[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1769-1)

Sonja Tideman sonja.tideman at oracle.com
Mon Mar 18 16:25:38 PDT 2013


Synopsis: USN-1769-1 can now be patched using Ksplice
CVEs: CVE-2013-0190 CVE-2013-0268 CVE-2013-0290 CVE-2013-0311 CVE-2013-0349

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1769-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
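The decision above (autoinstall on: nothing to do; autoinstall off: run uptrack-upgrade) can be scripted for fleets where not every host is configured the same way. The following is an added example, not Ksplice or Oracle code: it reads the autoinstall setting from a config file in the /etc/uptrack/uptrack.conf format (key = value lines, comments starting with # or ;) and reports whether a manual uptrack-upgrade is needed. Tolerance for whitespace, trailing comments and a last-setting-wins rule are this example's own assumptions about the file format.

```shell
#!/bin/sh
# Added example (not Ksplice/Oracle code): decide whether the USN-1769-1
# Ksplice updates need a manual "uptrack-upgrade -y", based on the
# autoinstall setting in uptrack.conf as described in the announcement.

# autoinstall_enabled FILE
#   Prints "yes" and returns 0 if FILE contains an uncommented
#   "autoinstall = yes" line (whitespace around '=' and trailing comments
#   tolerated, value compared case-insensitively, last setting wins);
#   otherwise prints "no" and returns 1. A missing or unreadable file
#   counts as "no", so the caller falls back to the manual path.
autoinstall_enabled() {
    if [ ! -r "$1" ]; then
        echo "no"
        return 1
    fi
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        {
            line = $0
            sub(/[#;].*$/, "", line)             # strip trailing comments
            if (match(line, /^[ \t]*autoinstall[ \t]*=/)) {
                val = substr(line, RLENGTH + 1)  # text after the "="
                gsub(/[ \t]/, "", val)
                enabled = (tolower(val) == "yes") ? 1 : 0
            }
        }
        END { print (enabled ? "yes" : "no"); exit !enabled }
    ' "$1"
}

# plan_update CONF
#   Prints the action an Uptrack administrator needs to take for this USN.
plan_update() {
    if autoinstall_enabled "$1" >/dev/null; then
        echo "autoinstall enabled: Uptrack will apply USN-1769-1 on its own"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Usage: sh check-uptrack.sh /etc/uptrack/uptrack.conf
# (Only acts when a config path is given, so sourcing the file is harmless.)
if [ $# -gt 0 ]; then
    plan_update "$1"
fi
```

The script only reports; it does not run uptrack-upgrade itself, so the decision to patch stays with the administrator (or with the configuration management tool that consumes the output).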


DESCRIPTION

* CVE-2013-0190: stack corruption with Xen 32-bit paravirtualized guests.

Incorrect manipulation of the stack pointer in the error path for iret
failure with a 32-bit paravirtualized guest could result in stack
corruption.  This could be triggered by an unprivileged user in the
guest to cause a denial-of-service.


* NULL pointer dereference in ACPI with cpuidle disabled.

The ACPI code does not correctly handle all cases where cpuidle is
disabled, leading to a kernel NULL pointer dereference.


* Denial-of-service in Extended Verification Module.

A missing NULL pointer check could lead to a NULL pointer dereference
and a kernel oops when removing an extended attribute from a file that
does not implement extended attributes.  This could allow an
unprivileged user to crash the system.


* Race condition in USB UHCI during initialization.

A race condition exists in the USB UHCI code that could cause the
interrupt handler to be called before all data structures are set up,
leading to potential invalid memory accesses.


* Memory leak in CIFS referral mount handling.

Allocated memory was not correctly freed in the CIFS referral mount
error handling path leading to a potential denial-of-service.


* Memory leak in ATH9K HTC layer skb allocation.

All SKBs which were allocated by the ATH9K HTC layer were not freed,
causing a memory leak.


* Memory corruption in ATH9K flush command handling.

DMA activity wasn't stopped when handling a flush command, leading
to kernel memory corruption.


* CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.

Access to /dev/cpu/*/msr was protected only using filesystem
checks. A local uid 0 (root) user with all capabilities dropped
could use this flaw to execute arbitrary code in kernel mode.


* Use-after-free in XFS AIO handling.

An inode reference was released before all operations on it were complete.
This might lead to a use-after-free if the inode was freed.


* CVE-2013-0290: Denial of service in network datagram processing.

The datagram processing routine didn't properly handle message peeking,
causing an infinite loop followed by a system hang.


* CVE-2013-0311: Privilege escalation in vhost descriptor management.

Incorrect handling of vhost descriptors that crossed regions could allow
a privileged guest user to crash the host or possibly escalate
privileges inside the host.


* Memory leak in xHCI USB host request handler.

The USB xHCI subsystem fails to release kernel memory when transmitting
packets leading to a kernel memory leak.


* NULL pointer dereference in Bluetooth PDU handling.

A NULL pointer dereference may occur if PDUs are received after the control
channel was closed.


* Memory leak in RSA digital signature verification.

An internal buffer was not freed at the end of the verification process.


* Kernel crash on virtio console removal.

The kernel could access uninitialized data on device removal causing a
kernel crash.


* Fix stack overflow in kernel resource allocation.

Recursive calls in kernel/resource.c could lead to a stack overflow when
reserving regions.


* Off-by-one error in qlogic netxen NIC driver.

An off-by-one error in the qlogic netxen driver would trigger a kernel panic
on full size TSO packets.


* Use-after-free in IP loopback transmission handling.

The loopback driver didn't correctly handle a specific type of data, which
would allow a packet to be freed before being processed.


* Memory leak in memory mapped AF_PACKET transmission.

A memory leak in the memory mapped packet transmission code could result
in a denial-of-service against the system by a user with CAP_NET_RAW
capability.


* SCTP key leak in shared secret key setup.

The SCTP association key setup did not securely free the key memory
resulting in a possible leak of the key to an attacker.


* Kernel page mapping information leak in dmesg.

On x86 systems, an unprivileged process can easily determine whether an
address residing within the kernel address space is mapped or unmapped by
examining the error code reported to dmesg.[1]

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/


* CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak
from the kernel.


* Kernel crash under heavy load in VFS code.

Under heavy loads, a race condition in the VFS code can result in an
already-freed file pointer being picked up and reused, resulting in
various kernel panics.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
