[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (3.2.0-51.77)

Jamie Iles jamie.iles at oracle.com
Mon Jul 29 09:26:26 PDT 2013


Synopsis: 3.2.0-51.77 can now be patched using Ksplice
CVEs: CVE-2013-2852

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.2.0-51.77.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel crash on wireless P2P device connection.

If a P2P wireless device is already present and a new one is connected,
the kernel crashes because of an incorrect check on a network device's
internals.


* Buffer overflow in CIFS options handling.

In some cases, insufficient memory was being allocated for the CIFS
mount options, leading to a buffer overflow.


* Kernel crash when unregistering VLAN interfaces.

If a VLAN interface was registered after the AP, unregistering it
crashes the system because the code does not handle the AP being
closed before its VLANs are removed.


* Privilege escalation in XFS file truncation.

Truncating a non-zero sized file on an XFS filesystem did not clear the
SUID/SGID bits, allowing a local user with write access to the file to
possibly escalate privileges.
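A defender may want to confirm that truncating a setuid file on a given filesystem actually drops the bit. The following check is an added example and not part of the advisory: it creates a non-empty setuid file in a directory of your choice, truncates it to zero length and reports whether the bit survived. The kernel deliberately keeps SUID/SGID for callers holding CAP_FSETID, so the check reports SKIPPED when run as root; the file name pattern and result codes are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not kernel or Ksplice code. Result codes are made up here. */
enum truncate_suid_result {
    TS_ERROR   = -1,   /* could not create, chmod or truncate the test file */
    TS_KEPT    = 0,    /* SUID/SGID survived the truncate: the bug the advisory fixes */
    TS_CLEARED = 1,    /* expected behaviour for an unprivileged caller */
    TS_SKIPPED = 2     /* running with CAP_FSETID, kernel keeps the bits by design */
};

int suid_or_sgid_set(mode_t mode)
{
    return (mode & (S_ISUID | S_ISGID)) != 0;
}

/* Creates a non-empty setuid file under 'dir' (e.g. a mount point on the
 * filesystem under test), truncates it to zero and reports what happened.
 * The file is non-empty because the XFS bug only affected non-zero sizes. */
int truncate_clears_suid(const char *dir)
{
    char path[4096];
    struct stat st;
    int fd, result = TS_ERROR;

    if (geteuid() == 0)
        return TS_SKIPPED;

    snprintf(path, sizeof path, "%s/suidcheck.XXXXXX", dir);   /* constructed name */
    fd = mkstemp(path);
    if (fd < 0)
        return TS_ERROR;

    if (write(fd, "not empty\n", 10) == 10 &&
        fchmod(fd, S_IRUSR | S_IWUSR | S_IXUSR | S_ISUID) == 0 &&
        fstat(fd, &st) == 0 && suid_or_sgid_set(st.st_mode) &&   /* bit really set */
        ftruncate(fd, 0) == 0 &&
        fstat(fd, &st) == 0)
        result = suid_or_sgid_set(st.st_mode) ? TS_KEPT : TS_CLEARED;

    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    const char *names[] = { "error", "KEPT (bit survived truncate)",
                            "CLEARED", "SKIPPED (caller has CAP_FSETID)" };
    int r = truncate_clears_suid("/tmp");
    printf("truncate test in /tmp: %s\n", names[r + 1]);
    return r == TS_KEPT;   /* non-zero exit flags the vulnerable behaviour */
}
```

Point the directory argument at a mount of the filesystem you care about (an XFS mount for this advisory) and run it as an ordinary user; a KEPT result on a patched kernel would be worth investigating.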


* Kernel hang on USB audio.

An attacker with physical access to the machine could make the kernel
hang with a malicious USB device, due to two vulnerabilities in the functions
parse_uac2_sample_rate_range() and parse_audio_format_rates_v2() that
cause an overflow.


* Kernel panic in Broadcom 43xx wireless driver.

A kernel panic can be triggered when unloading the legacy
Broadcom wireless driver when no firmware is present.


* XHCI kernel panic due to an uninitialised list head.

The list_for_each_entry_safe macro assumes list heads are
initialized (not NULL) and dereferences their 'next' pointer,
causing a kernel panic if the head has not yet been initialized.
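To make the list-head point concrete, here is an added userspace example (not kernel or driver code) that reimplements the kernel's intrusive list idiom, including a list_for_each_entry_safe macro shaped like the kernel's, and shows the difference between a head set up with INIT_LIST_HEAD (next and prev point back at the head) and a head that was merely zero-filled (next == NULL, which the macro would dereference). The struct xfer type, the drain_list() routine and its guard are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: minimal re-creation of the kernel list idiom, not kernel code. */
struct list_head { struct list_head *next, *prev; };

/* An initialised head points at itself; an empty list is head->next == head. */
#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

/* Same shape as the kernel macro: it reads (head)->next unconditionally,
 * so a zeroed head (next == NULL) is dereferenced on the first iteration. */
#define list_for_each_entry_safe(pos, n, head, member)                      \
    for (pos = list_entry((head)->next, __typeof__(*pos), member),          \
         n = list_entry(pos->member.next, __typeof__(*pos), member);        \
         &pos->member != (head);                                            \
         pos = n, n = list_entry(n->member.next, __typeof__(*n), member))

static void list_add_tail(struct list_head *e, struct list_head *head)
{
    e->prev = head->prev; e->next = head;
    head->prev->next = e;  head->prev = e;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;
}

struct xfer { int id; struct list_head link; };   /* stand-in for a queued transfer */

/* Defensive check for cleanup paths: a head that never saw INIT_LIST_HEAD
 * still holds the zero-fill (or garbage) from allocation. */
int list_head_initialised(const struct list_head *h)
{
    return h->next != NULL && h->prev != NULL;
}

/* Removes every entry; returns the count removed, or -1 if the head was
 * never initialised (the situation that produced the XHCI panic). */
int drain_list(struct list_head *head)
{
    struct xfer *pos, *n;
    int removed = 0;

    if (!list_head_initialised(head))
        return -1;
    list_for_each_entry_safe(pos, n, head, link) {
        list_del(&pos->link);   /* safe: 'n' was captured before the delete */
        removed++;
    }
    return removed;
}

/* Correct setup: head initialised, up to 8 entries queued, then drained. */
int demo_drain(int count)
{
    struct list_head head;
    struct xfer items[8];
    int i;

    if (count > 8) count = 8;
    INIT_LIST_HEAD(&head);
    for (i = 0; i < count; i++) {
        items[i].id = i;
        list_add_tail(&items[i].link, &head);
    }
    return drain_list(&head);
}

/* Buggy setup: memory zero-filled (like kzalloc) but INIT_LIST_HEAD never ran. */
int demo_uninitialised(void)
{
    struct list_head head;
    memset(&head, 0, sizeof head);
    return drain_list(&head);
}

int main(void)
{
    printf("initialised, 3 entries: %d removed\n", demo_drain(3));
    printf("initialised, empty    : %d removed\n", demo_drain(0));
    printf("zeroed, never init'ed : %d (guard refused to walk)\n", demo_uninitialised());
    return 0;
}
```

Without the guard in drain_list(), demo_uninitialised() would read through a NULL next pointer exactly as the description above says the driver did; the fix in the kernel is to run INIT_LIST_HEAD early enough that every teardown path sees an initialised head.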


* Kernel panic when GPU acceleration is disabled.

When GPU acceleration is disabled, the related data is freed, but a
subsequent cleanup call after this will cause a kernel panic.


* Kernel hang on initialization of Radeon driver.

The current radeon driver initialization routines, when using KMS,
are written so that the IRQ installation routine is called before
initializing the WB buffer and the CP rings. This behavior leads to a
Kernel hang.


* Kernel panic in Bluetooth L2CAP processing.

The Bluetooth L2CAP driver does not correctly validate the length of received
frames, causing the driver to read invalid memory and trigger a kernel panic.


* CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.

Format string vulnerability in the b43_request_firmware function
in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4
allows local users to gain privileges by leveraging root access and
including format string specifiers in an fwpostfix modprobe parameter,
leading to improper construction of an error message.
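The CVE entry describes a parameter string ending up as a printf-style format. The added example below (not the b43 driver's code) models that pattern in userspace: build_errmsg_unsafe() hands the assembled message to snprintf as the format, so any '%' in the parameter is interpreted, while build_errmsg_safe() passes the message through a fixed "%s" format, which is the shape of the kernel fix. The function names, buffer size and message text are constructed for this illustration; the demonstration input uses only "%%", which interprets deterministically to a single "%".

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: models CVE-2013-2852's message construction. */
#define ERRMSG_LEN 128

/* Vulnerable pattern: the text containing the parameter becomes the format. */
int build_errmsg_unsafe(char *out, size_t outlen, const char *fwpostfix)
{
    char errmsg[ERRMSG_LEN];
    snprintf(errmsg, sizeof errmsg,
             "Firmware file \"b43%s/ucode\" not found", fwpostfix);
    /* BUG: errmsg is user-influenced and used as a format string */
    return snprintf(out, outlen, errmsg);
}

/* Hardened pattern: the text is always an argument, never the format. */
int build_errmsg_safe(char *out, size_t outlen, const char *fwpostfix)
{
    char errmsg[ERRMSG_LEN];
    snprintf(errmsg, sizeof errmsg,
             "Firmware file \"b43%s/ucode\" not found", fwpostfix);
    return snprintf(out, outlen, "%s", errmsg);
}

/* 1 if the unsafe and safe paths produce different text for this parameter,
 * i.e. the unsafe path interpreted something in it. */
int postfix_is_interpreted(const char *fwpostfix)
{
    char a[ERRMSG_LEN], b[ERRMSG_LEN];
    build_errmsg_unsafe(a, sizeof a, fwpostfix);
    build_errmsg_safe(b, sizeof b, fwpostfix);
    return strcmp(a, b) != 0;
}

/* 1 if the hardened message contains 'needle' verbatim. */
int safe_errmsg_contains(const char *fwpostfix, const char *needle)
{
    char buf[ERRMSG_LEN];
    build_errmsg_safe(buf, sizeof buf, fwpostfix);
    return strstr(buf, needle) != NULL;
}

int main(void)
{
    char out[ERRMSG_LEN];
    /* Constructed inputs: an ordinary postfix and one containing "%%". */
    build_errmsg_safe(out, sizeof out, "-open");
    printf("safe message      : %s\n", out);
    printf("\"-open\" altered?  : %d\n", postfix_is_interpreted("-open"));
    printf("\"%%%%\" altered?     : %d\n", postfix_is_interpreted("%%"));
    return 0;
}
```

Compilers flag the unsafe form with -Wformat-security ("format not a string literal and no format arguments"); treating that warning as an error is a cheap way to keep this pattern out of a code base.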


* Race condition on Swap while waiting on discard I/O completion.

When reading the swap cache page it can get into a race condition
leading to a system deadlock.


* Kernel crash on IPv6 cork release.

When copying cork options on IPv6, the target memory for them is
not zeroed, so it may contain garbage when the free routines are
invoked, which could lead to a kernel crash.


* Kernel crash on ip_tunnel due to garbage data on IPCB.

If the link failure routine is called and IPCB is not
cleared, it will lead to a Kernel crash due to the existence
of garbage data.


* Kernel oops when using MSG_CMSG_COMPAT in socket interfaces.

From user space it is possible to use MSG_CMSG_COMPAT in the 'send'
and 'receive' socket family interfaces. This is not a standard
feature, and using it from user space leads to a kernel oops.


* NULL pointer dereference in SCTP socket destruction.

When an SCTP socket is destroyed, it can contain invalid references,
as the routine can be invoked during socket initialization.


* Information leak in AF_PACKET getname() call.

The getname() syscall does not correctly sanitize memory when called on an
AF_PACKET socket, causing the contents of kernel memory to be disclosed to
userspace.


* Memory leak on L2TP PPP header.

When adding a PPP header, it leaks two bytes of uninitialized memory
at the end of the socket buffer's data buffer.
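The AF_PACKET getname() entry and the L2TP entry above are both instances of the same bug class: a structure or buffer is handed to userspace with some bytes never written. The added example below (not kernel code) models it with a constructed address structure shaped like sockaddr_ll, where a hardware address of 'halen' bytes is copied into a fixed 8-byte field. The stale-memory byte 0xAA, the struct and function names are constructed for this illustration; the kernel's own structures and the exact bytes leaked by either bug are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a 20-byte, padding-free stand-in for the
 * kind of address structure getname() returns. */
struct ll_addr {
    uint16_t family;
    uint16_t protocol;
    int32_t  ifindex;
    uint16_t hatype;
    uint8_t  pkttype;
    uint8_t  halen;
    uint8_t  addr[8];    /* only the first halen bytes are meaningful */
};

#define STALE_BYTE 0xAA  /* simulates whatever the kernel stack held before */

/* Constructed 6-byte hardware address; contains no 0xAA so stale bytes are countable. */
static const uint8_t HW[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };

/* Vulnerable: every known field is set, but addr[halen..7] is never written,
 * so the copy to userspace carries whatever the memory contained. */
void fill_unsafe(struct ll_addr *out, const uint8_t *hw, uint8_t halen)
{
    memset(out, STALE_BYTE, sizeof *out);   /* stale contents, as on a reused stack */
    out->family = 17; out->protocol = 0; out->ifindex = 2; out->hatype = 1;
    out->pkttype = 0; out->halen = halen;
    memcpy(out->addr, hw, halen);            /* BUG: tail of addr[] left stale */
}

/* Hardened: clear the whole object first, then fill the fields. */
void fill_safe(struct ll_addr *out, const uint8_t *hw, uint8_t halen)
{
    memset(out, STALE_BYTE, sizeof *out);   /* same stale starting state */
    memset(out, 0, sizeof *out);            /* FIX: zero everything that will be copied out */
    out->family = 17; out->protocol = 0; out->ifindex = 2; out->hatype = 1;
    out->pkttype = 0; out->halen = halen;
    memcpy(out->addr, hw, halen);
}

/* Models what a userspace caller would see: counts bytes of the object that
 * still hold the stale pattern, i.e. bytes that were never written. */
int stale_bytes(const struct ll_addr *a)
{
    const uint8_t *p = (const uint8_t *)a;
    int n = 0;
    for (size_t i = 0; i < sizeof *a; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

int stale_bytes_after_unsafe(uint8_t halen)
{
    struct ll_addr a;
    fill_unsafe(&a, HW, halen);
    return stale_bytes(&a);
}

int stale_bytes_after_safe(uint8_t halen)
{
    struct ll_addr a;
    fill_safe(&a, HW, halen);
    return stale_bytes(&a);
}

int main(void)
{
    printf("sizeof(struct ll_addr) = %zu\n", sizeof(struct ll_addr));
    printf("unsafe fill, halen=6: %d stale bytes reach userspace\n",
           stale_bytes_after_unsafe(6));
    printf("safe fill,   halen=6: %d stale bytes reach userspace\n",
           stale_bytes_after_safe(6));
    return 0;
}
```

The general rule the two fixes share: anything copied to userspace (or appended to a packet, as in the L2TP case) is cleared in full before the fields are filled in, so the length of the meaningful payload never decides how many bytes stay uninitialised.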

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
