First published: Tue Jan 19 2010
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

- an array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation. (CVE-2009-3080, Important)
- a flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation. (CVE-2009-4021, Important)
- Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important)
- the Parallels Virtuozzo Containers team reported the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important)
- the RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate)

  The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name.
- an information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)
- the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)
- permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate)
- a NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate)
- a buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low)

Bug fix documentation for this update will be available shortly from www.redhat.com/docs/en-US/errata/RHSA-2010-0046/Kernel_Security_Update/index.html

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
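
Several of the issues above depend on local configuration rather than on the kernel version alone: the world-writable sysfs files (CVE-2009-3556, CVE-2009-3889, CVE-2009-3939) and the suid_dumpable setting (CVE-2006-6304). The script below is an added example, not part of the advisory or any Red Hat tooling, that audits a host for both. The function names are hypothetical, and matching the sysfs attributes by file name under a root directory is an assumption of this example.

```shell
#!/bin/sh
# Added example: local audit for the configuration-dependent issues above.
# Roots are parameters so the checks can be pointed at a test tree.

# List sysfs attributes named in the advisory that are still world-writable
# (CVE-2009-3556: vport_create/vport_delete; CVE-2009-3889 and
# CVE-2009-3939: dbg_lvl/poll_mode_io). Assumption: matching by file name.
world_writable_attrs() {
    root=${1:-/sys}
    find "$root" -type f \
        \( -name vport_create -o -name vport_delete \
           -o -name dbg_lvl -o -name poll_mode_io \) \
        -perm -0002 2>/dev/null | sort
}

# Succeed only when suid_dumpable is 2, the one setting the advisory lists
# as affected by CVE-2006-6304 (the default, 0, is not affected).
suid_dumpable_is_2() {
    file=${1:-/proc/sys/fs/suid_dumpable}
    [ -r "$file" ] && [ "$(cat "$file")" = "2" ]
}

# Print findings; return 1 if anything needs attention, 0 otherwise.
audit() {
    rc=0
    hits=$(world_writable_attrs "${1:-/sys}")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/world-writable: /'
        rc=1
    fi
    if suid_dumpable_is_2 "${2:-/proc/sys/fs/suid_dumpable}"; then
        echo "suid_dumpable=2: core files are no longer overwritten once fixed"
        rc=1
    fi
    return $rc
}

# Check the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit; fi
```

A name match can also report an attribute of an unrelated driver, so review each reported path before changing its mode.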
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-debug | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-debug-devel | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-devel | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-doc | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-headers | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-xen | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-xen-devel | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-kdump | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |
redhat/kernel-kdump-devel | <2.6.18-164.11.1.el5 | 2.6.18-164.11.1.el5 |