[Ksplice][EL6-Updates] New updates available via Ksplice (RHSA-2013:0744-1)

Jamie Iles jamie.iles at oracle.com
Fri Apr 26 02:08:04 PDT 2013


Synopsis: RHSA-2013:0744-1 can now be patched using Ksplice
CVEs: CVE-2012-6537 CVE-2012-6538 CVE-2012-6546 CVE-2012-6547 CVE-2013-0349 CVE-2013-0913 CVE-2013-1767 CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796 CVE-2013-1797 CVE-2013-1798 CVE-2013-1826 CVE-2013-1827

Systems running RHCK on Oracle Linux 6, Red Hat Enterprise Linux 6,
CentOS 6, and Scientific Linux 6 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2013:0744-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on OL 6, RHEL 6, CentOS
6, and Scientific Linux 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2013-1798: Information leak in KVM APIC driver.

The KVM paravirtualised APIC driver does not correctly validate arguments
from the guest virtual machine when querying the APIC device, allowing a
malicious guest virtual machine to read kernel memory from the host.


* CVE-2013-1792: Denial-of-service in user keyring management.

A race condition in installing a user keyring could allow a local,
unprivileged user to crash the machine, causing a denial-of-service.


* CVE-2012-6537: Kernel information leaks in network transformation subsystem.

This fixes several cases where xfrm_user code could leak kernel
memory to user space.


* CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.

A Linux kernel built with XFRM framework support is vulnerable to a NULL
pointer dereference flaw, which occurs while accessing XFRM state via the
xfrm_state_netlink routine.


* CVE-2013-1827: Denial-of-service in DCCP socket options.

A NULL pointer dereference in the Datagram Congestion Control Protocol
(DCCP) implementation could allow a local user to cause a denial of
service.


* CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak
from the kernel.


* CVE-2012-6546: Information leak in ATM sockets.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an ATM socket.


* CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.

If a tmpfs mount that was originally mounted with the mpol=M
option is remounted, it reuses the already freed mempolicy object.


* CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.

Unicode conversion functions used in the VFAT filesystem were vulnerable
to buffer overruns.  Carefully constructed VFAT partitions mounted with
the utf8 option could allow an attacker to corrupt kernel memory and
possibly execute code in kernel mode.


* CVE-2012-6547: Kernel stack leak from TUN ioctls.

The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel before
3.6 does not initialize a certain structure, which allows local users to
obtain sensitive information from kernel stack memory via a crafted
application.


* CVE-2013-0913: Kernel heap overflow in Intel i915 driver.

An integer overflow in the Intel i915 driver when relocating buffers can allow
a local user to overflow the kernel heap and gain privileged code execution.


* CVE-2013-1796, CVE-2013-1797: Privilege escalation in KVM system time.

The KVM paravirtualised MSR driver did not correctly validate arguments
and pin guest memory associated with paravirtualised timers, allowing a
guest virtual machine to crash the host by unmapping memory, or to corrupt
the heap and escalate privileges.


* CVE-2012-6538: Information leak in network transformation subsystem.

Incorrect initialization of a buffer could leak up to 54 bytes of kernel
heap information to userspace.


* CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.

A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.
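
Several entries above (CVE-2012-6547, CVE-2012-6538) describe one class of
bug: a structure or buffer is copied to user space without being fully
initialized. The user-space C program below is an added illustration, not
kernel code and not part of the advisory; struct reply, both fill functions,
the "tun0" name and the 0xA5 marker are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5 /* constructed marker standing in for leftover stack data */

/* Hypothetical reply a driver copies back to its caller (no padding). */
struct reply {
    char     name[16];
    uint32_t flags;
    uint32_t reserved; /* never written by the fill functions below */
};

/* Pre-fix pattern: only the fields of interest are written. */
static void fill_unsafe(struct reply *r, const char *name)
{
    size_t len = strlen(name);
    if (len >= sizeof(r->name))
        len = sizeof(r->name) - 1;
    memcpy(r->name, name, len);
    r->name[len] = '\0';
    r->flags = 1;
}

/* Fixed pattern: zero the whole object before filling it in. */
static void fill_safe(struct reply *r, const char *name)
{
    memset(r, 0, sizeof(*r));
    fill_unsafe(r, name);
}

/* Simulates the ioctl path: a stack object holding old data is filled in and
 * copied out whole (memcpy stands in for copy_to_user()). Returns the number
 * of stale bytes that reached the caller's buffer. */
static size_t stale_bytes_copied(void (*fill)(struct reply *, const char *))
{
    struct reply r;
    unsigned char out[sizeof(r)];
    size_t i, n = 0;

    memset(&r, STALE, sizeof(r)); /* "previous contents" of the stack slot */
    fill(&r, "tun0");
    memcpy(out, &r, sizeof(r));   /* whole-struct copy to "user space" */
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("unsafe: %zu stale bytes\n", stale_bytes_copied(fill_unsafe));
    printf("safe:   %zu stale bytes\n", stale_bytes_copied(fill_safe));
    return 0;
}
```

The stale bytes in the unsafe case are the unused tail of the name field and
the untouched reserved field; zeroing the object first removes both.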

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



