Date:         Thu, 21 Jan 2010 11:50:10 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Important: kernel on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Important: kernel security and bug fix update
Issue date:	2010-01-19
CVE Names:	CVE-2006-6304 CVE-2009-2910 CVE-2009-3080
                 CVE-2009-3556 CVE-2009-3889 CVE-2009-3939
                 CVE-2009-4020 CVE-2009-4021 CVE-2009-4138
                 CVE-2009-4141 CVE-2009-4272

Security fixes:

* an array index error was found in the gdth driver. A local user could
send a specially-crafted IOCTL request that would cause a denial of 
service or, possibly, privilege escalation. (CVE-2009-3080, Important)

* a flaw was found in the FUSE implementation. When a system is low on
memory, fuse_put_request() could dereference an invalid pointer, 
possibly leading to a local denial of service or privilege escalation.
(CVE-2009-4021, Important)

* Tavis Ormandy discovered a deficiency in the fasync_helper()
implementation. This could allow a local, unprivileged user to leverage 
a use-after-free of locked, asynchronous file descriptors to cause a 
denial of service or privilege escalation. (CVE-2009-4141, Important)

* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243
update introduced two flaws in the routing implementation. If an 
attacker was able to cause a large enough number of collisions in the 
routing hash table (via specially-crafted packets) for the emergency 
route flush to trigger, a deadlock could occur. Secondly, if the kernel 
routing cache was disabled, an uninitialized pointer would be left 
behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, 
Important)

* the RHSA-2009:0225 update introduced a rewrite attack flaw in the
do_coredump() function. A local attacker able to guess the file name a
process is going to dump its core to, prior to the process crashing, 
could use this flaw to append data to the dumped core file. This issue 
only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 
(the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With 
suid_dumpable set to 2, the core file will not be recorded if the file 
already exists. For example, core files will not be overwritten on 
subsequent crashes of processes whose core files map to the same name.

* an information leak was found in the Linux kernel. On AMD64 systems,
32-bit processes could access and read certain 64-bit registers by
temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV)
support in the qla2xxx driver, resulting in two new sysfs pseudo files,
"/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete".
These two files were world-writable by default, allowing a local user to
change SCSI host attributes. This flaw only affects systems using the
qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

* permission issues were found in the megaraid_sas driver. The "dbg_lvl"
and "poll_mode_io" files on the sysfs file system ("/sys/") had
world-writable permissions. This could allow local, unprivileged users 
to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, 
Moderate)

* a NULL pointer dereference flaw was found in the firewire-ohci driver
used for OHCI compliant IEEE 1394 controllers. A local, unprivileged 
user with access to /dev/fw* files could issue certain IOCTL calls, 
causing a denial of service or privilege escalation. The FireWire 
modules are blacklisted by default, and if enabled, only root has access 
to the files noted above by default. (CVE-2009-4138, Moderate)

* a buffer overflow flaw was found in the hfs_bnode_read() function in 
the HFS file system implementation. This could lead to a denial of 
service if a user browsed a specially-crafted HFS file system, for 
example, by running "ls". (CVE-2009-4020, Low)

Bug fixes:

* In rare cases, a system management interrupt (SMI) could occur during 
CPU frequency calibration (during boot), resulting in the frequency 
being calculated to a value larger than the CPU's specification. This 
could have resulted in timer values being miscalculated and firing at 
incorrect times. Note: This fix is optional. To enable the fix, the 
system must be booted with the avoid_smi kernel parameter.

* In certain situations, a bug found in either the HTB or TBF network 
packet schedulers in the Linux kernel could have caused a kernel panic 
when using Broadcom network cards with the bnx2 driver.

* A KVM pvclock fix in the kernel-2.6.18-164.2.1.el5 update introduced a 
bug: Some SMP guest operating systems experienced time drift. This could 
cause problems for time-sensitive applications.

* In certain situations, kdump occasionally dumped a vmcore file with no 
registers on Intel Itanium systems that were under high disk I/O load. 
In these cases, this prevented the kernel stack backtrace in the vmcore 
from being viewed with the crash utility.

* In certain situations, when using IP over InfiniBand and network 
interface bonding, a bug in the ipoib driver in the Linux kernel caused 
problems, such as packet loss and not being able to communicate with 
some hosts. Restarting the network service via service network restart 
temporarily resolved this issue. This update resolves this bug, and 
using IP over InfiniBand and network interface bonding now works as 
expected.

* A glock reference counting bug in GFS2 has been fixed. When the glock 
memory shrinker run while the system was under heavy memory pressure, 
the system could crash or experience very poor performance.

