[Ksplice][Ubuntu-13.04-Updates] New updates available via Ksplice (USN-2073-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jan 3 09:16:11 PST 2014


Synopsis: USN-2073-1 can now be patched using Ksplice
CVEs: CVE-2013-2930 CVE-2013-4470 CVE-2013-4513

Systems running Ubuntu 13.04 Raring can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2073-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.04 Raring
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Use-after-free in IP TIME_WAIT sockets.

Incorrect reference counting in the kernel IP stack when receiving data on
TIME_WAIT sockets can trigger a use-after-free condition and cause a kernel
panic.


* Deadlock in L2TP PPP packet transmission.

Invalid locking when transmitting packets over an L2TP PPP connection can trigger
a kernel deadlock when two processes send packets over the same connection.


* Information leak in FarSync network driver ioctl.

The SIOCWANDEV ioctl in the FarSync T-Series network driver does not initialise
memory before returning data to userspace, causing the contents of kernel memory
to be leaked to userspace.


* Information leak in Unix socket monitoring interface.

The Unix socket monitoring interface does not initialise memory when sending
information over a netlink socket, causing the contents of kernel memory to be
leaked to userspace.


* Kernel panic in netlink kernel/userspace connector.

An incorrect length check when processing netlink messages in the kernel/
userspace connector can cause an out-of-bounds access and kernel panic.


* Information leak in wanXL IF_GET_IFACE ioctl.

The SBE wanXL network driver does not initialise memory when handling the
IF_GET_IFACE ioctl, causing the contents of kernel memory to be leaked to
userspace.


* Denial-of-service in IPv4 CIPSO header validation.

The kernel IPv4 stack does not correctly handle malformed CIPSO headers in IPv4
packets, leading to an infinite loop and kernel panic.


* Deadlock in JFS inode allocation.

When failing to allocate new inodes on a JFS filesystem, the JFS filesystem
driver incorrectly unlocks inodes, leading to a deadlock and kernel panic.


* Memory leak in eCryptfs filesystem initialization.

When initializing an eCryptfs filesystem, the ecryptfs driver does not free
memory after decrypting the session key, causing a kernel memory leak.


* Memory corruption in DRM ioctl.

The DRM driver incorrectly allocates memory when processing an ioctl from
userspace, allowing a malicious local user to trigger kernel memory corruption
and gain elevated privileges.


* NULL pointer dereference in pSCSI device initialization.

A NULL pointer dereference and kernel panic can be triggered when the
pass-through SCSI driver fails to look up a host.


* Random process segmentation fault on KVM vhost.

Repeatedly starting and stopping vhost with LUNs attached could lead to a random
process segmentation fault on the KVM host.


* CVE-2013-4513: Memory corruption in USB-over-WiFi host driver.

The Ozmo USB-over-WiFi driver does not fully validate userspace arguments,
allowing a malicious local user to trigger kernel memory corruption and gain
elevated privileges.


* Privilege escalation in AAC RAID compatibility ioctl().

Missing permission checks could allow a local, unprivileged user to
escalate privileges with the AAC RAID driver.


* CVE-2013-2930: Incorrect permissions check in perf ftrace feature.

Incorrect permissions checks could allow a local, unprivileged user to
enable ftrace through the perf subsystem. This could allow the user to
gain information to bypass ASLR or crash the system.


* Denial of service in 802.11 packet transmission.

An invalid rate parameter in packets received over an 802.11 wireless interface
can trigger a divide-by-zero error and kernel panic.


* Kernel panic in RAID5 buffer merging.

The kernel RAID5 driver does not correctly manage buffers when merging multiple
requests, leading to a kernel panic in the kernel SCSI driver.


* Memory corruption in Broadcom bnx2x GSO.

The Broadcom driver for NetXtremeII devices does not correctly handle cloned
packet data when GSO is enabled, leading to memory corruption and a kernel panic.


* CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.

The kernel IP stack does not correctly handle sending fragmented packets via a
device which has UDP Fragmentation Offload enabled, leading to memory corruption
and a kernel panic.


* Information leak in netlink connector.

When sending messages through the netlink connector, some elements of the
message are not initialised, causing the contents of kernel memory to be
exposed to userspace.
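Four of the entries above (the FarSync SIOCWANDEV ioctl, the Unix socket
monitoring interface, the wanXL IF_GET_IFACE ioctl and the netlink connector)
are the same defect class: a kernel handler fills only some fields of a reply
object and copies the whole object to userspace, so compiler padding and fields
it never wrote carry whatever was previously in that memory. The userspace
simulation below is an added illustration written for this page, not code from
any of the drivers named in the advisory; the struct layout, the STALE_BYTE
marker standing in for leftover kernel data, and the memcpy() standing in for
copy_to_user() are all constructed assumptions. It shows the leaking pattern
beside the zero-before-fill pattern that closes it, and counts how many bytes
of stale data reach the caller in each case.

```c
/* Added illustration (not driver code): leaking stale memory through a
 * partially filled reply structure, and the memset-first fix. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reply structure: a 1-byte field, compiler padding, a 4-byte
 * field and a 64-byte reserved tail that the handler never writes. */
struct iface_reply {
    uint8_t  iface_type;
    uint32_t line_speed;
    uint8_t  reserved[64];
};

/* Constructed marker for "old kernel data" left behind in the scratch area. */
#define STALE_BYTE 0xAA

/* Simulated kernel scratch memory that previously held other data.
 * A union keeps the struct correctly aligned while letting us fill the
 * raw bytes with the stale marker. */
static union {
    struct iface_reply r;
    unsigned char raw[sizeof(struct iface_reply)];
} kernel_scratch;

/* Vulnerable pattern: set two fields, copy the whole object out.
 * Padding bytes and reserved[] still hold the stale marker. */
static void handler_vulnerable(unsigned char *user_out)
{
    memset(kernel_scratch.raw, STALE_BYTE, sizeof kernel_scratch.raw);
    struct iface_reply *r = &kernel_scratch.r;
    r->iface_type = 1;
    r->line_speed = 2048000;
    memcpy(user_out, r, sizeof *r);      /* stands in for copy_to_user() */
}

/* Hardened pattern: zero the entire object before filling any field, so no
 * byte reaches userspace uninitialised, padding included. */
static void handler_fixed(unsigned char *user_out)
{
    memset(kernel_scratch.raw, STALE_BYTE, sizeof kernel_scratch.raw);
    struct iface_reply *r = &kernel_scratch.r;
    memset(r, 0, sizeof *r);             /* the fix */
    r->iface_type = 1;
    r->line_speed = 2048000;
    memcpy(user_out, r, sizeof *r);
}

/* Count bytes of the returned buffer that still carry the stale marker,
 * i.e. old kernel memory the caller was never meant to see. */
static size_t count_leaked_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE_BYTE)
            n++;
    return n;
}

size_t leaked_by_vulnerable(void)
{
    unsigned char out[sizeof(struct iface_reply)];
    handler_vulnerable(out);
    return count_leaked_bytes(out, sizeof out);
}

size_t leaked_by_fixed(void)
{
    unsigned char out[sizeof(struct iface_reply)];
    handler_fixed(out);
    return count_leaked_bytes(out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler: %zu stale bytes reach userspace\n",
           leaked_by_vulnerable());
    printf("fixed handler:      %zu stale bytes reach userspace\n",
           leaked_by_fixed());
    return 0;
}
```

The vulnerable handler leaks every byte it did not explicitly write, which is
the object size minus the five bytes of real data; the fixed handler leaks
none. The same check, comparing a returned object against a known fill
pattern, is how such leaks are usually confirmed when reviewing ioctl and
netlink reply paths.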


* Denial-of-service in 802.11 radiotap packet parsing.

The kernel 802.11 radiotap interface does not correctly handle malformed packets
allowing a remote attacker to trigger an out-of-bounds read leading to a kernel
panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
