[Ksplice][Ubuntu-13.04-Updates] New updates available via Ksplice (USN-1935-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 20 10:07:24 PDT 2013


Synopsis: USN-1935-1 can now be patched using Ksplice
CVEs: CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2851 CVE-2013-4125 CVE-2013-4127

Systems running Ubuntu 13.04 Raring can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1935-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.04 Raring
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
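The following POSIX shell helper is an added example, not part of the Ksplice announcement or of the Uptrack tooling itself. It reads the "autoinstall" setting from an uptrack.conf-style file (the sample contents, the temporary path and the function names are constructed for the demonstration) and reports whether the manual uptrack-upgrade step above still has to be run on a host. It only prints the command from the notice; it never executes it.

```shell
#!/bin/sh
# Added example (not from the Ksplice notice): decide whether the manual
# "uptrack-upgrade -y" step is required on this host by reading the
# "autoinstall" key from an uptrack.conf-style file. The file contents
# used at the bottom are a constructed sample, not a real host's config.

# Print "yes" (exit 0) if the given file sets autoinstall to a true value,
# "no" (exit 1) otherwise. Matching is case-insensitive, leading whitespace,
# trailing "#"/";" comments and commented-out lines are ignored, and the
# last occurrence of the key wins. A missing or unreadable file or a
# missing key is treated as "no" (assumed conservative default).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 1; }
    value=$(grep -i '^[[:space:]]*autoinstall[[:space:]]*=' "$conf" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*[#;].*$//; s/[[:space:]]*$//')
    case "$value" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1|[Oo][Nn]) echo yes; return 0 ;;
        *) echo no; return 1 ;;
    esac
}

# Print the action an administrator should take for USN-1935-1 given the
# config file. Always exits 0; the decision is in the printed text.
uptrack_manual_action() {
    if uptrack_autoinstall_enabled "$1" >/dev/null; then
        echo "autoinstall enabled: USN-1935-1 updates will be installed automatically"
    else
        echo "autoinstall disabled: run '/usr/sbin/uptrack-upgrade -y' as root"
    fi
    return 0
}

# Constructed sample config for the demonstration (not a real host's file).
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
[Settings]
# Ksplice Uptrack configuration (constructed sample)
autoinstall = yes
EOF
uptrack_manual_action "$demo_conf"
rm -f "$demo_conf"
```

To use it against a live host, pass /etc/uptrack/uptrack.conf instead of the constructed file; the helper reads the file only, so it can be run by an unprivileged user who has read access to it.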


DESCRIPTION

* Race condition in unloading cgroup kernel modules.

A race condition between unloading a cgroup kernel module and unmounting a cgroup
filesystem can trigger a reference counting error and cause a kernel panic.


* Race condition in cgroup event removal.

Incorrect reference counting when removing a cgroup event while the cgroup is
being unmounted can trigger a BUG_ON and kernel panic.


* NULL pointer dereference in XHCI container allocation.

A missing error check when allocating DMA memory for an XHCI container can cause
a NULL pointer dereference and kernel panic.


* Missing permission checks in perf monitoring of setuid processes.

An invalid security check when executing a new process can allow unprivileged
users to monitor setuid processes using the kernel performance event subsystem.


* Data corruption in ext4 filesystem online resizing.

For ext4 filesystems with block sizes equal to 1K, an invalid calculation when
backing up data during an online resize can cause file system corruption.


* Kernel crash in OCFS inline extended attributes with reflinked files.

Incorrect allocation sizes for inline extended attributes during reflink
could result in a kernel BUG() and subsequent crash.


* CVE-2013-2851: Format string vulnerability in software RAID device names.

A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.


* Format string vulnerability in crypto subsystem.

A lack of sanitisation of a parameter when looking up crypto algorithms in the
kernel can trigger a format string vulnerability and cause a kernel panic.


* Integer overflow in HP filesystem mounting.

An integer overflow and kernel panic can be triggered by attempting to mount a
malformed HP filesystem.


* Deadlock in journalled ext3 filesystem unmounting.

The ext3 filesystem driver incorrectly handles flushing journalled data to disk
when unmounting an ext3 filesystem, leading to a kernel deadlock and possible data
corruption.


* Memory corruption in TCP options mangling netfilter.

The xt_TCPOPTSTRIP netfilter module does not validate the contents of the TCP
header when mangling packets, leading to remote kernel memory corruption and a
kernel panic.


* Data corruption in ext4 filesystem on 32-bit systems.

A number of integer overflows when handling 64-bit integers in the ext4 filesystem
on 32-bit systems can cause data corruption and/or loss.


* CVE-2013-2164: Kernel information leak in the CDROM driver.

An ioctl result returned to the user might contain sensitive kernel
information.


* Format string vulnerability in power charger manager.

A lack of sanitisation of a parameter when notifying udev about power charger
events can trigger a format string vulnerability and cause a kernel panic.


* Truncated packet denial-of-service in SUNRPC server.

Truncated packets received by the kernel SunRPC server are not handled correctly,
allowing remote attackers to cause a kernel panic by sending such packets.


* CVE-2013-1059: NULL pointer dereference in CephFS authentication.

A lack of validation can allow a remote user to trigger a NULL pointer dereference
and kernel panic by attempting to authenticate with the "auth_none" Ceph
authentication.


* Buffer overflow in iSCSI target configfs.

An incorrect length check when configuring an iSCSI target via configfs can allow
kernel memory corruption and privilege escalation.


* Kernel panic in SunRPC RDMA transport marshalling.

The RDMA transport for the kernel SunRPC server does not validate chunk lists in
received packets, allowing remote users to cause a kernel panic.


* CVE-2013-2148: Kernel information leak in file system notifications.

The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c
in the Linux kernel through 3.9.4 does not initialize a certain structure
member, which allows local users to obtain sensitive information from kernel
memory via a read operation on the fanotify descriptor.


* CVE-2013-4127: Use-after-free in virtio networking.

Incorrect memory management in the virtio networking driver can cause a
use-after-free condition and kernel panic when flushing DMA requests.


* Use-after-free in DVB ring buffer.

Incorrect use of a lockless ring buffer could result in accessing
invalid data, triggering a use-after-free and kernel crash.


* Data loss in filesystems due to missing writeback.

Incorrect handling of periodic writeback could cause filesystems to fail
to write data back to disk, leading to corruption in the case of a crash
or power failure.


* Memory leak in LSI Megaraid controller management firmware interface.

Incorrect handling of scatter-gather lists with zero-sized entries could
result in a memory leak of DMA coherent memory.


* NULL pointer dereference in LSI MPT Fusion SAS 3.0 probing.

With some enclosures where LUN 0 is created after the other LUNs or not
at all, incorrect initialization could lead to a NULL pointer
dereference in the discovery process.


* Deadlock in CIFS file reopening.

Incorrect locking in the CIFS filesystem can cause a deadlock when attempting to
reopen a file for reading or writing on a CIFS filesystem.


* Use-after-free in NFS lock daemon lock retry mechanism.

Missing locking could result in a race condition with the retry list
allowing the kernel to use a freed item resulting in a kernel crash.


* Use-after-free in zram driver unloading.

When the zram driver is unloading, it incorrectly attempts to reset a zram device
after destroying it, leading to a use-after-free condition and kernel panic.


* Use-after-free in freeing zram pages.

Incorrect locking in the zram driver when freeing pages can trigger a use-after-free
or BUG_ON, leading to a kernel panic.


* Memory corruption in zram reading and writing.

Read and write requests from userspace to a zram device are not correctly validated,
leading to kernel memory corruption and possible elevation of privileges.


* Use-after-free in zram sysfs interface.

Incorrect locking in the zram sysfs interface can cause a use-after-free and kernel
panic when reading from the 'mem_used_total' sysfs file while resetting a device.


* Information leak in IP virtual server socket options.

The IP virtual server socket family does not clear a kernel memory structure when
returning information via getsockopt(2), allowing a local CAP_SYS_ADMIN user to
leak the contents of kernel memory to userspace.


* CVE-2013-4125: Remote denial of service in IPv6 ECMP routing.

The kernel IPv6 networking stack does not correctly handle Router Advertisements
which contain equal-cost multi-path (ECMP) routes, allowing a remote attacker to
trigger a kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
