[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1787-1)

Sasha Levin sasha.levin at oracle.com
Thu Apr 4 08:58:36 PDT 2013


Synopsis: USN-1787-1 can now be patched using Ksplice
CVEs: CVE-2013-0914 CVE-2013-1767 CVE-2013-1772 CVE-2013-1792

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1787-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
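As an added example (not part of this advisory or of the Ksplice tooling), the shell snippet below decides from a copy of /etc/uptrack/uptrack.conf whether the manual uptrack-upgrade step is still needed, and reports which of this notice's CVEs are absent from a saved uptrack-show listing. The sample config and listing are constructed inline, and the assumption that uptrack-show output names the CVE of each installed update is noted in the code.

```shell
#!/bin/sh
# Added example, not the advisory's or Ksplice's own code.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Tolerates surrounding whitespace, mixed case and commented-out lines;
# the last uncommented "autoinstall = ..." entry wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print each CVE given as an argument that does not appear in a saved
# "uptrack-show" listing. Assumption: the listing names the CVE of each
# installed update, as in the constructed sample below.
missing_cves() {
    show="$1"; shift
    for cve in "$@"; do
        grep -q -F "$cve" "$show" || printf '%s\n' "$cve"
    done
}

# Constructed sample inputs (not files taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/uptrack.conf" <<'EOF'
[Uptrack]
# autoinstall = yes   <- commented out, must be ignored
autoinstall = no
EOF
cat > "$tmp/uptrack-show.txt" <<'EOF'
Installed updates:
[placeholder-id] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
[placeholder-id] CVE-2013-1792: Denial-of-service in user keyring management.
EOF

USN_1787_1_CVES="CVE-2013-0914 CVE-2013-1767 CVE-2013-1772 CVE-2013-1792"

if uptrack_autoinstall_enabled "$tmp/uptrack.conf"; then
    echo "autoinstall enabled: updates apply without action"
else
    echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
fi
echo "CVEs from USN-1787-1 not yet listed:"
missing_cves "$tmp/uptrack-show.txt" $USN_1787_1_CVES
```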


DESCRIPTION

* CVE-2013-1772: Buffer overflow when writing to /dev/kmsg.

The log_prefix function in the printk code does not properly remove
a prefix string from a syslog header, which allows local users to
cause a denial of service (buffer overflow and system crash) by
leveraging /dev/kmsg write access and triggering a call_console_drivers
function call.


* Denial-of-service in nanosleep implementation.

Failure to clean up timers correctly when performing a clock_nanosleep()
call using CPU_TIMER would result in a reference count leak on the
calling task.  This could allow an unprivileged, local user to trigger a
denial of service.


* Kernel deadlock in Xen pv-spinlocks.

A race condition can lead to a deadlock where a CPU gets stuck
waiting forever for a lock.


* CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.

If a tmpfs mount that was originally mounted with the mpol=M
option is remounted, it reuses the already freed mempolicy object.


* Kernel crash in target lun configuration.

Missing bounds checks for the mapped_lun attribute in the target lun
configfs filesystem could result in a kernel crash.


* Out-of-bounds read in binary sysctl helpers.

An incorrect NULL check in the binary sysctl helpers could result in the
dereference of an invalid pointer, leading to a kernel crash.


* Race condition in ext4 block preallocation.

Incorrect locking in ext4 block preallocation could lead to memory
corruption and undefined behaviour.


* NULL pointer dereference in comedi subdevice character device.

Missing NULL pointer checks could result in a kernel crash when
accessing sub-devices that don't support asynchronous operations.


* CVE-2013-1792: Denial-of-service in user keyring management.

A race condition in installing a user keyring could allow a local,
unprivileged user to crash the machine, causing a denial of service.


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths that
contain symlinks, causing a NULL pointer dereference and kernel panic.


* NULL pointer dereference in pipe closing.

The pipe subsystem does not correctly handle a process opening a pipe for
neither reading nor writing, leading to a NULL pointer dereference and kernel panic.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.


* Kernel page mapping information leak in dmesg.

On x86 systems, an unprivileged process can easily determine whether an address
residing within the kernel address space is mapped or unmapped by examining
the error code reported to dmesg.[1]

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
