[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1941-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Sep 6 17:24:19 PDT 2013


Synopsis: USN-1941-1 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-2164 CVE-2013-2232 CVE-2013-2234 CVE-2013-2851 CVE-2013-4162 CVE-2013-4163

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1941-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL pointer dereference in USB XHCI doorbell.

A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.


* NULL pointer dereference in XHCI host controller failure.

Missing NULL pointer checks could result in a kernel crash when an XHCI
host controller fails.


* Denial-of-service in Moschip 7840/7820 USB serial driver.

Missing resource freeing would result in a memory leak when opening the
device failed, allowing a user with sufficient privileges to exhaust
memory.


* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free
and kernel panic when reading from the 'mem_used_total' sysfs file while
resetting a device.


* Deadlock in btrfs snapshot deletion.

Missing lock tracking could result in deadlock when deleting a snapshot
causing the system to hang.


* Format string vulnerability in crypto subsystem.

A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic.


* Memory corruption in Bluetooth L2CAP MTU control.

An integer underflow and memory corruption can be triggered by reducing the MTU
of an L2CAP socket and then sending a large L2CAP packet.
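The underflow described above is the generic unsigned-arithmetic bug: the per-frame payload room is computed as MTU minus header size, and once userspace has lowered the MTU below the header size the subtraction wraps to a huge value, so a large packet "fits" in one frame and is copied into a buffer sized for the real MTU. The following is an added illustration of that pattern and its fix, not code from the advisory or from the Linux Bluetooth stack; the header size, the `chan` struct and the 48-byte minimum MTU are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_HDR_SIZE 4u   /* assumed basic header: 2-byte length + 2-byte CID */
#define L2CAP_MIN_MTU 48u   /* assumed floor; the check is the point, not the value */

struct chan {
    uint16_t omtu;          /* outgoing MTU, settable from userspace */
};

/* Vulnerable: any MTU is accepted, including one smaller than the header. */
static void set_mtu_vulnerable(struct chan *c, uint16_t mtu)
{
    c->omtu = mtu;
}

/* Hardened: refuse an MTU that cannot hold a header plus a minimal payload. */
static int set_mtu_safe(struct chan *c, uint16_t mtu)
{
    if (mtu < L2CAP_MIN_MTU)
        return -1;          /* EINVAL */
    c->omtu = mtu;
    return 0;
}

/* Payload room per frame. Unsigned subtraction wraps when omtu < header,
 * e.g. omtu == 2 yields SIZE_MAX - 1 instead of an error. */
static size_t room_vulnerable(const struct chan *c)
{
    return (size_t)c->omtu - L2CAP_HDR_SIZE;
}

/* Same computation, but the underflow case is reported instead of wrapped. */
static long room_safe(const struct chan *c)
{
    if (c->omtu < L2CAP_HDR_SIZE)
        return -1;
    return (long)(c->omtu - L2CAP_HDR_SIZE);
}

/* Frames needed to carry sdu_len bytes with ROOM payload bytes per frame.
 * A wrapped ROOM makes every SDU "fit" in a single frame, which is how the
 * oversized copy into an MTU-sized buffer happens. */
static size_t frames_for_sdu(size_t room, size_t sdu_len)
{
    if (room == 0)
        return 0;
    if (sdu_len <= room)
        return 1;
    return (sdu_len + room - 1) / room;
}

/* Convenience wrappers: set the MTU on a fresh channel and report the room. */
static size_t vulnerable_room_for_mtu(uint16_t mtu)
{
    struct chan c = { 0 };
    set_mtu_vulnerable(&c, mtu);
    return room_vulnerable(&c);
}

static long safe_room_for_mtu(uint16_t mtu)
{
    struct chan c = { 0 };
    if (set_mtu_safe(&c, mtu) != 0)
        return -1;
    return room_safe(&c);
}

int main(void)
{
    const uint16_t mtus[] = { 672, 48, 2 };      /* constructed settings */
    const size_t sdu_len = 65535;                /* constructed large SDU */
    for (size_t i = 0; i < sizeof mtus / sizeof mtus[0]; i++) {
        size_t vr = vulnerable_room_for_mtu(mtus[i]);
        printf("mtu=%u vulnerable_room=%zu frames=%zu safe_room=%ld\n",
               mtus[i], vr, frames_for_sdu(vr, sdu_len),
               safe_room_for_mtu(mtus[i]));
    }
    return 0;
}
```

The fix has two halves, and both matter: reject the bad MTU at the setsockopt boundary, and still guard the subtraction where the room is computed, so a future path that sets the MTU without the check does not reintroduce the wrap.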


* Memory corruption in comedi read/write with concurrent ioctl.

Missing locking in the comedi driver could result in memory corruption
and a kernel crash.


* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

A lack of validation can allow a remote user to trigger a NULL pointer dereference
and kernel panic by attempting to authenticate with the "auth_none" Ceph
authentication.


* Use-after-free in SCSI unit attention handling.

Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.


* Data loss in filesystems due to missing writeback.

Incorrect handling of periodic writeback could cause filesystems to fail
to write data back to disk leading to corruption in the case of a crash
or power failure.


* Use-after-free in DVB ring buffer.

Incorrect use of a lockless ring buffer could result in accessing
invalid data triggering a use-after-free and kernel crash.


* CVE-2013-2232: Memory corruption in IPv6 routing cache.

Connecting an IPv6 socket to an IPv4 destination can cause IPv4 routing
information to be placed in the IPv6 routing cache causing memory corruption
and a kernel panic.


* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.


* Use-after-free in freeing zram pages.

Incorrect locking in the zram driver when freeing pages can trigger a
use-after-free or BUG_ON leading to a kernel panic.


* Use-after-free in ACPI memory hotplug failure.

Incorrect handling of memory hotplug failure could result in accessing a
stale pointer and triggering a kernel crash.


* CVE-2013-2851: Format string vulnerability in software RAID device names.

A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.
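Both the crypto algorithm lookup bug above and CVE-2013-2851 are the same class of defect: a string the user controls (an algorithm name, a /dev/md device name written to new_array) reaches a printf-style sink as the format argument rather than as data. The following is an added, userspace illustration of the vulnerable and hardened sinks side by side; it is not code from the advisory or from the kernel's md or crypto code, and the `DISK_NAME_LEN` value and function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

#define DISK_NAME_LEN 32   /* assumed name limit for this example */

/* Vulnerable pattern: the user-supplied name *is* the format string, so
 * any '%' directive in it is interpreted by the formatter. The pragmas
 * only silence the compiler warning that would normally flag this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static void set_name_vulnerable(char *dst, size_t n, const char *name)
{
    snprintf(dst, n, name);            /* BAD: name controls the format */
}
#pragma GCC diagnostic pop

/* Hardened pattern: a fixed "%s" format; the name is only ever data. */
static void set_name_safe(char *dst, size_t n, const char *name)
{
    snprintf(dst, n, "%s", name);
}

/* Input-side check: refuse names a format-string sink could misread.
 * Defence in depth only; the real fix is the fixed "%s" format above. */
static int name_has_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

/* Returns 1 if the two sinks render NAME differently, i.e. the vulnerable
 * sink consumed a directive. The demo uses "%%" because it is the one
 * directive that is well defined without arguments; "%x" or "%n" would
 * read or write the caller's stack, which is the kernel-mode impact. */
static int sinks_disagree(const char *name)
{
    char vuln[DISK_NAME_LEN], safe[DISK_NAME_LEN];
    set_name_vulnerable(vuln, sizeof vuln, name);
    set_name_safe(safe, sizeof safe, name);
    return strcmp(vuln, safe) != 0;
}

int main(void)
{
    const char *names[] = { "md_home", "md_50%%" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char vuln[DISK_NAME_LEN], safe[DISK_NAME_LEN];
        set_name_vulnerable(vuln, sizeof vuln, names[i]);
        set_name_safe(safe, sizeof safe, names[i]);
        printf("%-8s vulnerable=\"%s\" safe=\"%s\" has_directive=%d\n",
               names[i], vuln, safe, name_has_directive(names[i]));
    }
    return 0;
}
```

When auditing for this class, grep for every printf-family and `dev_set_name`/`kasprintf`-style call whose format argument is not a string literal; compiling with `-Wformat-security` (or `-Wformat-nonliteral`) turns the pattern into a build warning, which is exactly what the pragmas above suppress for the demonstration.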


* Kernel deadlock when removing a Frame Relay device.

Incorrect locking when removing a Frame Relay DLCI device can cause a deadlock
and kernel panic.


* Kernel panic when removing a Frame Relay device.

Using the DLCI ioctl to remove a Frame Relay device on a socket that is not a
Frame Relay device can cause an invalid memory access and kernel panic.


* Integer overflow in HPFS (High Performance File System) mounting.

An integer overflow and kernel panic can be triggered by attempting to mount a
malformed HPFS filesystem.


* Use-after-free in NFS lock daemon lock retry mechanism.

Missing locking could result in a race condition with the retry list
allowing the kernel to use a freed item resulting in a kernel crash.


* NULL pointer dereference in XHCI container allocation.

A missing error check when allocating DMA memory for an XHCI container can
cause a NULL pointer dereference and kernel panic.


* Kernel crash in OCFS2 inline extended attributes with reflinked files.

Incorrect allocation sizes for inline extended attributes during reflink
could result in a kernel BUG() and subsequent crash.


* Missing permission checks in perf monitoring of setuid processes.

An invalid security check when executing a new process can allow unprivileged
users to monitor setuid processes using the kernel performance event subsystem.


* Memory leak in LSI Megaraid controller management firmware interface.

Incorrect handling of scatter-gather lists with 0 sized entries could
result in a memory leak of DMA coherent memory.


* CVE-2013-2164: Kernel information leak in the CDROM driver.

An ioctl result returned to the user might contain sensitive kernel
information.


* Use-after-free in zram driver unloading.

When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it leading to a use-after-free condition and kernel panic.


* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.


* Kernel crash in NFS file open failure.

Incorrect handling of the return value from a failed open() call on an
NFS filesystem could result in dereferencing an invalid pointer and
triggering a kernel crash.


* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated
leading to kernel memory corruption and possible elevation of privileges.
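The zram bug above is a request-validation failure: a block request carries a start offset and a length chosen by userspace, and if the driver does not verify that the whole range lies inside the device before indexing its page table, an out-of-range or wrapping request reads or writes beyond the backing allocation. The following is an added illustration of a naive end-of-range check next to an overflow-safe one, not code from the advisory or from the zram driver; the sector and page sizes, the `zram_dev` struct and the 4 MiB device are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512ULL     /* assumed block-layer granularity */

/* Naive check: start + len can wrap for a large start, so a request that
 * ends past the device (or wraps round to a tiny value) is accepted. */
static bool io_valid_naive(uint64_t start, uint64_t len, uint64_t disksize)
{
    return start + len <= disksize;          /* BAD: the addition may overflow */
}

/* Hardened check: non-empty, sector aligned, start inside the device, and
 * the remaining space computed by subtraction so nothing can wrap. */
static bool io_valid(uint64_t start, uint64_t len, uint64_t disksize)
{
    if (len == 0)
        return false;
    if (start % SECTOR_SIZE != 0 || len % SECTOR_SIZE != 0)
        return false;
    if (start >= disksize)
        return false;
    return len <= disksize - start;          /* overflow-safe end check */
}

struct zram_dev {
    uint64_t disksize;      /* bytes */
    uint8_t *store;         /* flat backing store of disksize bytes (constructed) */
};

/* Copy LEN bytes at START into OUT; returns 0 or -1 (EINVAL). Without the
 * validation a START past disksize would read, and the matching write path
 * would scribble, outside the backing allocation: the memory corruption the
 * advisory describes. */
static int zram_read(const struct zram_dev *d, uint64_t start, uint64_t len,
                     uint8_t *out)
{
    if (!io_valid(start, len, d->disksize))
        return -1;
    memcpy(out, d->store + start, (size_t)len);
    return 0;
}

int main(void)
{
    static uint8_t store[4u << 20];                     /* constructed 4 MiB device */
    const struct zram_dev dev = { sizeof store, store };
    const struct { uint64_t start, len; } reqs[] = {    /* constructed requests */
        { 0, 4096 },
        { dev.disksize - 512, 512 },
        { dev.disksize, 512 },
        { 100, 512 },                                   /* misaligned start */
        { UINT64_MAX - 511, 1024 },                     /* start + len wraps to 512 */
    };
    uint8_t out[4096];

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = zram_read(&dev, reqs[i].start, reqs[i].len, out);
        printf("start=%#llx len=%llu naive=%d fixed=%d read=%d\n",
               (unsigned long long)reqs[i].start,
               (unsigned long long)reqs[i].len,
               io_valid_naive(reqs[i].start, reqs[i].len, dev.disksize),
               io_valid(reqs[i].start, reqs[i].len, dev.disksize), rc);
    }
    return 0;
}
```

The request in the last row is the one to look for in any driver that takes an offset and a length from userspace: a start just below the top of the address space plus a modest length passes the naive `start + len <= disksize` test because the sum wraps, while `len <= disksize - start` rejects it without any wide arithmetic.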


* Data corruption in ext4 filesystem on 32-bit systems.

A number of integer overflows when handling 64-bit integers in the ext4 filesystem
on 32-bit systems can cause data corruption and/or loss.


* Deadlock in x25 ioctl error path.

Invalid error handling in the x25 ioctl code causes a lock to not be
released, leading to a deadlock.


* Deadlock in IPv6 multicast.

Incorrect lock handling in the IPv6 multicast code could lead to a
deadlock and system hang.


* CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.

When pushing pending frames in IPv6 udp code, an incorrect function call can
be made. This allows local users to cause a denial of service (BUG and system
crash) via a crafted application that uses the UDP_CORK option in a
setsockopt system call.


* CVE-2013-4163: Kernel crash in IPv6 sockets with IPV6_MTU set.

Incorrect handling of IPv6 sockets with IPV6_MTU set could result in
a kernel BUG() and subsequent crash.


* Memory corruption in Plan 9 9p remote filesystem.

An off-by-one error could lead to memory access violations and memory
corruption when releasing pages in the 9p filesystem, leading to a kernel crash.


* Memory corruption in 8021q VLAN quality-of-service.

A race condition in 8021q VLAN quality-of-service management when
sending packets can cause memory corruption and lead to a kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

