[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1899-1)

Sonja Tideman sonja.tideman at oracle.com
Sat Jul 6 12:40:19 PDT 2013


Synopsis: USN-1899-1 can now be patched using Ksplice
CVEs: CVE-2012-3552 CVE-2012-4461 CVE-2012-4508 CVE-2013-1773 
CVE-2013-1826 CVE-2013-2852

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1899-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak in tkill() and tgkill() system calls.

Due to a lack of proper initialisation, the tkill() and tgkill() system
calls may leak data from the kernel stack to an unprivileged local user.
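The bug class behind this entry is a partially initialised stack structure that is copied wholesale to userspace, so the bytes the code never wrote (padding, unused fields) carry whatever the kernel stack held before. The following is an added example written for this page, not code from the Linux kernel or from Ksplice; the struct name sig_record, the field layout and the fill_record_* helpers are hypothetical stand-ins chosen so that the layout has padding between two fields, and the "dirty stack" is simulated by pre-filling the record with a marker byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel-side record (stand-in for a real siginfo-style
 * layout). The char field is followed by alignment padding before the
 * long, and that padding is what leaks. */
struct sig_record {
    int  signo;
    char code;
    long data;
};

/* Number of padding bytes in the struct on the current ABI. */
#define PAD_BYTES (sizeof(struct sig_record) - sizeof(int) - sizeof(char) - sizeof(long))

/* Buggy filler: only the named fields are assigned; the padding keeps
 * whatever the stack held. In the kernel the whole struct is then
 * copied to userspace, so those bytes are a kernel-stack disclosure. */
void fill_record_vuln(struct sig_record *r, int signo, char code, long data)
{
    r->signo = signo;
    r->code  = code;
    r->data  = data;
}

/* Fixed filler: clear every byte (padding included) before assigning.
 * A designated initialiser "= { 0 }" is not enough here, because the C
 * standard does not require it to zero padding. */
void fill_record_fixed(struct sig_record *r, int signo, char code, long data)
{
    memset(r, 0, sizeof *r);
    r->signo = signo;
    r->code  = code;
    r->data  = data;
}

/* Simulate a dirty stack: pre-fill the record with a marker byte, run
 * the filler, then count how many marker bytes survive into what would
 * be copied to userspace. Returns the number of leaked bytes. The
 * values written (11, 1, 0x1122) contain no 0xAA byte, so a surviving
 * 0xAA can only be stale stack content. */
size_t leaked_bytes(void (*fill)(struct sig_record *, int, char, long))
{
    struct sig_record r;
    const unsigned char *p = (const unsigned char *)&r;
    size_t i, leaked = 0;

    memset(&r, 0xAA, sizeof r);     /* stand-in for stale stack data */
    fill(&r, 11, 1, 0x1122);
    for (i = 0; i < sizeof r; i++)
        if (p[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("buggy filler leaks %zu byte(s), fixed filler leaks %zu\n",
           leaked_bytes(fill_record_vuln), leaked_bytes(fill_record_fixed));
    return 0;
}
```

The same check is worth running against any structure a driver or syscall hands to copy_to_user(): fill the object with a marker, call the code that populates it, and look for marker bytes in the result.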


* CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless 
driver.

Format string vulnerability in the b43_request_firmware function
in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4
allows local users to gain privileges by leveraging root access and
including format string specifiers in an fwpostfix modprobe parameter,
leading to improper construction of an error message.
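The pattern described above, a message that is correctly built with "%s" and then handed to a printk-style logger as its format string, is shown below as an added example; it is not the b43 driver's code and not part of the Ksplice advisory. The logger name b43_log, the report_missing_* helpers and the message text are hypothetical. The logger deliberately carries no printf format attribute, because that is the situation in which the compiler stays silent at the unsafe call site. The third function, count_conversions(), is the check a reviewer would run over a module parameter that ends up in log output.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printk-style logger. It has no format attribute, so the
 * compiler will not flag the unsafe call below. Output is captured in
 * g_log instead of printed so the result can be inspected. */
static char g_log[256];

static void b43_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_log, sizeof g_log, fmt, ap);
    va_end(ap);
}

const char *last_log(void)
{
    return g_log;
}

/* Vulnerable pattern: the message is built safely with "%s", but the
 * finished buffer, which now contains whatever fwpostfix held, is then
 * passed to the logger AS THE FORMAT STRING. A postfix containing "%n"
 * or "%x" would be interpreted rather than printed. Only call this with
 * input that is known to contain no '%'. */
void report_missing_vuln(const char *fwpostfix)
{
    char errmsg[128];
    snprintf(errmsg, sizeof errmsg,
             "Firmware file \"%s\" not found", fwpostfix);
    b43_log(errmsg);               /* BUG: data used as a format string */
}

/* Hardened pattern: the buffer is only ever a "%s" argument, so any
 * conversion specifiers in it are printed literally. */
void report_missing_fixed(const char *fwpostfix)
{
    char errmsg[128];
    snprintf(errmsg, sizeof errmsg,
             "Firmware file \"%s\" not found", fwpostfix);
    b43_log("%s", errmsg);         /* data stays data */
}

/* Reviewer's check: count '%' characters that would start a conversion.
 * "%%" is a literal percent sign and is skipped; a lone trailing '%' is
 * counted, since vsnprintf would try to interpret it. A non-zero result
 * for a string that came from a module parameter is a red flag. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {         /* escaped percent, not a conversion */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    report_missing_fixed("-evil%x%n");
    printf("%s\n", last_log());
    printf("conversions in parameter: %d\n", count_conversions("-evil%x%n"));
    return 0;
}
```

Note that the root requirement in the CVE text ("leveraging root access") is why this was rated as it was: the parameter is set by whoever loads the module. The coding pattern itself is the same one that is exploitable without privilege when the string comes from an unprivileged source.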


* Denial-of-service in nanosleep implementation.

Timers were not correctly cleaned up when clock_nanosleep() was called
using CPU_TIMER, leaking a reference count on the calling task.  An
unprivileged, local user could use this to trigger a denial-of-service
attack.


* Kernel panic in coredumping.

An unprivileged user can cause a double-free when constructing a
coredump under low-memory conditions.


* Memory corruption in general purpose allocator.

The kernel does not allocate the correct amount of metadata for the
general purpose allocator, leading to memory corruption under certain
workloads.


* Fix stack overflow in kernel resource allocation.

Recursive calls in kernel/resource.c could lead to a stack overflow when
reserving regions.


* Invalid memory access in cgroup file system.

If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.


* Kernel hang in device probing.

The kernel can hang when probing devices in parallel on a single
CPU machine.


* Deadlock in page unmapping.

Invalid locking in the memory management subsystem can cause a deadlock
and kernel hang when unmapping pages from a process' address space.


* NULL pointer dereference in ALSA sequencer timer.

The ALSA driver does not correctly handle a failure to initialise a
sequencer timer object, leading to a NULL pointer dereference.


* NULL pointer dereference in AC97 sound driver.

A NULL pointer dereference and kernel panic can be triggered when
initialising an AC97 device under low-memory conditions.


* CVE-2012-4461: Kernel panic in KVM XSAVE support.

On machines without XSAVE instruction support a malicious guest can cause
a host kernel panic via the SET_SREGS ioctl.


* Kernel panic in s626 Comedi driver.

A local user can leak kernel memory or cause a kernel panic by passing
an invalid pointer to an ioctl.


* Memory corruption in Comedi data acquisition driver.

A local user can corrupt kernel memory by passing an invalid pointer to
an ioctl, causing a kernel panic and potentially allowing privilege
escalation.


* NULL pointer dereference in comedi subdevice character device.

Missing NULL pointer checks could result in a kernel crash when
accessing sub-devices that don't support asynchronous operations.


* Unnecessary warning about partition ioctl.

The kernel no longer logs a warning about partition ioctls issued by a
user who holds raw I/O capabilities.


* Kernel panic in Broadcom 5709 driver.

A kernel panic can be triggered when a Broadcom 5709 device is under
heavy load.


* Data corruption and kernel panics caused by cryptd.

A race condition in the cryptd subsystem could lead to data corruption
or kernel panics.


* Kernel panic in Broadcom 43xx wireless driver.

A kernel panic can be triggered when unloading the legacy
Broadcom wireless driver when no firmware is present.


* Use-after-free in IP over Infiniband.

A use-after-free condition can be triggered when processing multicast IP
packets over an Infiniband device.


* Buffer overflow in QuickNet Internet LineJack input handling.

The QuickNet Internet LineJack driver did not properly validate input from
userspace, making it possible to pass it strings that are not properly
NUL-terminated, leading to a buffer overflow.


* Information leak in Bluetooth socket options.

The HCI_FILTER socket option allows malicious users to disclose
the contents of kernel memory.


* Race condition in epoll subsystem.

A race condition in the epoll subsystem can lead to missing epoll events
when sending a EPOLL_CTL_MOD command.


* Denial-of-service in /proc/fs/fscache/stats.

A memory leak in /proc/fs/fscache/stats could allow an unprivileged user
to leak memory and cause a denial-of-service.


* Memory leak in ext4 extended attributes.

The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.


* Incorrect extended attribute handling with device nodes on ext4.

ext4 device nodes were incorrectly initialised with extended attribute
operations, which could result in incorrect access control lists.


* Data loss/corruption in ext4 filesystem after crash.

fdatasync() did not flush inode metadata when called on a file where only
the file's size had changed. This could lead to data loss or corruption
in applications following a system crash.


* Race condition in ext4 block preallocation.

Incorrect locking in ext4 block preallocation could lead to memory
corruption and undefined behaviour.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.


* Denial-of-service in no-journal mode ext4 filesystems.

A user with physical access to a machine could use a carefully
constructed filesystem to hang the system.


* Denial-of-service in udf writes.

A memory leak that occurs while allocating blocks during udf
writes could lead to a denial-of-service.


* Memory leak in CIFS referral mount handling.

Allocated memory was not correctly freed in the CIFS referral mount
error handling path leading to a potential denial-of-service.


* Buffer overflow in HFS+ filesystem.

An implicit truncation of an inode's size could lead to a buffer overflow
that is exploitable by local users with write access to an HFS+ filesystem.


* SUNRPC kernel panic during NFSv4 mounting.

Incorrect directory cache handling could result in hitting a kernel
BUG_ON() and crashing the system when mounting an NFSv4 filesystem.


* Kernel panic in packet ring-buffer.

An invalid assumption between the kernel and a userspace process can lead
to a kernel panic when destroying packets in a ring-buffer.


* Kernel panic in packet scheduler.

A missing bounds check in the network packet scheduler can lead to
a kernel panic.


* Kernel crash with keepalive on raw TCP sockets.

It is possible to use raw sockets to crash the kernel in
tcp_set_keepalive() / sk_reset_timer() when attempting to set TCP
keepalive on a raw socket.


* CVE-2012-3552: Denial-of-service in IP options handling.

Missing locking around IP options for a socket could allow an attacker
to trigger a use-after-free condition resulting in a kernel crash.
Under certain conditions this could be exploitable by a remote user.


* NULL pointer dereference in UNIX socket security management.

An incorrect ordering between marking a UNIX socket as dead and releasing
it can cause a NULL pointer dereference when the security subsystem tries
to verify permissions on that socket.


* Denial-of-service in SCTP message sending.

The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer.  This could allow an unprivileged user
to cause a denial-of-service.


* SCTP key leak in shared secret key setup.

The SCTP association key setup did not securely free the key memory,
which could leak the key to an attacker.


* Information leak in SCTP keys.

SCTP keys were not zeroed before being freed, which could allow the
keying material to be leaked.
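Both SCTP entries above come down to the same omission: secret material is handed back to the allocator with its contents intact, where the next user of that memory can read it. The following is an added example for this page, not SCTP or Ksplice code; the assoc_key type and the key_* helpers are hypothetical. It shows the caveat a practitioner needs to know when adding the wipe: a plain memset() immediately before free() is a dead store that the optimiser is allowed to delete, so the zeroing is routed through a volatile function pointer that the compiler cannot see through (explicit_bzero() or memset_s() serve the same purpose where available; the kernel uses kzfree()/memzero_explicit() for this). The wipe is a separate step from the free so it can be verified without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset through a volatile pointer keeps the store observable,
 * so the optimiser cannot drop it as "dead" just because the buffer is
 * freed straight afterwards. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_v(p, 0, n);
}

/* Hypothetical stand-in for an SCTP association shared key. */
struct assoc_key {
    unsigned char *data;
    size_t len;
};

struct assoc_key *key_new(const unsigned char *material, size_t len)
{
    struct assoc_key *k = malloc(sizeof *k);
    if (!k)
        return NULL;
    k->data = malloc(len);
    if (!k->data) {
        free(k);
        return NULL;
    }
    memcpy(k->data, material, len);
    k->len = len;
    return k;
}

/* Check helper: how many bytes of the buffer are still non-zero. */
size_t nonzero_bytes(const unsigned char *p, size_t n)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++)
        if (p[i])
            count++;
    return count;
}

/* Buggy release: the key material is still in the heap block when it is
 * returned to the allocator and may be handed to the next caller. */
void key_free_vuln(struct assoc_key *k)
{
    free(k->data);
    free(k);
}

/* Fixed release, in two steps so the wipe can be checked before the
 * memory goes back to the allocator. */
void key_wipe(struct assoc_key *k)
{
    secure_zero(k->data, k->len);
}

void key_free_fixed(struct assoc_key *k)
{
    key_wipe(k);
    free(k->data);
    secure_zero(k, sizeof *k);      /* also clear the pointer and length */
    free(k);
}

int main(void)
{
    /* Constructed sample key material. */
    const unsigned char material[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    struct assoc_key *k = key_new(material, sizeof material);
    if (!k)
        return 1;
    printf("non-zero bytes before wipe: %zu\n", nonzero_bytes(k->data, k->len));
    key_wipe(k);
    printf("non-zero bytes after wipe:  %zu\n", nonzero_bytes(k->data, k->len));
    key_free_fixed(k);
    return 0;
}
```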


* Crash on malformed IPv4 packets in netfilter connection tracking.

The header lengths of IPv4 packets were not validated before the packet
was passed on to TCP options parsing, resulting in an assertion failure
(BUG_ON) in the TCP options parsing code.


* Stack overflow in ISDN loop device initialisation.

Incorrect string handling could result in a kernel stack overflow and
kernel crash when reporting the driver revision.


* Improved fix to CVE-2013-1773.

The original Ubuntu fix for CVE-2013-1773 did not include all upstream
patches resulting in incorrect behaviour of pathconf() + statfs() on a
VFAT filesystem.


* Improved fix to CVE-2013-1826.

The original Ubuntu fix for CVE-2013-1826 did not include all upstream
fixes resulting in a kernel stack information leak.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



