[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (3.5.0-43.66)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Nov 7 22:16:42 PST 2013


Synopsis: 3.5.0-43.66 can now be patched using Ksplice
CVEs: CVE-2013-0343 CVE-2013-1819 CVE-2013-2015 CVE-2013-2888 CVE-2013-2889 CVE-2013-2892 CVE-2013-2893 CVE-2013-2895 CVE-2013-2896 CVE-2013-2899 CVE-2013-4350 CVE-2013-4387

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.5.0-43.66.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
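
The check described above as a script (an added example, not part of the original advisory or of Oracle's tooling): it reads a uptrack.conf-style file and reports whether autoinstall is on or a manual /usr/sbin/uptrack-upgrade -y run is needed. The function names, the [Settings] header in the constructed sample, and the last-assignment-wins, case-insensitive parsing are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.

# Returns 0 if the last uncommented "autoinstall" assignment is "yes",
# 1 if it is anything else or absent, 2 if the file cannot be read.
# Assumption: the last assignment wins and the value is case-insensitive.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# Prints "autoinstall", "manual" or "no-config" for the given file.
uptrack_action() {
    rc=0
    uptrack_autoinstall_enabled "$1" || rc=$?
    case "$rc" in
        0) echo "autoinstall" ;;
        2) echo "no-config" ;;
        *) echo "manual" ;;
    esac
}

# Constructed sample config (the [Settings] header is an assumption).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF

case "$(uptrack_action "$demo_conf")" in
    autoinstall) echo "updates install automatically; no action needed" ;;
    manual)      echo "run as root: /usr/sbin/uptrack-upgrade -y" ;;
    no-config)   echo "config not readable; is Ksplice Uptrack installed?" ;;
esac
rm -f "$demo_conf"
```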


DESCRIPTION

* CVE-2013-2888: Memory corruption in Human Input Device processing.

The kernel does not correctly validate the 'Report ID' field in HID data, allowing
a malicious USB or Bluetooth device to cause memory corruption and gain kernel
code execution.


* CVE-2013-0343: Denial of service in IPv6 privacy extensions.

A malicious remote user can disable IPv6 privacy extensions by flooding the host
with malicious temporary addresses.


* Kernel panic in Atheros AR9001/AR9002 transmit.

The Atheros wireless driver does not correctly manage packet data on AR9001 and
AR9002 devices, leading to an assertion failure and kernel panic.


* Kernel crash in 88pm860x audio codec driver.

Missing validation of user-supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* Kernel crash in max98095 audio codec driver.

Incorrect validation of user-supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* NULL pointer dereference in USB device controller removal.

The USB gadget driver does not validate a pointer when removing a USB gadget
device, leading to a NULL pointer dereference and kernel panic.


* CVE-2013-2889: Memory corruption in Zeroplus HID driver.

The Zeroplus game controller device driver does not correctly validate
data from devices, allowing a malicious device to cause kernel memory
corruption and potentially gain kernel code execution.


* CVE-2013-2893: Memory corruption in Logitech force feedback devices.

The Logitech force feedback driver does not correctly validate data from devices,
allowing a malicious device to cause kernel memory corruption and potentially
gain kernel code execution.


* CVE-2013-2895: NULL pointer dereference in Logitech DJ driver.

The Logitech DJ Unifying driver does not correctly validate data from devices,
allowing a malicious device to leak the contents of kernel memory or trigger a
NULL pointer dereference causing a kernel panic.


* Memory leak in CephFS Object Storage Daemon client.

The Ceph filesystem does not release memory when a read or write operation to an
Object Storage Daemon fails, causing a kernel memory leak.


* Use-after-free in IPv6 options processing.

The kernel IPv6 implementation incorrectly uses freed memory when processing
received IPv6 packets, leading to a use-after-free condition and kernel panic.


* Memory leak in RealTek 8139 device driver.

The RealTek 8139 Ethernet device driver does not free kernel memory when dropping
packets, leading to a kernel panic.


* Kernel panic in Hierarchical Token Bucket scheduler.

The kernel HTB scheduler does not validate priority levels, causing an out-of-bounds
read leading to a kernel panic.


* User memory corruption in SCSI SG_IO ioctl.

If a process performing an SG_IO ioctl on a SCSI device is interrupted by a signal,
the kernel may continue the ioctl in the address space of another process, leading
to memory corruption.


* CVE-2013-2899: NULL pointer dereference in PicoLCD device driver.

The PicoLCD HID driver does not correctly validate data from devices, allowing a
malicious device to trigger a NULL pointer dereference causing a kernel panic.


* CVE-2013-2896: NULL pointer dereference in N-Trig HID driver.

The N-Trig touch-screen device driver does not correctly validate data from
devices, allowing a malicious device to trigger a NULL pointer dereference causing
a kernel panic.


* NULL pointer dereference in HID report field setting.

Missing NULL pointer checks could result in a NULL pointer dereference
when a driver populated the results of field enquiries.


* CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.

The kernel IPv6 stack does not correctly handle queuing multiple UDP fragments
when using UDP Fragmentation Offloading, allowing a local unprivileged user to
cause kernel memory corruption and potentially gain privileged code execution.


* Denial-of-service in USB configuration parsing.

The generic USB driver does not correctly validate the length of USB configuration
blocks, allowing a malicious USB device to cause a kernel panic.


* Use-after-free in Xen grant table callbacks.

Xen allows individual callbacks to be registered multiple times for individual
grant tables, leading to a use-after-free condition and kernel panic.


* CVE-2013-2892: Memory corruption in Pantherlord Human Input Device processing.

Missing validation of HID report data could cause corruption of heap
memory.  A local user with physical access to the system could use this
flaw to crash the kernel resulting in DoS or potential privilege
escalation to gain root access via arbitrary code execution.


* Use-after-free in kernel cryptography subsystem.

The kernel cryptography subsystem incorrectly frees kernel memory when initializing
a cryptographic algorithm, leading to a use-after-free condition and kernel panic.


* Revert fix for "CVE-2013-1819: Denial-of-service in XFS filesystems".

The original vendor patch for CVE-2013-1819 was not needed on older kernels
and causes errors when attempting to grow filesystems with the xfs_growfs
tool, leading to potential data loss. This reverts the patch.


* Information leak in ICEnsemble ICE1712 (Envy24) sound driver.

Missing range checks could result in leaking the contents of kernel heap
memory to userspace.


* NULL pointer dereference in netpoll driver cleanup.

Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device as used in netconsole resulting in a kernel
crash.


* CVE-2013-4350: SCTP over IPv6 disables encryption.

When transporting SCTP data over an IPv6 link, an incorrect assumption in the
kernel IPv6 stack can disable IPv6 encryption, leading to the SCTP data being
visible to malicious users on the network.


* Kernel panic in HD PVR error handling.

Invalid error handling in the HD PVR probe function could lead to
uninitialized memory being accessed, leading to a kernel panic.


* NULL pointer dereference in Exynos4 video driver.

A race condition in the error path on entity unregistration
could lead to a NULL pointer dereference and kernel crash.


* NULL pointer dereference in cgroup.

Invalid sharing between two different cgroups in different mount
hierarchies could lead to a NULL pointer dereference and kernel
crash.


* Memory corruption in Marvell 802.11n driver.

Failure to properly initialize a variable when unsetting a
previously-set multicast list in the Marvell 802.11n driver
could cause memory corruption and a kernel crash.


* CVE-2013-2015: Denial-of-service in no-journal mode ext4 filesystems.

A user with physical access to a machine could use a carefully
constructed filesystem to hang the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


