[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-2138-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Mar 7 19:08:51 PST 2014


Synopsis: USN-2138-1 can now be patched using Ksplice
CVEs: CVE-2013-4587 CVE-2013-6367 CVE-2013-6368 CVE-2013-6382 CVE-2013-7263 CVE-2013-7265 CVE-2013-7268 CVE-2014-0038 CVE-2014-1446 CVE-2014-1874

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2138-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-1874: Kernel panic in empty SELinux security contexts.

The SELinux subsystem does not correctly handle files with empty security contexts,
leading to a kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel crash in bonding device updelay/downdelay setting.

Missing locking in the updelay/downdelay setting functions could result
in the kernel using a user-supplied value before validation.  A
privileged, local user could use this to cause a divide-by-zero error,
crashing the kernel.


* Possible buffer overruns in ISDN loop.

The isdnloop code was using strcpy on unvalidated user input which
might not be NUL terminated, leading to a potential buffer overrun.


* Deadlock in seqlock code.

Incorrectly calling a function while in process context and not
softirq context could lead to a seqlock deadlock in the IPv4 and
IPv6 code.


* CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.

The IPv4, IPv6 and PhoNet recvmsg(2) ioctls do not initialise the length of a network
address, causing the contents of kernel memory to be disclosed to userspace under
certain circumstances.


* CVE-2013-7268: Information leak in recvmsg handler.

Missing initialization in the network recvmsg handlers could leak kernel
memory into userspace.


* Information leak in IPv6 UDP stack when dequeuing error messages.

Lack of initialization in the IPv6 UDP stack could lead to leaking
information from the stack. A remote attacker could use this flaw to obtain
information about the running kernel.
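The three entries above (CVE-2013-7263/CVE-2013-7265, CVE-2013-7268 and the IPv6 UDP error-queue leak) share one root cause: a handler writes only the fields it knows about into a buffer it never cleared, and then either the whole buffer or an over-long length is handed back to userspace, carrying stale kernel bytes with it. The same pattern recurs further down this list (the socket monitoring interface and the YAM SIOCYAMGCFG ioctl). The program below is an added userspace illustration of that bug class and its fix; it is not the kernel code patched here. The 10.0.0.1:4444 address and the 0xAA sentinel standing in for leftover kernel memory are constructed.

```c
/* Added illustration (not kernel code): the "recvmsg reports uninitialised
 * address bytes" bug class and the two-part fix (clear first, report the
 * exact length). A sentinel byte stands in for stale kernel memory so the
 * leak is observable deterministically. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define STALE 0xAA  /* constructed sentinel for "whatever was in memory before" */

typedef size_t (*fill_fn)(struct sockaddr_storage *, uint32_t, uint16_t);

/* Buggy pattern: fills the fields it knows about in a buffer it did not
 * clear, then reports the size of the whole buffer as the address length.
 * sin_zero padding and the rest of the storage reach userspace untouched. */
size_t fill_sender_addr_leaky(struct sockaddr_storage *out,
                              uint32_t ip_be, uint16_t port_be)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)out;
    sin->sin_family      = AF_INET;
    sin->sin_port        = port_be;
    sin->sin_addr.s_addr = ip_be;
    return sizeof(*out);            /* wrong: over-reports the length */
}

/* Hardened pattern: zero the whole output first, then report exactly the
 * number of bytes that describe the address actually written. */
size_t fill_sender_addr_fixed(struct sockaddr_storage *out,
                              uint32_t ip_be, uint16_t port_be)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)out;
    memset(out, 0, sizeof(*out));   /* nothing stale can survive */
    sin->sin_family      = AF_INET;
    sin->sin_port        = port_be;
    sin->sin_addr.s_addr = ip_be;
    return sizeof(*sin);            /* right: only the bytes we initialised */
}

/* Count bytes inside the reported length that still hold the sentinel,
 * i.e. bytes the handler never wrote but would have copied to userspace. */
size_t count_stale_bytes(const struct sockaddr_storage *buf, size_t reported_len)
{
    const unsigned char *p = (const unsigned char *)buf;
    size_t stale = 0;
    for (size_t i = 0; i < reported_len && i < sizeof(*buf); i++)
        if (p[i] == STALE)
            stale++;
    return stale;
}

/* Run one variant against a buffer pre-filled with the sentinel and report
 * how many uninitialised bytes it would have exposed. */
size_t stale_bytes_after(fill_fn fill)
{
    struct sockaddr_storage ss;
    memset(&ss, STALE, sizeof(ss));
    /* constructed sender: 10.0.0.1:4444, no byte of which equals STALE */
    size_t len = fill(&ss, htonl(0x0A000001u), htons(4444));
    return count_stale_bytes(&ss, len);
}

int main(void)
{
    printf("leaky handler exposes %zu uninitialised bytes\n",
           stale_bytes_after(fill_sender_addr_leaky));
    printf("fixed handler exposes %zu uninitialised bytes\n",
           stale_bytes_after(fill_sender_addr_fixed));
    return 0;
}
```

The leaky variant exposes every byte of the 128-byte storage it did not write (the 8 bytes of sin_zero plus the unused tail), while the fixed variant exposes none and additionally limits the copy to sizeof(struct sockaddr_in). Both halves matter: clearing alone still over-copies, and a correct length alone still leaks the padding.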


* Denial-of-service in virtual function I/O IOMMU_MAP_DMA ioctl.

An incorrect assertion in the VFIO_IOMMU_MAP_DMA ioctl allows local
users with access to the /dev/vfio/vfio device to trigger a kernel
panic.


* Kyro video driver information leak and memory corruption.

The Kyro framebuffer video driver could copy more data than intended, causing
memory corruption or leaking kernel memory to userspace. An attacker could use
this to cause a denial-of-service or read kernel memory.


* Denial-of-service in NFSv4 client session delegation.

An incorrect assumption in the kernel NFSv4 client can cause the kernel to stop
processing all server responses when handling delegation responses.


* Memory corruption in block device TABLE_LOAD ioctl.

The kernel block device driver does not correctly handle a large number of
targets in the DM_TABLE_LOAD_CMD ioctl, leading to memory corruption and a kernel
panic.


* CVE-2013-4587: Privilege escalation via KVM vcpu id.

Missing checks of the KVM vcpu_id could allow a malicious user
to gain elevated privileges by sending in a vcpu_id greater than
255.


* CVE-2013-6367: Divide-by-zero in KVM LAPIC.

A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's
Local Advanced Programmable Interrupt Controller (LAPIC) implementation.
A privileged guest user could use this flaw to crash the host.


* CVE-2013-6382: Denial-of-service in XFS filesystem ioctls.

Multiple buffer underflows in the XFS implementation in the Linux kernel
could allow local users with the CAP_SYS_ADMIN capability to cause a
denial of service (memory corruption) or possibly have unspecified other
impact.


* Missing check in selinux for outbound IPSec packets.

A missing check in selinux allowed any outbound IPSec packets to pass
through. This flaw could allow a local, unprivileged user to send
unauthorized traffic.


* NULL pointer dereference in Huge TLB subsystem.

A missing check in the Huge TLB subsystem could lead to a NULL pointer dereference
and panic. An attacker could use this flaw to cause a denial-of-service.


* Deadlock in QLogic QLE InfiniBand driver.

Invalid locking in the QLogic PCIe QLE InfiniBand host channel
adapter driver can cause a deadlock.


* Kernel crash in compressed RAM block device (ZRAM) under memory pressure.

Missing allocation checks could result in a NULL pointer dereference when
writing to the 'reset' sysfs attribute for a zram device, triggerable by
a privileged user.


* Use-after-free in ext4 when creating new block.

Incorrect locking in ext4 could lead to a use-after-free and kernel
crash when creating a new block on an ext4 filesystem.


* Denial-of-service in ext4 extent validation.

Incorrect handling of overlapping extents could result in a failing kernel
assertion and crash the system. A local, privileged user could use a
carefully crafted filesystem to cause a denial-of-service.


* Denial-of-service in ext2 when writing quota.

A flaw in ext2 quota management could lead to the use of uninitialized memory. A
local, privileged user could use this to cause a denial-of-service.


* Denial-of-service in ext4 filesystem unmounting.

A race condition in ext4 could result in a use-after-free and kernel
crash. A local, privileged user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* Out-of-bounds memory access in radiotap.

A lack of input validation in the radiotap iterator code could lead to an
out-of-bounds memory access. A local, privileged user could use this to cause a
denial-of-service, or potentially escalate privileges.


* Disk corruption on ext4 filesystems due to physical block address corruption.

Incorrect calculation of physical block addresses could result in corruption
of the on-disk filesystem.


* Logic error in selinux when checking permissions on recv socket.

Due to a flaw in selinux permission checking, a logic error could allow
incoming data that should have been denied to be received.


* Denial-of-service in GFS2 filesystem when mounting.

Incorrect locking in the GFS2 filesystem could lead to a deadlock when
mounting a partition more than once. A local, privileged user could use
this flaw to cause a denial-of-service.


* Information leak in socket monitoring interface.

For non-AF_INET6 sockets the kernel does not initialise fields in socket monitoring
data, causing the contents of kernel memory to be leaked to userspace.


* CVE-2014-1446: Information leak in YAM radio modem ioctl.

The YAM radio modem driver does not initialise kernel memory when processing the
SIOCYAMGCFG ioctl, leading to the contents of kernel memory being leaked to
userspace.


* NULL pointer dereference in RDS socket binding.

A missing pointer validation can trigger a NULL pointer dereference and kernel
panic when binding an RDS socket.


* Use-after-free in logical link control stream sockets.

Receiving stream data on a LLC socket can trigger a use-after-free condition and
kernel panic if the MSG_PEEK flag is not used.


* Deadlock in bridge multicast 'hash_max' sysfs file.

Incorrect locking when changing the 'hash_max' setting via the sysfs interface
can trigger a deadlock and kernel panic.


* NULL pointer dereference in selinux code when checking inode permission.

A race condition in the selinux code could lead to a NULL pointer
dereference and kernel panic. A local, unprivileged user could use this
flaw by opening and closing files in parallel to cause a denial-of-service.


* Denial-of-service in ext4 when partition is full.

Incorrect locking in ext4 could lead to a use-after-free. An attacker could
use this to cause denial-of-service.


* Data corruption on NFS mounts during writeback.

Incorrect handling of inode writeback could result in data corruption of
NFS mounted filesystems under specific conditions.


* Denial-of-service in Raid10 subsystem when handling known bad blocks.

Incorrect calculation of the number of sectors handled in RAID10 could
potentially lead to a kernel crash. A local, privileged user could use a
specially crafted block device to cause a denial of service.


* NULL pointer dereference in Raid10 subsystem during recovery.

Incorrect locking in the Raid10 subsystem could result in a use-after-free
and NULL pointer dereference. A local, privileged user could use a specially
crafted block device to cause a denial-of-service.


* Data corruption on NILFS2 with a filesystem nearly full.

Incorrect logic in the NILFS2 filesystem code could result in data
corruption under specific conditions.


* Denial-of-service in xHCI drivers when removing driver.

Lack of input validation in the xHCI driver when removing the driver could
lead to a kernel crash. A local, privileged user could use this flaw to
cause a denial-of-service.


* Deadlock in b43 WiFi driver when in soft access-point mode.

Incorrect locking in the b43 WiFi driver could lead to a deadlock. A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2014-0038: Privilege escalation in X32 recvmmsg.

Missing pointer validation in the X32 ABI compatible version of the recvmmsg(2)
syscall allows users to write arbitrary data to arbitrary kernel memory. This allows
an unprivileged user to gain kernel code execution.


* Use-after-free in EDAC Intel E752X driver.

Incorrect reference counting in the EDAC Intel E752X driver could lead to a
use-after-free and kernel crash. A local, privileged user could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in VIA Rhine driver when resetting the card.

A flaw in the VIA Rhine driver code could result in a NULL pointer
dereference when resetting the ethernet controller. A local, unprivileged
user could potentially use this flaw to cause a denial-of-service.


* CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.

A memory corruption flaw was discovered in the way KVM handled virtual
APIC accesses that crossed a page boundary. A local, unprivileged user
could use this flaw to crash the system or, potentially, escalate their
privileges on the system.


* XEN platform driver oops in PV driver support.

When the xen platform driver was disabled (using xen_platform_pci=0 or
xen_emul_unplug=never), the PV drivers still tried to load, which caused
a kernel bug.


* Kernel crash in device mapper for thin objects.

Thin device mapper objects were being used without initialization.


* Memory leak in SELinux when loading a policy.

A flaw in SELinux error path policy code loading leads to a memory leak. A
local, privileged user could use this flaw to cause a denial-of-service.


* Missing check in selinux for IPSec TCP SYN-ACK packets.

Due to a flaw in the selinux code, IPSec TCP SYN-ACK packets could pass
through without permission checking. An attacker could use this to send or
receive unauthorized traffic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

