[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (3.2.0-60.91)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Mar 6 19:35:51 PST 2014


Synopsis: 3.2.0-60.91 can now be patched using Ksplice
CVEs: CVE-2013-6368 CVE-2014-1446 CVE-2014-1874

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.2.0-60.91.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-1874: Kernel panic in empty SELinux security contexts.

The SELinux subsystem does not correctly handle files with empty security contexts,
leading to a kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Information leak in socket monitoring interface.

For non-AF_INET6 sockets the kernel does not initialize fields in socket monitoring
data, causing the contents of kernel memory to be leaked to userspace.


* CVE-2014-1446: Information leak in YAM radio modem ioctl.

The YAM radio modem driver does not initialise kernel memory when processing the
SIOCYAMGCFG ioctl, leading to the contents of kernel memory being leaked to
userspace.


* NULL pointer dereference in RDS socket binding.

A missing pointer validation can trigger a NULL pointer dereference and kernel
panic when binding an RDS socket.


* Use-after-free in logical link control stream sockets.

Receiving stream data on a LLC socket can trigger a use-after-free condition and
kernel panic if the MSG_PEEK flag is not used.


* Deadlock in bridge multicast 'hash_max' sysfs file.

Incorrect locking when changing the 'hash_max' setting via the sysfs interface
can trigger a deadlock and kernel panic.


* CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.

A memory corruption flaw was discovered in the way KVM handled virtual
APIC accesses that crossed a page boundary. A local, unprivileged user
could use this flaw to crash the system or, potentially, escalate their
privileges on the system.


* Data loss using ext4 with journaling.

Incorrect handling of errors from the journal layer could result in
deadlock between ext4 and jbd2, eventually resulting in data loss.


* Use-after-free in ext4 when creating a new block.

Incorrect locking in ext4 could lead to a use-after-free and a kernel
crash when creating a new block on an ext4 filesystem.


* Denial-of-service in ext4 extent validation.

Incorrect handling of overlapping extents could result in a failing kernel
assertion and a system crash. A local, privileged user could use a
carefully crafted filesystem to cause a denial-of-service.


* Denial-of-service in ext2 when writing quota.

A flaw in ext2 quota management could lead to the use of uninitialized memory. A
local, privileged user could use this to cause a denial-of-service.


* Denial-of-service in ext4 filesystem unmounting.

A race condition in ext4 could result in a use-after-free and kernel
crash. A local, privileged user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* Out-of-bounds memory access in Radio tap.

A lack of input validation in the Radio tap iterator code could lead to an
out-of-bounds memory access. A local, privileged user could use this to cause a
denial-of-service, or potentially escalate privileges.


* Disk corruption on ext4 filesystems due to physical block address corruption.

Incorrect calculation of physical block addresses could result in corruption
of the on-disk filesystem.


* Logic error in SELinux when checking permissions on recv socket.

Due to a flaw in SELinux permission checking, a logic error could allow
forbidden data to be received.


* NULL pointer dereference in SELinux code when checking inode permission.

A race condition in the SELinux code could lead to a NULL pointer
dereference and kernel panic. A local, unprivileged user could use this
flaw by opening and closing files in parallel to cause a denial-of-service.


* Denial-of-service in RAID10 subsystem when handling known bad blocks.

Incorrect calculation of the number of sectors handled in RAID10 could
potentially lead to a kernel crash. A local, privileged user could use a
specially crafted block device to cause a denial of service.


* NULL pointer dereference in RAID10 subsystem during recovery.

Incorrect locking in the RAID10 subsystem could result in a use-after-free
and NULL pointer dereference. A local, privileged user could use a specially
crafted block device to cause a denial-of-service.


* Data corruption on NILFS2 with a filesystem nearly full.

Incorrect logic in the NILFS2 filesystem code could result in data
corruption under specific conditions.
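
The two information leaks described above (the socket monitoring interface and
CVE-2014-1446) share one pattern: a reply structure is copied to userspace before
every byte of it has been written. The userspace simulation below is an added
example, not kernel or Ksplice code; the structure layout, field values and function
names are hypothetical, and the 0xA5 fill stands in for stale kernel memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure; not the real driver layout. */
struct cfg_reply {
    int cmd;      /* the handler below never writes this field */
    int iobase;
    int irq;
    int bitrate;
};

#define STALE 0xA5 /* constructed marker for leftover memory contents */

/* Flawed pattern: assign fields one by one; skipped bytes keep old data. */
static void fill_reply_leaky(struct cfg_reply *r)
{
    r->iobase = 0x3f8;
    r->irq = 4;
    r->bitrate = 9600;
}

/* Hardened pattern: zero the whole object before filling it. */
static void fill_reply_zeroed(struct cfg_reply *r)
{
    memset(r, 0, sizeof(*r));
    fill_reply_leaky(r);
}

/* Simulates the copy-out and counts stale bytes that reach the caller. */
size_t leaked_bytes(void (*fill)(struct cfg_reply *))
{
    struct cfg_reply r;
    unsigned char user[sizeof(r)];
    size_t i, n = 0;

    memset(&r, STALE, sizeof(r));  /* model a reused stack slot */
    fill(&r);
    memcpy(user, &r, sizeof(r));   /* stand-in for copy_to_user() */
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("leaky:  %zu stale bytes\n", leaked_bytes(fill_reply_leaky));
    printf("zeroed: %zu stale bytes\n", leaked_bytes(fill_reply_zeroed));
    return 0;
}
```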

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


