First published: Thu Jul 01 2010
The kernel packages contain the Linux kernel, the core of any Linux operating system.

This update fixes the following security issues:

- multiple flaws were found in the mmap and mremap implementations. A local user could use these flaws to cause a local denial of service or escalate their privileges. (CVE-2010-0291, Important)
- a NULL pointer dereference flaw was found in the Fast Userspace Mutexes (futexes) implementation. The unlock code path did not check if the futex value associated with pi_state->owner had been modified. A local user could use this flaw to modify the futex value, possibly leading to a denial of service or privilege escalation when the pi_state->owner pointer is dereferenced. (CVE-2010-0622, Important)
- a NULL pointer dereference flaw was found in the Linux kernel Network File System (NFS) implementation. A local user on a system that has an NFS-mounted file system could use this flaw to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important)
- a flaw was found in the sctp_process_unk_param() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a kernel panic (denial of service). (CVE-2010-1173, Important)
- a flaw was found in the Linux kernel Transparent Inter-Process Communication protocol (TIPC) implementation. If a client application, on a local system where the tipc module is not yet in network mode, attempted to send a message to a remote TIPC node, it would dereference a NULL pointer on the local system, causing a kernel panic (denial of service). (CVE-2010-1187, Important)
- a buffer overflow flaw was found in the Linux kernel Global File System 2 (GFS2) implementation. In certain cases, a quota could be written past the end of a memory page, causing memory corruption, leaving the quota stored on disk in an invalid state. A user with write access to a GFS2 file system could trigger this flaw to cause a kernel crash (denial of service) or escalate their privileges on the GFS2 server. This issue can only be triggered if the GFS2 file system is mounted with the "quota=on" or "quota=account" mount option. (CVE-2010-1436, Important)
- a race condition between finding a keyring by name and destroying a freed keyring was found in the Linux kernel key management facility. A local user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1437, Important)
- a flaw was found in the link_path_walk() function in the Linux kernel. Using the file descriptor returned by the open() function with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate)
- a missing permission check was found in the gfs2_set_flags() function in the Linux kernel GFS2 implementation. A local user could use this flaw to change certain file attributes of files, on a GFS2 file system, that they do not own. (CVE-2010-1641, Low)

Red Hat would like to thank Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; Mario Mikocevic for responsibly reporting CVE-2010-1436; and Dan Rosenberg for responsibly reporting CVE-2010-1641.

This update also fixes several bugs. Documentation for these bug fixes will be available shortly from http://www.redhat.com/docs/en-US/errata/RHSA-2010-0504/Kernel_Security_Update/index.html

Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-debug | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-debug-devel | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-devel | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-doc | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-headers | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-xen | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-xen-devel | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-kdump | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
redhat/kernel-kdump-devel | <2.6.18-194.8.1.el5 | 2.6.18-194.8.1.el5 |
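
A triage sketch for the advisory above, added here as an example and not Red Hat's or the page's own tooling: it compares a kernel version-release string against the fixed version in the table and lists the CVEs whose stated preconditions (NFS mount, GFS2 mount and quota options) hold. It assumes input in `/proc/mounts` and `/proc/modules` format, that GFS2 quota options appear in the mount table as the advisory spells them, and that a loaded `sctp` or `tipc` module is a coarse proxy for SCTP/TIPC use; the sample data is constructed.

```python
import re

FIXED = "2.6.18-194.8.1.el5"  # fixed version-release from the advisory table

def rpmvercmp(a, b):
    """Simplified RPM segment compare (-1/0/1); tilde and caret rules omitted."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment outranks alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_vulnerable(vr):
    """True if a kernel version-release string is older than FIXED."""
    (v, r), (fv, fr) = vr.rsplit("-", 1), FIXED.rsplit("-", 1)
    return (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0

def exposure(vr, mounts, modules):
    """CVEs from the advisory whose stated preconditions hold on this host."""
    if not is_vulnerable(vr):
        return []
    hits = ["CVE-2010-0291", "CVE-2010-0622", "CVE-2010-1437"]  # no precondition given
    fs = [f for f in (line.split() for line in mounts.splitlines()) if len(f) >= 4]
    if any(f[2] in ("nfs", "nfs4") for f in fs):  # needs an NFS-mounted file system
        hits += ["CVE-2010-1087", "CVE-2010-1088"]
    gfs2 = [f for f in fs if f[2] == "gfs2"]
    if gfs2:
        hits.append("CVE-2010-1641")
    if any({"quota=on", "quota=account"} & set(f[3].split(",")) for f in gfs2):
        hits.append("CVE-2010-1436")  # only with quota=on or quota=account
    loaded = {line.split()[0] for line in modules.splitlines() if line.strip()}
    if "sctp" in loaded:  # assumption: loaded module as proxy for an SCTP listener
        hits.append("CVE-2010-1173")
    if "tipc" in loaded:  # assumption: loaded module as proxy for TIPC use
        hits.append("CVE-2010-1187")
    return sorted(hits)

# Constructed sample input in /proc/mounts and /proc/modules format.
MOUNTS = """/dev/mapper/vg0-root / ext3 rw 0 0
filer:/export /mnt/share nfs rw,vers=3 0 0
/dev/mapper/cl-gfs /data gfs2 rw,quota=on 0 0
"""
MODULES = "sctp 200000 2 - Live 0xf8a00000\nnfs 300000 1 - Live 0xf8b00000\n"
```

On a real host the version-release string can come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel`; check the running kernel as well, since the update only takes effect after a reboot.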