[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-3893)

Phil Turnbull phil.turnbull at oracle.com
Tue Mar 19 03:50:29 PDT 2013


Synopsis: FEDORA-2013-3893 can now be patched using Ksplice
CVEs: CVE-2013-0914 CVE-2013-1858

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-3893.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
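
The two install paths above can be checked per host with the following
added example, which is not part of the original advisory or of Ksplice
Uptrack. It reads an uptrack.conf, reports whether the autoinstall
setting is "yes", and prints which path applies without installing
anything. The function names and the sample configs are assumptions made
for illustration, and only the exact value "yes" is treated as enabled.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a host needs a
# manual uptrack-upgrade, based on the autoinstall setting described above.

# Print "yes" or "no" for the autoinstall setting in an uptrack.conf.
# Returns 0 for "yes", 1 for any other value or a missing key,
# 2 (printing "unreadable") when the file cannot be read.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Keep only uncommented "autoinstall = value" lines, trim whitespace
    # around the value, and let the last occurrence win.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
        tail -n 1)
    if [ "$val" = "yes" ]; then echo "yes"; return 0; fi
    echo "no"; return 1
}

# Print the action for this host; this script never installs updates.
uptrack_next_step() {
    case $(uptrack_autoinstall "$1") in
        yes) echo "automatic: updates install without action" ;;
        no)  echo "manual: run /usr/sbin/uptrack-upgrade -y as root" ;;
        *)   echo "unknown: cannot read ${1:-/etc/uptrack/uptrack.conf}" ;;
    esac
}

# Constructed sample configs (contents are illustrative, not from a host).
demo_dir=$(mktemp -d)
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$demo_dir/manual.conf"
printf '[Settings]\n  autoinstall=yes  \n' > "$demo_dir/auto.conf"
uptrack_next_step "$demo_dir/manual.conf"
uptrack_next_step "$demo_dir/auto.conf"
uptrack_next_step "$demo_dir/missing.conf"
rm -rf "$demo_dir"
```

Called with no argument, both functions read /etc/uptrack/uptrack.conf.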


DESCRIPTION

* CVE-2013-1858: Privilege escalation in user namespaces.

An invalid interaction between user namespaces (CLONE_NEWUSER) and
sharing file system information (CLONE_FS) allows local unprivileged
users to gain privileged code execution.


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths
which contain symlinks, causing a NULL pointer dereference and kernel
panic.


* NULL pointer dereference in Parallel NFS direct I/O.

The kernel Parallel NFS implementation does not correctly handle
requests to perform direct I/O, leading to a NULL pointer dereference
and kernel panic.


* Use-after-free in NFSv4.1 LAYOUTGET requests.

A reference counting error in the kernel NFS implementation when
handling LAYOUTGET requests can cause a use-after-free and kernel panic.


* Denial of service in kernel connector subsystem.

The kernel connector subsystem does not correctly validate privileges,
allowing an unprivileged user to block connector notifications for all
local users.


* Kernel panic in fsyncing read-only RAID devices.

An unprivileged user can cause a kernel panic (BUG_ON) by causing an
fsync on a RAID device mounted read-only.


* Kernel IPC sysctl limit bypass.

A logic error in the kernel IPC subsystem allows unprivileged users to
receive IPC messages that are larger than the limit imposed by the
'msg_ctlmax' sysctl.


* Kernel panic in procfs symlinks.

The procfs filesystem does not correctly handle accessing symlinks which
are opened with O_NOFOLLOW, leading to a BUG_ON and kernel panic.


* Use-after-free in mempolicy sharing.

A use-after-free condition can be caused when updating a range in a
shared mempolicy, leading to kernel panic.


* Use-after-free in IEEE 802.11 shutdown.

The kernel IEEE 802.11 subsystem does not cancel pending asynchronous
work when shutting down, leading to a use-after-free and kernel panic.


* Memory leak in keyctl instantiation.

The error path when handling KEYCTL_INSTANTIATE requests does not
correctly free allocated memory, allowing an unprivileged user to leak
kernel memory.


* NULL pointer dereference in pipe closing.

The pipe subsystem does not correctly handle processes opening pipes for
neither reading nor writing, leading to a NULL pointer dereference and
kernel panic.


* Use-after-free when suspending USB video devices.

A race condition in the USB video driver can cause a use-after-free and
kernel panic when suspending USB video devices.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process
to leak information about the memory layout of parent processes.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.