[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1767-1)

Sonja Tideman sonja.tideman at oracle.com
Mon Mar 18 16:25:37 PDT 2013


Synopsis: USN-1767-1 can now be patched using Ksplice
CVEs: CVE-2013-0190 CVE-2013-0216 CVE-2013-0217 CVE-2013-0268 
CVE-2013-0311 CVE-2013-0349 CVE-2013-1772

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1767-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
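The check described above (autoinstall set in /etc/uptrack/uptrack.conf, otherwise run uptrack-upgrade by hand) as a small POSIX shell script; this is an added example, not part of the announcement or of Ksplice's own tooling, and the config path and key name are the ones the announcement states while the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether a host
# still needs a manual "uptrack-upgrade -y" by reading the autoinstall
# setting from /etc/uptrack/uptrack.conf. The parsing tolerates '#'
# comments, blank lines, spacing and mixed case; last occurrence wins.

# Print the effective value of a key (e.g. autoinstall) from an
# uptrack.conf style "key = value" file. Exit 1 if unreadable or unset.
uptrack_conf_value() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" \
      | awk -F= -v k="$key" '
          {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            if (tolower($1) == k) {
                v = $2
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = tolower(v)
            }
          }
          END { if (val != "") { print val; exit 0 } exit 1 }'
}

# Exit 0 when autoinstall is enabled, 1 otherwise. A missing file or key
# counts as "not enabled", so such hosts are flagged for a manual upgrade.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_conf_value "$1" autoinstall)" = "yes" ]
}

# Report the action an operator should take for the given config file.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}
```

Run it on a fleet as `uptrack_action /etc/uptrack/uptrack.conf` to list hosts that still need the manual command.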


DESCRIPTION

* Denial of service in Xen PVM.

A race condition in the Xen pv-ops spinlock code can cause deadlocks that
leave the system unable to perform any work when a large number of
threads using pv-ops spinlocks are running.  An unprivileged user could
exploit this to cause a denial of service.


* Kernel panic on 802.11 driver unload.

The mac80211 wireless driver schedules an asynchronous job when unloading,
leading to a use-after-free and kernel panic.


* NULL pointer dereference in USB Inside Out Edgeport serial driver.

A NULL pointer dereference may occur during disconnection of the driver
due to a missing check.


* NULL pointer dereference in ACPI with cpuidle disabled.

The ACPI code does not correctly handle all cases where cpuidle is
disabled, leading to a kernel NULL pointer dereference.


* Denial-of-service in Extended Verification Module.

A missing NULL pointer check could lead to a NULL pointer dereference
and a kernel oops when removing an extended attribute from a file on a
filesystem that does not implement extended attributes.  This could allow
an unprivileged user to crash the system.


* Race condition in USB UHCI during initialization.

A race condition exists in the USB UHCI code that could cause the
interrupt handler to be called before all data structures are set up,
leading to potential invalid memory accesses.


* CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak
from the kernel.


* Memory leak in CIFS referral mount handling.

Allocated memory was not correctly freed in the CIFS referral mount
error handling path leading to a potential denial-of-service.


* Memory leak in ATH9K HTC layer skb allocation.

SKBs allocated by the ATH9K HTC layer were never freed, causing a memory
leak.


* Memory corruption in ATH9K flush command handling.

DMA activity was not stopped when handling a flush command, leading to
memory corruption.


* Double free on ATH9K beacon generate failure.

An incorrect re-use of objects between beacon generation attempts would
lead to a system crash.


* Double free in radeon driver.

If certain memory allocations fail, the error path will free previously
allocated memory but leave a stale pointer around, which will be freed
for the second time later.


* CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.

Access to /dev/cpu/*/msr was protected only using filesystem
checks. A local uid 0 (root) user with all capabilities dropped
could use this flaw to execute arbitrary code in kernel mode.


* Use-after-free in XFS AIO handling.

An inode reference was released before all operations on it were complete.
This might lead to a use-after-free if the inode was freed.


* CVE-2013-1772: Buffer overflow when writing to /dev/kmsg.

The log_prefix function in the printk code does not properly remove
a prefix string from a syslog header, which allows local users to
cause a denial of service (buffer overflow and system crash) by
leveraging /dev/kmsg write access and triggering a call_console_drivers
function call.


* CVE-2013-0190: Stack corruption with Xen 32-bit paravirtualized guests.

Incorrect manipulation of the stack pointer in the error path for iret
failure with a 32-bit paravirtualized guest could result in stack
corruption.  This could be triggered by an unprivileged user in the
guest to cause a denial-of-service.


* CVE-2013-0217: Denial of service in Xen backend driver.

A malicious guest can cause the host networking stack to consume large
amounts of CPU by sending malformed requests to the Xen backend driver.


* CVE-2013-0216: Memory leak in Xen net backend driver.

A malicious guest can cause a memory leak in the host networking stack by
sending malformed requests to the Xen backend driver, leading to a kernel
panic.


* Memory leak in xHCI USB host request handler.

The private data related to TX events in the USB request handler was
not freed.


* NULL pointer dereference in Bluetooth SMP.

A race condition in the Bluetooth SMP code can lead to a NULL
pointer dereference if SMP messages come in at unexpected times.


* Kernel crash on virtio console removal.

The kernel could access uninitialized data on device removal, causing a
kernel crash.


* Stack overflow in kernel resource allocation.

Recursive calls in kernel/resource.c could lead to a stack overflow when
reserving regions.


* Off-by-one error in qlogic netxen NIC driver.

An off-by-one bug in the qlogic netxen driver would trigger a kernel panic
on full-size TSO packets.


* Use-after-free in IP loopback transmission handling.

The loopback driver did not correctly handle a specific type of data,
which allowed a packet to be freed before being processed.


* Memory leak in memory mapped AF_PACKET transmission.

A memory leak in the memory mapped packet transmission code could result
in a denial-of-service against the system by a user with CAP_NET_RAW
capability.


* SCTP key leak in shared secret key setup.

The SCTP association key setup did not securely free the key memory
resulting in a possible leak of the key to an attacker.


* CVE-2013-0311: Privilege escalation in vhost descriptor management.

Incorrect handling of vhost descriptors that crossed regions could allow
a privileged guest user to crash the host or possibly escalate
privileges inside the host.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
