[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.51-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Oct 14 08:53:51 PDT 2013


Synopsis: 3.2.51-1 can now be patched using Ksplice
CVEs: CVE-2013-0343 CVE-2013-2888 CVE-2013-2892 CVE-2013-2896 CVE-2013-2899

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.51-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel crash on Wireless P2P device connection.

If a P2P wireless device is present and a new one is connected, the
kernel crashes because of an incorrect check of network device
internals.


* Kernel crash when unregistering VLAN interfaces.

If a VLAN interface was registered after the AP, unregistering it
crashes the system because the code is not prepared for the AP being
closed before its VLANs are removed.


* Privilege escalation in XFS file truncation.

Truncating a non-zero sized file on an XFS filesystem did not clear the
SUID/SGID bits, allowing a local user with write access to the file to
possibly escalate privileges.
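The following is an added regression check for the SUID/SGID-on-truncate behaviour described above; it is not Ksplice code. It creates a set-user-ID file with content, truncates it as the current user and reports whether the bits survived. It assumes an ordinary writable directory (pass an XFS mount point as the argument to exercise the XFS path) and an unprivileged caller, since a process holding CAP_FSETID legitimately keeps the bits.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the SUID/SGID bits survived truncation (the bug),
 * 0 if they were cleared (expected, fixed behaviour), -1 on setup error.
 * 'dir' is any writable directory; point it at an XFS mount to test XFS. */
int suid_survives_truncate(const char *dir)
{
    char path[4096];
    struct stat st;
    int fd, ret = -1;

    snprintf(path, sizeof path, "%s/suid-trunc-XXXXXX", dir);
    fd = mkstemp(path);               /* 0600 file owned by the caller */
    if (fd < 0)
        return -1;

    /* The bug needs a non-zero sized file, so write some content first. */
    if (write(fd, "payload\n", 8) != 8)
        goto out;
    /* Mark it set-user-ID and set-group-ID (group exec so SGID counts). */
    if (fchmod(fd, S_ISUID | S_ISGID | S_IRWXU | S_IRGRP | S_IXGRP) < 0)
        goto out;
    /* Truncate to zero length; a correct kernel drops SUID/SGID here. */
    if (ftruncate(fd, 0) < 0)
        goto out;
    if (fstat(fd, &st) < 0)
        goto out;
    ret = (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
out:
    close(fd);
    unlink(path);
    return ret;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int r = suid_survives_truncate(dir);
    if (r < 0) { perror("setup"); return 2; }
    printf("%s: SUID/SGID %s after truncate\n", dir,
           r ? "RETAINED (bug present)" : "cleared (ok)");
    return r;
}
```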


* Kernel hang on USB audio.

An attacker with physical access to the machine could make the kernel
hang with a malicious USB device due to two vulnerabilities in the functions
parse_uac2_sample_rate_range() and parse_audio_format_rates_v2() that
cause an overflow.


* Kernel panic in Broadcom 43xx wireless driver.

A kernel panic can be triggered when unloading the legacy
Broadcom wireless driver when no firmware is present.


* Kernel panic in XHCI initialization error handling.

Incorrect initialization of kernel data structures could result in
accessing invalid addresses and a subsequent kernel panic when driver
initialization fails.


* Kernel panic when GPU acceleration is disabled.

When GPU acceleration is disabled, the related data is freed, but a
subsequent cleanup call after this will cause a kernel panic.


* Kernel panic in Bluetooth L2CAP processing.

The Bluetooth L2CAP driver does not correctly validate the length of received
frames, causing the driver to read invalid memory and trigger a kernel panic.


* Race condition on Swap while waiting on discard I/O completion.

Reading a swap cache page while a discard I/O is in flight can hit a race
condition that leads to a system deadlock.


* Kernel crash on IPv6 cork release.

When IPv6 cork options are copied, the destination memory is not zeroed,
so it can contain garbage when the free routines are invoked, which
could lead to a kernel crash.


* Kernel crash on ip_tunnel due to garbage data on IPCB.

If the link failure routine is called while the IPCB has not been
cleared, the stale data it contains leads to a kernel crash.


* Memory leak on L2TP PPP header.

When adding a PPP header, it leaks two bytes of uninitialized memory
at the end of the socket buffer data buffer.


* Denial-of-service in ncpfs.

A bug in ncpfs caused rmdir to no longer work.  This could be exploited
by a malicious user to cause a denial-of-service.


* Use-after-free in zram driver unloading.

When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it, leading to a use-after-free condition and kernel panic.


* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated,
leading to kernel memory corruption and possible elevation of privileges.


* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while resetting a device.


* Memory corruption in Bluetooth L2CAP MTU control.

An integer underflow and memory corruption can be triggered by reducing the MTU
of an L2CAP socket and then sending a large L2CAP packet.


* NULL pointer dereference in XHCI container allocation.

A missing error check when allocating DMA memory for an XHCI container can cause
a NULL pointer dereference and kernel panic.


* Use-after-free in DVB ring buffer.

Incorrect use of a lockless ring buffer could result in accessing
invalid data, triggering a use-after-free and kernel crash.


* Missing permission checks in perf monitoring of setuid processes.

An invalid security check when executing a new process can allow unprivileged
users to monitor setuid processes using the kernel performance event subsystem.


* Kernel deadlock when removing a Frame Relay device.

Incorrect locking when removing a Frame Relay DLCI device can cause a deadlock
and kernel panic.


* Kernel panic when removing a Frame Relay device.

Using the DLCI ioctl to remove a Frame Relay device on a socket that is not a
Frame Relay device can cause an invalid memory access and kernel panic.


* Data loss in filesystems due to missing writeback.

Incorrect handling of periodic writeback could cause filesystems to fail
to write data back to disk, leading to corruption in the case of a crash
or power failure.


* Kernel crash in OCFS inline extended attributes with reflinked files.

Incorrect allocation sizes for inline extended attributes during reflink
could result in a kernel BUG() and subsequent crash.


* Format string vulnerability in crypto subsystem.

A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic.


* Integer overflow in HP filesystem mounting.

An integer overflow and kernel panic can be triggered by attempting to mount a
malformed HP filesystem.


* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.


* Data corruption in ext4 filesystem on 32-bit systems.

A number of integer overflows when handling 64-bit integers in the ext4 filesystem
on 32-bit systems can cause data corruption and/or loss.


* Double free in MAC-VLAN based tap driver.

Due to incorrect error handling, the macvtap driver could free the same
page twice, possibly leading to kernel crashes. A malicious local user
could exploit this to cause denial of service.


* Deadlock in x25 ioctl error path.

Invalid error handling in the x25 ioctl code causes a lock to not be
released, leading to a deadlock.


* Deadlock in IPv6 multicast.

Incorrect lock handling in the IPv6 multicast code could lead to a
deadlock and system hang.


* Memory corruption in Plan 9 9p remote filesystem.

An off-by-one error could lead to memory access violations and memory
corruption when releasing pages in the 9p filesystem, leading to a kernel crash.


* Use-after-free in NFS lock daemon lock retry mechanism.

Missing locking could result in a race condition on the retry list,
allowing the kernel to use a freed item and resulting in a kernel crash.


* Use-after-free in ACPI memory hotplug failure.

Incorrect handling of memory hotplug failure could result in accessing a
stale pointer and triggering a kernel crash.


* Deadlock in btrfs snapshot deletion.

Missing lock tracking could result in a deadlock when deleting a snapshot,
causing the system to hang.


* Use-after-free in SCSI unit attention handling.

Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.


* Memory corruption in comedi read/write with concurrent ioctl.

Missing locking in the comedi driver could result in memory corruption
and a kernel crash.


* NULL pointer dereference in USB XHCI doorbell.

A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.


* Denial-of-service in Moschip 7840/7820 USB serial driver.

Missing resource freeing would result in a memory leak when opening the
device fails, allowing a user with sufficient privileges to exhaust
memory.


* Use-after-free in IPv6 multicast routing namespace cleanup.

Incorrect locking could result in a use-after-free and kernel crash when
removing a network namespace.


* Kernel information leak in Class Based Queueing network scheduler.

Missing initialization in the CBQ network scheduler could result in
leaking kernel stack information to userspace.


* Kernel stack information leaks in PF_KEY sockets.

Missing initialization in a number of PF_KEY socket calls could result
in leaking kernel stack information to userspace.


* Kernel stack information leak in ATM network scheduler.

Missing initialization could cause kernel stack information to be leaked
from the ATM network scheduler to userspace.


* Kernel oops in simultaneous VIRTIO console open + unplug.

Missing synchronization could result in a crash if the device was opened
at the same time as the device was unplugged.


* Buffer overflow in CIFS credentials.

An incorrectly sized buffer could result in a buffer overflow, allowing
a malicious server to cause heap memory corruption.


* NULL pointer dereference in Intel wireless driver.

A NULL pointer dereference can be triggered in the iwlwifi driver when
doing a channel switch.  This can lead to a kernel panic.


* Use-after-free in ext4 metadata error path.

If an error is encountered when writing dirty ext4 metadata to disk, a
use-after-free condition can be triggered, causing a kernel panic.


* Heap buffer overflow when reading "pagemap" procfs file.

The kernel does not correctly allocate a temporary buffer when reading from the
"pagemap" procfs file, leading to a kernel heap overflow and possible code
execution.


* NULL pointer dereference in Keyspan USB-to-serial driver.

A NULL pointer dereference and kernel panic can be triggered if a memory
allocation fails when attaching a Keyspan USB device.


* Deadlock in NILFS2 segment buffer processing.

Incorrect reference counting in the NILFS2 filesystem driver when processing
segment buffers can trigger a deadlock, causing a kernel panic.


* Kernel panic in Atheros AR9001/AR9002 transmit.

The Atheros wireless driver does not correctly manage packet data on AR9001 and
AR9002 devices, leading to an assertion failure and kernel panic.


* Improved fix for 'Unlimited stack ASLR bypass on 64-bit systems'.

The original update for 'Unlimited stack ASLR bypass on 64-bit systems' did not
correctly handle randomising the stack causing compatibility issues with some
existing user-mode programs. This update corrects the issue.


* CVE-2013-0343: Denial of service in IPv6 privacy extensions.

A malicious remote user can disable IPv6 privacy extensions by flooding the host
with malicious temporary addresses.


* CVE-2013-2888: Memory corruption in Human Input Device processing.

The kernel does not correctly validate the 'Report ID' field in HID data, allowing
a malicious USB or Bluetooth device to cause memory corruption and gain kernel
code execution.


* CVE-2013-2892: Memory corruption in Pantherlord Human Input Device processing.

Missing validation of HID report data could cause corruption of heap
memory.  A local user with physical access to the system could use this
flaw to crash the kernel resulting in DoS or potential privilege
escalation to gain root access via arbitrary code execution.


* Integer overflow in NFSv4.1 memory allocation.

Missing range checks could result in an integer overflow when allocating
memory, leading to potential heap corruption.


* Information leak in ICEnsemble ICE1712 (Envy24) sound driver.

Missing range checks could result in leaking the contents of kernel heap
memory to userspace.


* Memory leak in ZRAM initialization failure.

Missing error handling in the ZRAM module initialization could result in
a memory leak.


* Information leak in AF_PACKET getname() call.

The getname() syscall does not correctly sanitize memory when called on an
AF_PACKET socket causing the contents of kernel memory to be disclosed to
userspace.


* NULL pointer dereference in SCTP socket destruction.

When an SCTP socket is destroyed, it can contain invalid references,
because the destruction routine can be invoked during socket initialization.


* Kernel oops when using MSG_CMSG_COMPAT in socket interfaces.

From user space it is possible to use MSG_CMSG_COMPAT in the 'send'
and 'receive' socket family interfaces. This is not a standard
feature, and using it from user space leads to a kernel oops.


* System hang in JFS journal management.

Race conditions in the journaling filesystem could result in a system
hang under specific conditions triggered by xfstests.


* CVE-2013-2899: NULL pointer dereference in PicoLCD device driver.

The PicoLCD HID driver does not correctly validate data from devices allowing a
malicious device to trigger a NULL pointer dereference causing a kernel panic.


* CVE-2013-2896: NULL pointer dereference in N-Trig HID driver.

The N-Trig touch-screen device driver does not correctly validate data from
devices allowing a malicious device to trigger a NULL pointer dereference causing
a kernel panic.


* NULL pointer dereference in HID report field setting.

Missing NULL pointer checks could result in a NULL pointer dereference
when a driver populated the results of field enquiries.


* Kernel panic in removable memory sysfs interface.

When showing the contents of the /sys/devices/system/memory/memory*/removable
sysfs file, the kernel does not validate that all memory sections are present,
causing a kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

