[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1529-1)

Jamie Iles jamie.iles at oracle.com
Sat Aug 11 11:40:59 PDT 2012 

Synopsis: USN-1529-1 can now be patched using Ksplice
CVEs: CVE-2012-2119 CVE-2012-2136 CVE-2012-2137 CVE-2012-2372 CVE-2012-2373 CVE-2012-3375 CVE-2012-3400

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1529-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* Use-after-free in device mapper RAID1 data-check.

Under specific hardware configurations, the device mapper code could
attempt to read requests after they had been freed resulting in possible
kernel crash.


* Use-after-free in device-mapper persistent data management.

Incorrect error handling on allocation in the persistent data management
could result in a use-after-free condition and kernel crash.


* CVE-2012-3375: Denial of service due to epoll resource leak in error path.

The upstream fix for CVE-2011-1083 introduced a flaw in the way
the Linux kernel's Event Poll (epoll) subsystem handled resource clean up
when an ELOOP error code was returned. A local, unprivileged user could use
this flaw to cause a denial of service.


* Use-after-free in l2tp_eth driver.

Incorrect module reference counts could result in the module being
unloaded whilst it was still in use and a use-after-free condition could
result in a kernel crash.


* CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.

The length of packet fragments to be sent wasn't validated before use,
leading to heap overflow. A user having access to TUN/TAP virtual
device could use this flaw to crash the system or to potentially
escalate their privileges.


* Memory corruption in device mapper RADI1 mirror recovery and discard.

A race condition in mirror recovery and discard could result in the
corruption of linked lists resulting in undefined behaviour.


* NULL pointer dereference in NFC raw socket closing.

Closing an NFC raw socket could result in a NULL pointer dereference and
kernel crash under specific conditions.


* Denial-of-service in file advisory locking.

The virtual filesystem layer did not gracefully handle an unexpected
file lease type resulting in a kernel BUG() and system crash,
triggerable by an unprivileged user.


* CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.

A buffer overflow flaw was found in the setup_routing_entry() function in the
KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts
(MSI) routing entry was handled. A local, unprivileged user could use this flaw
to cause a denial of service or, possibly, escalate their privileges.


* Use-after-free in l2tp_ip module.

Incorrect use of RCU could result in a use-after-free condition and
kernel crash in the l2tp_ip module.


* CVE-2012-2119: Stack overflow in KVM macvtap page pinning.

The vector length of pages passed to the host from the guest through
macvtap is not validated before the pages are pinned. A privileged
guest user could use this flaw to induce stack overflow on the
host with attacker non-controlled data but with attacker controlled length.


* Use-after-free in device mapper RAID5 mode.

Incorrect reference counting in the RAID5 mode for device mapper could
result in a use-after-free condition and kernel crash.


* Use-after-free in device-mapper array stop.

A race condition in flushing I/O for stopping a device mapper array
could result in a use-after free condition and kernel crash.


* Use-after-free due to race condition in madvise.

A race condition between munmap and madvise can cause a use-after-free
in the memory management system.


* CVE-2012-2373: denial-of-service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault
resulting in a kernel crash, triggerable by an unprivileged user.


* CVE-2012-3400: Buffer overflow in UDF parsing.

A bug in the kernel's UDF file system driver could be exploited by an
unprivileged local user to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-12.04-Updates mailing list