OSV:DSA-2126-1 (type: osv, source: Google)
History: Nov 26, 2010 - 12:00 a.m.

linux-2.6 - several issues

Published: 2010-11-26 00:00:00
Source: Google, osv.dev

CVSS2: 8.3 High (AV:A/AC:L/Au:N/C:C/I:C/A:C)

  • Access Vector: ADJACENT_NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Several vulnerabilities have been discovered in the Linux kernel that may lead
to a privilege escalation, denial of service or information leak. The Common
Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2010-2963
    Kees Cook discovered an issue in the v4l 32-bit compatibility layer for
    64-bit systems that allows local users with /dev/video write permission to
    overwrite arbitrary kernel memory, potentially leading to a privilege
    escalation. On Debian systems, access to /dev/video devices is restricted to
    members of the ‘video’ group by default.
  • CVE-2010-3067
    Tavis Ormandy discovered an issue in the io_submit system call. Local users
    can cause an integer overflow resulting in a denial of service.
  • CVE-2010-3296
    Dan Rosenberg discovered an issue in the cxgb network driver that allows
    unprivileged users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3297
    Dan Rosenberg discovered an issue in the eql network driver that allows
    local users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3310
    Dan Rosenberg discovered an issue in the ROSE socket implementation. On
    systems with a rose device, local users can cause a denial of service
    (kernel memory corruption).
  • CVE-2010-3432
    Thomas Dreibholz discovered an issue in the SCTP protocol that permits a
    remote user to cause a denial of service (kernel panic).
  • CVE-2010-3437
    Dan Rosenberg discovered an issue in the pktcdvd driver. Local users with
    permission to open /dev/pktcdvd/control can obtain the contents of sensitive
    kernel memory or cause a denial of service. By default on Debian systems,
    this access is restricted to members of the group ‘cdrom’.
  • CVE-2010-3442
    Dan Rosenberg discovered an issue in the ALSA sound system. Local users with
    permission to open /dev/snd/controlC0 can create an integer overflow
    condition that causes a denial of service. By default on Debian systems,
    this access is restricted to members of the group ‘audio’.
  • CVE-2010-3448
    Dan Jacobson reported an issue in the thinkpad-acpi driver. On certain
    Thinkpad systems, local users can cause a denial of service (X.org crash) by
    reading /proc/acpi/ibm/video.
  • CVE-2010-3477
    Jeff Mahoney discovered an issue in the Traffic Policing (act_police) module
    that allows local users to obtain the contents of sensitive kernel memory.
  • CVE-2010-3705
    Dan Rosenberg reported an issue in the HMAC processing code in the SCTP
    protocol that allows remote users to create a denial of service (memory
    corruption).
  • CVE-2010-3848
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    cause a stack overflow condition with large msg->msg_iovlen values that can
    result in a denial of service or privilege escalation.
  • CVE-2010-3849
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    cause a denial of service (oops) if a NULL remote addr value is passed as a
    parameter to sendmsg().
  • CVE-2010-3850
    Nelson Elhage discovered an issue in the Econet protocol. Local users can
    assign econet addresses to arbitrary interfaces due to a missing
    capabilities check.
  • CVE-2010-3858
    Brad Spengler reported an issue in the setup_arg_pages() function. Due to a
    bounds-checking failure, local users can create a denial of service (kernel
    oops).
  • CVE-2010-3859
    Dan Rosenberg reported an issue in the TIPC protocol. When the tipc module
    is loaded, local users can gain elevated privileges via the sendmsg() system
    call.
  • CVE-2010-3873
    Dan Rosenberg reported an issue in the X.25 network protocol. Local users
    can cause heap corruption, resulting in a denial of service (kernel panic).
  • CVE-2010-3874
    Dan Rosenberg discovered an issue in the Controller Area Network (CAN)
    subsystem on 64-bit systems. Local users may be able to cause a denial of
    service (heap corruption).
  • CVE-2010-3875
    Vasiliy Kulikov discovered an issue in the AX.25 protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3876
    Vasiliy Kulikov discovered an issue in the Packet protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3877
    Vasiliy Kulikov discovered an issue in the TIPC protocol. Local users can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-3880
    Nelson Elhage discovered an issue in the INET_DIAG subsystem. Local users
    can cause the kernel to execute unaudited INET_DIAG bytecode, resulting in a
    denial of service.
  • CVE-2010-4072
    Kees Cook discovered an issue in the System V shared memory subsystem.
    Local users can obtain the contents of sensitive kernel memory.
  • CVE-2010-4073
    Dan Rosenberg discovered an issue in the System V shared memory subsystem.
    Local users on 64-bit systems can obtain the contents of sensitive kernel
    memory via the 32-bit compatible semctl() system call.
  • CVE-2010-4074
    Dan Rosenberg reported issues in the mos7720 and mos7840 drivers for USB
    serial converter devices. Local users with access to these devices can
    obtain the contents of sensitive kernel memory.
  • CVE-2010-4078
    Dan Rosenberg reported an issue in the framebuffer driver for SiS graphics
    chipsets (sisfb). Local users with access to the framebuffer device can
    obtain the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
  • CVE-2010-4079
    Dan Rosenberg reported an issue in the ivtvfb driver used for the Hauppauge
    PVR-350 card. Local users with access to the framebuffer device can obtain
    the contents of sensitive kernel memory via the FBIOGET_VBLANK ioctl.
  • CVE-2010-4080
    Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
    audio devices. Local users with access to the audio device can obtain the
    contents of sensitive kernel memory via the SNDRV_HDSP_IOCTL_GET_CONFIG_INFO
    ioctl.
  • CVE-2010-4081
    Dan Rosenberg discovered an issue in the ALSA driver for RME Hammerfall DSP
    MADI audio devices. Local users with access to the audio device can obtain
    the contents of sensitive kernel memory via the
    SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl.
  • CVE-2010-4083
    Dan Rosenberg discovered an issue in the semctl system call. Local users can
    obtain the contents of sensitive kernel memory through usage of the semid_ds
    structure.
  • CVE-2010-4164
    Dan Rosenberg discovered an issue in the X.25 network protocol. Remote users
    can achieve a denial of service (infinite loop) by taking advantage of an
    integer underflow in the facility parsing code.

For the stable distribution (lenny), these problems have been fixed in version
2.6.26-26lenny1.

We recommend that you upgrade your linux-2.6 and user-mode-linux packages.

The following matrix lists additional source packages that were rebuilt for
compatibility with or to take advantage of this update:

Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+26lenny1
