[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1646-1)

Jamie Iles jamie.iles at oracle.com
Sat Dec 1 12:35:39 PST 2012


Synopsis: USN-1646-1 can now be patched using Ksplice
CVEs: CVE-2012-0957 CVE-2012-4508 CVE-2012-4565

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1646-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel panic in ttyprintk driver.

Writing a specially crafted string to /dev/ttyprintk can cause the kernel
to access memory beyond the end of an allocated buffer and trigger a
kernel panic.


* Memory corruption in Comedi data acquisition driver.

A local user can cause kernel memory corruption by passing an invalid
pointer to an ioctl causing a kernel panic and potentially privilege
escalation.


* Kernel panic in s626 Comedi driver.

A local user can leak kernel memory or cause a kernel panic by passing
an invalid pointer to an ioctl.


* Data loss/corruption in ext4 filesystem after crash.

The fdatasync() system call did not flush inode metadata when it was used
on a file where only the file's size had changed. This could lead to data
loss or corruption in applications following a system crash.


* Divide-by-zero in library code.

Calling gcd(a, b) with either a = 0 or b = 0 would lead to a division-by-zero
and subsequent kernel crash.
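The following is an added illustration of the gcd edge case described above; it is not the kernel's own lib/gcd.c. It shows a Euclidean gcd helper in the shape of a kernel library routine, where the loop's modulo step silently relies on a non-zero divisor, and the guard that turns a zero operand into a defined result instead of a fault. The names gcd_unguarded() and gcd_would_divide_by_zero() are assumptions for this example.

```c
#include <stdio.h>

/* Added example, not kernel code. Mirrors the shape of a Euclidean gcd
 * helper: the caller-supplied operands are swapped so the smaller one is
 * the divisor, then `a % b` is iterated until the remainder is zero. */

/* Returns 1 when gcd_unguarded() below would evaluate `x % 0` on its
 * first iteration: any zero operand becomes the divisor after the swap. */
int gcd_would_divide_by_zero(unsigned long a, unsigned long b)
{
    return a == 0 || b == 0;
}

/* Caller must guarantee a != 0 && b != 0. With a zero operand the first
 * modulo is a division by zero, which in kernel context is a crash. Kept
 * only as the reference shape; gcd() below never calls it with a zero. */
unsigned long gcd_unguarded(unsigned long a, unsigned long b)
{
    unsigned long r;

    if (a < b) {
        r = a;
        a = b;
        b = r;
    }
    /* Invariant: b != 0 here, so the modulo is always defined. */
    while ((r = a % b) != 0) {
        a = b;
        b = r;
    }
    return b;
}

/* Guarded version: by the usual convention gcd(a, 0) == a, gcd(0, b) == b
 * and gcd(0, 0) == 0, and the loop is only entered with non-zero operands. */
unsigned long gcd(unsigned long a, unsigned long b)
{
    if (a == 0)
        return b;
    if (b == 0)
        return a;
    return gcd_unguarded(a, b);
}

int main(void)
{
    /* Constructed sample operands: a normal pair and the zero edge cases. */
    unsigned long pairs[][2] = { {12, 18}, {1071, 462}, {7, 0}, {0, 7}, {0, 0} };
    size_t i;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        unsigned long a = pairs[i][0], b = pairs[i][1];
        printf("gcd(%lu, %lu) = %lu%s\n", a, b, gcd(a, b),
               gcd_would_divide_by_zero(a, b)
                   ? "  (unguarded loop would fault)" : "");
    }
    return 0;
}
```

The guard is the whole fix: the Euclidean loop is correct for positive operands, and the only defect is the unstated precondition that neither operand is zero.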


* Userspace memory corruption and information leak in FireWire core.

The kernel writes too much data to the buffer supplied by the userspace
process calling ioctl() on a FireWire character device. In addition, the
extra data represents an information leak of kernel data.


* Crash on malformed IPv4 packets in netfilter connection tracking.

The header lengths of IPv4 packets were not validated before the packet
was passed on to TCP options parsing, resulting in an assertion failure
(BUG_ON) in the TCP options parsing code.


* Crash in NAT handling of Real-time Transport Protocol (RTP) packets.

If an RTP packet arrives while the NAT connection tracking data structures
are locked, the kernel may crash while attempting to register the same
expectation callback twice on the same list.


* NULL pointer dereference in NAT handling for bridging/IP Virtual Servers.

Incoming frames on bridge devices can cause a NULL pointer dereference when
IPVS incorrectly causes a NAT reply to reset the frame's bridge pointer to
NULL.


* NULL pointer dereference in SUNRPC over TCP.

When mounting an NFS v4.1 filesystem over TCP, the kernel will crash when
attempting to call an undefined callback.


* Memory corruption in Amplicon PC36AT/PCI236 Comedi drivers.

If the kernel fails to attach a PC236 device, it could make writes to
unmapped memory addresses and potentially crash the machine.


* Memory leak in NFS4 file closing.

The NFS4 server subsystem does not correctly free memory when closing a
file handle which eventually leads to memory exhaustion and a kernel
panic.


* Kernel panic in Intel PRO/Wireless 2200BG and 2915ABG network device drivers.

The driver does not account for the space taken by radiotap fields when
allocating an skb for a radiotap packet. This may lead to a kernel panic,
e.g. when radiotap packets are being transmitted.


* Information leak in ioctl on x86_64.

If a 32-bit process passes an invalid pointer to the VIDEO_SET_SPU_PALETTE
ioctl() on a 64-bit kernel, the kernel may leak parts of the kernel stack
into the userspace process.


* Kernel panic in TTY driver.

An invalid assumption in the TTY driver can lead to a kernel
panic (BUG_ON) when reading data from a TTY using the normal
line discipline.


* Kernel panic in coredumping.

An unprivileged user can cause a double-free when constructing a
coredump under low-memory conditions.


* Use-after-free in IP over Infiniband.

A use-after-free condition can be triggered when processing
multicast IP packets over an Infiniband device.


* Use-after-free in Infiniband RDMA driver.

A use-after-free condition can be triggered in the Infiniband RDMA driver
when resetting an Infiniband device.


* Deadlock in iSCSI SendTargets error path.

Invalid locking when failing to send a 'SendTargets' packet can lead
to a deadlock and kernel panic.


* Deadlock in page unmapping.

Invalid locking in the memory management subsystem can cause a deadlock
and kernel hang when unmapping pages from a process' address space.


* Kernel panic in IPv4 ARP and IPv6 Neighbor Discovery.

An invalid assumption in the IP stack can lead to a kernel panic when
failing to send an IPv4 ARP or IPv6 Neighbor Discovery packet.


* Kernel panic when sending RDS ping responses.

Incorrect locking in the RDS implementation can cause a kernel panic
when responding to RDS ping packets. A remote attacker could potentially
use this flaw to cause a remote denial of service.


* Kernel panic in multiple filesystems.

An out-of-bounds read can cause a kernel panic when opening a file on
GFS2, ISO 9660, Reiser, XFS or POSIX shared memory filesystems.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.


* Memory leak in Cirrus Logic audio driver.

The Cirrus Logic driver does not correctly free memory when failing
to initialise an audio device.


* Use-after-free when unloading Radeon graphics driver.

A use-after-free condition can be triggered when unloading the
Radeon graphics driver.


* Kernel panic in Realtek HD audio driver.

An out-of-bounds read in the Realtek HD audio driver can cause a kernel
panic when initialising a device.


* Kernel panic in lockd server.

The kernel lockd server does not correctly handle stale file handles
leading to a kernel panic. A remote attacker could potentially use this
flaw to cause a remote denial of service.


* Memory corruption in SUNRPC procfs.

A stack buffer overflow can be triggered by reading the contents of the
"flush" procfs file, leading to a kernel panic.


* CVE-2012-0957: Information leak in uname syscall.

A process running under a UNAME26 personality can disclose the contents
of kernel memory via the uname syscall.


* Memory corruption in general purpose allocator.

The kernel does not allocate the correct amount of metadata for the
general purpose allocator, leading to memory corruption under certain
workloads.


* NULL pointer dereference in AC97 sound driver.

A NULL pointer dereference and kernel panic can be triggered when
initialising an AC97 device under low-memory conditions.


* CVE-2012-4565: Divide by zero in TCP congestion control algorithm.

The TCP Illinois congestion control algorithm does not correctly handle a
zero number of RTTs when reading TCP stats, leading to a divide-by-zero
and kernel panic. A remote attacker could potentially use this flaw to
cause a remote denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.