Updated kernel-rt packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise MRG 1.2. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. [Updated 18 August 2010] The CVE-2010-2240 description has been updated to reflect that the issue affects both 32-bit and 64-bit systems. No changes have been made to the packages.
These packages contain the Linux kernel, the core of any Linux operating system. Security fixes: * unsafe sprintf() use in the Bluetooth implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary memory pages being overwritten, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1084, Important) * a flaw in the Unidirectional Lightweight Encapsulation implementation, allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport Stream frame to a target system, resulting in a denial of service. (CVE-2010-1086, Important) * NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user on a system that has an NFS-mounted file system to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important) * flaw in sctp_process_unk_param(), allowing a remote attacker to send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a denial of service. (CVE-2010-1173, Important) * race condition between finding a keyring by name and destroying a freed keyring in the key management facility, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2010-1437, Important) * systems using the kernel NFS server to export a shared memory file system and that have the sysctl overcommit_memory variable set to never overcommit (a value of 2; by default, it is set to 0), may experience a NULL pointer dereference, allowing a local, unprivileged user to cause a denial of service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643, Important) * when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could cause an application to execute arbitrary code. (CVE-2010-2240, Important) * flaw in CIFSSMBWrite() could allow a remote attacker to send a specially-crafted SMB response packet to a target CIFS client, resulting in a denial of service. (CVE-2010-2248, Important) * buffer overflow flaws in the kernel's implementation of the server-side XDR for NFSv4 could allow an attacker on the local network to send a specially-crafted large compound request to the NFSv4 server, possibly resulting in a denial of service or code execution. (CVE-2010-2521, Important) * NULL pointer dereference in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers could allow a local, unprivileged user with access to /dev/fw* files to issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default. If enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate) * flaw in the link_path_walk() function. Using the file descriptor returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate) * memory leak in release_one_tty() could allow a local, unprivileged user to cause a denial of service. (CVE-2010-1162, Moderate) * information leak in the USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low) Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; the X.Org security team for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as the original reporter; and Marcus Meissner for reporting CVE-2010-1083.