(RHSA-2011:0330) Important: kernel-rt security and bug fix update

Advisory: RHSA-2011:0330 (Red Hat)
Published: Mar 10, 2011 - 12:00 a.m.
Source: access.redhat.com

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

EPSS: 0.003 Low (Percentile: 64.1%)

The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.

Security fixes:

  • Missing boundary checks in the PPP over L2TP sockets implementation could
    allow a local, unprivileged user to cause a denial of service or escalate
    their privileges. (CVE-2010-4160, Important)

  • Integer overflow in ib_uverbs_poll_cq() could allow a local, unprivileged
    user to cause a denial of service or escalate their privileges.
    (CVE-2010-4649, Important)

  • Missing boundary check in dvb_ca_ioctl() in the av7110 module. On systems
    using old DVB cards requiring the av7110 module, a local, unprivileged user
    could use this flaw to cause a denial of service or escalate their
    privileges. (CVE-2011-0521, Important)

  • Flaw in tcf_act_police_dump() in the network traffic policing
    implementation could allow a local, unprivileged user to cause an
    information leak. (CVE-2010-3477, Moderate)

  • Missing boundary checks in the block layer implementation could allow a
    local, unprivileged user to cause a denial of service. (CVE-2010-4162,
    CVE-2010-4163, CVE-2010-4668, Moderate)

  • Divide-by-zero flaw in tcp_select_initial_window() in the Linux kernel’s
    TCP/IP protocol suite implementation could allow a local, unprivileged user
    to cause a denial of service. (CVE-2010-4165, Moderate)

  • NULL pointer dereference flaw in the Bluetooth HCI UART driver could
    allow a local, unprivileged user to cause a denial of service.
    (CVE-2010-4242, Moderate)

  • Flaw in the CPU time clocks implementation for the POSIX clock interface
    could allow a local, unprivileged user to cause a denial of service.
    (CVE-2010-4248, Moderate)

  • Flaw in the garbage collector for AF_UNIX sockets could allow a local,
    unprivileged user to trigger a denial of service (out-of-memory condition).
    (CVE-2010-4249, Moderate)

  • Memory leak in the inotify_init() system call. In some cases, it could
    leak a group, which could allow a local, unprivileged user to eventually
    cause a denial of service. (CVE-2010-4250, Moderate)

  • /sys/kernel/debug/acpi/custom_method had world-writable permissions,
    which could allow a local, unprivileged user to escalate their privileges.
    Note: The debugfs file system must be mounted locally to exploit this
    issue. It is not mounted by default. (CVE-2010-4347, Moderate)

  • Heap overflow in iowarrior_write() could allow a user with access to an
    IO-Warrior USB device to cause a denial of service or escalate their
    privileges. (CVE-2010-4656, Moderate)

  • Missing security check in the Linux kernel’s implementation of the
    install_special_mapping routine could allow a local, unprivileged user to
    bypass the mmap_min_addr protection mechanism. (CVE-2010-4346, Low)

  • Information leak in bcm_connect() in the Controller Area Network (CAN)
    Broadcast Manager implementation could allow a local, unprivileged user to
    leak kernel mode addresses in /proc/net/can-bcm. (CVE-2010-4565, Low)

  • A logic error in orinoco_ioctl_set_auth() in the Linux kernel’s ORiNOCO
    wireless extensions support implementation could render TKIP
    countermeasures ineffective when they are enabled, because the function
    enabled the card instead of shutting it down. (CVE-2010-4648, Low)

  • Missing initialization flaw in ethtool_get_regs() could allow a local
    user who has the CAP_NET_ADMIN capability to cause an information leak.
    (CVE-2010-4655, Low)

  • Flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to
    cause an information leak. (CVE-2011-1044, Low)
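
The CVE-2010-4347 entry above names two preconditions: debugfs must be mounted, and acpi/custom_method must be world-writable. The following audit check for both is an added example, not part of the Red Hat advisory; the function names and the optional mounts-file and root-prefix arguments are hypothetical conveniences for running it against a fixture.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2010-4347 preconditions named in
# the advisory (debugfs mounted AND acpi/custom_method world-writable).
# Function names and the optional arguments are assumptions of this example.

# Print every debugfs mount point found in a /proc/mounts-style file.
debugfs_mounts() {
    awk '$3 == "debugfs" { print $2 }' "${1:-/proc/mounts}"
}

# Succeed only if the path exists and has the "other write" bit (0002) set.
is_world_writable() {
    [ -e "$1" ] || return 1
    [ -n "$(find -L "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# check_custom_method [mounts_file] [root_prefix]
# Prints one status line. Returns 0 when not exposed, 1 when exposed.
check_custom_method() {
    mounts=${1:-/proc/mounts}
    prefix=${2:-}
    found=0
    for mp in $(debugfs_mounts "$mounts"); do
        found=1
        f="$prefix$mp/acpi/custom_method"
        if is_world_writable "$f"; then
            echo "EXPOSED: $f is world-writable"
            return 1
        fi
    done
    if [ "$found" -eq 0 ]; then
        # The advisory notes debugfs is not mounted by default.
        echo "OK: debugfs not mounted"
    else
        echo "OK: custom_method absent or not world-writable"
    fi
    return 0
}
```

Calling `check_custom_method` with no arguments audits the running system through /proc/mounts. A non-zero return means both preconditions hold and the updated kernel-rt packages should be applied, or debugfs unmounted, on that host.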

Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-4160,
CVE-2010-4162, CVE-2010-4163, CVE-2010-4668, and CVE-2010-4565; Steve Chen
for reporting CVE-2010-4165; Alan Cox for reporting CVE-2010-4242; Vegard
Nossum for reporting CVE-2010-4249 and CVE-2010-4250; Kees Cook for
reporting CVE-2010-4656 and CVE-2010-4655; and Tavis Ormandy for reporting
CVE-2010-4346.

This update also fixes three bugs. Documentation for these bug fixes will
be available shortly from the Technical Notes document linked to in the
References section.
