[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-3893)

Sasha Levin sasha.levin at oracle.com
Mon Mar 18 21:46:22 PDT 2013


Synopsis: FEDORA-2013-3893 can now be patched using Ksplice
CVEs: CVE-2013-0914 CVE-2013-1858

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-3893.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
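As an added illustration of the two paths above (not part of the original announcement or of the Ksplice tooling), a POSIX shell helper that reads the autoinstall setting from uptrack.conf, ignoring commented-out lines, trailing comments and case, and runs uptrack-upgrade only when automatic installation is off. The UPTRACK_UPGRADE override and the sample config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: decide whether a Fedora 18 Ksplice host needs a manual
# uptrack-upgrade for FEDORA-2013-3893, based on the autoinstall setting.
# Path and command follow the announcement; the UPTRACK_UPGRADE override
# exists only so the logic can be exercised without Uptrack installed.

# Return 0 if "autoinstall = yes" is set (case-insensitive), 1 if it is
# absent or set to anything else, 2 if the file cannot be read.
# Commented-out lines ("# autoinstall = yes") and trailing comments are
# ignored; the last active assignment wins.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the updates only when Uptrack will not do it by itself.
# Returns 0 when nothing had to be done, 2 when the config file is
# unreadable (do not guess), otherwise the exit status of uptrack-upgrade.
uptrack_apply_if_needed() {
    rc=0
    uptrack_autoinstall_enabled "$1" || rc=$?
    case $rc in
        0) return 0 ;;   # autoinstall = yes: updates arrive automatically
        2) return 2 ;;   # cannot read the config: report instead of acting
    esac
    "${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}" -y
}
```

Call `uptrack_apply_if_needed /etc/uptrack/uptrack.conf` as root on the host being checked.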


DESCRIPTION

* CVE-2013-1858: Privilege escalation in user namespaces.

An invalid interaction between user namespaces (CLONE_NEWUSER) and sharing file
system information (CLONE_FS) allows local unprivileged users to gain privileged
code execution.


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths which
contain symlinks, causing a NULL pointer dereference and kernel panic.


* NULL pointer dereference in Parallel NFS direct I/O.

The kernel Parallel NFS implementation does not correctly handle requests to
perform direct I/O, leading to a NULL pointer dereference and kernel panic.


* Use-after-free in NFSv4.1 LAYOUTGET requests.

A reference counting error in the kernel NFS implementation when handling
LAYOUTGET requests can cause a use-after-free and kernel panic.


* Denial of service in kernel connector subsystem.

The kernel connector subsystem does not correctly validate privileges, allowing
an unprivileged user to block connector notifications for all local users.


* Kernel panic in fsyncing read-only RAID devices.

An unprivileged user can cause a kernel panic (BUG_ON) by issuing an fsync
on a RAID device mounted read-only.


* NULL pointer dereference in kernel IPC.

A kernel NULL pointer dereference can be triggered by attempting to receive a
kernel IPC message which is larger than 4KB.


* Kernel IPC sysctl limit bypass.

A logic error in the kernel IPC subsystem allows unprivileged users to receive
IPC messages that are larger than the limit imposed by the 'msg_ctlmax' sysctl.


* Kernel panic in procfs symlinks.

The procfs filesystem does not correctly handle accessing symlinks which are
opened with O_NOFOLLOW, leading to a BUG_ON and kernel panic.


* Use-after-free in mempolicy sharing.

A use-after-free condition can be caused when updating a range in a shared
mempolicy, leading to a kernel panic.


* Use-after-free in IEEE 802.11 shutdown.

The kernel IEEE 802.11 subsystem does not cancel pending asynchronous work
when shutting down, leading to a use-after-free and kernel panic.


* NULL pointer dereference in session keyring.

A NULL pointer dereference and kernel panic can be triggered when attempting to
copy a session keyring from one process into its parent process.


* Memory leak in keyctl instantiation.

The error path when handling KEYCTL_INSTANTIATE requests does not correctly free
allocated memory allowing an unprivileged user to leak kernel memory.


* NULL pointer dereference in pipe closing.

The pipe subsystem does not correctly handle processes opening pipes for neither
reading nor writing, leading to a NULL pointer dereference and kernel panic.


* Use-after-free when suspending USB video devices.

A race condition in the USB video driver can cause a use-after-free and kernel
panic when suspending USB video devices.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
