[Ksplice][Ubuntu-13.04-Updates] New updates available via Ksplice (USN-1974-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Sep 27 11:08:04 PDT 2013
Synopsis: USN-1974-1 can now be patched using Ksplice
CVEs: CVE-2013-4205
Systems running Ubuntu 13.04 Raring can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1974-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 13.04 Raring
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
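The check described above, written as a script for auditing a host (an added example, not part of the original advisory or of Ksplice Uptrack itself). The function names are hypothetical, the sample configuration is constructed, and treating only the literal value "yes" as enabled is an assumption chosen so that any other value is reported as needing a manual upgrade.

```shell
#!/bin/sh
# Added example: decide whether this advisory needs manual action on a host.

# Print the effective autoinstall value: "yes", "no" or "unset".
# Comment lines are skipped; the last assignment in the file wins.
uptrack_autoinstall_state() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    # A missing or unreadable file means autoinstall was never enabled.
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                   # section headers, blanks
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) == "autoinstall") state = tolower(val)
        }
        END {
            if (state == "yes") print "yes"
            else if (state == "") print "unset"
            else print "no"                     # assumption: only "yes" enables
        }
    ' "$conf"
}

# Print the action an administrator needs to take for this advisory.
uptrack_required_action() {
    case "$(uptrack_autoinstall_state "$1")" in
        yes) echo "none: updates install automatically" ;;
        *)   echo "run: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample config (not from a real system); the [Settings]
# section name is an assumption. A commented-out "yes" must not count.
sample=$(mktemp)
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$sample"
uptrack_required_action "$sample"
rm -f "$sample"
```

Calling uptrack_required_action with no argument checks /etc/uptrack/uptrack.conf on the local system.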
DESCRIPTION
* Kernel oops in VIRTIO console with splice().
A splice() with no buffers to a VIRTIO console device would result in a
kernel oops, triggerable by a local user with permissions to access the
serial device.
* Use-after-free in ext4 metadata error path.
If an error is encountered when writing dirty ext4 metadata to disk, a
use-after-free condition can be triggered, causing a kernel panic.
* NULL pointer dereference in Keyspan USB-to-serial driver.
A NULL pointer dereference and kernel panic can be triggered if a memory
allocation fails when attaching a Keyspan USB device.
* System hang in zram swap free under high memory pressure.
Incorrect locking in the zram swap freeing path could result in a system
hang when the system is under high memory pressure.
* Improved fix to "Filesystem corruption on ext4 truncation.".
An incorrect fix in the upstream patch resulted in the fixed code never
being called, allowing filesystem corruption to still occur.
* Kernel crash in simultaneous VIRTIO console splice().
Missing locking could result in a kernel crash when multiple processes
tried to splice to and from a VIRTIO console device.
* Use-after-free in IPv6 multicast routing namespace cleanup.
Incorrect locking could result in a use-after-free and kernel crash when
removing a network namespace.
* Heap buffer overflow when reading "pagemap" procfs file.
The kernel does not correctly allocate a temporary buffer when reading from the
"pagemap" procfs file, leading to a kernel heap overflow and possible code
execution.
* Kernel information leak in Class Based Queueing network scheduler.
Missing initialization in the CBQ network scheduler could result in
leaking kernel stack information to userspace.
* CVE-2013-4205: Denial-of-service in user namespaces.
Unbounded creation of user namespaces could result in a memory leak,
allowing a local, unprivileged user to crash the machine by repeatedly
creating new user namespaces.
* NULL pointer dereference in XHCI host controller failure.
Missing NULL pointer checks could result in a kernel crash when an XHCI
host controller fails.
* Deadlock in NILFS2 segment buffer processing.
Incorrect reference counting in the NILFS2 filesystem driver when processing
segment buffers can trigger a deadlock, causing a kernel panic.
* Use-after-free in SCSI unit attention handling.
Incorrect handling of commands during a retry due to unit attention
codes could result in a use-after-free and kernel crash.
* Denial-of-service in memory policy management with mbind().
Incorrect handling of memory policies during mbind() calls could result
in leaking memory policies, allowing a local user to cause a
denial-of-service.
* Kernel stack information leaks in PF_KEY sockets.
Missing initialization in a number of PF_KEY socket calls could result
in leaking kernel stack information to userspace.
* Kernel oops in simultaneous VIRTIO console open + unplug.
Missing synchronization could result in a crash if the device was opened
at the same time as the device was unplugged.
* Kernel crash in NFS file open failure.
Incorrect handling of the return value from a failed open() call on an
NFS filesystem could result in dereferencing an invalid pointer and
triggering a kernel crash.
* Kernel stack information leak in non-station 802.11 ethtool stats.
Missing initialization could allow a local user to gain kernel stack
information through ethtool statistics on a non-station 802.11
interface.
* Kernel stack information leak in ATM network scheduler.
Missing initialization could cause kernel stack information to be leaked
from the ATM network scheduler to userspace.
* NULL pointer dereference in USB XHCI doorbell.
A missing check for NULL could result in a kernel crash when handling
non-responsive XHCI peripherals.
* Buffer overflow in CIFS credentials.
An incorrectly sized buffer could result in a buffer overflow, allowing
a malicious server to cause heap memory corruption.
* Denial-of-service in Moschip 7840/7820 USB serial driver.
Missing resource freeing would result in a memory leak when failing to
open the device, allowing a user with sufficient privileges to exhaust
memory.
* Memory corruption in comedi read/write with concurrent ioctl.
Missing locking in the comedi driver could result in memory corruption
and a kernel crash.
* Kernel crash in Intel WiFi with small beacon intervals.
Attempting to connect to an access point with a beacon interval less
than 16 could trigger a firmware bug, causing a kernel crash.
* Use-after-free in ACPI sysfs attributes.
Missing locking in two sysfs attributes could cause a use-after-free and
kernel crash when accessing the attributes at the same time as device
hotplug or hot-unplug.
* Data corruption in virtual memory TLB invalidation.
Under certain conditions the kernel does not correctly invalidate the TLB when
unmapping virtual memory, causing user-mode processes to use stale data.
* Improved fix for 'Unlimited stack ASLR bypass on 64-bit systems'.
The original update for 'Unlimited stack ASLR bypass on 64-bit systems' did not
correctly handle randomising the stack, causing compatibility issues with some
existing user-mode programs. This update corrects the issue.
* Kernel crash during simultaneous ieee80211 channel switch and removal.
Removing a WiFi device during a channel switch could result in a NULL
pointer dereference and kernel crash.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.