[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (Debian 6.0.7)

Vegard Nossum vegard.nossum at oracle.com
Sat Mar 2 13:29:16 PST 2013


Synopsis: Debian 6.0.7 can now be patched using Ksplice
CVEs: CVE-2011-1083 CVE-2011-2695 CVE-2011-4347 CVE-2012-4398 
CVE-2012-4444 CVE-2012-4530 CVE-2012-4565 CVE-2013-0190 CVE-2013-0268

Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel update, Debian 6.0.7.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Data corruption in HP Smart Array SCSI driver.

An unhandled protocol error could result in data corruption when the
controller is configured in a multipath system.


* Denial of service in futexes located in special memory regions.

When a futex is located in a specially mapped memory region, such as the
gate area, the kernel thread trying to retrieve the page mapping could
spin in an infinite loop while trying to acquire the mapping.


* Data corruption and exposure of encrypted data from eCryptFS files.

The ECRYPTFS_NEW_FILE crypt_stat flag was not cleared when extending a
file with truncate_upper. In some cases, this resulted in corruption
of data stored in eCryptFS, or userspace reads would see encrypted
file contents instead of the expected decrypted data.


* Kernel crash in oprofile NMI.

A race condition in the oprofile NMI can cause kernel crashes
if the KM_USER0 slot is in use when the oprofile NMI hits.


* Use-after-free in USB networking.

The USB networking driver had an internal race condition that could
cause a use-after-free when unlinking requests resulting in memory
corruption.


* Resource leak in USB networking driver.

The usbnet core incorrectly cleared a pointer to the underlying device
resulting in a resource leak when unlinking requests.


* Improved fix to CVE-2011-4347.

The vendor's original fix did not prevent devices from being assigned
without IOMMU protection which could allow a virtual machine to access
arbitrary host memory through a device.


* Memory corruption in IPsec frame handling.

The IPsec subsystem does not correctly handle frames with missing
MAC headers leading to memory corruption and a kernel crash.


* NULL pointer dereference with misconfigured USB FTDI devices.

A USB FTDI without a manufacturer string would result in a NULL pointer
dereference and kernel crash when the device was plugged in.


* Avoid bug caused by corrupted Ext4 filesystem.

When mounting an ext4 filesystem, the kernel was not checking for zero
length extents. This would cause a BUG_ON assertion failure in the log.


* NULL pointer dereferences in Bluetooth driver.

Fix two NULL pointer dereferences in hci_uart_tty_close.  The first
occurs if the driver doesn't find a device pointer associated with
the close and the second occurs due to a race condition between
closing the protocol driver and unregistering the device when a device
is disconnected.


* Denial of service in PHONET message sending.

The PHONET driver would attempt to allocate any packet size requested
from userspace. This could lead to memory exhaustion and OOM kills.


* Use-after-free in netlink receive queue.

A race between threads on consuming a buffer from the receive queue in
netlink_sendskb could result in a use-after-free.


* Use-after-free in socket error queue.

A race between threads on consuming a buffer from the socket error
queue in sock_queue_err_skb could result in a use-after-free.


* Buffer overflow in KS8851 network driver.

Insufficient buffer space when processing pending frames in ks_rcv
could result in a buffer overflow.


* Denial of service in the network GRED scheduler.

A kernel OOPS may occur in the GRED (Generic Random Early Detection)
network scheduler due to incorrect usage of the internal qdisc API.


* Use after free due to race condition in madvise.

A race condition between munmap and madvise can cause a use-after-free
in the memory management system.


* Use-after-free in SCSI request handling.

A use-after-free may occur if a SCSI request has no more references,
but is still rescheduled for completion.


* Fix ACPI oops when it is unable to initialize a power supply.

When the ACPI driver failed to initialize a power supply, the
failure wasn't returned to the caller, causing the driver to mistakenly
believe the device was initialized.  This could lead to a kernel
oops.


* Data loss in ext4 filesystems.

An integer underflow in metadata block management could result in
allocation failure and data loss.


* Use-after-free in sctp.

In some circumstances, a sctp association could be used after it was
freed, leading to memory corruption and possibly a kernel oops.


* NULL pointer dereference in CIPSO socket options.

Adding a CIPSO option to a socket could result in a NULL pointer
dereference and kernel crash under specific conditions.


* Kernel crash in kaweth USB Ethernet driver.

A memory allocation that was allowed to sleep was made from atomic
context, causing the kernel to sleep in an atomic state and crash.


* Prevent potential indefinite hang in recvmsg when TCP offload is enabled.

In very specific circumstances, the recvmsg() system call will hang
indefinitely because it fails to detect that data has already been
delivered to the process.


* Kernel stack information leak in tun ioctls.

Incorrect initialisation of ioctl structures could result in leaking
stack bytes to a userspace process.


* NULL pointer dereference in futex requeuing.

A missing NULL pointer check could result in a kernel crash when
attempting to requeue a futex.


* NULL pointer dereference in non-pi futexes.

Incorrect configuration of futex addresses could lead to a NULL pointer
dereference and kernel crash.


* Use-after-free in freed page LRU handling.

A race condition between MMU notifier release and page unmapping may cause
the memory manager to access a page which was already freed.


* Memory corruption in FUSE handling of vectored responses.

An incorrect check of the size of the response vector could lead to an
overflow and corruption of memory after the vector.


* Race-condition in VFS file operations.

A race condition when performing scatter-gather IO on a file can lead
to data corruption.


* Unreported error can cause unusable mount in NFS.

An unreported error can cause a mount to seem to succeed but have
completely unusable values for block sizes, maxfilesize, etc.


* NUMA memory policy kernel panic.

A kernel panic can be triggered when querying a task's NUMA memory policy
via procfs.


* UDF data corruption fix.

Files whose data is stored inside the ICB (the inode itself) could be
partially overwritten with zeros.


* NULL pointer dereference in DCCP sockets.

A NULL pointer dereference can be triggered by querying or setting the
socket options of a DCCP socket that has no associated CCID.


* Denial of service in TCP sockets.

Splicing data to a TCP socket in out-of-memory conditions could result
in stalls and a denial of service.


* Denial of service in TCP SYN+FIN messages.

SYN+FIN attacks can cause a denial of service with machines trying
to respond to the invalid messages.  This update will drop TCP
messages with both SYN and FIN set instead of trying to process
them.


* Kernel information leak in X86 ptrace TLS regset.

The TLS lookup could run off the end of the descriptor list reading from
kernel memory.


* CVE-2011-1083: Algorithmic denial of service in epoll.

A flaw was found in the way the Linux kernel's Event Poll (epoll)
subsystem handled large, nested epoll structures. A local,
unprivileged user could use this flaw to cause a denial of service.


* Use of undefined memory in ISCSI driver.

The ISCSI driver could access undefined memory when parsing OEM
parameters for single-controller devices resulting in undefined
behaviour.


* Divide-by-zero in NTP.

Integer overflow in NTP when setting the time could result in a
divide-by-zero and kernel panic.


* Kernel crash in UDF filesystem.

A possible overflow in the partition table length can cause an invalid
length to not be detected, later leading to a read beyond the end of a
buffer and a kernel crash.


* Data loss/corruption in ext3 filesystem after crash.

The fdatasync syscall does not flush inode metadata when used on a file
where only the file's size changed. This could lead to data loss/corruption
in applications following a system crash.


* CVE-2013-0190: stack corruption with Xen 32-bit paravirtualized guests.

Incorrect manipulation of the stack pointer in the error path for iret
failure with a 32-bit paravirtualized guest could result in stack
corruption.  This could be triggered by an unprivileged user in the
guest to cause a denial-of-service.


* Information leak in HP Smart Array SCSI driver.

Certain on-stack data structures with uninitialised members could leak
data from the kernel stack to userspace in the ioctl() system call of
the HP Smart Array SCSI driver.
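The tun ioctl leak above and this HP Smart Array ioctl leak are the same bug pattern: a reply structure is built on the kernel stack, only some of its bytes are written, and the whole structure is copied out. The following is an added user-space model of that pattern beside its hardened form; it is not code from the page, from either driver or from the kernel. The struct layout, the copy_out() stand-in for copy_to_user() and the 0xAA "stale stack" pattern are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ioctl reply as a driver might build it on its stack. The
 * compiler inserts padding between status and flags; once the struct is
 * copied out, padding is as visible to userspace as any named member. */
struct dev_info_reply {
    char     name[16];
    uint8_t  status;
    uint32_t flags;
};

/* Stand-in for copy_to_user(): the "user buffer" is just another array. */
static void copy_out(uint8_t *user, const struct dev_info_reply *r)
{
    memcpy(user, r, sizeof(*r));
}

/* strlen() clamped to what the name field can hold. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = strlen(s);
    return n > max ? max : n;
}

/* Vulnerable pattern: only the bytes the driver cares about are written,
 * then the whole struct goes out. The caller hands in the reply object with
 * whatever an earlier call left behind, standing in for stale stack data. */
static void reply_leaky(struct dev_info_reply *r, uint8_t *user, const char *name)
{
    size_t n = bounded_len(name, sizeof(r->name) - 1);
    memcpy(r->name, name, n);
    r->name[n] = '\0';            /* bytes after the terminator stay stale */
    r->status = 1;
    /* flags and the padding are never touched */
    copy_out(user, r);
}

/* Hardened pattern: zero the whole object, padding included, before filling
 * the members that carry data. */
static void reply_fixed(struct dev_info_reply *r, uint8_t *user, const char *name)
{
    memset(r, 0, sizeof(*r));
    size_t n = bounded_len(name, sizeof(r->name) - 1);
    memcpy(r->name, name, n);
    r->status = 1;
    r->flags = 0;
    copy_out(user, r);
}

/* Count bytes of the copied-out reply still carrying the stale pattern. */
static size_t stale_bytes(const uint8_t *user, size_t n, uint8_t pattern)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (user[i] == pattern);
    return c;
}

/* Fill the reply with a recognisable pattern (constructed stale stack
 * contents), run one of the two handlers, and report how many pattern
 * bytes reached "userspace". */
static size_t leak_count(bool hardened)
{
    struct dev_info_reply slot;
    uint8_t user[sizeof slot];
    memset(&slot, 0xAA, sizeof slot);
    if (hardened)
        reply_fixed(&slot, user, "eth0");
    else
        reply_leaky(&slot, user, "eth0");
    return stale_bytes(user, sizeof user, 0xAA);
}
```

With the name "eth0", reply_leaky() leaves the eleven unused name bytes, the four bytes of flags and any padding bytes carrying the old pattern, while reply_fixed() leaks nothing. Assigning members one by one is not a fix on its own: only memset(), kzalloc() or a designated initializer that zeroes the whole object also clears the padding.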


* Kernel crash in HP Smart Array SCSI driver.

A missing size check in the HP Smart Array SCSI driver could lead to a
kernel crash as the result of reading beyond the end of the command buffer.


* Kernel panic in HP Smart Array SCSI driver.

Replacing a physical SCSI device in the HP Smart Array could crash the
kernel due to an assignment of invalid SCSI addresses to the new device.


* Live lock in TTY subsystem when TTY auditing is enabled.

A race condition where audit is disabled at the same time as the kernel
is flushing the TTY audit buffer could lead to a live lock and subsequent
kernel hang.


* Deadlock in Intel C600 SAS controller driver.

Incorrect locking during port configuration could lead to a deadlock.


* NULL pointer dereference in Intel C600 SAS controller driver.

Unplugging a SAS device causes a NULL pointer dereference.


* CVE-2012-4398: Denial-of-service in kernel module loading.

A deadlock could occur in the Out of Memory (OOM) killer.  A process
could trigger this deadlock by consuming a large amount of memory, and
then causing request_module() to be called.  A local, unprivileged user
could use this flaw to cause a denial of service.


* CVE-2012-4565: Divide by zero in TCP congestion control algorithm.

The TCP Illinois congestion control algorithm does not correctly handle a
zero number of RTT samples when reporting TCP statistics, leading to a
divide-by-zero and kernel panic. A local user could use this flaw to cause
a denial of service by reading the statistics of a connection using this
algorithm.


* CVE-2012-4530: Kernel information leak in binfmt execution.

Execution of a carefully crafted sequence of scripts could allow an
unprivileged user to leak kernel stack information to userspace.


* CVE-2011-2695: Off-by-one errors in the ext4 filesystem.

Multiple off-by-one errors in the ext4 subsystem in the Linux kernel
before 3.0-rc5 allow local users to cause a denial of service (BUG_ON
and system crash) by accessing a sparse file in extent format with a
write operation involving a block number corresponding to the largest
possible 32-bit unsigned integer.
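The zero-length extent check earlier on this page and the CVE-2011-2695 boundary just described are both sanity checks on ext4's extent tree. As an added example serving both entries (not code from the page, from Debian or from the ext4 sources), the following models a leaf of extents and applies the checks a practitioner would want: a zero-length extent is rejected, a logical range that reaches the largest 32-bit block number is rejected, and the leaf must be sorted and non-overlapping. The struct, FS_BLOCKS and the helper names are simplifications assumed for the illustration; the real on-disk extent is little-endian and splits the physical block number into hi/lo halves.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EXT_MAX_BLOCKS   0xffffffffULL   /* first logical block that can never be mapped */
#define EXT_INIT_MAX_LEN 32768U          /* ee_len above this marks an uninitialised extent */
#define FS_BLOCKS        1000000ULL      /* constructed filesystem size in blocks */

/* Simplified model of an on-disk ext4 extent (host byte order). */
struct extent {
    uint32_t ee_block;  /* first logical block covered */
    uint16_t ee_len;    /* encoded block count; 0 is never valid */
    uint64_t ee_start;  /* first physical block */
};

/* Decode ee_len: values above EXT_INIT_MAX_LEN encode an uninitialised
 * extent whose length is the remainder. */
static uint32_t ext_real_len(const struct extent *e)
{
    return e->ee_len > EXT_INIT_MAX_LEN ? e->ee_len - EXT_INIT_MAX_LEN : e->ee_len;
}

/* A logical block is usable only if it is strictly below EXT_MAX_BLOCKS,
 * so the largest 32-bit value is never handed to the extent code. */
static bool lblk_in_range(uint32_t lblk)
{
    return lblk < EXT_MAX_BLOCKS;
}

/* Per-extent check: zero length, a logical range that reaches
 * EXT_MAX_BLOCKS, or a physical range outside the filesystem. */
static bool extent_valid(const struct extent *e, uint64_t fs_blocks)
{
    uint64_t len = ext_real_len(e);
    if (len == 0)
        return false;
    if ((uint64_t)e->ee_block + len > EXT_MAX_BLOCKS)
        return false;
    /* block 0 holds the superblock; past the end of the device is garbage */
    if (e->ee_start == 0 || e->ee_start + len > fs_blocks)
        return false;
    return true;
}

/* Leaf check: every extent valid, sorted by logical block, no overlap. */
static bool leaf_valid(const struct extent *ext, size_t n, uint64_t fs_blocks)
{
    uint64_t next = 0;
    for (size_t i = 0; i < n; i++) {
        if (!extent_valid(&ext[i], fs_blocks))
            return false;
        if (ext[i].ee_block < next)
            return false;           /* overlaps or precedes the previous extent */
        next = (uint64_t)ext[i].ee_block + ext_real_len(&ext[i]);
    }
    return true;
}

/* Constructed leaves exercising each check. */
static bool scenario_good_leaf(void)
{
    const struct extent leaf[] = {
        { 0,   100, 1000 },
        { 100,  50, 5000 },
        { 150, EXT_INIT_MAX_LEN + 10, 9000 },   /* uninitialised, 10 blocks */
    };
    return leaf_valid(leaf, 3, FS_BLOCKS) && ext_real_len(&leaf[2]) == 10;
}

static bool scenario_zero_length_rejected(void)
{
    const struct extent leaf[] = { { 0, 100, 1000 }, { 100, 0, 5000 } };
    return !leaf_valid(leaf, 2, FS_BLOCKS);
}

static bool scenario_last_block_rejected(void)
{
    const struct extent last = { 0xfffffffe, 1, 1000 };
    const struct extent past = { 0xffffffff, 1, 1000 };
    return extent_valid(&last, FS_BLOCKS) && !extent_valid(&past, FS_BLOCKS) &&
           lblk_in_range(0xfffffffe) && !lblk_in_range(0xffffffff);
}

static bool scenario_overlap_rejected(void)
{
    const struct extent leaf[] = { { 0, 100, 1000 }, { 50, 10, 5000 } };
    return !leaf_valid(leaf, 2, FS_BLOCKS);
}
```

The arithmetic is done in 64 bits on purpose: ee_block + len computed in 32 bits would wrap to a small number for exactly the extents that must be rejected.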


* CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.

Accepting overlapping fragmented IPv6 packets can lead to OS fingerprinting,
IDS/IPS insertion/evasion, firewall evasion.
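The evasion works because a sender can ship two fragments covering the same bytes with different contents and let each receiver (host, IDS, firewall) pick its own winner. The fix removes that choice: an overlapping fragment discards the whole reassembly instead of being trimmed. The following is an added model of that policy, not code from the page or from the kernel's IPv6 reassembly code; the reasm queue, its fixed capacity and the three scenarios are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FRAGS 32

/* Hypothetical model of one IPv6 fragment: where its payload sits in the
 * reassembled datagram and how long it is. */
struct frag {
    uint32_t offset;   /* byte offset of this fragment's payload */
    uint32_t len;      /* payload length in bytes, never 0 */
};

/* One reassembly queue, fragments kept sorted by offset. */
struct reasm {
    struct frag q[MAX_FRAGS];
    size_t n;
    bool poisoned;     /* set once an overlapping fragment arrived */
};

static void reasm_init(struct reasm *r)
{
    memset(r, 0, sizeof(*r));
}

/* Offer a fragment. Returns true if stored. A fragment overlapping any
 * stored byte poisons the whole queue: the datagram is discarded rather
 * than trimmed, so the ambiguity is useless to the sender. */
static bool reasm_add(struct reasm *r, uint32_t offset, uint32_t len)
{
    if (r->poisoned || len == 0 || r->n == MAX_FRAGS)
        return false;

    uint64_t end = (uint64_t)offset + len;    /* exclusive end, cannot wrap */
    if (end > UINT32_MAX)
        return false;

    size_t pos = r->n;                        /* insertion index, keeps order */
    for (size_t i = 0; i < r->n; i++) {
        uint64_t qs = r->q[i].offset;
        uint64_t qe = qs + r->q[i].len;
        /* half-open intervals overlap iff each starts before the other ends */
        if (offset < qe && qs < end) {
            r->poisoned = true;
            return false;
        }
        if (qs > offset && pos == r->n)
            pos = i;
    }

    memmove(&r->q[pos + 1], &r->q[pos], (r->n - pos) * sizeof(r->q[0]));
    r->q[pos].offset = offset;
    r->q[pos].len = len;
    r->n++;
    return true;
}

/* True when the stored fragments tile [0, total) with no gap. */
static bool reasm_complete(const struct reasm *r, uint32_t total)
{
    if (r->poisoned || total == 0)
        return false;
    uint64_t next = 0;
    for (size_t i = 0; i < r->n; i++) {
        if (r->q[i].offset != next)
            return false;
        next += r->q[i].len;
    }
    return next == total;
}

/* Constructed scenario: fragments arrive out of order but tile exactly. */
static bool scenario_out_of_order_ok(void)
{
    struct reasm r;
    reasm_init(&r);
    return reasm_add(&r, 0, 1000) && reasm_add(&r, 1500, 200) &&
           reasm_add(&r, 1000, 500) && reasm_complete(&r, 1700) &&
           !reasm_complete(&r, 1800);
}

/* Constructed scenario: a fragment re-covering bytes 500..599 poisons the queue. */
static bool scenario_overlap_discarded(void)
{
    struct reasm r;
    reasm_init(&r);
    bool first = reasm_add(&r, 0, 1000);
    bool second = reasm_add(&r, 500, 100);
    return first && !second && r.poisoned && !reasm_complete(&r, 1000);
}

/* Constructed scenario: offset+len wrapping past 32 bits is rejected without poisoning. */
static bool scenario_wrap_rejected(void)
{
    struct reasm r;
    reasm_init(&r);
    return reasm_add(&r, UINT32_MAX - 1, 1) &&
           !reasm_add(&r, UINT32_MAX, 2) && !r.poisoned;
}
```

Adjacent fragments (one ending exactly where the next starts) are accepted, which is what the half-open interval test buys; a fragment whose offset and length wrap past 32 bits is rejected on arrival rather than being allowed to corrupt the ordering.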


* CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.

Access to /dev/cpu/*/msr was protected only by filesystem permission
checks. A local process running as uid 0 (root) but with all capabilities
dropped could use this flaw to write arbitrary model-specific registers
and execute arbitrary code in kernel mode. The fix additionally requires
CAP_SYS_RAWIO to open the device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
