[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (DSA-2668-1)
Vegard Nossum
vegard.nossum at oracle.com
Fri May 17 10:35:33 PDT 2013
Synopsis: DSA-2668-1 can now be patched using Ksplice
CVEs: CVE-2012-3552 CVE-2012-4461 CVE-2012-4508 CVE-2012-6537
CVE-2012-6539 CVE-2012-6540 CVE-2012-6542 CVE-2012-6544 CVE-2012-6545
CVE-2012-6546 CVE-2012-6548 CVE-2012-6549 CVE-2013-0349 CVE-2013-0914
CVE-2013-1767 CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796
CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928 CVE-2013-2634
CVE-2013-3222 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228
CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235
Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-2668-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Missing initialization could allow a local user to leak stack
information when receiving messages on a Transparent Inter Process
Communication (TIPC) socket.
* CVE-2013-3229: Kernel stack information leak in IUCV sockets.
Missing initialization could allow a local user to leak kernel stack
information when receiving messages from an IUCV socket.
* CVE-2013-3223: Kernel stack information leak in amateur radio drivers.
Missing initialization could allow a local user to leak kernel stack
information when receiving messages.
* CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Receiving messages from a Bluetooth socket while the socket is
simultaneously being shut down could leak kernel stack bytes to
userspace, allowing a local user to gain information about the running
kernel.
* CVE-2013-3228: Kernel stack information leak in IRDA sockets.
Missing initialization could allow a local user to leak kernel stack
information when receiving messages.
* CVE-2013-3234: Kernel stack information leak in ROSE protocol.
Missing initialization could allow a local user to leak kernel stack
information when receiving from a ROSE socket.
* CVE-2013-3222: Kernel stack information leak in ATM sockets.
Missing data clearing operations could allow an unprivileged user to
leak kernel stack memory to userspace.
* CVE-2013-3231: Kernel stack information leak in LLC sockets.
Missing initialization could allow a local user to leak kernel stack
information when receiving messages.
* CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Missing data clearing operations could allow a local user to leak kernel
stack memory to userspace.
* CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth RFCOMM socket.
* CVE-2012-6544: Information leak in Bluetooth socket options.
The HCI_FILTER socket option allows malicious users to disclose
the contents of kernel memory.
* CVE-2012-4508: Stale data exposure in ext4.
A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.
* CVE-2012-6548: Information leak in UDF export.
A malicious user can disclose the contents of kernel memory by exporting
a filehandle from a UDF filesystem.
* CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
A Linux kernel built with XFRM framework support is vulnerable to a NULL
pointer dereference flaw. It occurs while accessing XFRM state via the
xfrm_state_netlink routine.
* CVE-2012-6540: Information leak in IP Virtual Server socket options.
A malicious user can disclose the contents of kernel memory by calling
getsockopt() on an IP virtual server socket.
* CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth L2CAP socket.
* CVE-2012-6549: Information leak in isofs export.
The isofs_export_encode_fh function does not initialize a certain
structure member, which allows local users to obtain sensitive
information from kernel heap memory via a crafted application.
* CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
The compat control device call for VIDEO_SET_SPU_PALETTE was missing an
error check while converting the input arguments. This could lead to
leaking kernel stack contents into userspace.
* CVE-2013-1798: Information leak in KVM APIC driver.
The KVM paravirtualised APIC driver does not correctly validate arguments
from the guest virtual machine when querying the APIC device, allowing a
malicious guest virtual machine to read kernel memory from the host.
* CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak
from the kernel.
* CVE-2013-0914: Information leak in signal handlers.
A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.
* CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
If a tmpfs mount that was originally mounted with the mpol=M
option is remounted, it reuses the already freed mempolicy object.
* CVE-2013-2634: Kernel stack information leak in the Data Center Bridging (DCB) component.
The DCB netlink interface leaks stack memory in various places.
* CVE-2013-1796: Buffer overflow in KVM system time MSR.
The KVM paravirtualised MSR driver does not correctly validate system timer
arguments allowing a guest virtual machine to corrupt host kernel memory by
providing an unaligned MSR value.
* CVE-2012-6539: Information leak in socket compatibility ioctl.
The SIOCGIFCONF socket option allows malicious users to disclose the
contents of kernel memory.
* CVE-2012-6546: Information leak in ATM sockets.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on an ATM socket.
* CVE-2012-6537: Kernel information leaks in network transformation
subsystem.
This fixes several cases where xfrm_user code could leak kernel
memory to user space.
* CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
A malicious USB device can cause a buffer overflow and gain kernel code
execution by sending malformed Wireless Device Management packets.
* CVE-2012-6542: Information leak in LLC socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on an LLC socket.
* CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport
serial driver.
A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.
* CVE-2013-1792: Denial-of-service in user keyring management.
A race condition in installing a user keyring could allow a local,
unprivileged user to crash the machine causing a denial-of-service.
* CVE-2012-4461: Kernel panic in KVM XSAVE support.
On machines without XSAVE instruction support a malicious guest can cause
a host kernel panic via the SET_SREGS ioctl.
* Denial-of-service in no-journal mode ext4 filesystems.
A user with physical access to a machine could use a carefully
constructed filesystem to hang the system.
* CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Unicode conversion functions used in the VFAT filesystem were vulnerable
to buffer overruns. Carefully constructed VFAT partitions mounted with
the utf8 option could allow an attacker to corrupt kernel memory and
possibly execute code in kernel mode.
* CVE-2012-3552: Denial-of-service in IP options handling.
Missing locking around IP options for a socket could allow an attacker
to trigger a use-after-free condition resulting in a kernel crash.
Under certain conditions this could be exploitable by a remote user.
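Most of the socket entries above (CVE-2013-3222 through CVE-2013-3235 and the getsockname() leaks) share one bug pattern: a sockaddr-style structure is filled on the kernel stack, only the fields the protocol knows about are written, and the whole structure is then copied to user space, so untouched padding and tail bytes carry stale stack contents. The following is an added user-space illustration of that pattern and of the memset() fix, not Ksplice's or the kernel's code; struct fake_sockaddr, the POISON value and leaked_bytes() are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a kernel sockaddr type: family, a fixed address
 * field and a short name field. Kernel code copies the whole struct out to
 * user space, so every byte the protocol does not write leaves as-is. */
struct fake_sockaddr {
    uint16_t family;
    uint8_t  addr[6];
    char     name[8];
};

/* Byte used to "poison" the simulated kernel stack before each call, so
 * any byte left untouched by the protocol code is recognizable afterwards. */
#define POISON 0xAA

/* Vulnerable pattern: write only the fields the protocol knows about; addr
 * and the unused tail of name keep whatever was on the stack. Returns the
 * length that would be reported to user space. */
static size_t getname_leaky(struct fake_sockaddr *sa, const char *name)
{
    size_t n = strlen(name);
    if (n > sizeof(sa->name) - 1)
        n = sizeof(sa->name) - 1;
    sa->family = 42;
    memcpy(sa->name, name, n);
    sa->name[n] = '\0';
    return sizeof(*sa);
}

/* Fixed pattern: clear the whole structure before filling it, which is
 * what the upstream fixes for this bug class did with memset(). */
static size_t getname_fixed(struct fake_sockaddr *sa, const char *name)
{
    memset(sa, 0, sizeof(*sa));
    return getname_leaky(sa, name);
}

/* Simulate one getsockname()/recvmsg() round trip: poison the stack slot,
 * run the fill routine, then count the bytes that would reach user space
 * still holding old stack contents (0 means nothing leaks). */
size_t leaked_bytes(int fixed, const char *name)
{
    struct fake_sockaddr sa;
    memset(&sa, POISON, sizeof(sa));
    size_t len = fixed ? getname_fixed(&sa, name) : getname_leaky(&sa, name);
    const uint8_t *p = (const uint8_t *)&sa;
    size_t leaked = 0;
    for (size_t i = 0; i < len; i++)
        if (p[i] == POISON)
            leaked++;
    return leaked;
}
```

With a short name the leaky version exposes the six addr bytes plus five unused name bytes; with a name that fills the field it still exposes addr, while the memset() version exposes nothing in either case.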
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.