[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-12530)

Phil Turnbull phil.turnbull at oracle.com
Fri Jul 12 12:42:02 PDT 2013


Synopsis: FEDORA-2013-12530 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-2232 CVE-2013-2234

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-12530.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
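As an added example (not part of the Ksplice announcement), the check below reads an uptrack.conf-style file and reports whether the operator must run uptrack-upgrade by hand; only the "autoinstall = yes" key comes from the announcement, while the INI layout ([Settings] section, "#" comments, case-insensitive values) is an assumption about /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example, not Ksplice's own code: decide whether the updates
# announced above arrive automatically or need "uptrack-upgrade -y".
# Assumption: uptrack.conf is INI-like with "#" comments; only the
# "autoinstall = yes" key itself is taken from the announcement.

# Print the effective value of KEY in CONF, ignoring comments,
# surrounding whitespace and letter case; the last occurrence wins.
uptrack_setting() {
    conf=$1 key=$2
    sed -e 's/#.*//' "$conf" |
        awk -F= -v key="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
            tolower($1) == key {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = tolower(v)
            }
            END { print val }'
}

# Succeed (exit 0) when a manual upgrade is required, i.e. when
# autoinstall is anything other than "yes", including absent.
needs_manual_upgrade() {
    [ "$(uptrack_setting "$1" autoinstall)" != "yes" ]
}

# Constructed sample configurations standing in for the real file.
AUTO_CONF=$(mktemp); MANUAL_CONF=$(mktemp)
trap 'rm -f "$AUTO_CONF" "$MANUAL_CONF"' EXIT
printf '[Settings]\n# updates are applied as they are published\nAutoInstall = Yes\n' > "$AUTO_CONF"
printf '[Settings]\nautoinstall = no  # operator applies updates by hand\n' > "$MANUAL_CONF"

if needs_manual_upgrade "$MANUAL_CONF"; then
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y to apply FEDORA-2013-12530"
fi
```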


DESCRIPTION

* Memory corruption in CephFS object storage client.

Incorrect locking in the Ceph distributed filesystem client can cause memory
corruption and a kernel panic when requesting new OSD mappings.


* Use-after-free in Rados block device creation.

The Rados block device, as used by the Ceph distributed filesystem, incorrectly
frees memory when it fails to create a client, leading to a use-after-free and
kernel panic.


* Kernel panic in Bluetooth L2CAP processing.

The Bluetooth L2CAP driver does not correctly validate the length of received
frames, causing the driver to read invalid memory and trigger a kernel panic.


* Kernel panic in cgroup memory control subsystem.

The cgroup memory control subsystem does not correctly initialise a data structure
when setting a memory limit on a control group, causing a page fault and kernel
panic.


* Deadlock in kernel swap cache.

A race condition in the kernel swap cache can cause a deadlock and kernel panic
when writing entries in the swap cache to disk.


* Memory corruption when removing a notifier from CLK.

When a notifier is removed from the CLK notifier list, the entry is not
actually removed, leaving an invalid reference that affects
subsequent registrations.


* Kernel crash on IPv6 cork release.

When IPv6 cork options are copied, the target memory is not zeroed, so it
can contain garbage that causes a kernel crash when the free routines
are invoked.


* NULL pointer dereference in network transformation subsystem.

An error condition is not correctly checked in the network transformation subsystem,
leading to a NULL pointer dereference and kernel panic.


* Kernel crash on ip_tunnel due to garbage data on IPCB.

If the link failure routine is called while the IPCB has not been
cleared, the garbage data it still contains leads to a kernel crash.


* Information leak in AF_PACKET getname() call.

The getname() syscall does not correctly sanitize memory when called on an
AF_PACKET socket, causing the contents of kernel memory to be disclosed to
userspace.


* Memory leak on L2TP PPP header.

When adding a PPP header, the L2TP code leaks two bytes of uninitialised memory
at the end of the socket buffer's data area.


* Memory corruption in legacy PXA2XX SPI driver.

The legacy PXA2XX SPI driver uses an incorrect length when allocating memory for
a DMA operation, leading to memory corruption and a kernel panic.


* Memory corruption in Bluetooth L2CAP MTU control.

An integer underflow and memory corruption can be triggered by reducing the MTU
of an L2CAP socket and then sending a large L2CAP packet.


* Kernel deadlock when removing a Frame Relay device.

Incorrect locking when removing a Frame Relay DLCI device can cause a deadlock
and kernel panic.


* Kernel panic when removing a Frame Relay device.

Using the DLCI ioctl to remove a Frame Relay device on a socket that is not a
Frame Relay device can cause an invalid memory access and kernel panic.


* Missing permission checks in perf monitoring of setuid processes.

An invalid security check when executing a new process can allow unprivileged
users to monitor setuid processes using the kernel performance event subsystem.


* Memory leak in IPv6 fragmentation tracking.

The kernel IPv6 connection tracker does not correctly handle fragmented IPv6
packets, leading to a kernel memory leak.


* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.


* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

CephFS does not check for a NULL pointer when processing 'none' authentication,
leading to a NULL pointer dereference and kernel panic.


* CVE-2013-2232: Memory corruption in IPv6 routing cache.

Connecting an IPv6 socket to an IPv4 destination can cause IPv4 routing
information to be placed in the IPv6 routing cache, causing memory corruption
and a kernel panic.


* Use-after-free in virtio networking.

Incorrect memory management in the virtio networking driver can cause a
use-after-free condition and kernel panic when flushing DMA requests.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
