[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1756-1)

Sasha Levin sasha.levin at oracle.com
Wed Mar 6 19:28:56 PST 2013


Synopsis: USN-1756-1 can now be patched using Ksplice
CVEs: CVE-2013-0216 CVE-2013-0217 CVE-2013-0268 CVE-2013-0311 CVE-2013-0349 CVE-2013-1773

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1756-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory leak in CIFS referral mount handling.

Allocated memory was not correctly freed in the CIFS referral mount
error handling path, leading to a potential denial-of-service.


* Memory leak in ATH9K HTC layer skb allocation.

SKBs allocated by the ATH9K HTC layer were not freed, causing a memory
leak.


* Double free on ATH9K beacon generate failure.

An incorrect re-use of objects between beacon generation attempts would
lead to a system crash.


* CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.

Access to /dev/cpu/*/msr was protected only using filesystem
checks. A local uid 0 (root) user with all capabilities dropped
could use this flaw to execute arbitrary code in kernel mode.


* CVE-2013-0217: Denial-of-service in Xen backend driver.

A malicious guest can cause the host networking stack to consume large
amounts of CPU by sending malformed requests to the Xen backend driver.


* CVE-2013-0216: Memory leak in Xen net backend driver.

A malicious guest can cause a memory leak in the host networking stack by
sending malformed requests to the Xen backend driver, leading to a kernel
panic.


* Memory leak in xHCI USB host request handler.

The private data related to TX events in the USB request handler was
not freed.


* Kernel crash on virtio console removal.

The kernel could access uninitialized data on device removal causing a
kernel crash.


* Stack overflow in kernel resource allocation.

Recursive calls in kernel/resource.c could lead to a stack overflow when
reserving regions.


* Use-after-free in IP loopback transmission handling.

The loopback driver didn't correctly handle a specific type of data, which
would allow a packet to be freed before being processed.


* Memory leak in memory mapped AF_PACKET transmission.

A memory leak in the memory mapped packet transmission code could result
in a denial-of-service against the system by a user with CAP_NET_RAW
capability.


* SCTP key leak in shared secret key setup.

The SCTP association key setup did not securely free the key memory
resulting in a possible leak of the key to an attacker.


* Out-of-bounds read in netfilter bridge.

A fragmented IP header can cause an out-of-bounds read and kernel panic when
filtering bridged Ethernet traffic.


* CVE-2013-0311: Privilege escalation in vhost descriptor management.

Incorrect handling of vhost descriptors that crossed regions could allow
a privileged guest user to crash the host or possibly escalate
privileges inside the host.


* CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.

Unicode conversion functions used in the VFAT filesystem were vulnerable
to buffer overruns.  Carefully constructed VFAT partitions mounted with
the utf8 option could allow an attacker to corrupt kernel memory and
possibly execute code in kernel mode.


* CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak
from the kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
