[Ksplice][Fedora-17-updates] New updates available via Ksplice (FEDORA-2013-6034)

[Phil Turnbull]

Synopsis: FEDORA-2013-6034 can now be patched using Ksplice
CVEs: CVE-2013-0914 CVE-2013-1929

Systems running Fedora 17 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-6034.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 17 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel crash in B.A.T.M.A.N. advanced meshing protocol.

A missing bounds check in B.A.T.M.A.N. packet processing could lead to
out-of-bounds memory accesses. A remote attacker could potentially use
this to crash the kernel if this protocol is in use.


* Kernel crash in SCTP protocol handler.

Due to a bug in the SCTP protocol handler, packets containing duplicate
cookie chunks will lead to inconsistent data structures. A remote
attacker could use this to crash the kernel.


* Use-after-free in virtio net host kernel accelerator.

A user-controlled variable was being used without sanitation. A
malicious guest VM could use this to cause a use-after-free and
subsequent kernel crash.


* Use-after-free in TCP fragmentation handling.

Under certain circumstances, MTU reduction on listening TCP sockets
may lead to prematurely freeing the socket. An attacker could use
this to crash the kernel.


* Locking imbalance in POSIX message queues.

When remounting an mqueue filesystem, an incorrect assumption about
the writability of the filesystem could lead to a locking imbalance
and a subsequent kernel hang.


* Use after free in generic journaling layer (JBD2).

Incorrect reference counting can lead to a use-after-free in the JBD2
subsystem. A malicious user could potentially use the flaw to crash the
kernel.


* Kernel hang when unmounting ext4 filesystems mounted in 'journal' mode.

Under certain circumstances, mounting and unmounting an ext4 filesystem
quickly can lead to a kernel hang. A local user with sufficient
privileges could use this to carry out a denial-of-service attack.


* NULL pointer dereference when closing Bluetooth SCO sockets.

Sockets which are in the middle of a connection process and were being
closed wouldn't stop the connection process properly, and would trigger
a NULL pointer dereference.


* Use after free due to directory read race in sysfs.

A race between reading and seeking a directory may occur due
to missing locking when executing the seek.


* Use after free on sysfs failure on readdir.

Errors in readdir weren't handled properly and internal structures were
released without being cleared, trigerring a use after free when they
were later used again.


* CVE-2013-1929: Buffer overflow in TG3 VPD firmware parsing.

Incorrect length checks when parsing the firmware could cause a buffer
overflow and corruption of memory.


* Buffer overflow when removing a PNFS device.

The buffer allocated for the removal command was too small, writing
too much data into it would have caused a buffer overflow.


* Missing security check when spoofing PIDs in user namespace.

Spoofing PIDs inside a user namespace without a PID namespace didn't
require admin priviliges.


* Privilege escalation in creation of user namespaces in a chroot.

Creating a user namespace inside a chroot may change the way permissions
apply on files under the root of the filesystem.


* Use after free in loop device destruction.

A loop device may still be used after it was freed due to wrong
reference counting.


* Use after free in 802.1Q vlan tag deletion.

A vlan data structure may be used even after it was released due to
wrong release order.


* NULL pointer dereference in UNIX socket security management.

An incorrect ordering between marking a UNIX socket as dead and
releasing it can cause a NULL pointer dereference when the security
subsystem tries to verify permissions on that socket.


* Buffer overflow in AoE block driver SKB allocation.

The SKB size allocated for usage in the AoE driver was too small and
may cause buffer overflow.


* NULL pointer dereference in CPSW ethernet driver error check.

An incorrect check may cause NULL pointer dereference as it won't
evaluate as expected.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process
to leak information about the memory layout of parent processes.


* Leak in Reiser filesystem inode allocation.

The Reiser filesystem does not correctly handle deleting extended
attributes of files which contain '.' or '..' leading to inodes to be
leaked on the underlying device.


* Kernel panic in Nouveau graphics driver.

The Nouveau graphics driver does not correctly handle IOCTLs which
contain zero channels leading to dereferencing an invalid pointer and
kernel panic.


* NULL pointer dereference in DRM graphics framework.

A NULL pointer dereference and kernel panic can be triggered when
failing to open DRM procfs files.


* Race condition in virtual memory subsystem.

It is possible to trigger a race condition between two processes with a
shared memory space that triggers a kernel panic (BUG_ON).


* Buffer overflow in Marvell wireless driver.

A buffer overflow can be triggered in the Marvell WiFi-Ex driver by a
large number of channels when scanning wireless networks.


* Use-after-free when cloning SunRPC client.

A reference counting error in the SunRPC client can cause a
use-after-free condition and kernel panic when cloning an existing client.


* Memory leak in multi-homed NFSv4 client.

A kernel memory leak can be triggered in the NFSv4 client when
communicating with a multi-homed NFSv4 server.


* Use-after-free in multi-homed NFSv4 client.

A use-after-free condition and kernel panic can be triggered in the
NFSv4 client when communicating with a multi-homed NFSv4 server.


* Invalid free in CAN networking.

The Controller Area Networking subsystem incorrectly frees scheduled
jobs leading to a kernel panic.


* Memory corruption in receiving IPC messages.

The local IPC mechanism in the kernel incorrectly frees an invalid
pointer when failing to receive a message leading to memory corruption
and a kernel panic.


* Kernel panic in GFS2 file locking.

Attempting to lock a remote file on a GFS2 cluster that has been
withdrawn can trigger an assertion failure and kernel panic.


* NULL pointer dereference in GFS2 resource group.

The GFS2 filesystem does not correctly handle failing to allocate a new
resource group leading to a NULL pointer dereference and kernel panic.


* Use-after-free in kernel module loading.

A race condition in the kobject subsystem can cause a use-after-free
condition and kernel panic when loading kernel modules.


* Deadlock in TTY workqueue flushing.

Invalid locking in the TTY subsystem can lead to a deadlock and kernel
panic when flushing the TTY workqueue.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.