First published: Tue Aug 17 2010
These packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

- unsafe sprintf() use in the Bluetooth implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary memory pages being overwritten, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1084, Important)
- a flaw in the Unidirectional Lightweight Encapsulation implementation, allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport Stream frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important)
- NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user on a system that has an NFS-mounted file system to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important)
- flaw in sctp_process_unk_param(), allowing a remote attacker to send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a denial of service. (CVE-2010-1173, Important)
- race condition between finding a keyring by name and destroying a freed keyring in the key management facility, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1437, Important)
- systems using the kernel NFS server to export a shared memory file system and that have the sysctl overcommit_memory variable set to never overcommit (a value of 2; by default, it is set to 0), may experience a NULL pointer dereference, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643, Important)
- when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could cause an application to execute arbitrary code. (CVE-2010-2240, Important)
- flaw in CIFSSMBWrite() could allow a remote attacker to send a specially-crafted SMB response packet to a target CIFS client, resulting in a denial of service. (CVE-2010-2248, Important)
- buffer overflow flaws in the kernel's implementation of the server-side XDR for NFSv4 could allow an attacker on the local network to send a specially-crafted large compound request to the NFSv4 server, possibly resulting in a denial of service or code execution. (CVE-2010-2521, Important)
- NULL pointer dereference in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers could allow a local, unprivileged user with access to /dev/fw* files to issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default. If enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate)
- flaw in the link_path_walk() function. Using the file descriptor returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate)
- memory leak in release_one_tty() could allow a local, unprivileged user to cause a denial of service. (CVE-2010-1162, Moderate)
- information leak in the USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; the X.Org security team for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as the original reporter; and Marcus Meissner for reporting CVE-2010-1083.
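The CVE-2008-7256 / CVE-2010-1643 item above names two preconditions (overcommit_memory set to 2 and an NFS export of a shared memory file system), which the following added example, not part of the original advisory, checks for when triaging hosts that cannot be patched immediately. It assumes a shared memory file system appears as `tmpfs` in `/proc/mounts` and that `/etc/exports` paths are unquoted; the function names and sample data are constructed for illustration.

```python
import posixpath

SHM_TYPES = {"tmpfs"}  # assumption: fs type of a shared memory file system in /proc/mounts

def parse_mounts(text):
    """(mount point, fs type) pairs from /proc/mounts-style text, in mount order."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            out.append((posixpath.normpath(fields[1]), fields[2]))
    return out

def parse_exports(text):
    """Exported directories from /etc/exports-style text (comments, backslash continuations)."""
    paths = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(posixpath.normpath(line.split()[0]))
    return paths

def fs_type_of(path, mounts):
    """File system type of the mount containing path (longest mount point wins)."""
    best_mp, best_type = "", None
    for mp, fstype in mounts:
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and len(mp) >= len(best_mp):
            best_mp, best_type = mp, fstype
    return best_type

def exposed_exports(overcommit_text, exports_text, mounts_text):
    """Exports meeting both preconditions from the advisory; empty list if none do."""
    if overcommit_text.strip() != "2":  # 2 = never overcommit; the default is 0
        return []
    mounts = parse_mounts(mounts_text)
    return [p for p in parse_exports(exports_text) if fs_type_of(p, mounts) in SHM_TYPES]

# Constructed sample data (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sdb1 /srv/data ext3 rw 0 0
"""
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/data      192.0.2.0/24(rw,sync)
/dev/shm/share 192.0.2.0/24(rw,\\
               fsid=1)
"""

if __name__ == "__main__":
    # On a real host, pass the contents of /proc/sys/vm/overcommit_memory,
    # /etc/exports and /proc/mounts instead of the samples.
    print(exposed_exports("2\n", SAMPLE_EXPORTS, SAMPLE_MOUNTS))
```

An empty result only means these two preconditions are not both met; it does not indicate that the updated kernel is installed.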