[Ksplice][Fedora-16-updates] New updates available via Ksplice (FEDORA-2012-11048)

Jamie Iles jamie.iles at oracle.com
Fri Jul 27 04:42:57 PDT 2012


Synopsis: FEDORA-2012-11048 can now be patched using Ksplice
CVEs: CVE-2012-2119 CVE-2012-2136 CVE-2012-2373

Systems running Fedora 16 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2012-11048.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 16 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use,
leading to heap overflow. A user having access to TUN/TAP virtual
device could use this flaw to crash the system or to potentially
escalate their privileges.


* Use-after-free in r8169 probe/remove.

A missing call to remove the kernel's network driver interrupt
mitigation structures resulted in a use-after-free condition.


* Use-after-free in l2tp_eth driver.

Incorrect module reference counts could result in the module being
unloaded whilst it was still in use, and the resulting use-after-free
condition could crash the kernel.


* Use-after-free in l2tp_ip module.

Incorrect use of RCU could result in a use-after-free condition and
kernel crash in the l2tp_ip module.


* Use-after-free in benet driver.

The benet driver could attempt to access a socket buffer after
transmission, resulting in a use-after-free condition.


* Kernel panic in bnx2x network driver.

An off-by-one error in the bnx2x network driver could result in a kernel
crash under high traffic volumes.


* NULL pointer dereference in NFC raw socket closing.

Closing an NFC raw socket could result in a NULL pointer dereference and
kernel crash under specific conditions.


* Buffer overflow in NFC NCI interface.

Incorrect bounds checking in the NCI module could result in a stack
buffer overflow and remote code execution.


* Kernel crash in Xen block backend driver.

The Xen block backend driver didn't correctly set the response ID on a
discard operation, triggering a crash in the frontend.


* Kernel crash in IGBVF network driver ethtool handling.

A divide-by-zero in the IGBVF network driver's ethtool handling could
result in a kernel crash.


* Use-after-free in device mapper RAID5 mode.

Incorrect reference counting in the RAID5 mode for device mapper could
result in a use-after-free condition and kernel crash.


* Use-after-free in device-mapper persistent data management.

Incorrect error handling on allocation in the persistent data management
could result in a use-after-free condition and kernel crash.


* Kernel crash in eCryptfs on handling inherited files.

eCryptfs would fail with assertions and a kernel crash rather than
returning error codes under specific circumstances when handling files
that had been inherited on a fork() or passed by IPC.


* Lockup in eCryptfs message context handling.

Circular locking in eCryptfs could result in a lockup when accessing
files.


* NULL pointer dereference in e1000e network driver.

The e1000e driver could unconditionally access optional function
pointers, resulting in a NULL pointer dereference and kernel crash.


* CVE-2012-2373: Denial-of-service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault,
resulting in a kernel crash, triggerable by an unprivileged user.


* Improved fix to CVE-2012-2119.

The previous upstream kernels did not contain all fixes for
CVE-2012-2119.

The vector length of pages passed to the host from the guest through
macvtap is not validated before the pages are pinned. A privileged guest
user could use this flaw to induce a stack overflow on the host with
data the attacker does not control but with an attacker-controlled
length.


* Denial-of-service in pipe buffer management.

A race condition in the pipe buffer management could result in a kernel
crash when resizing buffers, allowing an unprivileged user to crash the
system.


* Denial-of-service in file advisory locking.

The virtual filesystem layer did not gracefully handle an unexpected
file lease type, resulting in a kernel BUG() and system crash,
triggerable by an unprivileged user.


* Use-after-free in device mapper RAID1 data-check.

Under specific hardware configurations, the device mapper code could
attempt to read requests after they had been freed, resulting in a
possible kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