* Previously, when using GFS2, if two nodes concurrently updated the 
same file, each node would overwrite the other node's data, as the file 
position for such a file was not being updated correctly. This issue 
only occurred when using open() with the O_APPEND flag, and then issuing 
a write() without first performing another operation on the inode, such 
as stat() or read().

* Running time ifconfig ethx up on a network interface that was under 
heavy load may have triggered a soft lockup (BUG: soft lockup). This 
could have possibly caused cluster nodes to be fenced.

* A logic error in the Linux kernel memory management could have caused 
a BUG: sleeping function called from invalid context message on some 
systems when running certain backup software or performing an LVM 
snapshot, while at the same time performing a copy-on-write (COW) of a 
file page.

* Detection of AMD multi-node processors could have confused 
Hardware-assisted virtual machine (HVM) guests and caused a crash on 
boot during identify_cpu(). This update ensures the topology information 
is not used by virtual machines.

* A bug in the lpfc driver intermittently caused ports on an Emulex 
Fibre Channel Host Bus Adapter (HBA) to be offlined during target 
controller faults.

* Previously, if an administrator set 
/proc/sys/net/ipv4/route/secret_interval to 0, and then attempted to 
change the value by echoing a non-zero value to the file, the 
administrator's shell would hang. This bug could have also possibly sent 
other processes into an uninterpretable sleep state, and was introduced 
in the kernel-2.6.18-164.el5 update.

* Under some circumstances, a locking bug could have caused an online 
ext3 file system resize to deadlock, which may have, in turn, caused the 
file system or the entire system to become unresponsive. In either case, 
a reboot was required after the deadlock. With this update, using 
resize2fs to perform an online resize of an ext3 file system works as 
expected.

* Scientific Linux 5.4 guests using KVM pvclock, calling the 
clock_gettime(CLOCK_REALTIME) and gettimeofday() functions in sequence 
could have, in rare cases, caused clock_gettime() to return a smaller 
value than gettimeofday(). If the sequence was reversed, gettimeofday() 
could return a smaller value than clock_gettime(CLOCK_REALTIME). This 
could cause applications to hang and use large amounts of CPU (up to 
100%), or cause problems for applications that depend on timestamps to 
order events. Note: This update only resolves this issue for Intel 64 
and AMD64 systems. The issue can still present on i386 systems.

The system must be rebooted for this update to take effect.

Note1: Due to the fuse kernel module now being part of the kernel, we
are updating fuse on the older releases to match the fuse that was
released by The Upstream Vendor.

Note2: xfs is now part of the kernel in x86_64.  Because of this there
is no kernel-module-xfs for x86_64.

Note3: ipw3945 support has been changed to iwlwifi3945 in SL 54, and is
in the kernel.  Because of this there is no kernel-module-ipw3945 for SL54.

Note4: Support for the Atheros chipset in now in the kernel.  We are not
sure if the infrastructure is in place for SL 50-53, so we are still
providing the madwifi kernel modules for SL 50-53.

SL 5.x

     SRPMS:
kernel-2.6.18-164.11.1.el5.src.rpm
     i386:
kernel-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-2.6.18-164.11.1.el5.i686.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.i386.rpm
kernel-PAE-2.6.18-164.11.1.el5.i686.rpm
kernel-PAE-devel-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-2.6.18-164.11.1.el5.i686.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.i686.rpm
   Dependancies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5PAE-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5PAE-1.55-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5PAE-1.4.11-76.sl5.i686.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5PAE-0.4-2.sl5.i686.rpm
kernel-module-xfs-2.6.18-164.11.1.el5xen-0.4-2.sl5.i686.rpm
   Dependancies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5PAE-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.i686.rpm

     x86_64:
kernel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-2.6.18-164.11.1.el5.x86_64.rpm
kernel-debug-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-devel-2.6.18-164.11.1.el5.x86_64.rpm
kernel-doc-2.6.18-164.11.1.el5.noarch.rpm
kernel-headers-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-2.6.18-164.11.1.el5.x86_64.rpm
kernel-xen-devel-2.6.18-164.11.1.el5.x86_64.rpm
   Dependancies:
kernel-module-aufs-2.6.18-164.11.1.el5-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-aufs-2.6.18-164.11.1.el5xen-0.20090202.cvs-6.sl5.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5-1.55-1.SL.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-164.11.1.el5xen-1.55-1.SL.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5-1.4.11-76.sl5.x86_64.rpm
kernel-module-openafs-2.6.18-164.11.1.el5xen-1.4.11-76.sl5.x86_64.rpm
   Dependancies for SL50,51,52,53:
kernel-module-ipw3945-2.6.18-164.11.1.el5-1.2.0-2.sl5.x86_64.rpm
kernel-module-ipw3945-2.6.18-164.11.1.el5xen-1.2.0-2.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-164.11.1.el5xen-0.9.4-15.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson