[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (3.5.0-28.48)

Sonja Tideman sonja.tideman at oracle.com
Wed May 1 20:58:01 PDT 2013


Synopsis: 3.5.0-28.48 can now be patched using Ksplice
CVEs: CVE-2012-6548 CVE-2012-6549 CVE-2013-0913 CVE-2013-0914 
CVE-2013-1796 CVE-2013-1797 CVE-2013-1798 CVE-2013-1848 CVE-2013-1860 
CVE-2013-1873

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.5.0-28.48.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory leak in NFS client destruction.

Memory was not correctly freed when destroying an NFS client, leaking kernel
memory and resulting in a possible denial of service.


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths which
contain symlinks, causing a NULL pointer dereference and kernel panic.


* Incorrect access control lists on reflinked OCFS2 inodes.

Incorrect management of reflinked inodes meant that the new inode did
not correctly receive the access control lists from the parent
directory.


* Out-of-bounds read in binary sysctl helpers.

An invalid NULL check in the binary sysctl helpers could result in a
dereference of an invalid pointer, leading to a kernel crash.


* Deadlock in compressed RAM (zram) block device driver.

Writing to a compressed RAM block device could invoke the page reclaim
mechanism during memory allocation. Page reclaim would in turn try to
grab a lock which was already locked by the compressed RAM block device
driver and consequently deadlock.


* Kernel panic in fsyncing read-only RAID devices.

An unprivileged user can trigger a kernel panic (BUG_ON) by issuing an fsync
on a RAID device mounted read-only.


* NULL pointer dereference in session keyring.

A NULL pointer dereference and kernel panic can be triggered when attempting
to copy a session keyring from one process into its parent process.


* NULL pointer dereference in pipe closing.

The pipe subsystem does not correctly handle processes opening pipes for
neither reading nor writing, leading to a NULL pointer dereference and kernel
panic.


* Memory leak in keyctl instantiation.

The error path when handling KEYCTL_INSTANTIATE requests does not correctly
free allocated memory, allowing an unprivileged user to leak kernel memory.


* NULL pointer dereference in ALSA sequence timer.

The ALSA driver does not correctly handle failing to initialise a sequence
timer object leading to a NULL pointer dereference.


* CVE-2013-1848: Format string vulnerability in ext3 mounting.

The ext3 file-system driver incorrectly uses an argument from userspace as a
format string, allowing local users with the ability to mount ext3
filesystems to corrupt kernel memory and gain privileged execution.
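The bug class behind CVE-2013-1848, shown in userspace C as an added example
(this is not the ext3 driver's code): a message helper modelled on the shape
of ext3_msg() takes a printf-style format, and the vulnerable caller passes
the mount option text itself as that format. The helper name fs_msg, the
report_bad_option_* functions, the audit helper and the option text are all
constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a kernel message helper whose third parameter is a
 * printf-style format. Userspace model written for this example, not
 * kernel code. */
static int fs_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: text taken from the mount(2) data argument is passed
 * as the format itself. Any '%' conversions in it are interpreted: "%x"
 * and "%s" read arguments that were never passed, "%n" writes through one.
 * (With __attribute__((format(printf, 3, 4))) on fs_msg, gcc's
 * -Wformat-security flags this call.) */
static int report_bad_option_vuln(char *out, size_t outlen, const char *opt)
{
    return fs_msg(out, outlen, opt);
}

/* Fixed pattern: the format is a literal and the untrusted text is only
 * ever a "%s" argument, so it is copied, never interpreted. */
static int report_bad_option_fixed(char *out, size_t outlen, const char *opt)
{
    return fs_msg(out, outlen, "unrecognized mount option \"%s\"", opt);
}

/* Audit helper: count conversion specifications in untrusted text ("%%"
 * is an escape, not a conversion). Handy when fuzzing option parsers. */
static int count_conversions(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: option text an unprivileged user could supply.
     * "%%d" keeps the demonstration well-defined; a real attacker would
     * use %x/%s/%n. */
    const char *opt = "%%d";
    char buf[80];

    report_bad_option_vuln(buf, sizeof buf, opt);
    printf("vulnerable: %s\n", buf);   /* "%d": the option was parsed as a format */
    report_bad_option_fixed(buf, sizeof buf, opt);
    printf("fixed:      %s\n", buf);   /* option text appears verbatim */
    printf("conversions in \"%%s%%n\": %d\n", count_conversions("%s%n"));
    return 0;
}
```

The vulnerable path turns "%%d" into "%d" because the option text was parsed
as a format; the fixed path reproduces it unchanged. Any user who can mount an
ext3 file system reaches the vulnerable call with attacker-chosen option text,
which is why a message helper that takes a format string must never be handed
that text directly.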


* CVE-2013-1860: Buffer overflow in Wireless Device Management driver.

A malicious USB device can cause a buffer overflow and gain kernel code
execution by sending malformed Wireless Device Management packets.


* Denial of service in kernel connector subsystem.

The kernel connector subsystem does not correctly validate privileges,
allowing an unprivileged user to block connector notifications for all local
users.


* Deadlock in SELinux xfrm networking.

The SELinux security module uses an invalid combination of flags to allocate
memory when validating users of the xfrm module leading to a deadlock.


* Memory leak in PPPoL2TP messaging.

The PPPoL2TP tunneling protocol does not decrement a reference counter when a
user calls sendmsg on a PPPoL2TP socket, causing a kernel memory leak.


* Denial of service in RDS socket allocation.

The RDS networking module does not correctly validate arguments from
userspace, allowing an unprivileged user to exhaust kernel memory and trigger
the OOM killer.


* Kernel crash on tun packet transmission.

Incorrect handling of a socket buffer in the tun device transmission
functions could result in a use-after-free condition and kernel crash.


* CVE-2013-1873: Information leaks in networking.

A number of system calls in the dcbnl, rtnl and bridge modules allow
unprivileged local users to leak the contents of kernel memory.


* Use-after-free in virtio net host kernel accelerator.

A user-controlled value was used without validation. A malicious guest VM
could use this to cause a use-after-free and subsequent kernel crash.


* CVE-2012-6548: Information leak in UDF export.

A malicious local user can disclose the contents of kernel memory by
exporting a filehandle from a UDF filesystem.


* CVE-2012-6549: Information leak in isofs export.

The isofs_export_encode_fh function does not initialize a certain
structure member, which allows local users to obtain sensitive
information from kernel heap memory via a crafted application.
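CVE-2012-6548 and CVE-2012-6549 are the same bug class: a file-handle
structure is handed back to userspace with a member the encode path never
wrote, so whatever the buffer held beforehand leaks out. Added example in
userspace C, not the udf or isofs code: struct fid_model mimics the general
layout of isofs_fid (a 16-bit parent offset packed inside the first three
32-bit words), the STALE byte stands in for old heap contents, and the inode
values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a file system needs to re-find an inode from a handle. */
struct inode_ref {
    uint32_t block;
    uint16_t offset;
    uint32_t generation;
};

/* The handle copied back to userspace. The parent's 16-bit offset is
 * packed next to the inode's own offset so the first three 32-bit words
 * contain no padding. Model for this example, not the kernel's struct. */
struct fid_model {
    uint32_t block;
    uint16_t offset;
    uint16_t parent_offset;     /* sits inside the 3-word handle */
    uint32_t generation;
    uint32_t parent_block;
    uint32_t parent_generation;
};

#define STALE 0xA5   /* byte pattern standing in for old kernel heap contents */

/* Simulate a handle buffer that was allocated without zeroing. */
static void fill_stale(void *buf, size_t n)
{
    memset(buf, STALE, n);
}

/* How many of the first n bytes of the handle still hold old contents. */
static size_t count_stale(const void *buf, size_t n)
{
    const unsigned char *p = buf;
    size_t c = 0;

    for (size_t i = 0; i < n; i++)
        if (p[i] == STALE)
            c++;
    return c;
}

/* Vulnerable: parent_offset is only assigned on the connectable path, yet
 * its two bytes lie inside the 3-word handle that the non-connectable
 * path returns, so they are copied out uninitialised. Returns the handle
 * length in 32-bit words. */
static int encode_fh_vuln(struct fid_model *fid, const struct inode_ref *ino,
                          const struct inode_ref *parent)
{
    fid->block = ino->block;
    fid->offset = ino->offset;
    fid->generation = ino->generation;
    if (!parent)
        return 3;
    fid->parent_block = parent->block;
    fid->parent_offset = parent->offset;
    fid->parent_generation = parent->generation;
    return 5;
}

/* Fixed: clear the whole structure first, then assign the members that
 * are meaningful. Zeroing up front also covers any padding the compiler
 * inserts, which member-by-member assignment can never reach. */
static int encode_fh_fixed(struct fid_model *fid, const struct inode_ref *ino,
                           const struct inode_ref *parent)
{
    memset(fid, 0, sizeof(*fid));
    fid->block = ino->block;
    fid->offset = ino->offset;
    fid->generation = ino->generation;
    if (!parent)
        return 3;
    fid->parent_block = parent->block;
    fid->parent_offset = parent->offset;
    fid->parent_generation = parent->generation;
    return 5;
}

int main(void)
{
    /* Constructed inode numbers; they only need to avoid the STALE byte. */
    const struct inode_ref ino = { 100, 7, 3 };
    struct fid_model fid;
    int words;

    fill_stale(&fid, sizeof fid);
    words = encode_fh_vuln(&fid, &ino, NULL);
    printf("vulnerable: %zu stale byte(s) in a %d-word handle\n",
           count_stale(&fid, (size_t)words * 4), words);

    fill_stale(&fid, sizeof fid);
    words = encode_fh_fixed(&fid, &ino, NULL);
    printf("fixed:      %zu stale byte(s) in a %d-word handle\n",
           count_stale(&fid, (size_t)words * 4), words);
    return 0;
}
```

Two bytes per handle sounds small, but name_to_handle_at(2) can be called
repeatedly by an unprivileged user, and each call returns fresh heap content.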


* Use after free in generic journaling layer (JBD2).

Incorrect reference counting can lead to a use-after-free in the JBD2
subsystem. A malicious user could potentially use the flaw to crash the
kernel.


* Information leak in debugfs for i915.

The i915 driver can leak kernel address information through debugfs, which
could be used by a malicious user to target kernel memory corruption
attacks.


* CVE-2013-0913: Kernel heap overflow in Intel i915 driver.

An integer overflow in the Intel i915 driver when relocating buffers can
allow a local user to overflow the kernel heap and gain privileged code
execution.
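Added example, not the i915 driver's code, of the integer overflow class in
CVE-2013-0913: per-object relocation counts supplied by userspace are summed
and multiplied by the entry size to size a heap allocation, and either step
can wrap. struct reloc_entry and struct exec_object are stand-ins (the real
relocation entry is also 32 bytes, but this is not the uapi definition), the
function names are constructed, and the three request lists are constructed
inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a relocation entry, 32 bytes like the real one. */
struct reloc_entry {
    uint64_t target_handle;
    uint64_t delta;
    uint64_t offset;
    uint64_t presumed_offset;
};

/* Per-object part of an execbuffer request: how many relocations the user
 * claims follow for this object. Entirely user controlled. */
struct exec_object {
    uint32_t relocation_count;
};

/* Vulnerable shape: add 32-bit counts into a 32-bit total, then scale by
 * the entry size in 32-bit arithmetic. Either step can wrap, so the heap
 * allocation comes out tiny while the copy loop that follows still runs
 * relocation_count times per object, writing past the buffer. */
static uint32_t reloc_alloc_size_vuln(const struct exec_object *objs, size_t n)
{
    uint32_t total = 0;

    for (size_t i = 0; i < n; i++)
        total += objs[i].relocation_count;               /* may wrap */
    return total * (uint32_t)sizeof(struct reloc_entry);  /* may wrap */
}

/* Checked shape: bound the running total before each addition so that
 * total * sizeof(entry) can never leave the 32-bit range. The check is
 * done before adding, not after, because a wrapped total cannot be
 * detected once it has happened. Returns 0 or -EINVAL. */
static int reloc_alloc_size_checked(const struct exec_object *objs, size_t n,
                                    size_t *bytes_out)
{
    const uint32_t relocs_max = UINT32_MAX / sizeof(struct reloc_entry);
    uint32_t total = 0;

    for (size_t i = 0; i < n; i++) {
        if (objs[i].relocation_count > relocs_max - total)
            return -EINVAL;
        total += objs[i].relocation_count;
    }
    *bytes_out = (size_t)total * sizeof(struct reloc_entry);
    return 0;
}

int main(void)
{
    /* Constructed requests: one honest, two crafted so the size wraps. */
    const struct exec_object honest[] = { { 3 }, { 5 } };
    const struct exec_object wrap_mul[] = { { 0x04000000u }, { 0x04000000u } };
    const struct exec_object wrap_sum[] = { { 0xFFFFFFFFu }, { 2 } };
    size_t bytes = 0;
    int rc;

    rc = reloc_alloc_size_checked(honest, 2, &bytes);
    printf("honest:   vuln=%u checked=%d bytes=%zu\n",
           reloc_alloc_size_vuln(honest, 2), rc, bytes);

    rc = reloc_alloc_size_checked(wrap_mul, 2, &bytes);
    printf("wrap_mul: vuln=%u checked=%d\n",
           reloc_alloc_size_vuln(wrap_mul, 2), rc);

    rc = reloc_alloc_size_checked(wrap_sum, 2, &bytes);
    printf("wrap_sum: vuln=%u checked=%d\n",
           reloc_alloc_size_vuln(wrap_sum, 2), rc);
    return 0;
}
```

wrap_mul keeps every individual count plausible and overflows only in the
multiplication (0x08000000 entries of 32 bytes wraps to 0); wrap_sum overflows
the addition itself (0xFFFFFFFF + 2 wraps to 1, so only 32 bytes would be
allocated). The checked version rejects both with -EINVAL.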


* Kernel hang when unmounting ext4 filesystems mounted in 'journal' mode.

Under certain circumstances, mounting and unmounting an ext4 filesystem
quickly can lead to a kernel hang. A local user with sufficient
privileges could use this to carry out a denial-of-service attack.


* Kernel crash in SCTP protocol handler.

Due to a bug in the SCTP protocol handler, packets containing duplicate
cookie chunks will lead to inconsistent data structures. A remote
attacker could use this to crash the kernel.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.


* CVE-2013-1796: Buffer overflow in KVM system time MSR.

The KVM paravirtualised MSR driver does not correctly validate system timer
arguments allowing a guest virtual machine to corrupt host kernel memory by
providing an unaligned MSR value.


* CVE-2013-1798: Information leak in KVM APIC driver.

The KVM paravirtualised APIC driver does not correctly validate arguments
from the guest virtual machine when querying the APIC device, allowing a
malicious guest virtual machine to read kernel memory from the host.


* CVE-2013-1797: Use-after-free in KVM system time.

The KVM paravirtualised MSR driver does not pin guest memory associated with
paravirtualised timers allowing a guest virtual machine to crash the host by
unmapping memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



