(RHSA-2010:0958) Important: kernel-rt security and bug fix update

Published: 2010-12-08
Source: access.redhat.com
EPSS: 0.017 (Low), percentile 87.9%

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

  • Missing sanity checks in the Intel i915 driver in the Linux kernel could
    allow a local, unprivileged user to escalate their privileges.
    (CVE-2010-2962, Important)

  • A flaw in sctp_packet_config() in the Linux kernel’s Stream Control
    Transmission Protocol (SCTP) implementation could allow a remote attacker
    to cause a denial of service. (CVE-2010-3432, Important)

  • A missing integer overflow check in snd_ctl_new() in the Linux kernel’s
    sound subsystem could allow a local, unprivileged user on a 32-bit system
    to cause a denial of service or escalate their privileges. (CVE-2010-3442,
    Important)

  • A flaw was found in sctp_auth_asoc_get_hmac() in the Linux kernel’s SCTP
    implementation. When iterating through the hmac_ids array, it did not reset
    the last id element if it was out of range. This could allow a remote
    attacker to cause a denial of service. (CVE-2010-3705, Important)

  • Sanity checks were missing in setup_arg_pages() in the Linux kernel.
    Making the size of the argument and environment area on the stack very
    large could trigger a BUG_ON(), resulting in a local denial of service.
    (CVE-2010-3858, Moderate)

  • A flaw was found in ethtool_get_rxnfc() in the Linux kernel’s ethtool
    IOCTL handler. When it is called with a large info.rule_cnt, it could allow
    a local user to cause an information leak. (CVE-2010-3861, Moderate)

  • A flaw was found in bcm_connect() in the Linux kernel’s Controller Area
    Network (CAN) Broadcast Manager. On 64-bit systems, writing the socket
    address may overflow the procname character array. (CVE-2010-3874,
    Moderate)

  • A flaw was found in inet_csk_diag_dump() in the Linux kernel’s module for
    monitoring the sockets of INET transport protocols. By sending a netlink
    message with certain bytecode, a local, unprivileged user could cause a
    denial of service. (CVE-2010-3880, Moderate)

  • Missing sanity checks in gdth_ioctl_alloc() in the gdth driver in the
    Linux kernel could allow a local user with access to “/dev/gdth” on a
    64-bit system to cause a denial of service or escalate their privileges.
    (CVE-2010-4157, Moderate)

  • A use-after-free flaw in the mprotect() system call could allow a local,
    unprivileged user to cause a local denial of service. (CVE-2010-4169,
    Moderate)

  • Missing initialization flaws in the Linux kernel could lead to
    information leaks. (CVE-2010-3876, CVE-2010-4072, CVE-2010-4073,
    CVE-2010-4074, CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080,
    CVE-2010-4082, CVE-2010-4083, CVE-2010-4158, Low)

Red Hat would like to thank Kees Cook for reporting CVE-2010-2962,
CVE-2010-3861, and CVE-2010-4072; Dan Rosenberg for reporting
CVE-2010-3442, CVE-2010-3705, CVE-2010-3874, CVE-2010-4073, CVE-2010-4074,
CVE-2010-4075, CVE-2010-4077, CVE-2010-4079, CVE-2010-4080, CVE-2010-4082,
CVE-2010-4083, and CVE-2010-4158; Brad Spengler for reporting
CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; and Vasiliy
Kulikov for reporting CVE-2010-3876.

Bug fixes:

  • A vulnerability was found in the 32-bit compatibility code for the
    VIDIOCSMICROCODE IOCTL in the Video4Linux implementation. It does not
    affect Red Hat Enterprise MRG, but as a preventive measure, this update
    removes the code. Red Hat would like to thank Kees Cook for reporting this
    vulnerability. (BZ#642469)

  • The kernel-rt spec file was missing the crypto, drm, generated, and trace
    header directories when generating the kernel-rt-devel package, resulting
    in out-of-tree modules failing to build. (BZ#608784)

  • On computers without a supported Performance Monitoring Unit, a crash
    would occur when running the “perf top” command, and occasionally other
    perf commands. perf software events are now marked as IRQ safe to avoid
    this crash. (BZ#647434)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.
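
One way to confirm on a host that the update is both installed and active, as an added example that is not part of the advisory or Red Hat's tooling. It assumes the kernel-rt RPM changelog names the CVE ids it fixes and that `uname -r` begins with the package's version-release string; the function names are hypothetical.

```shell
#!/bin/sh
# CVE ids copied from the advisory text above (RHSA-2010:0958).
RHSA_CVES="CVE-2010-2962 CVE-2010-3432 CVE-2010-3442 CVE-2010-3705
CVE-2010-3858 CVE-2010-3861 CVE-2010-3874 CVE-2010-3880 CVE-2010-4157
CVE-2010-4169 CVE-2010-3876 CVE-2010-4072 CVE-2010-4073 CVE-2010-4074
CVE-2010-4075 CVE-2010-4077 CVE-2010-4079 CVE-2010-4080 CVE-2010-4082
CVE-2010-4083 CVE-2010-4158"

# missing_cves: read RPM changelog text on stdin and print every advisory CVE
# it does not mention. Returns 0 only when all of them are present.
missing_cves() {
    log=$(cat)
    rc=0
    for cve in $RHSA_CVES; do
        if ! printf '%s\n' "$log" | grep -Fqw -- "$cve"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# reboot_pending RUNNING NEWEST: succeeds when the running kernel release does
# not start with the newest installed version-release (fix is on disk only).
reboot_pending() {
    case "$1" in
        "$2"*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_host: run both checks against the local RPM database.
check_host() {
    newest=$(rpm -q --qf '%{INSTALLTIME} %{VERSION}-%{RELEASE}\n' kernel-rt |
             sort -n | tail -n 1 | cut -d' ' -f2)
    [ -n "$newest" ] || { echo "kernel-rt is not installed" >&2; return 2; }
    # With several kernel-rt builds installed, all changelogs are searched.
    if missing=$(rpm -q --changelog kernel-rt | missing_cves); then
        echo "kernel-rt changelog names every CVE in RHSA-2010:0958"
    else
        echo "not named in the kernel-rt changelog:"; echo "$missing"
    fi
    if reboot_pending "$(uname -r)" "$newest"; then
        echo "running $(uname -r), newest installed $newest: reboot required"
    fi
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `--check` on the target host; without arguments it only defines the functions.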