============================================================================ Ubuntu Security Notice USN-1768-1 March 18, 2013 linux-lts-quantal vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS Summary: Several security issues were fixed in the kernel. Software Description: - linux-lts-quantal: Linux hardware enablement kernel from Quantal Details: Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously. (CVE-2013-0190) A failure to validate input was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS may exploit this flaw to cause a denial of service to the guest OS and other guest domains. (CVE-2013-0216) A memory leak was discovered in the Linux kernel's Xen netback (network backend) driver. A user in a guest OS could trigger this flaw to cause a denial of service on the system. (CVE-2013-0217) A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI device is assigned to the guest OS, the guest OS could exploit this flaw to cause a denial of service on the host. (CVE-2013-0231) A flaw was reported in the permission checks done by the Linux kernel for /dev/cpu/*/msr. A local root user with all capabilities dropped could exploit this flaw to execute code with full root capabilities. (CVE-2013-0268) Tommi Rantala discovered a flaw in the a flaw the Linux kernels handling of datagrams packets when the MSG_PEEK flag is specified. An unprivileged local user could exploit this flaw to cause a denial of service (system hang). (CVE-2013-0290) A flaw was discovered in the Linux kernel's vhost driver used to accelerate guest networking in KVM based virtual machines. A privileged guest user could exploit this flaw to crash the host system. (CVE-2013-0311) A flaw was discovered in the Extended Verification Module (EVM) of the Linux kernel. An unprivileged local user code exploit this flaw to cause a denial of service (system crash). (CVE-2013-0313) An information leak was discovered in the Linux kernel's Bluetooth stack when HIDP (Human Interface Device Protocol) support is enabled. A local unprivileged user could exploit this flaw to cause an information leak from the kernel. (CVE-2013-0349) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: linux-image-3.5.0-26-generic 3.5.0-26.42~precise1 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well. References: http://www.ubuntu.com/usn/usn-1768-1 CVE-2013-0190, CVE-2013-0216, CVE-2013-0217, CVE-2013-0231, CVE-2013-0268, CVE-2013-0290, CVE-2013-0311, CVE-2013-0313, CVE-2013-0349 Package Information: https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-26.42~precise1