sysctl overcommit_memory variable set to never overcommit (a value of 2; by default, it is set to 0), may experience a NULL pointer dereference, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643, Important)
* when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could lead to local privilege escalation on 64-bit systems. This issue is fixed with an implementation of a stack guard feature. (CVE-2010-2240, Important)
* flaw in CIFSSMBWrite() could allow a remote attacker to send a specially-crafted SMB response packet to a target CIFS client, resulting in a denial of service. (CVE-2010-2248, Important)
* buffer overflow flaws in the kernel's implementation of the server-side XDR for NFSv4 could allow an attacker on the local network to send a specially-crafted large compound request to the NFSv4 server, possibly resulting in a denial of service or code execution. (CVE-2010-2521, Important)
* NULL pointer dereference in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers could allow a local, unprivileged user with access to /dev/fw* files to issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default. If enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate)
* flaw in the link_path_walk() function. Using the file descriptor returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate)
* memory leak in release_one_tty() could allow a local, unprivileged user to cause a denial of service. (CVE-2010-1162, Moderate)
* information leak in the USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)
Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; the X.Org security team for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as the original reporter; and Marcus Meissner for reporting CVE-2010-1083.



Summary


Solution

Users should upgrade to these updated packages, which contain backported patches to correct these issues and fix the bugs noted in the Kernel Security Update document, linked to in the References. The system must be rebooted for this update to take effect.
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at
To install kernel packages manually, use "rpm -ivh [package]". Do not use "rpm -Uvh" as that will remove the running kernel binaries from your system. You may use "rpm -e" to remove old kernels after determining that the new kernel functions properly on your system.

References

https://www.redhat.com/security/data/cve/CVE-2008-7256.html https://www.redhat.com/security/data/cve/CVE-2009-4138.html https://www.redhat.com/security/data/cve/CVE-2010-1083.html https://www.redhat.com/security/data/cve/CVE-2010-1084.html https://www.redhat.com/security/data/cve/CVE-2010-1086.html https://www.redhat.com/security/data/cve/CVE-2010-1087.html https://www.redhat.com/security/data/cve/CVE-2010-1088.html https://www.redhat.com/security/data/cve/CVE-2010-1162.html https://www.redhat.com/security/data/cve/CVE-2010-1173.html https://www.redhat.com/security/data/cve/CVE-2010-1437.html https://www.redhat.com/security/data/cve/CVE-2010-1643.html https://www.redhat.com/security/data/cve/CVE-2010-2240.html https://www.redhat.com/security/data/cve/CVE-2010-2248.html https://www.redhat.com/security/data/cve/CVE-2010-2521.html http://www.redhat.com/security/updates/classification/#important https://access.redhat.com/kb/docs/DOC-31052

Package List

MRG Realtime for RHEL 5 Server:
Source:
i386: kernel-rt-2.6.24.7-161.el5rt.i686.rpm kernel-rt-debug-2.6.24.7-161.el5rt.i686.rpm kernel-rt-debug-debuginfo-2.6.24.7-161.el5rt.i686.rpm kernel-rt-debug-devel-2.6.24.7-161.el5rt.i686.rpm kernel-rt-debuginfo-2.6.24.7-161.el5rt.i686.rpm kernel-rt-debuginfo-common-2.6.24.7-161.el5rt.i686.rpm kernel-rt-devel-2.6.24.7-161.el5rt.i686.rpm kernel-rt-trace-2.6.24.7-161.el5rt.i686.rpm kernel-rt-trace-debuginfo-2.6.24.7-161.el5rt.i686.rpm kernel-rt-trace-devel-2.6.24.7-161.el5rt.i686.rpm kernel-rt-vanilla-2.6.24.7-161.el5rt.i686.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-161.el5rt.i686.rpm kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.i686.rpm
noarch: kernel-rt-doc-2.6.24.7-161.el5rt.noarch.rpm kernel-rt-firmware-2.6.24.7-161.el5rt.noarch.rpm
x86_64: kernel-rt-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-debug-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-debug-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-debug-devel-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-debuginfo-common-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-devel-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-trace-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-trace-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-trace-devel-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-vanilla-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-vanilla-debuginfo-2.6.24.7-161.el5rt.x86_64.rpm kernel-rt-vanilla-devel-2.6.24.7-161.el5rt.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package


Severity
Advisory ID: RHSA-2010:0631-01
Product: Red Hat Enterprise MRG for RHEL-5
Advisory URL: https://access.redhat.com/errata/RHSA-2010:0631.html
Issued Date: : 2010-08-17
CVE Names: CVE-2008-7256 CVE-2009-4138 CVE-2010-1083 CVE-2010-1084 CVE-2010-1086 CVE-2010-1087 CVE-2010-1088 CVE-2010-1162 CVE-2010-1173 CVE-2010-1437 CVE-2010-1643 CVE-2010-2240 CVE-2010-2248 CVE-2010-2521

Topic

Updated kernel-rt packages that fix multiple security issues and severalbugs are now available for Red Hat Enterprise MRG 1.2.The Red Hat Security Response Team has rated this update as havingimportant security impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.


Topic


 

Relevant Releases Architectures

MRG Realtime for RHEL 5 Server - i386, noarch, x86_64


Bugs Fixed

547236 - CVE-2009-4138 kernel: firewire: ohci: handle receive packets with a data length of zero

555671 - MRG -146/-147 kernels have older broadcom drivers compared with RHEL5.4

562075 - kernel: vfs: add MNT_NOFOLLOW flag to umount(2) [mrg-1]

566624 - CVE-2010-1083 kernel: information leak via userspace USB interface

567184 - CVE-2010-1087 kernel: NFS: Fix an Oops when truncating a file

567813 - CVE-2010-1088 kernel: fix LOOKUP_FOLLOW on automount "symlinks"

569237 - CVE-2010-1086 kernel: dvb-core: DoS bug in ULE decapsulation code

576018 - CVE-2010-1084 kernel: bluetooth: potential bad memory access with sysfs files

582076 - CVE-2010-1162 kernel: tty: release_one_tty() forgets to put pids

584645 - CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet

585094 - CVE-2010-1437 kernel: keyrings: find_keyring_by_name() can gain the freed keyring

594630 - kernel: security: testing the wrong variable in create_by_name() [mrg-1]

595970 - CVE-2008-7256 CVE-2010-1643 kernel: nfsd: fix vm overcommit crash

601210 - Fusion MPT misc device (ioctl) driver too verbose in message/fusion/mptctl.c::mptctl_ioctl()

606611 - CVE-2010-2240 kernel: mm: keep a guard page below a grow-down stack segment

608583 - CVE-2010-2248 kernel: cifs: Fix a kernel BUG with remote OS/2 server

612028 - CVE-2010-2521 kernel: nfsd4: bug in read_buf


Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved