[El-errata] New updates available via Ksplice (ELSA-2013-2585)

Sat Nov 30 09:05:05 PST 2013

Synopsis: ELSA-2013-2585 can now be patched using Ksplice
CVEs: CVE-2012-6545 CVE-2013-0343 CVE-2013-1928 CVE-2013-2164 CVE-2013-2234 CVE-2013-2888 CVE-2013-2889 CVE-2013-2892 CVE-2013-3231 CVE-2013-4345 CVE-2013-4591

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2013-2585.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2013-0343: Denial of service in IPv6 privacy extensions.

A malicious remote user can disable IPv6 privacy extensions by flooding the host
with malicious temporary addresses.

* CVE-2013-2888: Memory corruption in Human Input Device processing.

The kernel does not correctly validate the 'Report ID' field in HID data allowing
a malicious USB or Bluetooth device to cause memory corruption and gain kernel
code execution.

* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.

An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed non-block size aligned requests. This could lead
to random numbers being generated with less bits of entropy than expected
when ANSI CPRNG was used.

* CVE-2013-2889: Memory corruption in Zeroplus HID driver.

The Zeroplus game controller device driver does not correctly validate
data from devices allowing a malicious device to cause kernel memory
corruption and potentially gain kernel code execution.

* CVE-2013-2892: Memory corruption in Pantherlord Human Input Device processing.

Missing validation of HID report data could cause corruption of heap
memory.  A local user with physical access to the system could use this
flaw to crash the kernel resulting in DoS or potential privilege
escalation to gain root access via arbitrary code execution.

* CVE-2013-3231: Kernel stack information leak in LLC sockets.

Missing initialization could allow a local user to leak kernel stack
information when receiving messages.

* CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an Bluetooth RFCOMM socket.

* CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.

The compat control device call for VIDEO_SET_SPU_PALETTE was missing an error check
while converting the input arguments.  This could lead to leaking kernel
stack contents into userspace.

* CVE-2013-2164: Kernel information leak in the CDROM driver.

An ioctl result returned to the user might contain sensetive kernel
information.

* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.

* CVE-2013-4591: Privilege escalation in NFSv4 ACL handling.

The vendor fix for CVE-2012-2375 accidentally removed a check for small-sized
result buffers. A local, unprivileged user with access to an NFSv4 mount with
ACL support could use this flaw to crash the system or, potentially, escalate
their privileges on the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.