[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1793-1)
Sonja Tideman
sonja.tideman at oracle.com
Mon Apr 8 20:04:26 PDT 2013
Synopsis: USN-1793-1 can now be patched using Ksplice
CVEs: CVE-2013-0914 CVE-2013-1767 CVE-2013-1792 CVE-2013-2546
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1793-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
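An added example, not part of the announcement: a POSIX sh check that reads the autoinstall setting from an uptrack.conf-style file, so a fleet inventory can tell which hosts apply Ksplice updates on their own and which still need a manual `uptrack-upgrade -y`. It assumes the file uses `key = value` lines with `#` comments, as in the `autoinstall = yes` line quoted above; the function names and the fallback messages are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement. Assumes an uptrack.conf
# made of "key = value" lines and "#" comments, matching the
# "autoinstall = yes" line quoted in the announcement.

# Exit status: 0 = autoinstall enabled, 1 = disabled or unset,
# 2 = configuration file missing or unreadable.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    # The last uncommented "autoinstall = ..." line wins; surrounding
    # whitespace and a trailing "# comment" are ignored.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$value" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Prints the action a host needs. The upgrade command is only echoed, never
# run, so the check is safe to call from inventory tooling.
uptrack_needed_action() {
    rc=0
    uptrack_autoinstall_enabled "$1" || rc=$?
    case "$rc" in
        0) echo "autoinstall enabled: updates install automatically" ;;
        1) echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y" ;;
        *) echo "no readable uptrack.conf: is Ksplice Uptrack installed?" ;;
    esac
}
```

Run `uptrack_needed_action` with no argument to read the real `/etc/uptrack/uptrack.conf`, or pass a path to check a copy collected from another host.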
DESCRIPTION
* CVE-2013-0914: Information leak in signal handlers.
A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.
* CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
If a tmpfs mount that was originally mounted with the mpol=M
option is remounted, it reuses the already freed mempolicy object.
* CVE-2013-1792: Denial-of-service in user keyring management.
A race condition in installing a user keyring could allow a local,
unprivileged user to crash the machine causing a denial-of-service.
* CVE-2013-2546, 2547, 2548: Information leaks in crypto report API.
Invalid memory copying and a failure to properly initialize all structure
data fields could result in kernel memory disclosures in the crypto
algorithm report API.
* Use-after-free in OMAP display driver.
Incorrect locking in the OMAP display driver could lead to dereferencing
of invalid memory addresses and subsequent kernel crashes.
* Use-after-free in ext4 AIO handling.
An inode reference was released before all operations on it were
complete. This might lead to a use-after-free if the inode was freed.
* Memory corruption in ext4 block preallocation.
Incorrect locking in ext4 block preallocation could lead to memory
corruption and undefined behaviour.
* Deadlock in compressed RAM (zram) block device driver.
Writing to a compressed RAM block device could invoke the page reclaim
mechanism during memory allocation. Page reclaim would in turn try to
grab a lock which was already locked by the compressed RAM block device
driver and consequently deadlock.
* Memory leak in NFS client destruction.
Memory was incorrectly freed when destroying an NFS client, resulting in a
possible denial-of-service.
* NULL pointer dereference in comedi subdevice character device.
Missing NULL pointer checks could result in a kernel crash when
accessing sub-devices that don't support asynchronous operations.
* Kernel page mapping information leak in dmesg.
On x86 systems, an unprivileged process can easily determine whether an
address residing within the kernel address space is mapped or unmapped by
examining the error code reported to dmesg. [1]
[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/
* NULL pointer dereference in USB serial disconnect.
When a USB serial device is disconnected, a missing lock could lead to a
NULL pointer dereference when another function uses the freed data of the
disconnected device.
* Denial-of-service in nanosleep implementation.
Failure to correctly clean up timers when performing a clock_nanosleep()
call using CPU_TIMER would result in a reference count leak on the
calling task. This could allow an unprivileged, local user to trigger a
denial-of-service attack.
* Kernel crash in NFSv4.1 in XDR decode.
Invalid assumptions when decoding XDR messages can lead to the
NFSv4 code using uninitialized memory, leading to a kernel crash.
* Kernel crash in target lun configuration.
Missing bounds checks for the mapped_lun attribute in the target lun
configfs filesystem could result in a kernel crash.
* Kernel deadlock in Xen pv-spinlocks.
A race condition can lead to a deadlock where a CPU gets stuck
waiting forever for a lock.
* Use-after-free in direct I/O AIO handling.
An inode reference was released before all operations on it were
complete. This might lead to a use-after-free if the inode was freed.
* Use-after-free in OCFS2 AIO handling.
An inode reference was released before all operations on it were
complete. This might lead to a use-after-free if the inode was freed.
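The ext4, direct I/O and OCFS2 AIO items above all describe the same ordering mistake: the reference that keeps an inode alive is dropped when the I/O is submitted rather than when it completes, so a later completion can touch freed memory. The C model below is an added example and not kernel code from the page or from the Ubuntu or Ksplice patches; `inode_like`, `aio_req`, `iget` and `iput` are constructed stand-ins for the kernel's inode reference counting, and the `freed` flag stands in for the memory actually being returned to the allocator so the misuse stays observable.

```c
#include <stdio.h>

/*
 * Constructed model (not kernel code) of an inode-like object protected by a
 * reference count. `freed` is set when the last reference goes away, where
 * the kernel would really free the object.
 */
struct inode_like {
    int refs;
    int freed;   /* 1 once the last reference has been dropped */
    int size;    /* payload the completion handler reads */
};

struct aio_req {
    struct inode_like *inode;
    int completed;
};

static struct inode_like *iget(struct inode_like *ino)
{
    ino->refs++;
    return ino;
}

static void iput(struct inode_like *ino)
{
    if (--ino->refs == 0)
        ino->freed = 1;   /* the kernel would free the inode here */
}

/*
 * Completion handler: reads the inode, as a real AIO completion would.
 * Returns 1 if it touched an already-freed object (a use-after-free), else 0.
 */
static int aio_complete(struct aio_req *req)
{
    int uaf = req->inode->freed;
    (void)req->inode->size;   /* the access that is a UAF when `freed` is set */
    req->completed = 1;
    return uaf;
}

/* Buggy submit: takes a reference for the request but drops it immediately. */
static void aio_submit_buggy(struct aio_req *req, struct inode_like *ino)
{
    req->inode = iget(ino);
    req->completed = 0;
    iput(ino);   /* BUG: reference released before the operation is complete */
}

/* Fixed submit: the request keeps its reference until completion. */
static void aio_submit_fixed(struct aio_req *req, struct inode_like *ino)
{
    req->inode = iget(ino);
    req->completed = 0;
}

/* Fixed completion path: the request's reference is dropped only after the work is done. */
static int aio_run_completion_fixed(struct aio_req *req)
{
    int uaf = aio_complete(req);
    iput(req->inode);
    return uaf;
}

/*
 * One scenario: the caller submits I/O, drops its own reference while the I/O
 * is still in flight (the file is closed), then the completion runs.
 * Returns 1 if a use-after-free occurred, 0 if the ordering was safe.
 */
int aio_scenario(int fixed)
{
    struct inode_like ino = { 1, 0, 4096 };   /* refs = 1: the caller's reference */
    struct aio_req req;

    if (fixed)
        aio_submit_fixed(&req, &ino);
    else
        aio_submit_buggy(&req, &ino);

    iput(&ino);   /* caller is finished with the inode before the AIO completes */

    return fixed ? aio_run_completion_fixed(&req) : aio_complete(&req);
}

int main(void)
{
    printf("buggy ordering: use-after-free=%d\n", aio_scenario(0));   /* 1 */
    printf("fixed ordering: use-after-free=%d\n", aio_scenario(1));   /* 0 */
    return 0;
}
```

The rule the fix encodes is that whoever still holds a pointer to the object must also hold a reference to it; the asynchronous request therefore owns its reference from submission until its completion handler has finished with the inode.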
* Incorrect access control lists on reflinked OCFS2 inodes.
Incorrect management of reflinked inodes meant that the new inode did
not correctly receive the access control lists from the parent
directory.
* Out-of-bounds read in binary sysctl helpers.
An invalid check for NULL in binary sysctls could result in a
dereference of an invalid pointer, leading to a kernel crash.
* Stale data access in networked block device.
The network block device did not sync and clean up correctly on shutdown.
This meant that, on attaching another backing image, stale data could
still be accessed.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.