[El-errata] ELSA-2012-2021 Important: Oracle Linux 6 Unbreakable Enterprise kernel security and bugfix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Sat Jun 23 22:25:35 PDT 2012 

Oracle Linux Security Advisory ELSA-2012-2021

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
kernel-uek-2.6.39-100.10.1.el6uek.i686.rpm
kernel-uek-debug-2.6.39-100.10.1.el6uek.i686.rpm
kernel-uek-debug-devel-2.6.39-100.10.1.el6uek.i686.rpm
kernel-uek-devel-2.6.39-100.10.1.el6uek.i686.rpm
kernel-uek-doc-2.6.39-100.10.1.el6uek.noarch.rpm
kernel-uek-firmware-2.6.39-100.10.1.el6uek.noarch.rpm

x86_64:
kernel-uek-firmware-2.6.39-100.10.1.el6uek.noarch.rpm
kernel-uek-doc-2.6.39-100.10.1.el6uek.noarch.rpm
kernel-uek-2.6.39-100.10.1.el6uek.x86_64.rpm
kernel-uek-devel-2.6.39-100.10.1.el6uek.x86_64.rpm
kernel-uek-debug-devel-2.6.39-100.10.1.el6uek.x86_64.rpm
kernel-uek-debug-2.6.39-100.10.1.el6uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-2.6.39-100.10.1.el6uek.src.rpm


Users with Oracle Linux Premier Support can now use Ksplice to patch
against this Security Advisory.

We recommend that all users of  Oracle Linux 6 install these updates.

Users of Ksplice Uptrack can install these updates by running :

# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.

Description of changes:

* CVE-2012-2123: Privilege escalation when assigning permissions using 
fcaps.

If a process increases permissions using fcaps, all of the dangerous
personality flags which are cleared for suid apps are not cleared. This has
allowed programs that gained elevated permissions using fcaps to disable
the address space randomization of other processes.


* CVE-2012-2121: Memory leak in KVM device assignment.

KVM uses memory slots to track and map guest regions of memory.  When device
assignment is used, the pages backing these slots are pinned in memory 
and mapped
into the iommu.  The problem is that when a memory slot is destroyed the 
pages
for the associated memory slot are neither unpinned nor unmapped from 
the iommu.


* Memory corruption in KVM device assignment slot handling.

A race condition in the KVM device assignment slot handling caused by
missing locks around the unmapping of memory slots could cause a memory
corruption.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use,
leading to heap overflow. A user having access to TUN/TAP virtual
device could use this flaw to crash the system or to potentially
escalate their privileges.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function 
in the
KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts
(MSI) routing entry was handled. A local, unprivileged user could use 
this flaw
to cause a denial of service or, possibly, escalate their privileges.


* CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.

CVE-2012-1179: Denial of service in page mapping of the hugepage subsystem.

In some cases, the hugepage subsystem would allocate new PMDs when not
expected by the memory management subsystem. A privileged user in the
KVM guest can use this flaw to crash the host, an unprivileged local
user could use this flaw to crash the system.

CVE-2012-2373: Denial of service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault
resulting in a kernel crash, triggerable by an unprivileged user.


* Regression in handling of bind() with AF_UNSPEC family sockets.

Legacy applications used to bind() with AF_UNSPEC instead of AF_INET. Allow
them to continue doing so, but verify that the address is indeed INADDR_ANY.


[2.6.39-100.10.1.el6uek]
- thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE (Andrea 
Arcangeli)
   [Orabug: 14217003]

[2.6.39-100.9.1.el6uek]
- mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race
   condition (Andrea Arcangeli) [Bugdb: 13966] {CVE-2012-2373}
- mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode
   (Andrea Arcangeli)  {CVE-2012-1179}
- KVM: Fix buffer overflow in kvm_set_irq() (Avi Kivity) [Bugdb: 13966]
   {CVE-2012-2137}
- net: sock: validate data_len before allocating skb in 
sock_alloc_send_pskb()
   (Jason Wang) [Bugdb: 13966] {CVE-2012-2136}
- KVM: lock slots_lock around device assignment (Alex Williamson) [Bugdb:
   13966] {CVE-2012-2121}
- KVM: unmap pages from the iommu when slots are removed (Alex Williamson)
   [Bugdb: 13966] {CVE-2012-2121}
- KVM: introduce kvm_for_each_memslot macro (Xiao Guangrong) [Bugdb: 13966]
- fcaps: clear the same personality flags as suid when fcaps are used (Eric
   Paris) [Bugdb: 13966] {CVE-2012-2123}

[2.6.39-100.8.1.el6uek]
- net: ipv4: relax AF_INET check in bind() (Eric Dumazet) [Orabug: 14054411]

More information about the El-errata mailing list