[Ksplice][Virtuozzo 4 Updates] New updates available via Ksplice (2.6.18-348.3.1.el5.028stab106.2)

Jamie Iles jamie.iles at oracle.com
Fri Apr 5 13:26:28 PDT 2013


Synopsis: 2.6.18-348.3.1.el5.028stab106.2 can now be patched using Ksplice
CVEs: CVE-2012-1568 CVE-2012-2100 CVE-2012-2313 CVE-2012-2319 CVE-2012-2372 CVE-2012-3375 CVE-2012-3400 CVE-2012-3412 CVE-2012-3430 CVE-2012-3552 CVE-2012-4444 CVE-2012-4508

Systems running Virtuozzo 4 or the OpenVZ RHEL 5 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers
kernel security update, 2.6.18-348.3.1.el5.028stab106.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4 or
OpenVZ on RHEL 5 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2012-3375: Denial of service due to epoll resource leak in error path.

The upstream fix for CVE-2011-1083 introduced a flaw in the way
the Linux kernel's Event Poll (epoll) subsystem handled resource clean up
when an ELOOP error code was returned. A local, unprivileged user could use
this flaw to cause a denial of service.


* Arithmetic overflow in clock source calculations.

A flawed calculation in the CPU accelerator in the previous kernel
caused an arithmetic overflow in the sched_clock() function once system
uptime exceeded 208.5 days. This overflow led to a kernel panic on
systems using the Time Stamp Counter (TSC) or Virtual Machine Interface
(VMI) clock source. This update corrects the calculation so that the
overflow and kernel panic can no longer occur under these circumstances.


* Arithmetic overflow in clock source calculations on 32 bit kernels.

A flawed calculation in the CPU accelerator in the previous kernel
caused an arithmetic overflow in the sched_clock() function once system
uptime exceeded 208.5 days. This overflow led to a kernel panic on
systems using the Time Stamp Counter (TSC) or Virtual Machine Interface
(VMI) clock source. This update corrects the calculation so that the
overflow and kernel panic can no longer occur under these circumstances.
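
As an added illustration (not the kernel's or Ksplice's code) of the 208.5-day figure in the two entries above: a single 64-bit cycles-to-nanoseconds product wraps once the cycle count exceeds 2^64 / cyc2ns, while splitting the multiplication into quotient and remainder keeps the clock monotonic. The scale factor, the cyc2ns formula and the 1 GHz TSC frequency are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the 208.5-day overflow: the conversion
 * computes ns = (cyc * cyc2ns) >> SCALE with
 * cyc2ns = (NSEC_PER_MSEC << SCALE) / cpu_khz, so the 64-bit product
 * cyc * cyc2ns wraps once uptime exceeds 2^54 / 1e6 ms, ~208.5 days. */
#define CYC2NS_SCALE_FACTOR 10
#define NSEC_PER_MSEC 1000000ULL

static uint64_t cyc2ns_mult(uint64_t cpu_khz)
{
    return (NSEC_PER_MSEC << CYC2NS_SCALE_FACTOR) / cpu_khz;
}

/* Single 64-bit product: silently wraps after ~208.5 days of uptime. */
static uint64_t cycles_to_ns_naive(uint64_t cyc, uint64_t cpu_khz)
{
    return (cyc * cyc2ns_mult(cpu_khz)) >> CYC2NS_SCALE_FACTOR;
}

/* Split cyc by 2^SCALE into quotient and remainder and scale each part
 * separately; neither partial product can reach 2^64 for any realistic
 * uptime, so the result matches the naive one and never wraps. */
static uint64_t cycles_to_ns_split(uint64_t cyc, uint64_t cpu_khz)
{
    uint64_t mult = cyc2ns_mult(cpu_khz);
    uint64_t quot = cyc >> CYC2NS_SCALE_FACTOR;
    uint64_t rem = cyc & ((1ULL << CYC2NS_SCALE_FACTOR) - 1);
    return quot * mult + ((rem * mult) >> CYC2NS_SCALE_FACTOR);
}

/* Uptime (days) at which the naive product first exceeds 2^64. */
static double naive_overflow_days(uint64_t cpu_khz)
{
    double cycles = (double)UINT64_MAX / (double)cyc2ns_mult(cpu_khz);
    return cycles / ((double)cpu_khz * 1000.0) / 86400.0;
}

int main(void)
{
    uint64_t khz = 1000000;                    /* constructed 1 GHz TSC */
    uint64_t c = 209ULL * 86400 * khz * 1000;  /* cycles after 209 days */
    printf("naive product overflows after %.1f days\n",
           naive_overflow_days(khz));
    printf("day 209: naive=%llu ns split=%llu ns\n",
           (unsigned long long)cycles_to_ns_naive(c, khz),
           (unsigned long long)cycles_to_ns_split(c, khz));
    return 0;
}
```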


* ext4 filesystem corruption on fallocate.

Attempting to fallocate() a file over 4GB with insufficient space on an
ext4 filesystem could result in corruption of the filesystem image.


* CVE-2012-2313: Privilege escalation in the dl2k NIC.

The D-Link dl2k network card driver was missing permission checks in its
ioctl handler. This allowed an unprivileged user to reconfigure the
low-level link device and trigger a denial of service.


* Kernel panic when overcommitting memory with NFSd.

When using shmem objects over NFSd and overcommitting memory, the kernel
may panic due to a NULL pointer dereference in the memory management
subsystem.


* CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.

A buffer overflow flaw was found in the hfsplus_bnode_read() function in
the HFS+ file system implementation. This could lead to a denial of
service if a user browsed a specially crafted HFS+ file system, for
example by running "ls".


* CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.

A malicious remote user may trigger a denial of service in hosts using the SFC
NIC by reducing the size of the TCP MSS and causing the victim to run out
of resources while processing the packets.


* CVE-2012-3430: Kernel information leak in RDS sockets.

Calling recvfrom() on an RDS socket could result in leaking the contents
of kernel stack memory to userspace.


* CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.

The sanity check added in the original CVE-2009-4307 fix relied on undefined
compiler behaviour, which meant that it worked only on some architectures
and not, for example, on x86.

This fix replaces the check with a standards-compliant check which works on
all architectures.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.


* CVE-2012-3552: Denial-of-service in IP options handling.

Missing locking around IP options for a socket could allow an attacker
to trigger a use-after-free condition resulting in a kernel crash.
Under certain conditions this could be exploitable by a remote user.


* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* NULL pointer dereference in TUN device checkpoint and restore.

Missing NULL pointer checks could lead to a NULL pointer dereference
during checkpointing and restore of TUN devices (OpenVZ bug #2459).


* Kernel panic in SMB extended attributes.

The kernel SMB server implementation does not correctly parse extended
attribute names in QUERY_ALL_EAS requests, leading to an out-of-bounds read
and kernel crash.


* Kernel panic in ext3 indirect blocks.

The ext3 filesystem does not correctly handle corrupted indirect blocks,
leading to a kernel panic when closing files.


* CVE-2012-1568: A predictable base address with shared libraries and ASLR.

Address space layout randomization (ASLR) is a security method which
involves randomly arranging the positions of key data areas,
usually including the base of the executable and position of libraries,
heap, and stack, in a process's address space.

When running a binary with many shared libraries, a predictable base
address is used for one of the loaded libraries. This flaw could be
used to bypass ASLR.


* CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.

Accepting overlapping fragmented IPv6 packets can enable OS fingerprinting,
IDS/IPS insertion and evasion, and firewall evasion.


* CVE-2012-3400: Buffer overflow in UDF parsing.

A bug in the kernel's UDF file system driver could be exploited by an
unprivileged local user to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
