[Ksplice][Fedora-16-updates] New updates available via Ksplice (FEDORA-2012-12046)

Michael Ploujnikov michael.ploujnikov at oracle.com
Thu Aug 23 10:17:27 PDT 2012


Synopsis: FEDORA-2012-12046 can now be patched using Ksplice
CVEs: CVE-2012-3412

Systems running Fedora 16 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2012-12046.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 16 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak via incomplete copies in USB.

Copies of non-contiguous isochronous buffers in the USB subsystem may
leak kernel memory to a potential attacker.


* Out-of-bound values allowed by fcntl_setlease.

fcntl_setlease cast its long argument to an int without first checking its
range, so values outside the permitted set of lease types could be accepted.
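The narrowing problem described above, as an added example that is not part of
this announcement or of the kernel source: a value with a legal lease type in
its low 32 bits and junk above passes a check that is done after the cast, and
is rejected when the full-width value is checked first. The lease constants,
the int64_t stand-in for a 64-bit kernel long, and the function names are
assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Lease types with the values Linux uses on x86 (F_RDLCK=0, F_WRLCK=1,
 * F_UNLCK=2), defined locally so this file builds without <fcntl.h>. */
#define LEASE_RDLCK 0
#define LEASE_WRLCK 1
#define LEASE_UNLCK 2

/* Pre-fix model: the userspace `long` argument is narrowed to `int` and
 * only then compared against the legal lease types. int64_t stands in for
 * a 64-bit kernel `long`; on gcc/clang the narrowing keeps the low 32 bits.
 * Returns 1 if the request would be accepted, 0 if rejected. */
static int setlease_accepts_narrowed(int64_t arg)
{
    int narrowed = (int)arg;   /* bits 32..63 silently discarded */

    switch (narrowed) {
    case LEASE_RDLCK:
    case LEASE_WRLCK:
    case LEASE_UNLCK:
        return 1;
    default:
        return 0;
    }
}

/* Hardened model: range-check the full-width value first, so the narrowing
 * below can never change it. */
static int setlease_accepts_checked(int64_t arg)
{
    if (arg < LEASE_RDLCK || arg > LEASE_UNLCK)
        return 0;
    return setlease_accepts_narrowed(arg);   /* arg is now provably 0..2 */
}

int main(void)
{
    /* Constructed sample: F_WRLCK in the low bits, junk in the high bits. */
    int64_t bad = (INT64_C(1) << 32) | LEASE_WRLCK;

    printf("narrowed check accepts 0x%llx: %d\n",
           (unsigned long long)bad, setlease_accepts_narrowed(bad));
    printf("full-width check accepts 0x%llx: %d\n",
           (unsigned long long)bad, setlease_accepts_checked(bad));
    return 0;
}
```

The general rule the example illustrates is to validate a user-supplied value
at the width it arrived in, before any conversion that can discard bits.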


* NULL pointer dereference in qeth driver.

Missing NULL pointer checks could result in a kernel crash and
denial-of-service.


* Use-after-free in tg3 network driver stats.

Invalid locking could result in a use-after-free condition when
accessing device statistics.


* Kernel crash in radeon DRM driver.

Incorrect error handling in the CS parser could result in a kernel oops
when managing fence buffer objects.


* Memory leak in radeon buffer object management.

Incorrect error handling could result in a memory leak and
denial-of-service.


* Memory leak in device mapper thin provisioning driver.

Incorrect error handling could result in a memory leak and denial of
service.


* Data loss in ext4 filesystems.

An integer underflow in metadata block management could result in
allocation failure and data loss.


* NULL pointer dereference in CIPSO socket options.

Adding a CIPSO option to a socket could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Kernel information leak in put_cmsg_compat().

A networking compatibility handler for 32-bit processes used stack
variables outside of their scope resulting in a kernel stack information
leak to users.


* NULL pointer dereference in Ralink rt2x00 wireless network driver.

Due to incorrect initialization of a data structure, a NULL pointer
dereference may occur on device wakeup.


* NULL pointer dereference in caif tty driver.

A missing NULL pointer check could result in a kernel crash when opening
the tty device.


* Kernel stack information leak in tun ioctls.

Incorrect initialisation of ioctl structures could result in leaking
stack bytes to a userspace process.
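The stack information leaks described for put_cmsg_compat() and the tun
ioctls above share one mechanism: a structure on the kernel stack is only
partially written before the whole thing is copied to userspace. The following
is an added example, not code from this announcement or from the kernel, that
models both with a toy reply structure. The struct layout, the STALE_BYTE
pattern standing in for leftover stack contents, and memcpy standing in for
copy_to_user() are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy ioctl reply. A uint32_t followed by char[16] has no interior padding on
 * the usual ABIs (assumed), so every uninitialised byte in this model comes
 * from the tail of the partially written name field. */
struct ioctl_reply {
    uint32_t type;
    char     name[16];
};

/* Stands in for whatever an earlier call left on the kernel stack. */
#define STALE_BYTE 0xEE

/* Vulnerable handler: fills only the fields it cares about, then copies the
 * whole struct to userspace (memcpy plays the role of copy_to_user()). The
 * memset with STALE_BYTE is the constructed model of stale stack contents,
 * not something the real handler does. */
static void reply_vulnerable(const char *ifname, uint8_t *user_buf)
{
    struct ioctl_reply r;
    size_t n = strlen(ifname) + 1;

    memset(&r, STALE_BYTE, sizeof r);        /* model: uninitialised stack frame */
    if (n > sizeof r.name)
        n = sizeof r.name;
    r.type = 1;
    memcpy(r.name, ifname, n);               /* writes strlen+1 bytes, rest untouched */
    memcpy(user_buf, &r, sizeof r);          /* copy_to_user(): stale bytes go with it */
}

/* Hardened handler: zero the whole structure before filling it, so nothing
 * that was on the stack can reach userspace regardless of padding or short
 * strings. */
static void reply_hardened(const char *ifname, uint8_t *user_buf)
{
    struct ioctl_reply r;
    size_t n = strlen(ifname) + 1;

    memset(&r, STALE_BYTE, sizeof r);        /* same constructed model of stale stack */
    memset(&r, 0, sizeof r);                 /* the fix */
    if (n > sizeof r.name)
        n = sizeof r.name;
    r.type = 1;
    memcpy(r.name, ifname, n);
    memcpy(user_buf, &r, sizeof r);
}

/* Count how many STALE_BYTE values made it into the userspace copy. */
static size_t count_stale(const uint8_t *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE_BYTE)
            hits++;
    return hits;
}

static size_t leaked_bytes_vulnerable(const char *ifname)
{
    uint8_t buf[sizeof(struct ioctl_reply)];
    reply_vulnerable(ifname, buf);
    return count_stale(buf, sizeof buf);
}

static size_t leaked_bytes_hardened(const char *ifname)
{
    uint8_t buf[sizeof(struct ioctl_reply)];
    reply_hardened(ifname, buf);
    return count_stale(buf, sizeof buf);
}

int main(void)
{
    printf("vulnerable handler leaks %zu bytes\n", leaked_bytes_vulnerable("tun0"));
    printf("hardened handler leaks %zu bytes\n", leaked_bytes_hardened("tun0"));
    return 0;
}
```

With the constructed name "tun0" the vulnerable handler copies out the 11
unwritten bytes of the name field; the hardened handler copies out none. The
same zeroing discipline covers compiler-inserted padding, which a field-by-field
initialiser does not.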


* NULL pointer dereference in futex requeuing.

A missing NULL pointer check could result in a kernel crash when
attempting to requeue a futex.


* NULL pointer dereference in non-pi futexes.

Incorrect configuration of futex addresses could lead to a NULL pointer
dereference and kernel crash.


* Kernel panic on SUNRPC initialization failure.

A kernel panic may occur when SUNRPC initialization fails, because the
initialization function returned invalid values on failure.


* Use-after-free in freed page LRU handling.

A race condition between MMU notifier release and page unmapping may cause
the memory manager to access a page which was already freed.


* Data corruption in raid1 from known bad blocks.

Resyncing a RAID1 array with 2 devices could cause 'sync' to abort early
if a bad block is found, leading to data corruption.


* Out-of-bound access in ORE handling of external filesystems.

External filesystems using ORE may cause an out-of-bound access if they use
more than one ORE COMP for their device table.


* Denial of service in hugetlbfs shared page table teardown.

A race condition in hugetlbfs shared page table teardown may corrupt the
page tables, leading to a kernel BUG.


* Various problems in target core unmap command.

The target core did not do sufficient checking when the unmap command was
issued to it. As a result, an attacker could unmap things they should
not be allowed to, potentially causing a denial of service on the
server.


* NULL pointer dereference in non-persistent tunnel devices.

A NULL pointer dereference in the tunneling network device may occur
when closing a tunnel device.


* CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.

A remote attacker may trigger a denial of service on hosts using an SFC NIC
by advertising a very small TCP MSS, causing the victim to run out of
resources while processing the resulting packets.
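Why a small MSS is a resource lever, as an added example that is not part of
this announcement or of the sfc driver: a fixed-size TSO super-packet splits
into a number of segments inversely proportional to the MSS, and each segment
costs the NIC transmit descriptors. Capping the super-packet at mss * max_segs
bounds that cost per skb. The 64 KiB super-packet size, the two-descriptors-per-
segment cost model and the per-skb segment limit of 100 are assumptions made
for the example (the last is the value I recall the upstream fix giving the sfc
driver).

```c
#include <stdio.h>

/* 64 KiB is the conventional upper bound on a TSO super-packet. The
 * per-skb segment limit of 100 is the value I recall the sfc driver
 * advertising after the upstream fix; treat it as an assumption. */
#define GSO_MAX_SIZE     65536u
#define SFC_TSO_MAX_SEGS 100u

/* Segments a super-packet of `len` payload bytes becomes at MSS `mss`. */
static unsigned tso_segments(unsigned len, unsigned mss)
{
    if (mss == 0)
        return 0;                /* a zero MSS must be rejected earlier */
    return (len + mss - 1) / mss;
}

/* Simplified descriptor model: each segment costs one descriptor for its
 * headers and one for its payload. Real ring accounting is more involved;
 * the point is that the cost scales with the segment count. */
static unsigned tso_descriptors(unsigned len, unsigned mss)
{
    return 2 * tso_segments(len, mss);
}

/* Pre-fix: the stack hands the driver up to GSO_MAX_SIZE bytes whatever
 * the MSS, so a peer advertising a tiny MSS multiplies the descriptors
 * consumed per skb and can exhaust the TX ring. */
static unsigned super_packet_unbounded(unsigned mss)
{
    (void)mss;
    return GSO_MAX_SIZE;
}

/* Post-fix: the super-packet is capped at mss * max_segs, so the driver
 * never sees more than max_segs segments (and a bounded number of
 * descriptors) per skb, no matter how small the MSS. */
static unsigned super_packet_capped(unsigned mss, unsigned max_segs)
{
    unsigned cap = mss * max_segs;   /* mss <= 65535 and max_segs small: no overflow here */
    return cap < GSO_MAX_SIZE ? cap : GSO_MAX_SIZE;
}

/* Descriptors one skb costs under each policy. */
static unsigned descriptors_unbounded(unsigned mss)
{
    return tso_descriptors(super_packet_unbounded(mss), mss);
}

static unsigned descriptors_capped(unsigned mss)
{
    return tso_descriptors(super_packet_capped(mss, SFC_TSO_MAX_SEGS), mss);
}

int main(void)
{
    /* Constructed sample MSS values: ordinary Ethernet, the IPv4 default, and a hostile tiny one. */
    unsigned mss_values[] = { 1460, 536, 88 };
    for (unsigned i = 0; i < 3; i++) {
        unsigned mss = mss_values[i];
        printf("mss=%4u: unbounded %4u descriptors/skb, capped %4u descriptors/skb\n",
               mss, descriptors_unbounded(mss), descriptors_capped(mss));
    }
    return 0;
}
```

At an MSS of 1460 both policies cost the same 90 descriptors per skb, because
a 64 KiB super-packet is already under the segment cap; at an MSS of 88 the
unbounded policy costs 1490 descriptors per skb while the capped policy stays
at 200, which is the whole difference between a ring a remote peer can fill
and one it cannot.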


* Kernel information leak in Intel wireless driver debug output.

A missing parameter from a printf formatted debug output function could
leak internal kernel data.


* Use-after-free in SCSI request handling.

A use-after-free may occur if a SCSI request has no more references,
but is still rescheduled for completion.


* Use-after-free in CAIF module unloading.

A wrong order of freeing internal data structures may cause a
use-after-free when removing the CAIF module.


* Memory leak in net driver reload vlan handling.

Internal vlan structures weren't properly released when a driver
was moved to a disabled state.


* Kernel crash when closing sockets in tunnel.

An invalid inode passed to the tunneling subsystem could cause writes to
invalid memory, leading to memory leaks and corruption and ultimately a
kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


