[Ksplice][Ubuntu-12.10-Updates] New updates available via Ksplice (USN-2223-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 27 10:23:04 PDT 2014


Synopsis: USN-2223-1 can now be patched using Ksplice
CVEs: CVE-2013-4483 CVE-2014-0055 CVE-2014-0077 CVE-2014-0101 CVE-2014-0131 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2678 CVE-2014-2851

Systems running Ubuntu 12.10 Quantal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2223-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.10 Quantal
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.

The floppy driver would leak internal memory addresses to userspace
and would allow unprivileged userspace code to overwrite those
addresses, allowing a local privilege escalation to root.


* CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.

A missing check in the wireless RDS protocol leads to a NULL pointer
dereference when there is no device. A local, unprivileged user could use
this flaw to cause a NULL pointer dereference and denial-of-service.


* CVE-2014-0055: Kernel panic when receiving packets in virtio networking.

When receiving packets, missing data validation can cause the virtual networking
subsystem to dereference an invalid pointer causing a kernel panic.


* CVE-2014-2523: Remote crash via DCCP conntrack.

A flaw in the DCCP connection tracking code could allow a remote user to
cause a crash, resulting in a denial-of-service.


* CVE-2014-0131: Information leak in skb_segment function.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.


* Kernel panic in ath9k transmit.

A race condition in the ath9k xmit driver code could lead
to multiple frees on the same object, causing an invalid memory
access and a kernel panic.


* Use-after-free in firewire.

An error in a failure path in the firewire code could result in a
use-after-free and kernel panic.


* NULL pointer dereference in NFS async code.

A missing NULL pointer check in the NFS delegation code could lead
to a NULL pointer dereference and kernel panic.


* Quota file corruption in ocfs2.

Improper caching of quota file structures could result in
corruption of the quota file.


* CVE-2014-0101: NULL pointer dereference in SCTP protocol.

A flaw was found in the way Linux kernel processed authenticated
COOKIE_ECHO chunks in SCTP protocol. A remote attacker could use this flaw
to cause a denial-of-service by sending a maliciously prepared SCTP
handshake in order to trigger a NULL pointer dereference on the server.


* Information leak in mac80211 QoS-null frames.

Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.


* Data corruption in ocfs2 sync.

The ocfs2 file system was syncing the wrong range.  This could
leave data not correctly synced and therefore cause
corruption.


* General protection fault in proc filesystem.

A race condition in the proc filesystem could lead to a
GPF when accessing /proc/$PID/map_files.  A local unprivileged
user could use this to cause a denial-of-service.


* Data corruption in vmxnet3 netpoll driver.

A race condition in the vmxnet3 poll driver can lead to data
corruption and kernel panics.


* NULL pointer dereference in drm TTM code.

The TTM code didn't check that a TTM driver had an invalidate_caches()
function and tried to call it, leading to a NULL pointer dereference
and kernel panic.


* Denial-of-service in HPFS+ filesystem directory lseek() operations.

Incorrect locking could result in hitting a race condition during
lseek() calls on a directory.  A local, unprivileged user could use this
to cause a denial-of-service.


* CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.

The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10
does not properly manage a reference count, which allows local users to
cause a denial of service (memory consumption or system crash) via a
crafted application.


* Data corruption of ext4 immutable files when updating inode flags.

A race condition in the ext4 file system when updating the inode flags of
an immutable file could open a small window of time during which the
immutable flag is not set. Given precise timing, a local, unprivileged user
could use this flaw to modify an immutable file.


* Information leak in packet filter JIT engine.

An incorrect bound is used when validating Berkeley Packet Filter programs,
allowing a malicious user to read the contents of kernel memory.


* CVE-2014-2851: Privilege escalation in IPv4 ping sockets.

Incorrect reference counting could result in an integer overflow, causing
a use-after-free condition and crashing the kernel, or possibly
escalating privileges.


* CVE-2014-2309: Denial-of-service in ICMPv6 route code.

The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.


* CVE-2014-0077: Kernel panic when receiving short packets in virtio networking.

Missing data validation when receiving truncated packets in the virtual networking
subsystem can cause the kernel to dereference an invalid pointer, triggering a
kernel panic.


* Kernel BUG on SCSI isci hard reset timeout.

The isci code was incorrectly generating a kernel BUG() in the
case of a hard reset timeout.


* NULL pointer dereference in SCSI storvsc.

Invalid error handling in storvsc initialization could cause
a NULL pointer dereference leading to a kernel panic.


* Data corruption in btrfs compressed extents.

When using a mix of compressed file extents and prealloc extents, it
is possible to fill a page of a file with random, garbage data from
some unrelated previous use of the page.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.