[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-1944-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Sep 11 13:54:32 PDT 2013


Synopsis: USN-1944-1 can now be patched using Ksplice
CVEs: CVE-2013-2232 CVE-2013-2234 CVE-2013-4162 CVE-2013-4163

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1944-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Use-after-free in DVB ring buffer.

Incorrect use of a lockless ring buffer could result in accessing
invalid data triggering a use-after-free and kernel crash.


* Data loss in filesystems due to missing writeback.

Incorrect handling of periodic writeback could cause filesystems to fail
to write data back to disk leading to corruption in the case of a crash
or power failure.


* Memory leak in LSI Megaraid controller management firmware interface.

Incorrect handling of scatter-gather lists with zero-sized entries could
result in a memory leak of DMA-coherent memory.


* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.


* Use-after-free in NFS lock daemon lock retry mechanism.

Missing locking could result in a race condition with the retry list
allowing the kernel to use a freed item resulting in a kernel crash.


* NULL pointer dereference in radeon HDMI handling.

Missing NULL pointer checks in the radeon HDMI handling could result in
a NULL pointer dereference and kernel crash.


* Use-after-free in ACPI memory hotplug failure.

Incorrect handling of memory hotplug failure could result in accessing a
stale pointer and triggering a kernel crash.


* Kernel panic in SunRPC RDMA transport marshalling.

The RDMA transport for the kernel SunRPC server does not validate chunk lists in
received packets allowing remote users to cause a kernel panic.


* Deadlock in btrfs snapshot deletion.

Missing lock tracking could result in deadlock when deleting a snapshot
causing the system to hang.


* Double free in MAC-VLAN based tap driver.

Due to incorrect error handling, the macvtap driver could free the same
page twice, possibly leading to kernel crashes. A malicious local user
could exploit this to cause denial of service.


* CVE-2013-2232: Memory corruption in IPv6 routing cache.

Connecting an IPv6 socket to an IPv4 destination can cause IPv4 routing
information to be placed in the IPv6 routing cache causing memory corruption
and a kernel panic.


* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.


* Race condition in neighbour (generic network address resolution) code.

Due to missing locking in neighbour code, attempting to destroy a neighbour
entry can cause a kernel crash. A malicious user could possibly exploit
this to cause denial of service.


* Deadlock in x25 ioctl error path.

Invalid error handling in the x25 ioctl code causes a lock to not be
released, leading to a deadlock.


* CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.

When pushing pending frames in the IPv6 UDP code, an incorrect function call can
be made. This allows local users to cause a denial of service (BUG and system
crash) via a crafted application that uses the UDP_CORK option in a
setsockopt system call.


* CVE-2013-4163: Kernel crash in IPv6 sockets with IPV6_MTU set.

Incorrect handling of IPv6 sockets with IPV6_MTU set could result in
a kernel BUG() and subsequent crash.


* Memory corruption in Plan 9 9p remote filesystem.

An off-by-one error could lead to memory access violations and memory
corruption when releasing pages in the 9p filesystem, leading to a kernel crash.


* Memory corruption in 8021q VLAN quality-of-service.

A race condition in 8021q VLAN quality-of-service management when
sending packets causes memory corruption and leads to a kernel panic.


* Use-after-free in SCSI unit attention handling.

Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.


* Kernel crash in NFS file open failure.

Incorrect handling of the return value from a failed open() call on an
NFS filesystem could result in dereferencing an invalid pointer and
triggering a kernel crash.


* NULL pointer dereference in XHCI host controller failure.

Missing NULL pointer checks could result in a kernel crash when an XHCI
host controller fails.


* NULL pointer dereference in USB XHCI doorbell.

A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.


* Denial-of-service in Moschip 7840/7820 USB serial driver.

Missing resource freeing would result in a memory leak when failing to
open the device allowing a user with sufficient privileges to exhaust
memory.


* Memory corruption in comedi read/write with concurrent ioctl.

Missing locking in the comedi driver could result in memory corruption
and a kernel crash.


* Kernel stack information leak in non-station 802.11 ethtool stats.

Missing initialization could allow a local user to gain kernel stack
information through ethtool statistics on a non-station 802.11
interface.


* Kernel crash in Intel WiFi with small beacon intervals.

Attempting to connect to an access point with a beacon interval less
than 16 could trigger a firmware bug causing a kernel crash.


* Deadlock in Xen event channel removal.

Incorrect locking in the Xen event channel driver could result in
deadlock and a system hang when unbinding a channel with the
IOCTL_EVTCHN_UNBIND ioctl.


* Livelock in filesystem mounting.

Incorrect locking in filesystem superblock handling could result in
livelock causing the filesystem to fail to mount and the mounting tasks
to hang.


* Use-after-free in IPv6 multicast routing namespace cleanup.

Incorrect locking could result in a use-after-free and kernel crash when
removing a network namespace.


* Kernel stack information leaks in PF_KEY sockets.

Missing initialization in a number of PF_KEY socket calls could result
in leaking kernel stack information to userspace.


* Kernel information leak in Class Based Queueing network scheduler.

Missing initialization in the CBQ network scheduler could result in
leaking kernel stack information to userspace.


* Kernel stack information leak in ATM network scheduler.

Missing initialization could cause kernel stack information to be leaked
from the ATM network scheduler to userspace.


* Kernel oops in simultaneous VIRTIO console open + unplug.

Missing synchronization could result in a crash if the device was opened
at the same time as the device was unplugged.


* Buffer overflow in CIFS credentials.

An incorrectly sized buffer could result in a buffer overflow, allowing
a malicious server to cause heap memory corruption.


* NULL pointer dereference in TerraTec DMX 6Fire USB driver.

Due to incorrect error handling, the 6Fire USB driver could crash
during device initialisation when the system is out of memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.