[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1932-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 20 08:47:23 PDT 2013


Synopsis: USN-1932-1 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1932-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
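
The two installation paths above (automatic when "autoinstall = yes" is set, manual `uptrack-upgrade -y` otherwise) can be checked from a script before an operator decides what to do on a fleet of hosts. The following is an added example and not part of the Ksplice notice or of Oracle's tooling: it reads an uptrack.conf-style file passed as an argument, treats `#` and `;` as comment characters (an assumption about the file format), ignores case and whitespace around the key, and reports whether the manual command is still needed. The sample config files it writes are constructed for demonstration.

```shell
# Added example, not Ksplice code: decide whether a host still needs a manual
# "uptrack-upgrade -y" by reading the autoinstall setting from an
# uptrack.conf-style file. The config path is a parameter so the logic can be
# exercised against constructed sample files instead of /etc/uptrack/uptrack.conf.

# Returns 0 if the file has an uncommented "autoinstall = yes" line, 1 otherwise.
# Assumption: '#' and ';' start comments; key and value are matched case-insensitively.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip trailing comments and all whitespace, then match the key=value pair exactly.
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$conf" \
        | grep -qi '^autoinstall=yes$'
}

# Prints the action an operator should take for the host described by the config.
uptrack_next_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates will be applied automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real host files): one where autoinstall is only
# present in a comment and set to "no", one where it is enabled with odd spacing/case.
tmpdir=$(mktemp -d)
printf '[main]\n# autoinstall = yes\nautoinstall = no\n' > "$tmpdir/manual.conf"
printf '[main]\nAutoinstall = Yes   # managed by config management\n' > "$tmpdir/auto.conf"

uptrack_next_action "$tmpdir/manual.conf"
uptrack_next_action "$tmpdir/auto.conf"
```

The comment-stripping step matters: a commented-out `# autoinstall = yes` line must not be mistaken for an enabled setting, which a plain `grep autoinstall` would get wrong.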


DESCRIPTION

* Use-after-free in zram driver unloading.

When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it leading to a use-after-free condition and kernel panic.


* Use-after-free in freeing zram pages.

Incorrect locking in the zram driver when freeing pages can trigger a use-after-free
or BUG_ON leading to a kernel panic.


* Double free in zram partial writes.

The zram driver does not correctly handle partial writes to zero-filled memory
leading to a double free and kernel panic.


* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated
leading to kernel memory corruption and possible elevation of privileges.


* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while resetting a device.


* Race condition in cgroup event removal.

Incorrect reference counting when removing a cgroup event while the cgroup is
being unmounted can trigger a BUG_ON and kernel panic.


* NULL pointer dereference in XHCI container allocation.

A missing error check when allocating DMA memory for an XHCI container can cause
a NULL pointer dereference and kernel panic.


* Race condition in unloading cgroup kernel modules.

A race condition between unloading a cgroup kernel module and unmounting a cgroup
filesystem can trigger a reference counting error and cause a kernel panic.


* Kernel crash in OCFS inline extended attributes with reflinked files.

Incorrect allocation sizes for inline extended attributes during reflink
could result in a kernel BUG() and subsequent crash.


* CVE-2013-2851: Format string vulnerability in software RAID device names.

A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.


* Format string vulnerability in crypto subsystem.

A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic.


* CVE-2013-2148: Kernel information leak in file system notifications.

The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c
in the Linux kernel through 3.9.4 does not initialize a certain structure
member, which allows local users to obtain sensitive information from kernel
memory via a read operation on the fanotify descriptor.


* Format string vulnerability in power charger manager.

A lack of sanitisation of a parameter when notifying udev about power charger
events can trigger a format string vulnerability and cause a kernel panic.


* CVE-2013-2164: Kernel information leak in the CDROM driver.

An ioctl result returned to the user might contain sensitive kernel
information.


* Data corruption in ext4 filesystem on 32-bit systems.

A number of integer overflows when handling 64-bit integers in the ext4 filesystem
on 32-bit systems can cause data corruption and/or loss.


* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

A lack of validation can allow a remote user to trigger a NULL pointer dereference
and kernel panic by attempting to authenticate with the "auth_none" Ceph
authentication.


* Integer overflow in HP filesystem mounting.

An integer overflow and kernel panic can be triggered by attempting to mount a
malformed HP filesystem.


* Memory corruption in TCP options mangling netfilter.

The xt_TCPOPTSTRIP netfilter module does not validate the contents of the TCP
header when mangling packets leading to remote kernel memory corruption and a
kernel panic.


* Information leak in IP virtual server socket options.

The IP virtual server socket family does not clear a kernel memory structure when
returning information via getsockopt(2), allowing a local CAP_SYS_ADMIN user to
leak the contents of kernel memory to userspace.


* Deadlock in journalled ext3 filesystem unmounting.

The ext3 filesystem driver incorrectly handles flushing journalled data to disk
when unmounting an ext3 filesystem leading to a kernel deadlock and possible data
corruption.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
