[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2109-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Feb 21 09:57:20 PST 2014


Synopsis: USN-2109-1 can now be patched using Ksplice
CVEs: CVE-2013-2897 CVE-2013-2929 CVE-2013-4345 CVE-2013-4348 CVE-2013-4587 CVE-2013-6367 CVE-2013-6380 CVE-2013-6382 CVE-2013-7263 CVE-2013-7265 CVE-2013-7268

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2109-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Deadlock in selinux/netlabel on connect().

Incorrect locking in the selinux/netlabel glue code could lead to a
deadlock. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in NFS client file locking.

If a file-locking operation is denied by an NFS server, the kernel NFS client
does not correctly free memory, leading to a use-after-free condition and a
kernel panic when the lock operation is retried.


* Use-after-free in Ralink rt2x00 device removal.

Incorrect checks for device presence could result in a use-after-free
and kernel crash when removing an active WiFi USB dongle from the
system.


* Memory leak in ext4 filesystem when expanding inode with extended attributes.

A flaw in the ext4 inode expansion code could leak a buffer head. A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Information leak in audit subsystem when retrieving audit status.

The audit subsystem does not initialize a structure before copying it to
userspace, leaking values left on the kernel stack. An attacker could use
this flaw to retrieve information about the running kernel.


* Memory corruption in block core on control group queue initialization failure.

Incorrect error handling could result in memory corruption and a kernel
crash when queue initialization fails.


* Denial-of-service in loop block subsystem when unloading the loop module.

A logic error in the error path when allocating a block queue in the loop
module could result in a NULL pointer dereference. A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in GPMI NAND controller while DMA operations are in progress.

A race condition in the GPMI NAND controller driver could result in a NULL
pointer dereference and kernel crash. A local, privileged user could use
this flaw to cause a denial-of-service.


* Information leak in procfs and debugfs filesystems.

The kernel incorrectly uses the effective uid instead of the real uid when
displaying pointers in the procfs and debugfs filesystems. This allows local
unprivileged users to use setuid binaries to leak the layout of kernel memory.


* Memory leak in pseudo terminal filesystem.

The pseudo terminal filesystem, /dev/pts, does not free memory when it is
unmounted leading to a kernel memory leak and possible kernel panic.


* Out-of-bounds write in iscsi-target when computing checksums.

Incorrect length checking in the iscsi-target code could lead to a one-byte
out-of-bounds write. An attacker could use this to cause a denial-of-service
or potentially escalate privileges.


* Kernel crash in compressed RAM block device (ZRAM) under memory pressure.

Missing allocation checks could result in a NULL pointer dereference when
writing to the 'reset' sysfs attribute of a zram device, triggerable by
a privileged user.


* Denial-of-service in cpuset subsystem when changing cpuset.

Incorrect locking when changing the cpuset of a running task could result in a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* CVE-2013-6367: Divide-by-zero in KVM LAPIC.

A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's
Local Advanced Programmable Interrupt Controller (LAPIC) implementation.
A privileged guest user could use this flaw to crash the host.


* Kernel crash in bonding device updelay/downdelay setting.

Missing locking in the updelay/downdelay setting functions could result
in the kernel using a user-supplied value before validation.  A
privileged, local user could use this to cause a divide-by-zero error,
crashing the kernel.


* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.

An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed requests whose size is not a multiple of the
block size. This could lead to random numbers being generated with fewer
bits of entropy than expected when ANSI CPRNG was used.
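
The mechanism behind an off-by-one of this kind, as an added illustration
(this is constructed demo code, not the kernel's crypto/ansi_cprng.c): a
generator keeps one buffered output block and hands out bytes from it, and
the bug is in the bookkeeping of how many bytes have already been served.
The block refill here is a deterministic filler, not the X9.31 block function,
so that the repeated byte is easy to spot; the whole-block fast path is an
assumption that mirrors why only requests that are not block-aligned take the
byte-by-byte loop.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16

/* Toy generator state: one buffered output block and a count of how many of
 * its bytes have already been handed out. The refill is a constructed,
 * deterministic filler so the demo is repeatable; it is NOT the ANSI X9.31
 * block function and produces nothing random. */
struct toy_prng {
    uint8_t  block[BLOCK_SIZE];
    unsigned consumed;          /* bytes of block[] already returned */
    uint32_t counter;           /* number of refills so far */
};

static void toy_prng_init(struct toy_prng *p)
{
    memset(p, 0, sizeof *p);
    p->consumed = BLOCK_SIZE;   /* empty: the first request forces a refill */
}

static void toy_refill(struct toy_prng *p)
{
    for (unsigned i = 0; i < BLOCK_SIZE; i++)   /* neighbours always differ by 7 */
        p->block[i] = (uint8_t)(p->counter * 31u + i * 7u + 32u);
    p->counter++;
    p->consumed = 0;
}

/* Serve n bytes. Whole blocks are copied directly; only the tail goes byte by
 * byte. In the buggy variant 'consumed' is advanced by the for-loop increment,
 * so returning early after copying the last wanted byte skips that increment:
 * the byte has been handed out but is not marked consumed, and the next call
 * returns it again. The fixed variant marks the byte consumed first. */
static void toy_get_bytes(struct toy_prng *p, uint8_t *out, unsigned n, int fixed)
{
    while (n >= BLOCK_SIZE) {
        if (p->consumed != BLOCK_SIZE)
            break;                       /* partial block buffered: drain it first */
        toy_refill(p);
        memcpy(out, p->block, BLOCK_SIZE);
        p->consumed = BLOCK_SIZE;
        out += BLOCK_SIZE;
        n -= BLOCK_SIZE;
    }
    while (n > 0) {
        if (p->consumed == BLOCK_SIZE)
            toy_refill(p);
        if (fixed) {
            while (p->consumed < BLOCK_SIZE) {
                *out++ = p->block[p->consumed];
                p->consumed++;
                if (--n == 0)
                    return;
            }
        } else {
            for (; p->consumed < BLOCK_SIZE; p->consumed++) {
                *out++ = p->block[p->consumed];
                if (--n == 0)
                    return;              /* off-by-one: the increment is skipped */
            }
        }
    }
}

/* Pull 'total' bytes in requests of 'chunk' bytes and count positions where a
 * byte equals its predecessor. The filler never produces equal neighbours, so
 * every repeat is a byte that was served twice, i.e. lost entropy. */
unsigned count_adjacent_repeats(int fixed, unsigned chunk, unsigned total)
{
    uint8_t out[256];
    struct toy_prng p;
    unsigned got = 0, repeats = 0;

    if (chunk == 0)
        return 0;
    if (total > sizeof out)
        total = sizeof out;
    toy_prng_init(&p);
    while (got < total) {
        unsigned n = total - got < chunk ? total - got : chunk;
        toy_get_bytes(&p, out + got, n, fixed);
        got += n;
    }
    for (unsigned i = 1; i < total; i++)
        repeats += (out[i] == out[i - 1]);
    return repeats;
}
```

Requesting 30 bytes in 3-byte chunks from the buggy variant yields a repeated
byte at every request boundary, while 16-byte (block-aligned) requests never
touch the byte loop and are unaffected, which is exactly the
"non-block-size-aligned" qualifier in the advisory text.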


* CVE-2013-6380: Denial-of-service in Adaptec RAID driver.

Incorrect memory allocations in the Adaptec RAID driver could result in
dereferencing an invalid pointer allowing a local user with the
CAP_SYS_ADMIN privilege to crash the system.


* CVE-2013-6382: Denial-of-service in XFS filesystem ioctls.

Multiple buffer underflows in the XFS implementation in the Linux kernel
could allow local users with the CAP_SYS_ADMIN capability to cause a
denial of service (memory corruption) or possibly have unspecified other
impact.


* CVE-2013-4348: Denial-of-service in kernel network flow dissector.

The network flow dissector used by the kernel scheduler does not validate IP
headers in IP-over-IP connections allowing a remote malicious user to trigger an
infinite loop and kernel panic.
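
How a header-walk loop of this shape spins, as an added example (constructed
demo code, not the kernel's net/core/flow_dissector.c): the dissector follows
IP-in-IP encapsulation by advancing a header offset by ihl*4 and looping when
the protocol field says another IPv4 header follows. An ihl of 0 advances the
offset by nothing, so the same outer header is re-read forever. The packet
layout, the iteration cap that turns the hang into a return code, and the
reduced flow_keys structure are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_IPIP 4    /* IP-in-IP: another IPv4 header follows */
#define PROTO_TCP  6

/* Just the IPv4 header fields the dissector touches; 20 bytes, no padding. */
struct ipv4_hdr {
    uint8_t  version_ihl;   /* version in the high nibble, ihl (32-bit words) in the low */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

struct flow_keys {
    uint32_t src;
    uint32_t dst;
    uint8_t  ip_proto;
};

#define DISSECT_OK        0
#define DISSECT_BAD      -1   /* malformed or truncated: drop the packet */
#define DISSECT_SPINNING -2   /* demo only: the loop did not terminate */

/* Walk the chain of IP-in-IP headers to find the innermost flow.
 * With validate == 0 the header length is trusted. An ihl of 0 then advances
 * the offset by 0 bytes, so an outer header with protocol 4 is re-read
 * forever; in the kernel that is a softirq that never returns. The demo caps
 * the iterations so the hang shows up as DISSECT_SPINNING instead. */
int dissect_ipv4(const uint8_t *pkt, size_t len, int validate, struct flow_keys *keys)
{
    size_t nhoff = 0;
    int iterations = 0;

    for (;;) {
        struct ipv4_hdr iph;
        unsigned ihl;

        if (++iterations > 64)
            return DISSECT_SPINNING;
        if (nhoff > len || len - nhoff < sizeof iph)
            return DISSECT_BAD;
        memcpy(&iph, pkt + nhoff, sizeof iph);

        ihl = iph.version_ihl & 0x0f;
        if (validate && ihl < 5)          /* the fix: a legal IPv4 header is >= 20 bytes */
            return DISSECT_BAD;

        keys->src = iph.saddr;
        keys->dst = iph.daddr;
        keys->ip_proto = iph.protocol;
        nhoff += (size_t)ihl * 4;

        if (iph.protocol == PROTO_IPIP)
            continue;                     /* inner IPv4 header follows */
        return DISSECT_OK;
    }
}

/* Build a constructed two-layer IP-in-IP packet with the given outer ihl. */
static size_t build_ipip_packet(uint8_t *buf, size_t buflen, unsigned outer_ihl)
{
    struct ipv4_hdr outer, inner;
    size_t total = 2 * sizeof outer + 8;   /* two headers plus a little payload */

    if (buflen < total)
        return 0;
    memset(buf, 0, buflen);
    memset(&outer, 0, sizeof outer);
    memset(&inner, 0, sizeof inner);
    outer.version_ihl = (uint8_t)(0x40 | (outer_ihl & 0x0f));
    outer.protocol = PROTO_IPIP;
    outer.saddr = 0x0a000001u;             /* constructed 10.0.0.1 -> 10.0.0.2 */
    outer.daddr = 0x0a000002u;
    inner.version_ihl = 0x45;
    inner.protocol = PROTO_TCP;
    inner.saddr = 0xc0a80001u;             /* constructed 192.168.0.1 -> 192.168.0.2 */
    inner.daddr = 0xc0a80002u;
    memcpy(buf, &outer, sizeof outer);
    memcpy(buf + sizeof outer, &inner, sizeof inner);
    return total;
}

/* Run the dissector on the constructed packet. Returns the dissect_ipv4 code,
 * or -3 if it succeeded but did not identify the inner TCP flow. */
int dissect_demo(unsigned outer_ihl, int validate)
{
    uint8_t pkt[64];
    struct flow_keys keys = {0, 0, 0};
    size_t len = build_ipip_packet(pkt, sizeof pkt, outer_ihl);
    int rc = dissect_ipv4(pkt, len, validate, &keys);

    if (rc == DISSECT_OK && (keys.ip_proto != PROTO_TCP || keys.src != 0xc0a80001u))
        return -3;
    return rc;
}
```

A well-formed outer header (ihl 5) dissects to the inner TCP flow either way;
an outer header with ihl 0 spins in the unvalidated walk and is rejected by
the validated one. The real dissector also has to reject fragments and
handle other encapsulations, which the demo leaves out.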


* CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.

The ptrace subsystem incorrectly checked the state of the fs.suid_dumpable
sysctl allowing a user to ptrace attach to a process if it had dropped
privileges to that user.


* Denial-of-service in NFSv4 client session delegation.

An incorrect assumption in the kernel NFSv4 client can cause the kernel to stop
processing all server responses when handling delegation responses.


* Incorrect credentials checking in iscsi-target with CHAP authentication.

A flaw in the username check in iscsi-target CHAP authentication causes any
supplied username that has the configured username as a prefix to be accepted.
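
The comparison pattern behind a prefix-match bug like this, as an added
example (constructed code, not the iscsi-target source): comparing only
strlen(expected) bytes of the supplied name accepts anything that starts with
the expected name, whereas a full-string compare does not. The configured
initiator name is an assumption made for the demo, and the example covers
only the username comparison, not the rest of the CHAP exchange.

```c
#include <string.h>

/* Constructed configured initiator name for the demo (an assumption, not a
 * value from any real deployment). */
#define CONFIGURED_CHAP_USER "iqn.1993-08.org.debian:01:initiator"

/* Vulnerable check: compares only strlen(expected) bytes, so any supplied
 * name that starts with the configured name passes. strncmp stops at the
 * first NUL, so a shorter supplied name is still rejected safely. */
int chap_user_ok_vulnerable(const char *supplied, const char *expected)
{
    return strncmp(supplied, expected, strlen(expected)) == 0;
}

/* Fixed check: the whole string must match, including its length. */
int chap_user_ok_fixed(const char *supplied, const char *expected)
{
    return strcmp(supplied, expected) == 0;
}

/* Convenience wrapper against the constructed configured name:
 * returns 1 if the supplied name would pass the username check. */
int chap_login_accepted(const char *supplied, int fixed)
{
    return fixed ? chap_user_ok_fixed(supplied, CONFIGURED_CHAP_USER)
                 : chap_user_ok_vulnerable(supplied, CONFIGURED_CHAP_USER);
}
```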


* Memory corruption in block device TABLE_LOAD ioctl.

The kernel device-mapper block driver does not correctly handle a large number
of targets in the DM_TABLE_LOAD_CMD ioctl, leading to memory corruption and a
kernel panic.


* CVE-2013-4587: Privilege escalation in KVM when creating VCPU.

A lack of input validation in the KVM code when creating a VCPU could lead
to an out-of-bounds memory write. A local user could use this flaw to cause
a kernel crash or potentially escalate privileges.


* Improved fix for CVE-2013-2897: Memory corruption in multitouch HID driver.

The original vendor fix did not cover all cases for which the multitouch
HID driver does not correctly validate data from devices, allowing a
malicious device to cause kernel memory corruption and potentially gain
kernel code execution.


* Deadlock in QIB QLogic driver during SDMA transfer.

Incorrect locking in the QIB QLogic driver could lead to a deadlock in
specific conditions. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service in System V message queue send path.

An incorrect comparison between signed and unsigned integers could allow
msgsnd() to bypass the msgmax message-size limit and lead to a kernel crash. A
local, privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in ISDN Loop driver when starting a card.

A lack of input validation in the ISDN Loop driver could lead to a buffer
overflow. Using a specially crafted ioctl, a local attacker could use this
flaw to cause a kernel crash or potentially execute arbitrary code in
kernel mode.


* Deadlock in UDP stack on connect().

Incorrect locking in the UDP connect() code could lead to a deadlock or memory
corruption. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Information leak in IPv6 UDP stack when dequeuing error messages.

Lack of initialization in the IPv6 UDP stack could lead to leaking
information from the stack. A remote attacker could use this flaw to obtain
information about the running kernel.


* Denial-of-service in IPv4 stack on sending UDP/ICMP or connecting to TCP socket.

Incorrect locking in several places in the IPv4 stack (the UDP and ICMP send
paths and TCP connect()) could lead to a deadlock under specific conditions.


* NULL pointer dereference in ftrace hash count checks.

Missing checks for empty hashes in ftrace subsystem could lead to a NULL
dereference and kernel crash.


* CVE-2013-7268: Information leak in recvmsg handler.

Missing initialization in the network recvmsg handlers could leak kernel
memory into userspace.


* CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.

The IPv4, IPv6 and PhoNet recvmsg(2) handlers do not initialize the length of
the returned network address, causing the contents of kernel memory to be
disclosed to userspace under certain circumstances.
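
Why a missing length initialization turns into a kernel memory disclosure, as
an added example covering both this entry and CVE-2013-7268 above (constructed
model code, not the kernel's net/socket.c or any protocol's recvmsg): the
caller sets msg_namelen to the size of its address buffer, the generic syscall
tail copies msg_namelen bytes of a kernel scratch buffer back out, and a
protocol handler that reports no address but forgets to set the length to 0
leaves the caller's value in place. The scratch-buffer size, the reduced
sockaddr and msghdr layouts, and the 0xAA "stale stack" filler are demo
assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SOCK_ADDR 128      /* assumed size of the kernel-side scratch address buffer */
#define STALE_BYTE   0xAA      /* constructed stand-in for whatever was left on the kernel stack */

struct toy_sockaddr {
    uint16_t family;
    uint16_t port;
    uint32_t addr;
};

/* Caller side of recvmsg(2): a buffer for the source address and, on entry,
 * the size of that buffer. The kernel is expected to overwrite msg_namelen
 * with the number of bytes it actually produced (0 if none). */
struct toy_msghdr {
    void *msg_name;
    int   msg_namelen;
};

/* Model of a per-protocol recvmsg handler. When the packet carries a source
 * address it is written out and the length set. The flaw: when there is no
 * address to report, the vulnerable variant leaves *addr_len untouched
 * instead of setting it to 0. */
static void proto_recvmsg(const struct toy_sockaddr *pkt_src,
                          struct toy_sockaddr *addr_out, int *addr_len, int vulnerable)
{
    if (pkt_src) {
        *addr_out = *pkt_src;
        *addr_len = (int)sizeof *addr_out;
        return;
    }
    if (!vulnerable)
        *addr_len = 0;
}

/* Model of the generic syscall tail: whatever length the handler reports is
 * copied from the kernel scratch buffer back to the caller. */
static int sys_recvmsg_tail(struct toy_msghdr *m, const struct toy_sockaddr *pkt_src, int vulnerable)
{
    union {
        uint8_t raw[MAX_SOCK_ADDR];
        struct toy_sockaddr sa;
    } kaddr;
    int addr_len = m->msg_namelen;

    memset(kaddr.raw, STALE_BYTE, sizeof kaddr.raw);   /* "uninitialised" kernel stack */
    if (addr_len > MAX_SOCK_ADDR)
        addr_len = MAX_SOCK_ADDR;
    proto_recvmsg(pkt_src, &kaddr.sa, &addr_len, vulnerable);
    if (addr_len > 0)
        memcpy(m->msg_name, kaddr.raw, (size_t)addr_len);   /* copy_to_user in the kernel */
    m->msg_namelen = addr_len;
    return addr_len;
}

/* Perform one receive into a caller buffer that starts zeroed and count how
 * many stale kernel bytes ended up in it. */
int stale_bytes_leaked(int vulnerable, int packet_has_address)
{
    uint8_t ubuf[MAX_SOCK_ADDR];
    struct toy_msghdr m;
    struct toy_sockaddr src = { 2, 0x1234, 0x7f000001u };   /* constructed 127.0.0.1 */
    int leaked = 0;

    memset(ubuf, 0, sizeof ubuf);
    m.msg_name = ubuf;
    m.msg_namelen = (int)sizeof ubuf;        /* caller says: the buffer is 128 bytes */
    sys_recvmsg_tail(&m, packet_has_address ? &src : NULL, vulnerable);
    for (int i = 0; i < m.msg_namelen; i++)
        leaked += (ubuf[i] == STALE_BYTE);
    return leaked;
}
```

With no address to report, the vulnerable handler lets all 128 stale bytes
reach the caller; the fixed handler reports a length of 0 and nothing is
copied. When an address is present, both variants copy only that address.
From userspace the symptom is a recvmsg(2) call that returns msg_namelen
unchanged from whatever you passed in, even on a socket type that cannot
produce an address of that size.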

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

