[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1720-1)

Phil Turnbull phil.turnbull at oracle.com
Thu Feb 14 09:00:20 PST 2013


Synopsis: USN-1720-1 can now be patched using Ksplice
CVEs: CVE-2012-4508 CVE-2013-0190

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1720-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in SCTP message sending.

The SCTP protocol implementation did not correctly release memory when
passed an invalid source buffer.  This could allow an unprivileged user
to cause a denial-of-service.


* NULL pointer dereference in IRDA SIR network device.

An invalid check in the IRDA SIR network device driver could result in
calling a NULL pointer and crashing the kernel.


* NULL pointer dereference in NFSv2 and NFSv3 in server cloning.

A race condition that occurs when nfs_clone_server gets an error
can lead to a NULL pointer dereference in nfs_clone_server.


* Buffer overflow with NFSv4 read encoding.

If the argument and reply in nfsd4_encode_read exceed the maximum
payload size, then the rq_pages array can overflow.


* Invalid memory access in cgroup file system.

If cgroup_create_file() fails, no dentry get is performed, but
the corresponding dentry put gets performed anyhow, leading to an
invalid memory access and a kernel oops.
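A constructed C model of the get/put imbalance described above, added here as an illustration and not taken from the kernel or from the Ksplice patch: the toy_* names are hypothetical stand-ins for the dentry reference helpers and for cgroup_create_file(), and the numbers show why an unmatched put on the error path drops a reference the caller still relies on.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a kernel dentry with a reference count (constructed). */
struct toy_dentry { int refcount; bool freed; };

/* Take a reference. */
static void toy_dget(struct toy_dentry *d) { d->refcount++; }

/* Drop a reference; at zero the object is released. A put with no
 * matching get drops a reference someone else still holds, which is the
 * invalid memory access the advisory describes. */
static void toy_dput(struct toy_dentry *d) {
    d->refcount--;
    if (d->refcount <= 0) d->freed = true;
}

/* Stand-in for cgroup_create_file(): takes a reference only on success. */
static int toy_create_file(struct toy_dentry *d, bool fail) {
    if (fail) return -1;
    toy_dget(d);
    return 0;
}

/* Buggy flow: the put runs on the error path although no get happened. */
static int buggy_create(struct toy_dentry *d, bool fail) {
    int err = toy_create_file(d, fail);
    if (err) { toy_dput(d); return err; }   /* unmatched put */
    return 0;
}

/* Corrected flow: only drop references this path actually took. */
static int fixed_create(struct toy_dentry *d, bool fail) {
    int err = toy_create_file(d, fail);
    if (err) return err;   /* nothing to put, create took no reference */
    return 0;
}

/* Run one flow on a fresh dentry that starts with the caller's single
 * reference and report the refcount afterwards (0 means it was freed
 * out from under the caller). */
static int refcount_after_create(bool use_fixed, bool fail) {
    struct toy_dentry d = { .refcount = 1, .freed = false };
    if (use_fixed) fixed_create(&d, fail); else buggy_create(&d, fail);
    return d.freed ? 0 : d.refcount;
}

int main(void) {
    printf("buggy, create fails: refcount %d\n", refcount_after_create(false, true));
    printf("fixed, create fails: refcount %d\n", refcount_after_create(true, true));
    return 0;
}
```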


* Out-of-bounds read in FireWire packet processing.

The FireWire driver does not correctly parse fragmented multicast and
broadcast packets leading to an out-of-bounds read and kernel panic.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an
ext4 filesystem could lead to exposure of stale data from a deleted
file. An unprivileged local user could use this flaw to read privileged
information.


* Memory leak in ext4 extended attributes.

The ext4 filesystem driver does not correctly release kernel memory if
setting an extended attribute on a file fails.


* Memory corruption in extent tree for ext4.

When the depth of the extent tree in ext4 is greater than one,
the interior node is not correctly updated, leading to memory
corruption of the extent tree.


* Kernel panic in jbd2 driver.

A race condition in the jbd2 filesystem driver when writing a journal to
disk can trigger a kernel panic.


* Denial-of-service in udf writes.

A memory leak that occurs while allocating blocks during udf
writes could lead to a denial-of-service.


* Kernel panic on 802.11 driver unload.

The mac80211 wireless driver schedules an asynchronous job when
unloading leading to a use-after-free and kernel panic.


* Kernel crash in GFS2 cluster filesystem.

A race condition in the GFS2 cluster filesystem where data buffers were
not locked during buffer list manipulation could make the kernel crash.


* NULL pointer dereference in xhci.

If xhci has to bail out due to OOM while allocating ring segments,
the ring segments are left in a bad state. This could lead to a NULL
pointer dereference when xhci tries to free them or it could lead to
a use-after-free if a caller believes the ring segments are valid.
Either could potentially also cause a kernel crash.


* CVE-2013-0190: stack corruption with Xen 32-bit paravirtualized guests.

Incorrect manipulation of the stack pointer in the error path for iret
failure with a 32-bit paravirtualized guest could result in stack
corruption. This could be triggered by an unprivileged user in the
guest to cause a denial-of-service.


* Race condition in USB UHCI during initialization.

A race condition exists in the USB UHCI code that could cause the
interrupt handler to be called before all data structures are set up,
leading to potential invalid memory accesses.


* NULL pointer dereference in ACPI with cpuidle disabled.

The ACPI code does not correctly handle all cases where cpuidle is
disabled, leading to a kernel NULL pointer dereference.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

