[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-2071-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jan 3 09:11:39 PST 2014


Synopsis: USN-2071-1 can now be patched using Ksplice
CVEs: CVE-2013-2930 CVE-2013-4345 CVE-2013-4348 CVE-2013-4513 CVE-2013-6383

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2071-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
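As an added example (not Oracle's code and not part of this notice), the following POSIX shell snippet reads the autoinstall setting from uptrack.conf and runs the manual upgrade only on hosts where the updates will not arrive on their own; the "key = value" line format with "#" comments is an assumption about the file, as is the list of values accepted as "on".

```shell
#!/bin/sh
# Added example, not Oracle's code. Decide whether a host still needs a manual
# "uptrack-upgrade -y" by reading the autoinstall setting from uptrack.conf.
# Assumption: the file uses "key = value" lines, possibly with "#" or ";" comments.

# Print the (lower-cased) autoinstall value from the config file; empty if unset.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Strip comments, match "autoinstall = value" ignoring surrounding blanks,
    # and keep the last occurrence so a later line overrides an earlier one.
    sed -e 's/[#;].*$//' "$conf" \
      | awk -F= '$1 ~ /^[ \t]*autoinstall[ \t]*$/ {v=$2}
                 END {gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v)}'
}

# Exit 0 when autoinstall is on, 1 otherwise (missing file counts as off).
uptrack_autoinstall_enabled() {
    case "$(uptrack_autoinstall_value "$1")" in
        yes|true|1|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the pending Ksplice updates only where they will not be applied automatically.
apply_if_manual() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall is on; updates will be installed automatically"
    else
        echo "autoinstall is off; running uptrack-upgrade"
        /usr/sbin/uptrack-upgrade -y
    fi
}
```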


DESCRIPTION

* Kernel panic in NFS client when handling duplicated inodes.

If an NFS server incorrectly provides duplicate inodes for separate files, a NULL
pointer dereference can be triggered in the kernel NFS client, leading to a kernel
panic.


* Deadlock in JFS inode allocation.

When it fails to allocate new inodes on a JFS filesystem, the JFS filesystem
driver incorrectly unlocks inodes, leading to a deadlock and kernel panic.


* Denial-of-service in 802.11 radiotap packet parsing.

The kernel 802.11 radiotap interface does not correctly handle malformed packets,
allowing a remote attacker to trigger an out-of-bounds read that leads to a kernel
panic.


* Memory leak in eCryptfs filesystem initialization.

When initializing an eCryptfs filesystem, the ecryptfs driver does not free the memory
used when decrypting the session key, causing a kernel memory leak.


* Memory corruption in DRM ioctl.

The DRM driver incorrectly allocated memory when processing an ioctl from userspace,
allowing a malicious local user to trigger kernel memory corruption and gain elevated
privileges.


* NULL pointer dereference in pSCSI device initialization.

A NULL pointer dereference and kernel panic can be triggered when the pass-through
SCSI driver fails to look up a host.


* CVE-2013-4513: Memory corruption in USB-over-WiFi host driver.

The Ozmo USB-over-WiFi driver does not fully validate userspace arguments, allowing
a malicious local user to trigger kernel memory corruption and gain elevated privileges.


* CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.

A missing capability check in the AAC RAID compatibility ioctl allows local users
to gain elevated privileges.


* CVE-2013-4348: Denial-of-service in kernel network flow dissector.

The network flow dissector used by the kernel scheduler does not validate IP
headers in IP-over-IP connections, allowing a remote malicious user to trigger an
infinite loop and kernel panic.


* Use-after-free in NFS client file locking.

If a file locking operation is denied by an NFS server, the kernel NFS client does
not correctly free memory, leading to a use-after-free condition and kernel panic
when the file lock operation is retried.


* Use-after-free in Ralink rt2x00 device removal.

Incorrect checks for device presence could result in a use-after-free
and kernel crash when removing an active WiFi USB dongle from the
system.


* CVE-2013-2930: Incorrect permissions check in perf ftrace feature.

Incorrect permissions checks could allow a local, unprivileged user to
enable ftrace through the perf subsystem.  This could allow the user to
gain information to bypass ASLR or crash the system.


* Buffer overrun in the tracing subsystem.

An incorrect bounds check in the kernel tracing subsystem could lead to
writing past the end of a buffer. A privileged local user can use this
flaw to crash the kernel or potentially gain additional privileges.


* Information leak in procfs and debugfs filesystems.

The kernel incorrectly uses the effective uid instead of the real uid when
displaying pointers in the procfs and debugfs filesystems. This allows local
unprivileged users to use setuid binaries to leak the layout of kernel memory.


* Memory leak in pseudo terminal filesystem.

The pseudo terminal filesystem, /dev/pts, does not free memory when it is
unmounted leading to a kernel memory leak and possible kernel panic.


* Use of uninitialized memory in USB hub configuration.

In low memory situations, due to incorrect error handling, configuring
a USB hub could lead to use of uninitialized memory and a kernel crash.
A person with physical access to the machine could use this flaw to
cause denial of service.


* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.

An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed requests that were not aligned to the block size. This
could lead to random numbers being generated with fewer bits of entropy than
expected when ANSI CPRNG was used.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
