[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1824-1)

Eduardo Silva eduardo.silva at oracle.com
Thu May 16 11:17:33 PDT 2013


Synopsis: USN-1824-1 can now be patched using Ksplice
CVEs: CVE-2012-6549 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928 CVE-2013-2634

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1824-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.

The compat control device call for VIDEO_SET_SPU_PALETTE was missing an
error check while converting the input arguments.  This could lead to
leaking kernel stack contents into userspace.


* CVE-2013-2634: Kernel leak in the data center bridging (dcb) component.

The dcb netlink interface leaks stack memory in various places.


* CVE-2012-6549: Information leak in isofs export.

The isofs_export_encode_fh function does not initialize a certain
structure member, which allows local users to obtain sensitive
information from kernel heap memory via a crafted application.


* CVE-2013-1826: Invalid return on xfrm_user could lead to privilege escalation.

An invalid return type from XFRM (user) could allow user code to be
executed in kernel context (privilege escalation).


* CVE-2013-1860: Buffer overflow in Wireless Device Management driver.

A malicious USB device can cause a buffer overflow and gain kernel code
execution by sending malformed Wireless Device Management packets.
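
The bug class described for CVE-2012-6549 (a structure member left
uninitialized before the structure is handed back) can be shown in
userspace. This is an added example, not kernel code and not part of the
original notice; the struct layout, function names and the 0xA5 marker
are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handle layout (12 bytes, no padding); not the kernel's struct. */
struct fh {
    uint32_t block;
    uint16_t offset;
    uint16_t unused;      /* the member the vulnerable encoder never sets */
    uint32_t generation;
};

typedef void (*encode_fn)(struct fh *, uint32_t, uint16_t, uint32_t);

/* Vulnerable pattern: fills the buffer field by field and skips one member,
 * so whatever the memory held before is returned to the caller. */
void encode_fh_vulnerable(struct fh *out, uint32_t block, uint16_t off, uint32_t gen)
{
    out->block = block;
    out->offset = off;
    out->generation = gen;
}

/* Hardened pattern: clear the whole object first, then fill it. */
void encode_fh_fixed(struct fh *out, uint32_t block, uint16_t off, uint32_t gen)
{
    memset(out, 0, sizeof(*out));
    encode_fh_vulnerable(out, block, off, gen);
}

/* Pre-fills the handle with a marker standing in for recycled heap contents,
 * runs the encoder, and counts marker bytes still visible in the result. */
size_t stale_bytes(encode_fn encode)
{
    struct fh h;
    unsigned char raw[sizeof(h)];
    size_t i, n = 0;

    memset(&h, 0xA5, sizeof(h));                    /* constructed old contents */
    encode(&h, 0x11111111u, 0x2222, 0x33333333u);   /* constructed field values */
    memcpy(raw, &h, sizeof(h));
    for (i = 0; i < sizeof(raw); i++)
        n += (raw[i] == 0xA5);
    return n;
}

int main(void)
{
    printf("vulnerable: %zu stale bytes\n", stale_bytes(encode_fh_vulnerable));
    printf("fixed:      %zu stale bytes\n", stale_bytes(encode_fh_fixed));
    return 0;
}
```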

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



