[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2038-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 4 17:06:28 PST 2013


Synopsis: USN-2038-1 can now be patched using Ksplice
CVEs: CVE-2013-0343 CVE-2013-2015 CVE-2013-2140 CVE-2013-2888 CVE-2013-2889 CVE-2013-2892 CVE-2013-2893 CVE-2013-2895 CVE-2013-2896 CVE-2013-2897 CVE-2013-2899 CVE-2013-4350 CVE-2013-4387

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2038-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
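
To decide which of the two cases above applies to a host, the following sketch reads the autoinstall setting from the Uptrack configuration file. It is an added example, not part of the original announcement or of Ksplice itself; the function names are hypothetical, and it assumes that only the value "yes" enables automatic installation and that a missing key means it is not enabled.

```shell
#!/bin/sh
# Added example: check whether Ksplice Uptrack is configured to autoinstall.
# Assumptions: the key is written in lowercase as "autoinstall", only the
# value "yes" enables it, and an absent key is treated as "no".

# Print the autoinstall value found in an uptrack.conf-style file.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Commented-out lines do not match because '#' precedes the key.
    # Trailing comments and whitespace after the value are dropped.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*$/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${val:-no}"
}

# Succeed (return 0) when the administrator must run uptrack-upgrade by hand.
needs_manual_upgrade() {
    case "$(uptrack_autoinstall "$1")" in
        yes) return 1 ;;
        *)   return 0 ;;   # "no", missing key, or unreadable file
    esac
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = no' 'autoinstall = yes' > "$sample"
if needs_manual_upgrade "$sample"; then
    echo "autoinstall is not enabled: run /usr/sbin/uptrack-upgrade -y as root"
else
    echo "autoinstall = yes: updates will be installed automatically"
fi
rm -f "$sample"
```

Called without an argument, both functions read /etc/uptrack/uptrack.conf.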


DESCRIPTION

* CVE-2013-0343: Denial of service in IPv6 privacy extensions.

A malicious remote user can disable IPv6 privacy extensions by flooding the host
with malicious temporary addresses.


* CVE-2013-2888: Memory corruption in Human Input Device processing.

The kernel does not correctly validate the 'Report ID' field in HID data, allowing
a malicious USB or Bluetooth device to cause memory corruption and gain kernel
code execution.


* CVE-2013-2140: Arbitrary sector discard in Xen block device.

A missing check for invalid blocks would allow the discard of
sectors even if they were marked read-only or not allowed by
permissions.


* Kernel panic in Hierarchical Token Bucket scheduler.

The kernel HTB scheduler does not validate priority levels, causing an
out-of-bounds read that leads to a kernel panic.


* Use-after-free in Xen grant table callbacks.

Xen allows individual callbacks to be registered multiple times for individual
grant tables, leading to a use-after-free condition and kernel panic.


* Memory leak in CephFS Object Storage Daemon client.

The Ceph filesystem does not release memory when a read or write operation to an
Object Storage Daemon fails, causing a kernel memory leak.


* Denial-of-service in USB configuration parsing.

The generic USB driver does not correctly validate the length of USB configuration
blocks, allowing a malicious USB device to cause a kernel panic.


* CVE-2013-2889: Memory corruption in Zeroplus HID driver.

The Zeroplus game controller device driver does not correctly validate
data from devices, allowing a malicious device to cause kernel memory
corruption and potentially gain kernel code execution.


* CVE-2013-2893: Memory corruption in Logitech force feedback devices.

The Logitech force feedback driver does not correctly validate data from devices,
allowing a malicious device to cause kernel memory corruption and potentially
gain kernel code execution.


* CVE-2013-2897: Memory corruption in multitouch HID driver.

The multitouch HID driver does not correctly validate data from devices, allowing
a malicious device to cause kernel memory corruption and potentially gain kernel
code execution.


* CVE-2013-2895: NULL pointer dereference in Logitech DJ driver.

The Logitech DJ Unifying driver does not correctly validate data from devices,
allowing a malicious device to leak the contents of kernel memory or trigger a
NULL pointer dereference, causing a kernel panic.


* Kernel crash in max98095 audio codec driver.

Incorrect validation of user-supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* Kernel crash in 88pm860x audio codec driver.

Missing validation of user-supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* NULL pointer dereference in netpoll driver cleanup.

Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device, as used in netconsole, resulting in a kernel
crash.


* CVE-2013-4350: SCTP over IPv6 disables encryption.

When transporting SCTP data over an IPv6 link, an incorrect assumption in the
kernel IPv6 stack can disable IPv6 encryption, leading to the SCTP data being
visible to malicious users on the network.


* CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.

The kernel IPv6 stack does not correctly handle queuing multiple UDP fragments
when using UDP Fragmentation Offloading, allowing a local unprivileged user to
cause kernel memory corruption and potentially gain privileged code execution.


* NULL pointer dereference in cgroup.

Invalid sharing between two different cgroups in different mount
hierarchies could lead to a NULL pointer dereference and kernel
crash.


* CVE-2013-2015: Denial-of-service in no-journal mode ext4 filesystems.

A user with physical access to a machine could use a carefully
constructed filesystem to hang the system.


* CVE-2013-2892: Memory corruption in Pantherlord Human Input Device processing.

Missing validation of HID report data could cause corruption of heap
memory.  A local user with physical access to the system could use this
flaw to crash the kernel resulting in DoS or potential privilege
escalation to gain root access via arbitrary code execution.


* CVE-2013-2896: NULL pointer dereference in N-Trig HID driver.

The N-Trig touch-screen device driver does not correctly validate data from
devices, allowing a malicious device to trigger a NULL pointer dereference,
causing a kernel panic.


* CVE-2013-2899: NULL pointer dereference in PicoLCD device driver.

The PicoLCD HID driver does not correctly validate data from devices, allowing a
malicious device to trigger a NULL pointer dereference, causing a kernel panic.


* NULL pointer dereference in HID report field setting.

Missing NULL pointer checks could result in a NULL pointer dereference
when a driver populated the results of field enquiries.


* Use-after-free in kernel cryptography subsystem.

The kernel cryptography subsystem incorrectly frees kernel memory when initializing
a cryptographic algorithm, leading to a use-after-free condition and kernel panic.


* Kernel panic in HD PVR error handling.

Invalid error handling in the HD PVR probe function could lead to
uninitialized memory being accessed, leading to a kernel panic.


* Kernel crash in hidraw driver.

Improper deallocations of resources in the HID hidraw driver
could cause memory corruption and lead to a kernel crash.


* Kernel crash in perf_event_open syscall.

Improper directory reference counting could lead to a NULL
pointer dereference and kernel crash when doing a perf_event_open
syscall.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


