[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-5368)

Sasha Levin sasha.levin at oracle.com
Fri Apr 12 13:33:23 PDT 2013


Synopsis: FEDORA-2013-5368 can now be patched using Ksplice
CVEs: CVE-2013-1929

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-5368.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
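
To tell which hosts still need the manual command, the autoinstall setting can be checked first. The following is an added example, not Ksplice's own tooling; the function names are hypothetical, and it assumes uptrack.conf uses "key = value" lines with "#" comments and that an unset option means autoinstall is off.

```shell
#!/bin/sh
# Added example (not part of Ksplice Uptrack): report whether a host
# has "autoinstall = yes" set in its Uptrack configuration file.
# Assumptions: "key = value" syntax, "#" starts a comment, the last
# assignment wins, and a missing option is treated as "no".

# uptrack_autoinstall CONF
# Prints "yes", "no", or "unreadable" (exit status 2 in the last case).
uptrack_autoinstall() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    value=$(sed -e 's/#.*$//' "$conf" |
        awk -F= 'tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ {
                     v = tolower($2); gsub(/[ \t\r]/, "", v); last = v
                 }
                 END { print last }')
    case $value in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# needs_manual_upgrade CONF
# Exit status 0 when the host will not install the update on its own
# (autoinstall off, unset, or the file could not be read).
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" != "yes" ]
}

# Demo on a constructed config file (not a real host's configuration).
demo=$(mktemp)
printf '%s\n' '# autoinstall = yes' 'autoinstall = no' > "$demo"
if needs_manual_upgrade "$demo"; then
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi
rm -f "$demo"
```

On a real system, pass /etc/uptrack/uptrack.conf as the argument.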


DESCRIPTION

* NULL pointer dereference when closing Bluetooth SCO sockets.

Sockets that were closed in the middle of a connection process didn't
stop the connection process properly, and would trigger a NULL pointer
dereference.


* Use after free due to directory read race in sysfs.

A race between reading and seeking a directory may occur due
to missing locking when executing the seek.


* Use after free on sysfs failure on readdir.

Errors in readdir weren't handled properly and internal structures were released
without being cleared, triggering a use after free when they were later used
again.


* CVE-2013-1929: Buffer overflow in TG3 VPD firmware parsing.

Incorrect length checks when parsing the firmware could cause a buffer
overflow and corruption of memory.


* Buffer overflow when removing a PNFS device.

The buffer allocated for the removal command was too small, so writing
too much data into it would have caused a buffer overflow.


* Missing security check when spoofing PIDs in user namespace.

Spoofing PIDs inside a user namespace without a PID namespace didn't
require admin privileges.


* Privilege escalation in creation of user namespaces in a chroot.

Creating a user namespace inside a chroot may change the way permissions apply
on files under the root of the filesystem.


* Privilege escalation in user namespace read only mounts.

Mounts that were passed as read only to a user namespace could become
read/write inside the namespace.


* Use after free in loop device destruction.

A loop device may still be used after it was freed due to incorrect
reference counting.


* Use after free in 802.1Q vlan tag deletion.

A vlan data structure may be used even after it was released due to an
incorrect release order.


* NULL pointer dereference in UNIX socket security management.

An incorrect ordering between marking a UNIX socket as dead and releasing
it can cause a NULL pointer dereference when the security subsystem tries
to verify permissions on that socket.


* Buffer overflow in AoE block driver SKB allocation.

The SKB size allocated for use in the AoE driver was too small and
may cause a buffer overflow.


* NULL pointer dereference in CPSW ethernet driver error check.

An incorrect check may cause a NULL pointer dereference, as it won't
evaluate as expected.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
