[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-0952)

Sasha Levin sasha.levin at oracle.com
Thu Jan 24 16:02:30 PST 2013


Synopsis: FEDORA-2013-0952 can now be patched using Ksplice
CVEs: CVE-2013-0190

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-0952.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
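As an added example (not part of the advisory or of Ksplice itself), the script below reads an uptrack.conf-style file, reports whether "autoinstall" is enabled and therefore whether a host will pick this update up on its own or needs the manual uptrack-upgrade run. It assumes the file is INI-style with a "[Settings]" section; the sample files are constructed inline, so nothing on the real system is read or changed.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling. Assumes /etc/uptrack/uptrack.conf
# is INI-style ("[Settings]" section, "autoinstall = yes" key as named in the
# advisory). The configs below are constructed here for offline use.

# uptrack_autoinstall CONFIG_FILE
# Prints "yes" if autoinstall is enabled, "no" otherwise. A missing file, a
# commented-out line, or any value other than yes/true/1 counts as disabled.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    # Keep the last uncommented "autoinstall = <value>" line (later settings
    # override earlier ones), drop trailing comments, lower-case the value.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# advise CONFIG_FILE
# Prints the action the advisory recommends for a host with this config.
advise() {
    if [ "$(uptrack_autoinstall "$1")" = yes ]; then
        echo "autoinstall enabled: FEDORA-2013-0952 will be applied automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real system files).
tmp=$(mktemp -d)
printf '[Settings]\n# autoinstall = no\nautoinstall = Yes  # fleet default\n' > "$tmp/auto.conf"
printf '[Settings]\nautoinstall = no\n' > "$tmp/manual.conf"
printf '[Settings]\n# autoinstall = yes\n' > "$tmp/commented.conf"

advise "$tmp/auto.conf"
advise "$tmp/manual.conf"
advise "$tmp/commented.conf"
```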


DESCRIPTION

* Memory leak in Atheros ath5k driver.

The Atheros ath5k driver does not correctly release transmitted packets,
leading to a kernel memory leak and eventual kernel panic.


* Out-of-bounds read in FireWire packet processing.

The FireWire driver does not correctly parse fragmented multicast and
broadcast packets, leading to an out-of-bounds read and kernel panic.


* Deadlock in iSCSI asynchronous messages.

When processing asynchronous messages, the iSCSI driver can deadlock when
attempting to allocate kernel memory.


* Memory leak in ext4 extended attributes.

The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.


* Use-after-free in ext4 inode creation.

When creating a new inode, the ext4 filesystem driver uses kernel
memory after it has been freed, leading to a kernel panic.


* Use-after-free in SunRPC pipefs unmount.

When unmounting a pipefs filesystem the kernel releases the pipefs filesystem
before notifying other kernel threads, leading to a use-after-free and kernel
panic.


* Memory corruption in ext4 file truncation.

When truncating an existing file, the ext4 filesystem driver does not correctly
handle files with large extent trees, leading to memory corruption and a kernel
panic.


* Kernel panic in jbd2 driver.

A race condition in the jbd2 filesystem driver when writing a journal to disk
can trigger a kernel panic.


* Memory leak in ext4 directory search.

When searching for a directory on an ext4 filesystem, the kernel will leak memory
when it finds a malformed directory entry.


* Memory leak in udf file writing.

The udf filesystem driver leaks kernel memory when allocating blocks
for a new file on a udf filesystem.


* Kernel panic on 802.11 driver unload.

The mac80211 wireless driver schedules an asynchronous job when unloading,
leading to a use-after-free and kernel panic.


* Memory corruption in Nouveau graphics driver.

A lack of synchronisation in the Nouveau graphics driver can lead
to memory corruption and a kernel panic.


* Memory corruption in Nouveau GeForce 400/500 drivers.

A lack of synchronisation in the Nouveau graphics driver for GeForce 400
and GeForce 500 devices can lead to memory corruption and a kernel panic.


* Kernel panic in EDAC module unload.

The Error Detection and Correction reporting module incorrectly releases
resources when unloading, leading to a use-after-free and kernel panic.


* Memory corruption in Ceph client.

The Ceph filesystem driver does not correctly initialise internal data structures
when creating objects, leading to memory corruption and a kernel panic.


* NULL pointer dereference in Ceph lingering requests.

The Ceph filesystem driver does not correctly release resources when processing
lingering requests, leading to a NULL pointer dereference.


* Kernel panic in Ceph object storage server.

The Ceph object storage server does not correctly handle malformed requests,
leading to a failed assertion and kernel panic.


* Use-after-free in Ceph client.

A race condition in the Ceph client can cause a use-after-free and kernel
panic when processing asynchronous requests.


* Kernel panic in Ceph server messenger.

The Ceph server messenger does not correctly track the state of disconnected
sockets, leading to a kernel panic (BUG_ON).


* Use-after-free in Ceph object storage client.

A use-after-free condition can be triggered in the Ceph filesystem client when
finishing a request, leading to a kernel panic.


* Infinite loop in Ceph client.

The Ceph filesystem client can enter an infinite loop when waking up pending
tasks, leading to a kernel deadlock.


* Deadlock in Ceph server.

The Ceph filesystem server does not correctly unlock resources leading
to a kernel deadlock when another process attempts to access those
resources.


* CVE-2013-0190: Stack corruption with Xen 32-bit paravirtualized guests.

Incorrect manipulation of the stack pointer in the error path for iret
failure with a 32-bit paravirtualized guest could result in stack
corruption. This could be triggered by an unprivileged user in the
guest to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
