[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1671-1)

Christine Spang christine.spang at oracle.com
Wed Dec 19 08:05:08 PST 2012


Synopsis: USN-1671-1 can now be patched using Ksplice
CVEs: CVE-2012-4508 CVE-2012-5517

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1671-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
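The two cases above (autoinstall on, or a manual run of uptrack-upgrade) can be decided per host from the config file. The script below is an added example for this advisory, not Ksplice's own tooling: it parses an uptrack.conf for the autoinstall key and reports whether the operator still has to run uptrack-upgrade. It assumes the file uses INI-style "key = value" lines with "#" or ";" comments, and it runs against constructed sample files so it can be tried offline; pass the real /etc/uptrack/uptrack.conf on a live host.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory or Oracle's tooling).
# Decide whether this host will pick up the USN-1671-1 Ksplice update on its
# own ("autoinstall = yes") or whether uptrack-upgrade must be run by hand.

# Return 0 when the given uptrack.conf enables autoinstall, 1 otherwise.
# Matching is case-insensitive, ignores surrounding whitespace and
# "#"/";" comments (assumed comment syntax), and the last setting wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Return 0 (true) when the operator must run /usr/sbin/uptrack-upgrade -y
# themselves, i.e. when autoinstall is off, missing, or the file is unreadable.
uptrack_needs_manual_upgrade() {
    if uptrack_autoinstall_enabled "$1"; then
        return 1
    fi
    return 0
}

# Write a constructed sample config to $1 with autoinstall set to $2.
# Only the key this check cares about is included.
make_sample_conf() {
    cat > "$1" <<EOF
[uptrack]
# Ksplice Uptrack configuration (constructed sample, not a real host's file)
autoinstall = $2
EOF
}

main() {
    tmp=$(mktemp -d)
    make_sample_conf "$tmp/auto.conf" yes
    make_sample_conf "$tmp/manual.conf" no
    for f in "$tmp/auto.conf" "$tmp/manual.conf"; do
        if uptrack_needs_manual_upgrade "$f"; then
            echo "$f: autoinstall off, run /usr/sbin/uptrack-upgrade -y"
        else
            echo "$f: autoinstall on, update will be applied automatically"
        fi
    done
    rm -rf "$tmp"
}

main "$@"
```

On a fleet, run `uptrack_needs_manual_upgrade /etc/uptrack/uptrack.conf` from your configuration management and only schedule the manual command on hosts where it returns true; treating an unreadable or key-less config as "needs manual action" keeps the check fail-safe.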


DESCRIPTION

* NULL pointer dereference in Ceph crypto key handling.

The Ceph crypto key code does not handle the case where the crypto key
payload fails to be allocated or initialized, leading to a NULL pointer
dereference and kernel panic, as well as a memory leak.


* Out-of-bounds writes in Ceph object storage daemon (OSD) client.

On 32-bit systems, several values in the kernel's Ceph OSD client code can
overflow a kmalloc() size calculation, so a smaller buffer than intended is
allocated and subsequent writes run past its end.


* Integer overflow in kernel timekeeping code.

A flaw in the logarithmic_accumulation() timekeeping routine could cause
an integer overflow.


* Memory leak in IPsec and IP fragment reassembly.

The kernel IPsec implementation and the IPv4/IPv6 stack do not correctly
free memory when processing fragmented packets, leading to a memory leak.


* Crash in NAT handling of Real-time Transport Protocol (RTP) packets.

If an RTP packet arrives while the NAT connection tracking data structures
are locked, the kernel may crash while attempting to register the same
expectation callback twice on the same list.


* Memory leak in NFS4 file closing.

The NFS4 server subsystem does not correctly free memory when closing a
file handle, which eventually leads to memory exhaustion and a kernel
panic.


* Logic error in NFS4 idmap parsing.

The NFS4 server subsystem does not correctly parse numeric identifiers in
NFS requests potentially allowing remote users to bypass file permissions.


* Deadlock in iSCSI SendTargets error path.

Invalid locking when failing to send a 'SendTargets' packet can lead
to a deadlock and kernel panic.


* Memory leak in Atheros 802.11n driver.

The Atheros 802.11n driver does not correctly free memory when failing
to send frames leading to memory exhaustion and a kernel panic.


* Userspace memory corruption and information leak in FireWire core.

The kernel writes too much data to the buffer supplied by the userspace
process calling ioctl() on a FireWire character device. In addition, the
extra data represents an information leak of kernel data.


* Kernel panic in multiple filesystems.

An out-of-bounds read can cause a kernel panic when opening a file on
GFS2, ISO 9660, ReiserFS, XFS or POSIX shared memory filesystems.


* Memory leak in Cirrus Logic audio driver.

The Cirrus Logic driver does not correctly free memory when failing
to initialise an audio device.


* Kernel crash on unmount of Ceph filesystem.

Missing reference count manipulations could result in a kernel BUG() on
unmounting a Ceph filesystem.


* NULL pointer dereference in Ceph Metadata Server client.

Invalid range checking could result in a NULL pointer dereference and
kernel crash.


* Kernel crash in Ceph distributed filesystem core.

Incorrect range checking in the Ceph core could result in a
divide-by-zero and kernel crash.


* Use-after-free when unloading Radeon graphics driver.

A use-after-free condition can be triggered when unloading the
Radeon graphics driver.


* Kernel panic in Realtek HD audio driver.

An out-of-bounds read in the Realtek HD audio driver can cause a kernel
panic when initialising a device.


* Kernel panic in lockd server.

The kernel lockd server does not correctly handle stale file handles
leading to a kernel panic. A remote attacker could potentially use this
flaw to cause a remote denial of service.


* Memory corruption in SUNRPC procfs.

A stack buffer overflow can be triggered by reading the contents of the
"flush" procfs file, leading to a kernel panic.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.


* NULL pointer dereference in ring-buffer resizing.

The kernel ring-buffer implementation, used by the kernel tracing
subsystem, does not correctly handle resizing buffers on certain
SMP systems, leading to a NULL pointer dereference and kernel panic.


* Kernel panic in Intel PRO/Wireless 2200BG and 2915ABG network device
drivers.

The driver does not account for the space taken by the radiotap fields
when allocating an skb for a radiotap packet. This may lead to a kernel
panic, e.g. when radiotap packets are being transmitted.


* Memory corruption in general purpose allocator.

The kernel does not allocate the correct amount of metadata for the
general purpose allocator, leading to memory corruption under certain
workloads.


* Information leak in ioctl on x86_64.

If a 32-bit process passes an invalid pointer to the VIDEO_SET_SPU_PALETTE
ioctl() on a 64-bit kernel, the kernel may leak parts of the kernel stack
into the userspace process.


* CVE-2012-5517: NULL pointer dereference in memory hotplug.

A NULL pointer dereference can occur when a new node's hot-added
memory is propagated to other nodes' zonelists. An unprivileged local
user can use this flaw to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

