[Ksplice][Fedora-18-updates] New updates available via Ksplice (FEDORA-2013-20748)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 13 09:36:45 PST 2013


Synopsis: FEDORA-2013-20748 can now be patched using Ksplice
CVEs: CVE-2013-4299 CVE-2013-4348 CVE-2013-4470

Systems running Fedora 18 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-20748.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 18 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
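The two paths above (autoinstall on, or a manual uptrack-upgrade run) can be checked from a script. This is an added example, not part of the Ksplice announcement or of the Uptrack tooling; it assumes uptrack.conf uses simple "key = value" lines with '#' comments and tests against constructed sample files rather than a real host config.

```shell
#!/bin/sh
# Added example (not from the announcement): decide whether a host still needs
# a manual "uptrack-upgrade -y" by reading the autoinstall key from uptrack.conf.
# Assumption: simple "key = value" lines, '#' starts a comment.

# autoinstall_enabled CONF
#   exit 0 if the file sets "autoinstall = yes" (case-insensitive, tolerant of
#   surrounding whitespace, last occurrence wins), 1 otherwise or if unreadable.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -e 's/#.*//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# plan_action CONF
#   prints "automatic" when Uptrack will apply updates itself, otherwise the
#   manual command an administrator should run.
plan_action() {
    if autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for a stand-alone run (not real host files).
tmpdir=$(mktemp -d)
printf '# autoinstall = yes\nautoinstall = no\n' > "$tmpdir/manual.conf"
printf 'AutoInstall =  Yes   \n' > "$tmpdir/auto.conf"
echo "manual.conf: $(plan_action "$tmpdir/manual.conf")"
echo "auto.conf:   $(plan_action "$tmpdir/auto.conf")"
rm -rf "$tmpdir"
```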


DESCRIPTION

* Kernel crash in Bluetooth HID reporting.

Out of bounds memory accesses could trigger a page fault and kernel
crash when reading data that was not naturally aligned.


* NULL pointer dereference in IPv6 FIB rule addition failure.

Incorrect error handling could trigger a NULL pointer dereference when
adding an IPv6 FIB rule failed, causing a kernel crash.


* NULL pointer dereference in netpoll driver cleanup.

Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device (as used by netconsole), resulting in a
kernel crash.


* Kernel crash in Xen netback frontend slot packing.

Under specific conditions the number of slots required to send packets
was incorrectly counted in the backend.  This could cause the frontend
to lose synchronization and later crash the guest kernel.


* NULL pointer dereference in bridge link handling.

Incorrect locking could result in a race condition and subsequent NULL
pointer dereference and kernel crash.


* NULL pointer dereference in bridge port removal.

Incorrect synchronization could cause a NULL pointer dereference and
kernel crash when a frame was received at the same time as the port was
being removed.


* Predictable sequence numbers in network packets.

On a server that never opened a TCP socket, the networking secret used
to derive sequence numbers would never be initialized and could result
in predictable sequence numbers for other protocols.


* Use-after-free in IP tunnel transmission.

A use-after-free in packet transmission in an IP tunnel could result in
a kernel crash or memory corruption.


* Memory corruption in IP tunnel packet transmission.

Incorrect handling of the IP-in-IP header could result in heap memory
corruption when transmitting packets under specific conditions.


* Kernel panic in ELF coredumping with large number of mmapped files.

On a system where a large number of mappings are permitted, a local,
unprivileged user could trigger a NULL pointer dereference when writing
corefiles and storing the filenames of the mapped files.


* Kernel crash in max98095 audio codec driver.

Incorrect validation of user supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* Kernel crash in 88pm860x audio codec driver.

Missing validation of user supplied data could allow a local user with
access to the codec device to trigger an out of bounds memory access and
kernel panic.


* Kernel crash and information leak in ab8500 audio codec driver.

Missing validation of user supplied input could result in an
out-of-bounds memory access and kernel panic or stack information leak
if a local user has access to the audio codec device.


* Use-after-free in Linux Security Modules.

Incorrect synchronization could cause a race condition between security
and auditing checks.  This race could result in a use-after-free
triggering memory corruption or a kernel crash.


* NULL pointer dereference with invalid /proc/sys/kernel/core_pattern.

If /proc/sys/kernel/core_pattern contained only a single '|' character
then a NULL pointer dereference could crash the kernel.  This could only
be triggered by a local, privileged user.


* NULL pointer dereference in NFSv4.1 data server connection failure.

Failure to connect to an NFS data server could trigger a NULL pointer
dereference and kernel crash.


* Incorrect permission checks on networking sysctls.

Permission checks in the networking sysctl interface incorrectly used the
current uid/gid rather than the effective uid/gid, which could allow an
unprivileged user to manipulate network settings via a setuid binary.


* NULL pointer dereference in MMC card removal.

Incorrect ordering of device removal could result in NULL pointer
dereference when removing an MMC card from the system.


* Kernel crash in btrfs backref checking.

Incorrect handling of backref checking for blocks could result in
hitting a kernel assertion and kernel crash.


* Use-after-free in btrfs reference handling.

Incorrect locking could lead to a use-after-free when processing btrfs
references.  This could result in a kernel crash or memory corruption.


* NULL pointer dereference in bcache write requests.

Missing initialization could cause a NULL pointer dereference when
writing a request from a bcache device, resulting in a kernel crash.


* Denial-of-service in ext4 extended attribute error handling.

Missing memory freeing in the error path of extended attribute handling
could cause a memory leak and denial of service under specific
circumstances.


* Memory corruption in Broadcom bnx2x GSO.

The Broadcom driver for NetXtremeII devices does not correctly handle cloned
packet data when GSO is enabled, leading to memory corruption and a kernel panic.


* Use-after-free in IP TIME_WAIT sockets.

Incorrect reference counting in the kernel IP stack when receiving data on
TIME_WAIT sockets can trigger a use-after-free condition and cause a kernel
panic.


* Information leak in netlink connector.

When sending messages through the netlink connector, some elements of the message
are not initialised, causing the contents of kernel memory to be exposed to
userspace.


* Deadlock in L2TP PPP packet transmission.

Invalid locking when transmitting packets over an L2TP PPP connection can trigger
a kernel deadlock when two processes send packets over the same connection.


* Memory leak in netem scheduler.

The netem network scheduler does not free memory when a network queue is reset,
leading to a kernel memory leak.


* Information leak in FarSync network driver ioctl.

The SIOCWANDEV ioctl in the FarSync T-Series network driver does not initialise
memory before returning data to userspace, causing the contents of kernel memory
to be leaked to userspace.


* Information leak in Unix socket monitoring interface.

The Unix socket monitoring interface does not initialise memory when sending
information over a netlink socket, causing the contents of kernel memory to be
leaked to userspace.


* Kernel panic in netlink kernel/userspace connector.

An incorrect length check when processing netlink messages in the
kernel/userspace connector can cause an out-of-bounds access and kernel panic.


* Information leak in wanXL IF_GET_IFACE ioctl.

The SBE wanXL network driver does not initialise memory when handling the
IF_GET_IFACE ioctl, causing the contents of kernel memory to be leaked to
userspace.


* Denial-of-service in IPv4 CIPSO header validation.

The kernel IPv4 stack does not correctly handle malformed CIPSO headers in IPv4
packets, leading to an infinite loop and kernel panic.


* CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.

The kernel IP stack does not correctly handle sending fragmented packets via a
device which has UDP Fragmentation Offload enabled, leading to memory corruption
and a kernel panic.


* Use-after-free in temporary files on ext3 and ext4 filesystems.

When opening a file on an ext3 or ext4 filesystem using the __O_TMPFILE flag, the
kernel does not correctly manage reference counts, leading to a use-after-free
condition and kernel panic.


* CVE-2013-4299: Information leak in device mapper persistent snapshots.

An information leak flaw was found in the way Linux kernel's device
mapper subsystem, under certain conditions, interpreted data written to
snapshot block devices. An attacker could use this flaw to read data
from disk blocks in free space, which are normally inaccessible.


* Denial-of-service in kernel huge page splitting.

A race condition in the kernel huge page implementation can trigger a BUG_ON and
kernel panic when splitting a huge page that has been marked MADV_DONTNEED.


* Denial-of-service in 802.11 radiotap packet parsing.

The kernel 802.11 radiotap interface does not correctly handle malformed packets,
allowing a remote attacker to trigger an out-of-bounds read leading to a kernel
panic.


* CVE-2013-4348: Denial-of-service in kernel network flow dissector.

The network flow dissector used by the kernel scheduler does not validate IP
headers in IP-over-IP connections, allowing a remote malicious user to trigger an
infinite loop and kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.