[Ksplice][EL6-Updates] New updates available via Ksplice (RHSA-2012-0743)

Samson Yeung samson.yeung at oracle.com
Wed Jun 20 21:25:11 PDT 2012


Synopsis: RHSA-2012-0743 can now be patched using Ksplice
CVEs: CVE-2012-0044 CVE-2012-1179 CVE-2012-2119 CVE-2012-2121 
CVE-2012-2123 CVE-2012-2136 CVE-2012-2137 CVE-2012-2372 CVE-2012-2373

Systems running Red Hat Enterprise Linux 6, CentOS 6, and Scientific
Linux 6 can now use Ksplice to patch against the latest Red Hat
Security Advisory, RHSA-2012-0743.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on RHEL 6, CentOS 6,
and Scientific Linux 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
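As an added example, not part of this advisory or of Ksplice's own tooling, the following POSIX shell script carries out the procedure above: it checks uptrack.conf for autoinstall, runs uptrack-upgrade otherwise, and then confirms that every CVE in the advisory appears among the applied updates. It assumes that uptrack-show lists each applied update with its CVE-prefixed title, and the UPTRACK_CONF variable and --apply flag are conventions of this script only.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether this host will pick up
# the RHSA-2012-0743 updates on its own, apply them if not, and verify.
# Assumes 'uptrack-show' prints each applied update with its CVE-prefixed title.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# CVEs fixed by RHSA-2012-0743, as listed in the advisory.
RHSA_2012_0743_CVES="CVE-2012-0044 CVE-2012-1179 CVE-2012-2119 CVE-2012-2121
CVE-2012-2123 CVE-2012-2136 CVE-2012-2137 CVE-2012-2372 CVE-2012-2373"

# Succeed when the config file enables autoinstall. '#' and ';' comments and
# surrounding whitespace are ignored, the key and value are matched
# case-insensitively, and the last occurrence of the key wins.
autoinstall_enabled() {
    [ -r "$1" ] || return 1
    val=$(sed -e 's/[[:space:]]*[#;].*$//' "$1" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# Print, one per line, the advisory CVEs that do not appear in the given
# text (the captured output of 'uptrack-show'); print nothing if all are there.
missing_cves() {
    for cve in $RHSA_2012_0743_CVES; do
        printf '%s\n' "$1" | grep -q -w -F "$cve" || printf '%s\n' "$cve"
    done
}

main() {
    if autoinstall_enabled "$UPTRACK_CONF"; then
        echo "autoinstall is on; Uptrack will apply the updates by itself."
    else
        echo "autoinstall is off; applying the updates now."
        /usr/sbin/uptrack-upgrade -y
    fi
    left=$(missing_cves "$(uptrack-show 2>/dev/null)")
    if [ -n "$left" ]; then
        echo "Still unpatched on this host:"
        echo "$left"
        return 1
    fi
    echo "All RHSA-2012-0743 fixes are applied."
}
# Only act when invoked explicitly, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then main; fi
```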


DESCRIPTION

* CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.

A missing size check in drm_mode_dirtyfb_ioctl allowed an attacker to
overflow num_clips, causing a buffer allocation of an unintended,
small size. Subsequent calls to fb->funcs->dirty could then write
past the end of that buffer, corrupting memory.


* CVE-2012-2119: Stack overflow in KVM macvtap page pinning.

The length of the page vector passed from the guest to the host through
macvtap is not validated before the pages are pinned. A privileged
guest user could use this flaw to overflow the stack on the host; the
data written is not attacker-controlled, but its length is.


* CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.

When a process gains elevated permissions through file capabilities (fcaps),
the dangerous personality flags that are cleared for setuid programs are
not cleared. This has allowed programs that gained elevated permissions
using fcaps to disable the address space randomization of other processes.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent was not validated before use,
leading to a heap overflow. A user with access to a TUN/TAP virtual
device could use this flaw to crash the system or, potentially, to
escalate their privileges.


* CVE-2012-2121: Memory leak in KVM device assignment.

KVM uses memory slots to track and map guest regions of memory. When device
assignment is used, the pages backing these slots are pinned in memory and
mapped into the IOMMU. The problem is that when a memory slot is destroyed,
the pages for the associated memory slot are neither unpinned nor unmapped
from the IOMMU.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function in
the KVM subsystem of the Linux kernel in the way the Message Signaled
Interrupts (MSI) routing entry was handled. A local, unprivileged user
could use this flaw to cause a denial of service or, possibly, escalate
their privileges.


* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.

CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when the
memory management subsystem did not expect it. A privileged user in a
KVM guest could use this flaw to crash the host, and an unprivileged
local user could use it to crash the system.

CVE-2012-2373: Denial of service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault
resulting in a kernel crash, triggerable by an unprivileged user.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
