[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2012-0492)

Tim Abbott tim.abbott at oracle.com
Tue Jan 17 15:00:59 PST 2012


Synopsis: FEDORA-2012-0492 can now be patched using Ksplice
CVEs: CVE-2011-2203 CVE-2011-4077 CVE-2011-4347 CVE-2011-4622 CVE-2012-0038 CVE-2012-0045 CVE-2012-0207

Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2012-0492.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
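
The following check script is added here as an illustration; it is not part of the advisory and is not Oracle's Uptrack tooling. It reads the autoinstall setting from an uptrack.conf-style file (assumed to be plain "key = value" lines with '#' comments) and reports whether the manual uptrack-upgrade run above is still required. The config path is a parameter so the function can be run against the constructed sample files written at the bottom of the script.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory or Oracle's tooling).
# Assumes uptrack.conf is made of "key = value" lines with '#' comments.

# uptrack_autoinstall_value CONF
# Prints the lower-cased value of the last uncommented "autoinstall = ..."
# line in CONF, or nothing if the key is absent or the file is unreadable.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# uptrack_manual_upgrade_needed CONF
# Prints "auto" when Uptrack will apply updates by itself (autoinstall = yes)
# and "manual" when an administrator must run "uptrack-upgrade -y" by hand.
uptrack_manual_upgrade_needed() {
    if [ "$(uptrack_autoinstall_value "$1")" = "yes" ]; then
        echo auto
    else
        echo manual
    fi
}

# Constructed sample configs (not copied from any real host) for a
# stand-alone run; the real file lives at /etc/uptrack/uptrack.conf.
tmpdir=$(mktemp -d)
printf '# Uptrack settings\nautoinstall = yes\n' > "$tmpdir/auto.conf"
printf 'autoinstall = no\n' > "$tmpdir/manual.conf"
printf '# autoinstall = yes\n' > "$tmpdir/commented.conf"

for f in auto manual commented; do
    echo "$f.conf: $(uptrack_manual_upgrade_needed "$tmpdir/$f.conf")"
done
rm -rf "$tmpdir"
```

Run against the real file with `uptrack_manual_upgrade_needed /etc/uptrack/uptrack.conf`. The script only decides whether the manual run is needed; it does not verify that the updates themselves have been applied.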


DESCRIPTION

* File creation race in eCryptfs.

A race between file creation and allocation could cause a null pointer
dereference or attempts to use uninitialized memory.


* Use after free bug in ext4_end_io_dio.

A use-after-free bug in ext4_end_io_dio can leak an ext4_io_end_t
structure. If the slab object has already been freed and reallocated,
ext4_end_io_dio ends up clearing the wrong iocb->private, so the
ext4_io_end_t struct is never released.


* Improved fix for CVE-2011-4077.

Fedora provided an improved patch for CVE-2011-4077, fixing a buffer
overflow in xfs_readlink.


* Prevent xfs quota memory corruption.

The xfs_qm_dqattach_one function in the xfs filesystem did not properly
pass the doalloc flag to xfs_qm_dqget.  As a result, xfs_qm_dqget would
not allocate a new quota object even when one was needed, resulting in
possible memory corruption.


* Kernel OOPS in fork() under heavy load.

Because MMU updates weren't being flushed when doing kmap_atomic (or
kunmap_atomic), we could hit a dereference bug when processing a fork()
on a heavily loaded machine.


* NULL pointer dereference in CIFS directory search handling.

In some cases, a FIND reply will cause the last_entry field of a
cifs_search_info struct to be NULL. Missing checks on this field in
find_cifs_entry allowed a NULL pointer dereference and kernel OOPS.


* CVE-2011-2203: Null pointer dereference mounting HFS filesystems.

A NULL pointer dereference flaw was found in the Linux kernel's HFS
file system implementation. A local attacker could use this flaw to
cause a denial of service by mounting a disk that contains a
specially-crafted HFS file system with a corrupted MDB extent
record.


* Use-after-free in ext4 direct I/O (DIO) management.

iocb->private was cleared too late in ext4_end_io_dio. An fsync() run
on another CPU could free an iocb struct that was still in use.


* Information leak in ext4 page-IO.

Parts of a page beyond EOF were not zeroed before being returned to
the user in ext4_bio_write_page. This allowed an mmap of a size other
than a multiple of PAGE_SIZE to read uninitialized memory.


* Buffer overflow in FUSE page retrieval.

If more than FUSE_MAX_PAGES_PER_REQ pages were requested in
fuse_retrieve, the request page array would overflow.


* CVE-2011-4622: NULL pointer dereference in KVM interval timer emulation.

Starting PIT timers in the absence of irqchip support could cause a
NULL pointer dereference and kernel OOPS.


* CVE-2012-0045: Denial of service in KVM system call emulation.

A bug in the KVM system call emulation allowed local users on a 32-bit
KVM guest system to cause the guest system to panic.


* CVE-2012-0038: Buffer overflow in XFS ACL handling code.

An integer overflow bug in the XFS filesystem's ACL handling could
lead to a heap-based buffer overflow when mounting a maliciously
crafted XFS filesystem.


* CVE-2012-0207: Denial of service bug in IGMP.

The IGMP subsystem's compatibility handling of v2 packets had a bug in
the computation of a delay field, which could result in a division by
zero (causing a kernel panic).


* CVE-2011-4347: Denial of service in KVM device assignment.

Several bugs that allowed unprivileged users to improperly assign
devices to KVM guests could result in a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
