[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1932-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue Aug 20 08:47:23 PDT 2013
Synopsis: USN-1932-1 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851
Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1932-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Use-after-free in zram driver unloading.
When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it, leading to a use-after-free condition and kernel panic.
* Use-after-free in freeing zram pages.
Incorrect locking in the zram driver when freeing pages can trigger a use-after-free
or BUG_ON, leading to a kernel panic.
* Double free in zram partial writes.
The zram driver does not correctly handle partial writes to zero filled memory
leading to a double free and kernel panic.
* Memory corruption in zram reading and writing.
Read and write requests from userspace to a zram device are not correctly validated
leading to kernel memory corruption and possible elevation of privileges.
* Use-after-free in zram sysfs interface.
Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while resetting a device.
* Race condition in cgroup event removal.
Incorrect reference counting when removing a cgroup event while the cgroup is
being unmounted can trigger a BUG_ON and kernel panic.
* NULL pointer dereference in XHCI container allocation.
A missing error check when allocating DMA memory for an XHCI container can cause
a NULL pointer dereference and kernel panic.
* Race condition in unloading cgroup kernel modules.
A race condition between unloading a cgroup kernel module and unmounting a cgroup
filesystem can trigger a reference counting error and cause a kernel panic.
* Kernel crash in OCFS inline extended attributes with reflinked files.
Incorrect allocation sizes for inline extended attributes during reflink
could result in a kernel BUG() and subsequent crash.
* CVE-2013-2851: Format string vulnerability in software RAID device names.
A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.
* Format string vulnerability in crypto subsystem.
A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic.
* CVE-2013-2148: Kernel information leak in file system notifications.
The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c
in the Linux kernel through 3.9.4 does not initialize a certain structure
member, which allows local users to obtain sensitive information from kernel
memory via a read operation on the fanotify descriptor.
* Format string vulnerability in power charger manager.
A lack of sanitisation of a parameter when notifying udev about power charger
events can trigger a format string vulnerability and cause a kernel panic.
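The three format string entries above (CVE-2013-2851 in partition registration, the crypto algorithm lookup, and the power charger manager udev notification) share one defect class: an attacker-influenced string is handed to a printf-style kernel sink as the format argument rather than as data. The userspace program below is an added example, not Ksplice or kernel code; set_name_vulnerable(), set_name_fixed() and name_is_clean() are hypothetical stand-ins that show the defect, the "%s" fix, and a validation check a defender can apply before such a string reaches any format sink.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not kernel or Ksplice code): the format string defect class
 * behind CVE-2013-2851, reproduced in userspace with snprintf(). A device
 * name derived from user input is the untrusted string in all three cases. */

#define NAME_MAX_LEN 32

/* Before: the untrusted name is the format string, so every '%' directive in
 * it is interpreted. Only called here with "%%", which needs no argument;
 * in the kernel the same pattern let a local user control what was read. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int set_name_vulnerable(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, name);
}
#pragma GCC diagnostic pop

/* After: the name is passed as a "%s" argument, so it is copied verbatim
 * and never parsed for directives. This is the fix pattern for the class. */
static int set_name_fixed(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "%s", name);
}

/* Defence in depth: reject names that could not be a valid block device
 * name anyway (length, '%', '/', non-printable) before they reach any sink. */
static int name_is_clean(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= NAME_MAX_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '%' || c == '/' || c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Returns 1 when the two code paths produce different device names for the
 * same input, i.e. when the input was being interpreted as a format string. */
static int name_was_interpreted(const char *name)
{
    char vuln[64], fixed[64];
    set_name_vulnerable(vuln, sizeof vuln, name);
    set_name_fixed(fixed, sizeof fixed, name);
    return strcmp(vuln, fixed) != 0;
}
```

A constructed name such as "md%%d" comes out as "md%d" from the vulnerable path and unchanged from the fixed path, which is exactly the difference that name_was_interpreted() reports; a plain "md127" passes both paths identically and passes name_is_clean().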
* CVE-2013-2164: Kernel information leak in the CDROM driver.
An ioctl result returned to the user might contain sensitive kernel
information.
* Data corruption in ext4 filesystem on 32-bit systems.
A number of integer overflows when handling 64-bit integers in the ext4 filesystem
on 32-bit systems can cause data corruption and/or loss.
* CVE-2013-1059: NULL pointer dereference in CephFS authentication.
A lack of validation can allow a remote user to trigger a NULL pointer dereference
and kernel panic by attempting to authenticate with the "auth_none" Ceph
authentication.
* Integer overflow in HP filesystem mounting.
An integer overflow and kernel panic can be triggered by attempting to mount a
malformed HP filesystem.
* Memory corruption in TCP options mangling netfilter.
The xt_TCPOPTSTRIP netfilter module does not validate the contents of the TCP
header when mangling packets leading to remote kernel memory corruption and a
kernel panic.
* Information leak in IP virtual server socket options.
The IP virtual server socket family does not clear a kernel memory structure when
returning information via getsockopt(2), allowing a local CAP_SYS_ADMIN user to
leak the contents of kernel memory to userspace.
* Deadlock in journalled ext3 filesystem unmounting.
The ext3 filesystem driver incorrectly handles flushing journalled data to disk
when unmounting an ext3 filesystem, leading to a kernel deadlock and possible data
corruption.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.