[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1554-1)

Samson Yeung samson.yeung at oracle.com
Wed Sep 5 15:18:42 PDT 2012


Synopsis: USN-1554-1 can now be patched using Ksplice
CVEs: CVE-2012-2372

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1554-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* Log corruption in UBIFS.

When fixing up the UBIFS log, it could corrupt the log which may prevent
later mounts of the UBIFS filesystem.


* Memory corruption in device mapper RAID1 mirror recovery and discard.

A race condition in mirror recovery and discard could result in the
corruption of linked lists resulting in undefined behaviour.


* NULL pointer dereference on remote control device removal.

Under certain circumstances, removing a USB remote control can cause
the lirc daemon to dereference a NULL pointer, leading to a kernel oops.


* Use-after-free in SCSI request handling.

A use-after-free may occur if a SCSI request has no more references,
but is still rescheduled for completion.


* Information leak via incomplete copies in USB.

Copies of non-contiguous isochronous buffers in the USB subsystem may
leak kernel memory to a potential attacker.


* Out-of-bounds values allowed by fcntl_setlease.

A missing bounds check in fcntl_setlease may allow out-of-bounds values
due to an incorrect cast from a long to an integer.


* Denial-of-service in rpciod.

rpciod could deadlock when trying to allocate memory for a new socket
resulting in a system hang and denial-of-service.


* Data loss in ext4 filesystems.

An integer underflow in metadata block management could result in
allocation failure and data loss.


* NULL pointer dereference in SFB packet scheduling.

A missing NULL pointer check in options parsing could result in a
NULL pointer dereference and system crash.


* Use-after-free in sctp.

In some circumstances, an SCTP association could be used after it was
freed, leading to memory corruption and possibly a kernel oops.


* Use-after-free in CAIF module unloading.

Incorrect ordering of freeing internal data structures may cause a
use-after-free when removing the CAIF module.


* NULL pointer dereference in CIPSO socket options.

Adding a CIPSO option to a socket could result in a NULL pointer
dereference and kernel crash under specific conditions.


* NULL pointer dereference in caif tty driver.

A missing NULL pointer check could result in a kernel crash when opening
the tty device.


* Kernel stack information leak in tun ioctls.

Incorrect initialisation of ioctl structures could result in leaking
stack bytes to a userspace process.
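The bug class behind this item (an ioctl reply structure placed on the kernel stack, only partly filled in, then copied wholesale to userspace) is easy to reproduce in userland. The following is an added illustration, not code from the Ksplice update or from the tun driver: the structure layout is hypothetical, and copy_to_user_sim() is a plain memcpy standing in for copy_to_user(). Compiler padding between the u8 and u32 fields, plus the never-written `reserved` field, is exactly where stale stack bytes end up in the leaky variant; the hardened variant zeroes the whole object first, and the checker counts bytes that reach the "user buffer" without ever being intentionally written.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl reply layout, constructed for this example only.
 * The uint8_t followed by a uint32_t leaves 3 bytes of padding that no
 * field assignment ever touches, and `reserved` is never written at all. */
struct demo_ioctl_reply {
    uint8_t  flags;
    /* 3 bytes of compiler-inserted padding here */
    uint32_t mtu;
    uint64_t reserved;
};

#define REPLY_SIZE sizeof(struct demo_ioctl_reply)

/* Stand-in for copy_to_user(): the "user buffer" is just a byte array. */
static void copy_to_user_sim(uint8_t *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Leaky pattern: partial field initialisation, then the whole struct is
 * copied out. Padding and `reserved` carry whatever the stack held before. */
void reply_leaky(uint8_t *user_buf)
{
    struct demo_ioctl_reply r;
    r.flags = 1;
    r.mtu = 1500;
    copy_to_user_sim(user_buf, &r, REPLY_SIZE);
}

/* Hardened pattern: clear the entire object (including padding) before
 * filling in the fields that the reply is meant to carry. */
void reply_hardened(uint8_t *user_buf)
{
    struct demo_ioctl_reply r;
    memset(&r, 0, sizeof(r));
    r.flags = 1;
    r.mtu = 1500;
    copy_to_user_sim(user_buf, &r, REPLY_SIZE);
}

/* Reviewer-side check: count bytes in the copied-out buffer that are not
 * part of an intentionally written field (flags, mtu) and are non-zero.
 * Every such byte is kernel data that should never have left the kernel. */
int count_unintended_nonzero(const uint8_t *buf)
{
    int n = 0;
    size_t mtu_off = offsetof(struct demo_ioctl_reply, mtu);
    for (size_t i = 0; i < REPLY_SIZE; i++) {
        int in_flags = (i == offsetof(struct demo_ioctl_reply, flags));
        int in_mtu = (i >= mtu_off && i < mtu_off + sizeof(uint32_t));
        if (!in_flags && !in_mtu && buf[i] != 0)
            n++;
    }
    return n;
}

int main(void)
{
    uint8_t buf[REPLY_SIZE];

    memset(buf, 0xAA, sizeof(buf));   /* pretend the user buffer is dirty */
    reply_leaky(buf);
    printf("leaky    : %d unintended non-zero bytes\n",
           count_unintended_nonzero(buf));

    memset(buf, 0xAA, sizeof(buf));
    reply_hardened(buf);
    printf("hardened : %d unintended non-zero bytes\n",
           count_unintended_nonzero(buf));
    return 0;
}
```

The leaky count depends on what happened to be on the stack, which is precisely why such leaks are unreliable to spot by testing and are better caught by review of every struct that crosses the kernel/user boundary; the hardened count is always zero.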


* NULL pointer dereference in futex requeuing.

A missing NULL pointer check could result in a kernel crash when
attempting to requeue a futex.


* NULL pointer dereference in non-pi futexes.

Incorrect configuration of futex addresses could lead to a NULL pointer
dereference and kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
