[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1809-1)

Vegard Nossum vegard.nossum at oracle.com
Thu May 2 04:51:57 PDT 2013


Synopsis: USN-1809-1 can now be patched using Ksplice
CVEs: CVE-2013-0913 CVE-2013-0914 CVE-2013-1796 CVE-2013-1797 
CVE-2013-1798 CVE-2013-1848 CVE-2013-1860 CVE-2013-1873

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1809-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
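As an added example, not part of the Ksplice announcement, here is a small POSIX shell audit helper that reads the "autoinstall" setting from an uptrack.conf and reports whether the updates will be applied automatically or whether the operator still has to run /usr/sbin/uptrack-upgrade -y. It assumes the "key = value" line format implied by the "autoinstall = yes" setting quoted above; the sample config files are constructed here for a stand-alone run and are not taken from any real host.

```shell
# Added example (not part of the Ksplice announcement): audit whether
# Ksplice Uptrack will apply updates such as USN-1809-1 on its own.
# Assumption: /etc/uptrack/uptrack.conf uses "key = value" lines, as the
# "autoinstall = yes" setting quoted in the announcement suggests.

# Print the effective value of the autoinstall key in the given config file
# (last occurrence wins; comment lines starting with # or ; are ignored;
# the value is lower-cased and trailing whitespace is trimmed).
# Prints "unset" when the key is absent or has no value.
uptrack_autoinstall_value() {
    conf="$1"
    val=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*//p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*$//')
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Decide what an operator should do: "auto" means Uptrack will install the
# updates itself; "manual" means /usr/sbin/uptrack-upgrade -y must be run.
uptrack_action() {
    case "$(uptrack_autoinstall_value "$1")" in
        yes) echo auto ;;
        *)   echo manual ;;
    esac
}

# Constructed sample configs for a stand-alone run (not real hosts' files).
tmpd=$(mktemp -d)
cat > "$tmpd/auto.conf" <<'EOF'
[Network]
# autoinstall = no   <- commented out, must be ignored
autoinstall = yes
EOF
cat > "$tmpd/manual.conf" <<'EOF'
[Network]
autoinstall = no
EOF
cat > "$tmpd/unset.conf" <<'EOF'
[Network]
EOF

# Report each sample; on a real host point the functions at
# /etc/uptrack/uptrack.conf instead.
for f in auto manual unset; do
    printf '%s: autoinstall=%s -> %s\n' "$f" \
        "$(uptrack_autoinstall_value "$tmpd/$f.conf")" \
        "$(uptrack_action "$tmpd/$f.conf")"
done
# Sample files are left in $tmpd for inspection; remove with rm -rf "$tmpd".
```

Running it across a fleet (for example via ssh) gives a quick list of hosts that still need the manual uptrack-upgrade step; the parser ignores commented-out lines so that a disabled "# autoinstall = no" does not mask the live setting.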


DESCRIPTION

* CVE-2013-1860: Buffer overflow in Wireless Device Management driver.

A malicious USB device can cause a buffer overflow and gain kernel code
execution by sending malformed Wireless Device Management packets.


* Kernel panic in fsyncing read-only RAID devices.

An unprivileged user can cause a kernel panic (BUG_ON) by causing an fsync
on a RAID device mounted read-only.


* Denial of service in kernel connector subsystem.

The kernel connector subsystem does not correctly validate privileges,
allowing an unprivileged user to block connector notifications for all
local users.


* NULL pointer dereference in CIFS filesystem mounting.

The CIFS filesystem does not correctly handle attempts to mount paths which
contain symlinks, causing a NULL pointer dereference and kernel panic.


* NULL pointer dereference in TTY buffer allocation management.

A logic error during TTY buffer flushing could lead to a NULL pointer
dereference. This could potentially be exploitable by a local user.


* NULL pointer dereference in pipe closing.

The pipe subsystem does not correctly handle processes opening pipes for
neither reading nor writing, leading to a NULL pointer dereference and
kernel panic.


* NULL pointer dereference in ALSA sequence timer.

The ALSA driver does not correctly handle failing to initialise a sequence
timer object leading to a NULL pointer dereference.


* CVE-2013-1848: Format string vulnerability in ext3 mounting.

The ext3 file-system driver incorrectly uses an argument from userspace as a
format string, allowing local users with the ability to mount ext3
filesystems to corrupt kernel memory and gain privileged execution.


* Kernel oops in Dallas's 1-wire (W1) bus search.

Due to faulty logic, trying to initiate a search for Dallas's 1-wire
(W1) bus devices over the netlink protocol would lead to a kernel oops.
This could be triggered by a local user with CAP_NET_ADMIN privileges.


* Memory leak in keyctl instantiation.

The error path when handling KEYCTL_INSTANTIATE requests does not
correctly free allocated memory, allowing an unprivileged user to leak
kernel memory.


* Kernel memory corruption in B.A.T.M.A.N. Advanced Meshing Protocol.

Missing sanity checks could allow a local user with CAP_NET_RAW
privileges to corrupt kernel memory by passing a kernel pointer
to the read() system call.


* Memory leak in PPPoL2TP messaging.

The PPPoL2TP tunneling protocol does not decrement a reference counter
when a user calls sendmsg on a PPPoL2TP socket, causing a kernel memory
leak.


* Denial of service in RDS socket allocation.

The RDS networking module does not correctly validate arguments from
userspace, allowing an unprivileged user to exhaust kernel memory and
trigger the OOM killer.


* Kernel crash when closing TUN/TAP device.

Under certain circumstances, closing a TUN/TAP device could lead to a
kernel crash. An unprivileged local user could use this to carry out
a denial of service attack.


* CVE-2013-1873: Information leaks in networking.

A number of system calls in the dcbnl, rtnl and bridge modules allow
unprivileged local users to leak the contents of kernel memory.


* Use-after-free in virtio net host kernel accelerator.

A user-controlled variable was being used without sanitisation. A malicious
guest VM could use this to cause a use-after-free and subsequent kernel
crash.


* Deadlock in SELinux xfrm networking.

The SELinux security module uses an invalid combination of flags to allocate
memory when validating users of the xfrm module leading to a deadlock.


* Information leak in UDF filesystem exported over NFS.

A UDF filesystem exported over NFS can leak information from the kernel
heap to a userspace process due to improper initialisation.


* Information leak in ISO9660 filesystem exported over NFS.

An ISO9660 filesystem exported over NFS can leak information from the
kernel heap to a userspace process due to improper initialisation.


* Kernel crash in SCTP protocol handler.

Due to a bug in the SCTP protocol handler, packets containing duplicate
cookie chunks will lead to inconsistent data structures. A remote
attacker could use this to crash the kernel.


* Use after free in generic journaling layer (JBD2).

Incorrect reference counting can lead to a use-after-free in the JBD2
subsystem. A malicious user could potentially use the flaw to crash the
kernel.


* CVE-2013-0913: Kernel heap overflow in Intel i915 driver.

An integer overflow in the Intel i915 driver when relocating buffers can
allow a local user to overflow the kernel heap and gain privileged code
execution.


* Kernel hang when unmounting ext4 filesystems mounted in 'journal' mode.

Under certain circumstances, mounting and unmounting an ext4 filesystem
quickly can lead to a kernel hang. A local user with sufficient
privileges could use this to carry out a denial-of-service attack.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.


* CVE-2013-1796: Buffer overflow in KVM system time MSR.

The KVM paravirtualised MSR driver does not correctly validate system timer
arguments allowing a guest virtual machine to corrupt host kernel memory by
providing an unaligned MSR value.


* CVE-2013-1798: Information leak in KVM APIC driver.

The KVM paravirtualised APIC driver does not correctly validate arguments
from the guest virtual machine when querying the APIC device, allowing a
malicious guest virtual machine to read kernel memory from the host.


* CVE-2013-1797: Use-after-free in KVM system time.

The KVM paravirtualised MSR driver does not pin guest memory associated with
paravirtualised timers allowing a guest virtual machine to crash the host by
unmapping memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
