[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.46-1)

Jamie Iles jamie.iles at oracle.com
Mon Jun 17 04:33:01 PDT 2013


Synopsis: 3.2.46-1 can now be patched using Ksplice
CVEs: CVE-2013-3232

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.46-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
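As an added example (not part of the Ksplice announcement), the following POSIX shell snippet reads the autoinstall setting from an uptrack.conf file and reports whether the host will pick up the update on its own or needs the manual command above. It assumes uptrack.conf uses simple "key = value" lines with '#' comments; the helper names and the sample configuration are constructed here.

```sh
# Added example, not from the Ksplice announcement.
# Assumption: uptrack.conf consists of "key = value" lines and '#' comments.

# Return 0 if "autoinstall = yes" is set in the given config file,
# 1 if it is absent or set to anything else, 2 if the file is unreadable.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Take the last matching line so a later override wins; strip trailing comments.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "automatic" when no action is needed, otherwise print the manual
# command from the announcement (constructed helper name).
recommended_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Demo on a constructed config file (the real file is /etc/uptrack/uptrack.conf).
sample_conf=$(mktemp)
printf '# constructed sample\nautoinstall = no\n' > "$sample_conf"
echo "sample config: $(recommended_action "$sample_conf")"
rm -f "$sample_conf"
```

Run it against the real file with `recommended_action /etc/uptrack/uptrack.conf` to decide whether a host needs the manual upgrade step.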


DESCRIPTION

* Memory leak in PPPoL2TP messaging.

The PPPoL2TP tunneling protocol does not decrement a reference counter when a user
calls sendmsg on a PPPoL2TP socket, causing a kernel memory leak.


* Kernel crash when closing TUN/TAP device.

Under certain circumstances, closing a TUN/TAP device could lead to a
kernel crash. An unprivileged local user could use this to carry out
a denial of service attack.


* Deadlock in SELinux xfrm networking.

The SELinux security module uses an invalid combination of flags to allocate
memory when validating users of the xfrm module leading to a deadlock.


* Use after free in generic journaling layer (JBD2).

Incorrect reference counting can lead to a use-after-free in the JBD2
subsystem. A malicious user could potentially use the flaw to crash the
kernel.


* Information leak in debugfs for i915.

The i915 driver can leak kernel address information, which could
be used by a malicious user to target kernel memory corruption
attacks.


* Kernel hang when unmounting ext4 filesystems mounted in 'journal' mode.

Under certain circumstances, mounting and unmounting an ext4 filesystem
quickly can lead to a kernel hang. A local user with sufficient
privileges could use this to carry out a denial-of-service attack.


* Memory leak in rtlwifi allocation failures.

Allocation failures in the rtlwifi driver could leak memory and eventually
lead to a system crash.


* Use after free due to directory read race in sysfs.

A race between reading and seeking a directory may occur due
to missing locking when executing the seek.


* Use after free on sysfs failure on readdir.

Errors in readdir were not handled properly and internal structures were released
without being cleared, triggering a use after free when they were later used
again.


* Buffer overflow when removing a PNFS device.

The buffer allocated for the removal command was too small; writing
too much data into it would have caused a buffer overflow.


* Deadlock in VFS mounting.

A deadlock can be triggered by performing a path lookup in 'getcwd' while
mounting a VFS filesystem.


* Btrfs filesystem reports no free space when there is.

When doing I/O with large amounts of data fragmentation, the global block
reserve calculations are too low, leading to 'no free space' errors.


* Leak in Reiser filesystem inode allocation.

The Reiser filesystem does not correctly handle deleting extended attributes
of files which contain '.' or '..', causing inodes to be leaked on the
underlying device.


* Race condition in virtual memory subsystem.

It is possible to trigger a race condition between two processes with a
shared memory space that triggers a kernel panic (BUG_ON).


* NULL pointer dereference in Intel 10GbE PCI Express driver.

The Intel 10GbE driver creates kernel data structures in an incorrect order
when loading causing a NULL pointer dereference and kernel panic.


* Denial-of-service in kernel key instantiation.

A memory leak in the kernel key instantiation functions could allow a
local user to trigger a denial-of-service.


* Use after free in 802.1Q vlan tag deletion.

A vlan data structure may be used even after it was released due to wrong
release order.


* NULL pointer dereference in UNIX socket security management.

An incorrect ordering between marking a UNIX socket as dead and releasing
it can cause a NULL pointer dereference when the security subsystem tries
to verify permissions on that socket.


* Buffer overflow in AoE block driver SKB allocation.

The SKB size allocated for usage in the AoE driver was too small and
may cause buffer overflow.


* Invalid free in CAN networking.

The Controller Area Networking subsystem incorrectly frees scheduled jobs
leading to a kernel panic.


* Use-after-free in kernel module loading.

A race condition in the kobject subsystem can cause a use-after-free condition
and kernel panic when loading kernel modules.


* Buffer overflow in HFS+ filesystem.

An implicit truncation of an inode's size could lead to a buffer overflow
that is exploitable by local users with write access to an HFS+ filesystem.


* Use-after-free in Async I/O debug prints.

An async I/O ring may be released before a debug print regarding that
ring, causing a use-after-free.


* Kernel crash in cgroup process attachment.

Incorrect initialization could cause the kernel to crash on memory
allocation failure when under heavy memory pressure.


* Use-after-free in sysfs read/write accesses.

A race condition between read/write accesses and readdir calls on sysfs
directories could result in a use-after-free and kernel crash.


* Use-after-free in frame buffer console fonts.

Changing framebuffer consoles did not correctly handle font data, resulting in
a use-after-free and kernel crash.


* Denial-of-service in dcache shrinking.

Removing entries from the dcache when there are a large number of open
files could result in a soft-lockup of the system.


* Kernel crash in performance monitoring system.

Due to an incorrect bit mask, a user could write to a reserved CPU bit
and crash the kernel.


* Kernel stack leak when receiving Netrom packets when message name isn't set.

Part of the kernel stack leaks when an attempt is made to receive packets from a
Netrom socket that does not have the name field set.


* CVE-2013-3232: Kernel stack information leak in amateur radio NET/ROM driver.

Missing initialization could allow a local user to leak kernel stack
information when receiving messages from a NET/ROM socket.


* Memory leak in tree auditing subsystem.

Incorrect reference counting in error situations in the auditing subsystem
could lead to memory leaks. This could potentially be used by a local,
unprivileged user to cause a denial-of-service.


* NULL pointer dereference in ALSA driver.

A NULL pointer dereference in the ALSA HDA driver can lead to
a kernel Oops.


* Denial-of-service in CIFS inode handling.

In some cases, CIFS inode ops that had already been set were being reset,
leading to a kernel oops.  This could be used by a malicious user to cause
a denial of service.


* Denial-of-service in md buffered I/O interface.

It is possible for the dm-bufio code to deadlock on vmalloc.  This could
be used to cause a denial-of-service.


* Unchecked user input used in open source Radeon driver.

The Radeon driver didn't check user memory before copying it, which could
potentially be used to create a kernel exploit.


* Heap buffer overflow in btrfs tree search ioctl.

Incorrect handling of large items could result in a buffer overflow
allowing a privileged, local user to corrupt kernel memory.


* Invalid memory access in USB cxacru driver.

A potential array underflow in the USB cxacru driver could cause an
invalid kernel memory access.


* NULL pointer dereference in MMU notifier.

A race condition could lead to a NULL pointer dereference in the mmu
notifier code.


* Kernel panic in mm pagewalk.

Invalid assumptions in the mm pagewalk code could cause a kernel
panic.  This can be triggered by simply cat'ing /proc/<pid>/smaps
while an application has a VM_PFNMAP range.


* Kernel crash in IP virtual server SIP persistence engine.

Use of uninitialized memory in the SIP persistence engine could result
in a kernel crash.


* Information leak in SCTP keys.

SCTP keys were not zeroed before being freed, which could allow
the keying material to be leaked.


* Kernel panic on removal of the network bonding device module.

A race condition between removal of a network bonding device module and the
removal of the actual bond devices may cause a kernel panic.


* Race condition in network device unregistration.

Missing synchronization could result in the kernel seeing stale handler
pointers resulting in a use-after-free.


* Kernel crash in SCTP protocol handler.

Due to a bug in the SCTP protocol handler, packets containing duplicate
cookie chunks will lead to inconsistent data structures. A remote
attacker could use this to crash the kernel.


* Buffer overflow in CIFS options handling.

In some cases, insufficient memory was being allocated for the CIFS
mount options, leading to a buffer overflow.


* NULL pointer dereference in Mantis DVB driver.

A missing NULL pointer check allowed a NULL pointer dereference
to occur in the Mantis DVB driver code.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
