(RHSA-2010:0631) Important: kernel-rt security and bug fix update

2010-08-17 00:00:00
access.redhat.com

CVSS2 base score: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.706 High (percentile 97.7%)

These packages contain the Linux kernel, the core of any Linux operating
system.

Security fixes:

  • unsafe sprintf() use in the Bluetooth implementation. Creating a large
    number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary
    memory pages being overwritten, allowing a local, unprivileged user to
    cause a denial of service or escalate their privileges. (CVE-2010-1084,
    Important)

  • a flaw in the Unidirectional Lightweight Encapsulation implementation,
    allowing a remote attacker to send a specially-crafted ISO MPEG-2 Transport
    Stream frame to a target system, resulting in a denial of service.
    (CVE-2010-1086, Important)

  • NULL pointer dereference in nfs_wb_page_cancel(), allowing a local user
    on a system that has an NFS-mounted file system to cause a denial of
    service or escalate their privileges on that system. (CVE-2010-1087,
    Important)

  • flaw in sctp_process_unk_param(), allowing a remote attacker to send a
    specially-crafted SCTP packet to an SCTP listening port on a target system,
    causing a denial of service. (CVE-2010-1173, Important)

  • race condition between finding a keyring by name and destroying a freed
    keyring in the key management facility, allowing a local, unprivileged
    user to cause a denial of service or escalate their privileges.
    (CVE-2010-1437, Important)

  • systems using the kernel NFS server to export a shared memory file system
    and that have the sysctl overcommit_memory variable set to never overcommit
    (a value of 2; by default, it is set to 0), may experience a NULL pointer
    dereference, allowing a local, unprivileged user to cause a denial of
    service or escalate their privileges. (CVE-2008-7256, CVE-2010-1643,
    Important)

  • when an application has a stack overflow, the stack could silently
    overwrite another memory mapped area instead of a segmentation fault
    occurring, which could cause an application to execute arbitrary code.
    (CVE-2010-2240, Important)

  • flaw in CIFSSMBWrite() could allow a remote attacker to send a
    specially-crafted SMB response packet to a target CIFS client, resulting in
    a denial of service. (CVE-2010-2248, Important)

  • buffer overflow flaws in the kernel’s implementation of the server-side
    XDR for NFSv4 could allow an attacker on the local network to send a
    specially-crafted large compound request to the NFSv4 server, possibly
    resulting in a denial of service or code execution. (CVE-2010-2521,
    Important)

  • NULL pointer dereference in the firewire-ohci driver used for OHCI
    compliant IEEE 1394 controllers could allow a local, unprivileged user with
    access to /dev/fw* files to issue certain IOCTL calls, causing a denial of
    service or privilege escalation. The FireWire modules are blacklisted by
    default. If enabled, only root has access to the files noted above by
    default. (CVE-2009-4138, Moderate)

  • flaw in the link_path_walk() function. Using the file descriptor
    returned by open() with the O_NOFOLLOW flag on a subordinate NFS-mounted
    file system could result in a NULL pointer dereference, causing a denial
    of service or privilege escalation. (CVE-2010-1088, Moderate)

  • memory leak in release_one_tty() could allow a local, unprivileged user
    to cause a denial of service. (CVE-2010-1162, Moderate)

  • information leak in the USB implementation. Certain USB errors could
    result in an uninitialized kernel buffer being sent to user-space. An
    attacker with physical access to a target system could use this flaw to
    cause an information leak. (CVE-2010-1083, Low)

Red Hat would like to thank Neil Brown for reporting CVE-2010-1084; Ang Way
Chuang for reporting CVE-2010-1086; Jukka Taimisto and Olli Jarva of
Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their
customer, for responsibly reporting CVE-2010-1173; the X.Org security team
for reporting CVE-2010-2240, with upstream acknowledging Rafal Wojtczuk as
the original reporter; and Marcus Meissner for reporting CVE-2010-1083.
