[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2075-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Jan 3 09:17:25 PST 2014
Synopsis: USN-2075-1 can now be patched using Ksplice
CVEs: CVE-2013-2929 CVE-2013-2930 CVE-2013-4345 CVE-2013-4348 CVE-2013-4513 CVE-2013-6378 CVE-2013-6380
Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2075-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
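As an added example (not part of the Ksplice announcement), the check below reads the autoinstall setting from an uptrack.conf-style file so an administrator can tell which hosts will pick up the USN-2075-1 patches on their own and which still need the manual command. It assumes only the "autoinstall = yes" key/value line shown above; the file path and the sample contents in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Oracle's code. Parses an uptrack.conf-style file for the
# "autoinstall = yes" line referenced in the advisory. Comments starting with
# '#' and whitespace around the key, '=' and value are ignored; only the last
# assignment counts. Any value other than "yes" is treated as disabled.

# Prints "yes" if autoinstall is enabled in the given file, "no" otherwise.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return; }
    val=$(sed -e 's/#.*//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    case "$val" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# Apply the manual update only when autoinstall is off. Dry run unless APPLY=1,
# so the function can be used for fleet-wide reporting first.
apply_if_needed() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall_enabled "$conf")" = yes ]; then
        echo "autoinstall enabled; Uptrack will install the USN-2075-1 patches itself"
    elif [ "${APPLY:-0}" = 1 ]; then
        /usr/sbin/uptrack-upgrade -y
    else
        echo "autoinstall disabled; run: /usr/sbin/uptrack-upgrade -y"
    fi
}
```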
DESCRIPTION
* Deadlock in block device caching.
The block device cache subsystem allocates memory with incorrect options,
potentially causing a deadlock and kernel panic.
* Infinite loop in cgroup task attaching.
A race condition when attaching threads to an existing cgroup can trigger an
infinite loop if the cgroup is exiting, leading to a kernel panic.
* Denial of service in 802.11 packet transmission.
An invalid rate parameter in packets received over an 802.11 wireless interface
can trigger a divide-by-zero error and kernel panic.
* Deadlock in JFS inode allocation.
When failing to allocate new inodes on a JFS filesystem, the JFS filesystem
driver incorrectly unlocks inodes, leading to a deadlock and kernel panic.
* Memory leak in eCryptfs filesystem initialization.
When initializing an eCryptfs filesystem, the ecryptfs driver does not free memory
used when decrypting the session key, causing a kernel memory leak.
* Kernel panic in RAID5 buffer merging.
The kernel RAID5 driver does not correctly manage buffers when merging multiple
requests, leading to a kernel panic in the kernel SCSI driver.
* NULL pointer dereference in pSCSI device initialization.
A NULL pointer dereference and kernel panic can be triggered when the
pass-through SCSI driver fails to look up a host.
* CVE-2013-4513: Memory corruption in USB-over-WiFi host driver.
The Ozmo USB-over-WiFi driver does not fully validate userspace arguments, allowing a malicious local user to trigger kernel memory corruption and gain elevated privileges.
* Privilege escalation in AAC RAID compatibility ioctl().
Missing permission checks could allow a local, unprivileged user to
escalate privileges with the AAC RAID driver.
* Kernel panic in procfs pagemap reading.
If a process contains memory ranges not managed by the kernel, then a local user
can trigger a kernel panic by reading the contents of /proc/*/pagemap.
* Memory corruption in DRM ioctl.
The DRM driver incorrectly allocated memory when processing an ioctl from userspace, allowing a malicious local user to trigger kernel memory corruption and gain elevated privileges.
* CVE-2013-4348: Denial-of-service in kernel network flow dissector.
The network flow dissector used by the kernel scheduler does not validate IP
headers in IP-over-IP connections, allowing a remote malicious user to trigger an
infinite loop and kernel panic.
* Buffer overrun in the tracing subsystem.
An incorrect bounds check in the kernel tracing subsystem could lead to
writing past the end of a buffer. A privileged local user can use this
flaw to crash the kernel or potentially gain additional privileges.
* Use of uninitialized memory in USB hub configuration.
In low memory situations, due to incorrect error handling, configuring
a USB hub could lead to use of uninitialized memory and a kernel crash.
A person with physical access to the machine could use this flaw to
cause denial of service.
* CVE-2013-6380: Denial-of-service in Adaptec RAID driver.
Incorrect memory allocations in the Adaptec RAID driver could result in
dereferencing an invalid pointer allowing a local user with the
CAP_SYS_ADMIN privilege to crash the system.
* CVE-2013-2930: Incorrect permissions check in perf ftrace feature.
Incorrect permissions checks could allow a local, unprivileged user to
enable ftrace through the perf subsystem. This could allow the user to
gain information to bypass ASLR or crash the system.
* Kernel crash in compressed RAM block device (ZRAM) under memory pressure.
Missing allocation checks could result in a NULL pointer dereference when
writing to the 'reset' sysfs attribute for a zram device, triggerable by
a privileged user.
* Use-after-free in Ralink rt2x00 device removal.
Incorrect checks for device presence could result in a use-after-free
and kernel crash when removing an active WiFi USB dongle from the
system.
* CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
The ptrace subsystem incorrectly checked the state of the fs.suid_dumpable
sysctl allowing a user to ptrace attach to a process if it had dropped
privileges to that user.
* CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Incorrect validation of user supplied data in the Marvell 8xxx Libertas
WLAN driver could allow a privileged user to trigger an invalid pointer
dereference and crash the system.
* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed requests that were not aligned to the block size.
This could lead to random numbers being generated with fewer bits of entropy
than expected when the ANSI CPRNG was used.
* Kernel crash in SCTP traffic control with duplicate cookies.
An incorrect assertion could cause the kernel to crash when SCTP traffic
control handles duplicate cookies.
* Use-after-free on IPC race condition.
When IPC_RMID races with other shm operations, there is potential for a
use-after-free of the file associated with the shm object.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.