[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-14778)

Jamie Iles jamie.iles at oracle.com
Thu Aug 15 11:04:24 PDT 2013


Synopsis: FEDORA-2013-14778 can now be patched using Ksplice
CVEs: CVE-2013-4205

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-14778.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
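As an added example (not part of the Ksplice announcement), the following POSIX shell helper reads the autoinstall setting from an uptrack.conf file and reports whether the manual uptrack-upgrade run described above is still needed; the config path is a parameter so the function can be exercised against a constructed sample file.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling. Decides whether a host still needs
# a manual "/usr/sbin/uptrack-upgrade -y" by inspecting the "autoinstall"
# setting in an uptrack.conf-style file (the real path is /etc/uptrack/uptrack.conf).

# Print "yes" if the given config enables autoinstall, otherwise "no".
# Tolerates surrounding whitespace and trailing comments, ignores lines that
# are commented out, and lets the last matching line win.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo "no"; return 1; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) echo "yes" ;;
        *)   echo "no" ;;
    esac
}

# Print the operator action implied by the announcement for the given config.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = yes ]; then
        echo "autoinstall enabled: updates are applied automatically, no action needed"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Stand-alone demo against a constructed sample file (not a real host config).
sample=$(mktemp)
printf '# constructed sample uptrack.conf\nautoinstall = no\n' > "$sample"
uptrack_action "$sample"
rm -f "$sample"
```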


DESCRIPTION

* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.


* Use-after-free in iSCSI iSER command handling.

Missing reference counting in the iSCSI RDMA extensions (iSER) could
result in a use-after-free and kernel crash.


* Use-after-free in SCSI unit attention handling.

Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.


* Deadlock in module unloading with tracing enabled.

Incorrect locking in removing trace events could lead to deadlock when
removing a module that contains tracepoints.


* NULL pointer dereference in USB XHCI doorbell.

A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.


* NULL pointer dereference in XHCI host controller failure.

Missing NULL pointer checks could result in a kernel crash when an XHCI
host controller fails.


* Denial-of-service in Moschip 7840/7820 USB serial driver.

Missing resource freeing would result in a memory leak when failing to
open the device, allowing a user with sufficient privileges to exhaust
memory.


* Memory corruption in comedi read/write with concurrent ioctl.

Missing locking in the comedi driver could result in memory corruption
and a kernel crash.


* Filesystem corruption in btrfs during device replacement.

Incorrect offset calculation during device replacement could result in
the filesystem being corrupted on disk.


* Deadlock in btrfs snapshot deletion.

Missing lock tracking could result in deadlock when deleting a snapshot,
causing the system to hang.


* Kernel panic in SunRPC RDMA transport marshalling.

The RDMA transport for the kernel SunRPC server does not validate chunk lists in
received packets, allowing remote users to cause a kernel panic.


* Kernel crash in NFS file open failure.

Incorrect handling of the return value from a failed open() call on an
NFS filesystem could result in dereferencing an invalid pointer and
triggering a kernel crash.


* NULL pointer dereference in register map driver.

Missing pointer checks could result in a NULL pointer dereference in the
register map driver.


* Use-after-free in ACPI memory hotplug failure.

Incorrect handling of memory hotplug failure could result in accessing a
stale pointer and triggering a kernel crash.


* NULL pointer dereference in radeon HDMI handling.

Missing NULL pointer checks in the radeon HDMI handling could result in
a NULL pointer dereference and kernel crash.


* Kernel crash in i915 connector handling.

Incorrect handling of multiple connectors on an Intel integrated
graphics device could result in accessing an invalid address resulting
in undefined behaviour.


* Denial-of-service in memory policy management with mbind().

Incorrect handling of memory policies during mbind() calls could result
in leaking memory policies, allowing a local user to cause a
denial-of-service.


* Memory leak in TTY device hangup.

Missing reference counting in TTY hangup could result in a memory leak.


* Livelock in filesystem mounting.

Incorrect locking in filesystem superblock handling could result in
livelock, causing the filesystem to fail to mount and the mounting tasks
to hang.


* Deadlock in Xen event channel removal.

Incorrect locking in the Xen event channel driver could result in
deadlock and a system hang when unbinding a channel with the
IOCTL_EVTCHN_UNBIND ioctl.


* Memory corruption in Intel i915 memory management.

Incorrect list handling could result in accessing invalid memory and
corrupting the state of the DRM memory management system.


* Firmware crash in Intel WiFi block acknowledgement sessions.

Incorrect resource handling could result in a firmware assertion after
multiple block acknowledgement sessions, causing the system to crash.


* Kernel crash in Intel WiFi with small beacon intervals.

Attempting to connect to an access point with a beacon interval less
than 16 could trigger a firmware bug causing a kernel crash.


* NULL pointer dereference in 802.11 Minstrel rate control.

A missing pointer check could result in dereferencing a NULL pointer and
crashing the system when performing wireless rate control.


* Kernel stack information leak in non-station 802.11 ethtool stats.

Missing initialization could allow a local user to gain kernel stack
information through ethtool statistics on a non-station 802.11
interface.


* Multiple kernel crashes in bluetooth subsystem.

Incorrect handling of error return values could result in incorrect
behaviour or a kernel crash.


* Kernel crash in SUNRPC GSS proxy.

Incorrect cleanup when proxying GSS credentials in the SunRPC server
could trigger a kernel panic.


* Use-after-free in zram driver unloading.

When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it, leading to a use-after-free condition and kernel panic.


* Use-after-free in freeing zram pages.

Incorrect locking in the zram driver when freeing pages can trigger a use-after-free
or BUG_ON, leading to a kernel panic.


* Double free in zram partial writes.

The zram driver does not correctly handle partial writes to zero-filled memory,
leading to a double free and kernel panic.


* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated,
leading to kernel memory corruption and possible elevation of privileges.


* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while resetting a device.


* NULL pointer dereference in PCI hotplug device removal.

Removing a PCI device with SR-IOV enabled could trigger a NULL pointer
dereference in the PCI hotplug system, crashing the kernel.


* Race condition in unloading cgroup kernel modules.

A race condition between unloading a cgroup kernel module and unmounting a cgroup
filesystem can trigger a reference counting error and cause a kernel panic.


* Kernel crash in btrfs unique value list.

Incorrect copying of data pointers could result in invalid memory
accesses including NULL pointer dereferences under specific conditions
on a btrfs filesystem.


* CVE-2013-4205: Denial-of-service in user namespaces.

Unbounded creation of user namespaces could result in a memory leak, allowing
a local, unprivileged user to crash the machine by repeatedly creating
new user namespaces.


* Use-after-free in IPv6 multicast routing namespace cleanup.

Incorrect locking could result in a use-after-free and kernel crash when
removing a network namespace.


* Kernel information leak in Class Based Queueing network scheduler.

Missing initialization in the CBQ network scheduler could result in
leaking kernel stack information to userspace.


* Kernel stack information leaks in PF_KEY sockets.

Missing initialization in a number of PF_KEY socket calls could result
in leaking kernel stack information to userspace.


* Kernel stack information leak in ATM network scheduler.

Missing initialization could cause kernel stack information to be leaked
from the ATM network scheduler to userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.