[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1648-1)

Jamie Iles jamie.iles at oracle.com
Sat Dec 1 05:00:39 PST 2012


Synopsis: USN-1648-1 can now be patched using Ksplice
CVEs: CVE-2012-0957 CVE-2012-4565

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1648-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Crash in NAT handling of Real-time Transport Protocol (RTP) packets.

If an RTP packet arrives while the NAT connection tracking data structures
are locked, the kernel may crash while attempting to register the same
expectation callback twice on the same list.


* Userspace memory corruption and information leak in FireWire core.

The kernel writes too much data to the buffer supplied by the userspace
process calling ioctl() on a FireWire character device. In addition, the
extra data represents an information leak of kernel data.


* Crash on malformed IPv4 packets in netfilter connection tracking.

The header lengths of IPv4 packets were not validated before the packet
was passed on to TCP options parsing, resulting in an assertion failure
(BUG_ON) in the TCP options parsing code.


* NULL pointer dereference in NAT handling for bridging/IP Virtual Servers.

Incoming frames on bridge devices can cause a NULL pointer dereference when
IPVS incorrectly causes a NAT reply to reset the frame's bridge pointer to
NULL.


* Data loss/corruption in ext4 filesystem after crash.

The fdatasync() system call did not flush inode metadata when it was used
on a file where only the file's size had changed. This could lead to data
loss or corruption in applications following a system crash.
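As an added illustration (my code, not the advisory's or the kernel's), the helper below shows the workaround an application would use on a host not yet patched: append a record, then commit it with fsync() instead of fdatasync(), since fsync() always writes the inode and so the new file size. The record text is a constructed sample; the fstat() check only confirms the append completed, as durability itself can only be observed across a crash or power loss.

```c
/* Added example, not part of the Ksplice advisory or kernel source.
 * durable_append() writes a buffer at the end of fd and then commits it.
 * On kernels affected by the ext4 bug described above, fdatasync() could
 * skip the inode update when only the size changed, so an append that grew
 * the file was not durable; force_fsync=true selects fsync() instead. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write all of buf, retrying short writes, then commit. Returns 0 or -errno. */
static int durable_append(int fd, const void *buf, size_t len, bool force_fsync)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        p += n;
        len -= (size_t)n;
    }
    /* fsync() commits data and all metadata (including size); fdatasync()
     * is the cheaper call that the affected kernels got wrong for
     * size-only changes. */
    if ((force_fsync ? fsync(fd) : fdatasync(fd)) != 0)
        return -errno;
    return 0;
}

/* Self-check on a fresh, unlinked temp file: append a constructed record
 * twice and return the resulting size, or -1 on any failure. */
static long append_and_verify(bool force_fsync)
{
    static const char record[] = "record-0001\n";   /* constructed sample */
    char path[] = "/tmp/durable_append_XXXXXX";      /* assumed writable */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);   /* keep the open descriptor, drop the name */
    if (durable_append(fd, record, sizeof record - 1, force_fsync) != 0 ||
        durable_append(fd, record, sizeof record - 1, force_fsync) != 0 ||
        fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (long)st.st_size;
}

int main(void)
{
    long a = append_and_verify(false);
    long b = append_and_verify(true);
    printf("fdatasync path: %ld bytes, fsync path: %ld bytes\n", a, b);
    return (a == 24 && b == 24) ? 0 : 1;
}
```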


* Kernel panic in lockd server.

The kernel lockd server does not correctly handle stale file handles
leading to a kernel panic. A remote attacker could potentially use this
flaw to cause a remote denial of service.


* Divide-by-zero in library code.

Calling gcd(a, b) with either a = 0 or b = 0 would lead to a division-by-zero
and subsequent kernel crash.
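As an added userspace model (my code, not the kernel's lib/gcd.c), the two routines below show the bug pattern: the Euclid loop divides by the smaller operand without first checking it for zero, and the hardened form adds the early return for a zero operand. The function names are mine; in userspace the bad case raises SIGFPE instead of a kernel oops, so it is not exercised in main().

```c
/* Added example, not the kernel's own gcd() implementation. */
#include <stdio.h>

/* Pre-fix shape: after the swap, b is the smaller operand and the first
 * a % b is evaluated unconditionally. With b == 0 this divides by zero
 * (kernel crash in-kernel, SIGFPE here). Callers must guarantee b != 0. */
static unsigned long gcd_vulnerable(unsigned long a, unsigned long b)
{
    unsigned long r;
    if (a < b) { unsigned long t = a; a = b; b = t; }
    while ((r = a % b) != 0) {
        a = b;
        b = r;
    }
    return b;
}

/* Hardened form: gcd(a, 0) == a by definition, so return before dividing.
 * gcd(0, 0) yields 0 rather than trapping. */
static unsigned long gcd_fixed(unsigned long a, unsigned long b)
{
    unsigned long r;
    if (a < b) { unsigned long t = a; a = b; b = t; }
    if (b == 0)
        return a;
    while ((r = a % b) != 0) {
        a = b;
        b = r;
    }
    return b;
}

int main(void)
{
    printf("gcd_vulnerable(1071, 462) = %lu\n", gcd_vulnerable(1071, 462));
    printf("gcd_fixed(1071, 462)      = %lu\n", gcd_fixed(1071, 462));
    printf("gcd_fixed(0, 7)           = %lu\n", gcd_fixed(0, 7));
    printf("gcd_fixed(7, 0)           = %lu\n", gcd_fixed(7, 0));
    /* gcd_vulnerable(7, 0) is deliberately not called: it would trap. */
    return 0;
}
```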


* Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.

An invalid assumption in the IP stack can lead to a kernel panic when
failing to send an IPv4 ARP or IPv6 Neighbor Discovery packet.


* Kernel panic when sending RDS ping responses.

Incorrect locking in the RDS implementation can cause a kernel panic
when responding to RDS ping packets. A remote attacker could potentially
use this flaw to cause a remote denial of service.


* Denial of service with net sched cbq configuration.

It is possible to set up a net scheduler class based queuing (CBQ)
configuration that leads to an infinite loop in cbq_classify().


* CVE-2012-0957: Information leak in uname syscall.

A process running under a UNAME26 personality can disclose the contents
of kernel memory via the uname syscall.
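An added probe (my code, not the advisory's) that a practitioner can run to confirm a host is no longer affected: the leak copied an uninitialised 65-byte kernel stack buffer into the caller's utsname release field when the UNAME26 personality was set, so pre-filling the field with a sentinel and looking for bytes after the terminator that are neither NUL nor the sentinel distinguishes a fixed kernel (copy stops at the terminator) from a vulnerable one. It assumes glibc's <sys/personality.h> (UNAME26 is 0x0020000 in linux/personality.h); the sentinel value, function names and the constructed sample field are mine. Uninitialised stack bytes can happen to be zero, so a count of 0 on a single run is evidence rather than proof.

```c
/* Added check, not part of the Ksplice advisory or the kernel fix. */
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>
#include <sys/utsname.h>

#ifndef UNAME26
#define UNAME26 0x0020000   /* value from linux/personality.h */
#endif

#define SENTINEL 0xA5       /* pre-fill byte, chosen to be unlikely in text */

/* Count bytes after the first NUL that are neither NUL nor SENTINEL.
 * A fixed kernel stops copying just past the terminator, leaving the
 * rest of the field untouched; anything else there came from the kernel. */
static size_t count_suspect_bytes(const unsigned char *field, size_t len)
{
    size_t i = 0, n = 0;
    while (i < len && field[i] != '\0')
        i++;
    if (i == len)   /* no terminator at all: treat the whole field as suspect */
        return len;
    for (i++; i < len; i++)
        if (field[i] != '\0' && field[i] != SENTINEL)
            n++;
    return n;
}

/* Offline exercise of the scanner on a constructed 65-byte field:
 * release string + NUL, remainder SENTINEL, then fake_leaked bytes of
 * non-NUL "leaked" filler written after the terminator. */
static size_t scan_constructed(const char *release, size_t fake_leaked)
{
    unsigned char field[65];
    size_t used = strlen(release) + 1, i;
    memset(field, SENTINEL, sizeof field);
    memcpy(field, release, used);
    for (i = 0; i < fake_leaked && used + i < sizeof field; i++)
        field[used + i] = (unsigned char)(0x41 + i);
    return count_suspect_bytes(field, sizeof field);
}

/* Live probe: switch to UNAME26, call uname(), restore the persona, and
 * report suspect bytes in the release field. Returns 0, or -1 on error. */
static int probe_uname26(size_t *suspect)
{
    struct utsname u;
    int saved = personality(0xffffffff);   /* query without changing */
    if (saved == -1)
        return -1;
    memset(&u, SENTINEL, sizeof u);
    if (personality((unsigned long)saved | UNAME26) == -1)
        return -1;
    int rc = uname(&u);
    personality((unsigned long)saved);
    if (rc != 0)
        return -1;
    *suspect = count_suspect_bytes((const unsigned char *)u.release,
                                   sizeof u.release);
    return 0;
}

int main(void)
{
    size_t n;
    if (probe_uname26(&n) != 0) {
        perror("probe_uname26");
        return 2;
    }
    printf("UNAME26 uname(): %zu unexpected byte(s) after the release string\n", n);
    return n == 0 ? 0 : 1;
}
```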


* Kernel crash in packet scheduler.

Invalid start times can be assigned to a class in the Quick Fair Queue
(QFQ) scheduler.  This can lead to data structure corruption which may
result in a crash.


* Deadlock in page unmapping.

Invalid locking in the memory management subsystem can cause a deadlock
and kernel hang when unmapping pages from a process's address space.


* Memory corruption in SUNRPC procfs.

A stack buffer overflow can be triggered by reading the contents of the
"flush" procfs file, leading to a kernel panic.


* NULL pointer dereferences in xfrm code.

An unexpected NULL return value in two functions in the xfrm code could
cause a NULL pointer dereference. This could lead to privilege
escalation if an attacker has CAP_NET_ADMIN and is able to map
address 0.


* Denial of service in TCP IOAT DMA.

When the receive wait queue is zero and the sk_async_wait_queue is
non-empty, a recv() syscall can cause sk_wait_data() to block
forever.


* Guest crash when attaching a netxen NIC to a VM.

If the root bus is null when attaching a netxen NIC to a VM
the guest will crash due to a NULL pointer dereference.


* Memory corruption in general purpose allocator.

The kernel does not allocate the correct amount of metadata for the
general purpose allocator, leading to memory corruption under certain
workloads.


* Kernel crash with keepalive on raw TCP sockets.

It is possible to use RAW sockets to trigger a crash in
tcp_set_keepalive() / sk_reset_timer() when attempting to set TCP
keepalive on a RAW socket.


* Memory corruption in Amplicon PC36AT/PCI236 Comedi drivers.

If the kernel fails to attach a PC236 device, it could make writes to
unmapped memory addresses and potentially crash the machine.


* CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.

The TCP Illinois congestion control algorithm does not correctly handle a
zero number of RTTs when reading TCP stats, leading to a divide-by-zero
and kernel panic. A remote attacker could potentially use this flaw to
cause a remote denial of service.


* NULL pointer dereference in AC97 sound driver.

A NULL pointer dereference and kernel panic can be triggered when
initialising an AC97 device under low-memory conditions.


* Information leak in ioctl on x86_64.

If a 32-bit process passes an invalid pointer to the VIDEO_SET_SPU_PALETTE
ioctl() on a 64-bit kernel, the kernel may leak parts of the kernel stack
into the userspace process.


* Kernel information leaks in network transformation subsystem.

This fixes several cases where xfrm_user code could leak kernel
memory to user space.


* Use-after-free when unloading Radeon graphics driver.

A use-after-free condition can be triggered when unloading the
Radeon graphics driver.


* Out-of-bounds accesses in filesystem export handles.

Incorrect checking of file handle lengths when exporting a filesystem
over NFS could result in an out-of-bounds access and kernel crash.


* Use-after-free in Realtek 8169 driver unload.

Failure to unregister the kernel's network interrupt coalescing
structures on device removal could result in a use-after-free and kernel
crash on module removal.


* Kernel hang in PPP over Ethernet on virtual device removal.

Removing a virtual Ethernet device while a zombie PPPoE instance is
still running can cause a kernel hang as a result of invalid reference
counting.


* Memory corruption in 802.1q VLAN untagging.

Use of a stale pointer could result in memory corruption and a kernel
crash when performing VLAN untagging.


* Kernel crash in IT8712/IT8512 infrared remote driver.

A race condition in device creation could result in using memory before
initialisation causing a kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
