[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2012-7594)

Christine Spang christine.spang at oracle.com
Wed May 23 09:21:51 PDT 2012


Synopsis: FEDORA-2012-7594 can now be patched using Ksplice
CVEs: CVE-2012-2313 CVE-2012-2319

Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2012-7594.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL pointer dereference when closing a Bluetooth TTY.

A NULL pointer dereference would occur when closing a Bluetooth TTY
because the driver would attempt to close the protocol driver before
the device had unregistered.


* NULL pointer dereference during Bluetooth HCI unregistration.

A race between hci_dev_open and hci_dev_unregister could result in a
NULL pointer dereference and kernel OOPS.


* Data corruption and kernel OOPS in HMC5843 magnetometer driver.

Client data was incorrectly extracted and initialized in
hmc5843_init_client, causing data corruption and an eventual kernel
panic.


* NULL pointer dereference in Altera UART driver.

A missing check on platp in altera_uart_probe allowed a NULL pointer
dereference and kernel OOPS.


* NULL pointer dereference in USB serial driver.

A race condition between probing and opening a USB serial device
could result in a NULL pointer dereference.


* NULL pointer dereference in USB scatter-gather library.

In a race between the unlinking and completion logic, sg_complete
could set urb->dev to NULL when it was still in use, causing a NULL
pointer dereference and kernel OOPS.


* Information disclosure in futex robust list handling.

An unprivileged user may acquire the address of a robust list
head from a setuid process, allowing an ASLR info leak.


* Byte counter overflow in SHA-512.

An incorrect check in sha512_update prevented the upper 64 bits of the
SHA-512 byte counter from being incremented when the lower 64 bits
overflowed.


* NULL pointer dereference in USB gadget FunctionFS ioctl.

A missing check in ffs_ep0_ioctl on whether or not the FunctionFS was
bound allowed a NULL pointer dereference and kernel OOPS.


* Use-after-free in netlink receive queue.

A race between threads on consuming a buffer from the receive queue in
netlink_sendskb could result in a use-after-free.


* Denial of service in PHONET message sending.

The PHONET driver would attempt to allocate any packet size requested
from userspace. This could lead to memory exhaustion and OOM kills.


* Use-after-free in socket error queue.

A race between threads on consuming a buffer from the socket error
queue in sock_queue_err_skb could result in a use-after-free.


* Buffer overflow in KS8851 network driver.

Insufficient buffer space when processing pending frames in ks_rcv
could result in a buffer overflow.


* Denial of service in the network GRED scheduler.

A kernel OOPS may occur in the GRED (Generic Random Early Detection)
network scheduler due to incorrect usage of the internal qdisc API.


* Denial of service in network namespace initialization.

The network namespace initialization routine would leak an internal
network generic structure if the initialization of one of the network
subsystems failed, leading to a possible denial of service.


* Integer overflow in Intel i915 command processing.

An integer overflow in the Intel i915 family display driver could cause
memory corruption on 32-bit systems.


* CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.

A buffer overflow flaw was found in the hfsplus_bnode_read() function in
the HFS+ file system implementation.  This could lead to a denial of
service if a user browsed a specially-crafted HFS+ file system, for
example, by running "ls".


* CVE-2012-2313: Privilege escalation in the dl2k NIC.

The D-LINK dl2k network card was missing permission checks in the ioctl
handling function. This would allow an unprivileged user to reconfigure
the low-level link device and trigger a denial-of-service.
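
The carry logic behind the "Byte counter overflow in SHA-512" item above, as
an added example that is not part of the original advisory and is not the
kernel's code. The flawed check is a hypothetical stand-in for the incorrect
check the advisory does not spell out; struct byte_counter, add_len_flawed,
add_len_correct and high_word_after are illustrative names.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit byte counter held as two 64-bit words: count[0] low, count[1] high. */
struct byte_counter {
    uint64_t count[2];
};

/* Hypothetical flawed check (assumption, not taken from the advisory):
 * carries only when the low word lands exactly on zero. */
static void add_len_flawed(struct byte_counter *c, uint64_t len)
{
    c->count[0] += len;
    if (c->count[0] == 0)
        c->count[1]++;
}

/* Correct check: an unsigned add wrapped iff the sum is smaller than the addend. */
static void add_len_correct(struct byte_counter *c, uint64_t len)
{
    c->count[0] += len;
    if (c->count[0] < len)
        c->count[1]++;
}

/* High word after adding len to a counter that starts at (high = 0, low = start_lo). */
uint64_t high_word_after(uint64_t start_lo, uint64_t len, int use_correct)
{
    struct byte_counter c = { { start_lo, 0 } };
    if (use_correct)
        add_len_correct(&c, len);
    else
        add_len_flawed(&c, len);
    return c.count[1];
}

int main(void)
{
    /* Constructed input: low word 16 bytes short of wrapping, then a 128-byte update. */
    uint64_t near_wrap = UINT64_MAX - 15;
    printf("flawed  high word: %llu\n",
           (unsigned long long)high_word_after(near_wrap, 128, 0));
    printf("correct high word: %llu\n",
           (unsigned long long)high_word_after(near_wrap, 128, 1));
    return 0;
}
```

The high word matters because SHA-512 appends the total message length as a
128-bit value in its final padding, so a lost carry changes the digest.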

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


