[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-12908)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Aug 14 13:39:51 PDT 2015


Synopsis: FEDORA-2015-12908 can now be patched using Ksplice
CVEs: CVE-2015-5697

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-12908.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Heap overflow in Atheros ath9k driver.

The ath9k driver used bitmask operators incorrectly, which could result
in accesses beyond the bounds of the bitmask.  This could result in heap
memory corruption, crashing the kernel or potentially escalating
privileges.


* Kernel stack information leak in IEEE 802.15.4 LR-WPAN datagrams.

Missing stack structure initialization could result in leaking between 4
and 10 bytes of kernel stack contents to userspace when receiving a
datagram from an LR-WPAN socket.  A local, unprivileged user could use
this flaw to leak contents of the kernel stack.


* NULL pointer dereference in VIA VT6655 packet reception.

A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.


* Remote privilege escalation in Realtek RTL8712U USB driver.

Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet.  A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.


* Kernel crash in ext4 during truncate and write race.

Incorrect locking could result in a kernel crash when threads raced
between writing a journaled page and truncation.


* Multiple privilege escalations in DVB frontends.

Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This could result in an out-of-bounds access and kernel crash, or
potentially escalate privileges.


* Information leak in syslog with security modules.

Incorrect ordering could cause do_syslog() to fail to call the security
hooks for syslog, allowing an unprivileged user to access the syslog
without the required permissions.


* Filesystem corruption on Plan 9 9p filesystem during abort.

Aborted transactions were incorrectly handled, resulting in corruption
of future requests.  This could corrupt the filesystem or provide
incorrect data to applications.


* CVE-2015-5697: information leak in RAID/LVM GET_BITMAP_FILE ioctl().

Missing initialization of the buffer used for reading bitmaps could
result in leaking up to 4095 bytes of kernel heap memory to userspace.
A local user with access to an MD device could use this flaw to gain
information about kernel layout.


* NULL pointer dereference in firmware loading events.

Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when loading firmware and sending an event to
userspace.


* NULL pointer dereference in OS/2 HPFS filesystem remount.

Remounting an HPFS filesystem under low-memory conditions could result
in a NULL pointer dereference and kernel crash.


* Use-after-free in Plan 9 Resource Sharing Support writes.

Incorrect error handling during client writes could result in freeing a
buffer twice, resulting in a use-after-free and kernel crash.


* Use-after-free in Emulex One Connect HCA protection domain allocation.

Incorrect handling of user context protection domains during allocation
could result in a use-after-free and kernel crash.


* SELinux mprotect() protections bypass for anonymous mappings.

Incorrect handling of anonymous shared mappings could allow a writable
mapping to be marked PROT_EXEC when the process was not permitted to do
so.


* BTRFS filesystem corruption on inline extent cloning.

Incorrect copying of inline extents could result in corruption of the
BTRFS filesystem or a kernel crash.  A local, unprivileged user could
use this flaw to crash the system.


* Use-after-free in BTRFS transaction commit.

Incorrect transaction commit handling could result in a use-after-free
condition and kernel crash.


* Denial-of-service in BTRFS extent_same ioctl().

A missing memory free() could result in a memory leak and memory
exhaustion when performing the extent_same ioctl() on a BTRFS
filesystem.  A local user with access to the filesystem device could use
this flaw to trigger a denial-of-service.


* BTRFS data loss during append writes and hard links.

Under specific conditions, appending to a file after creating a hard
link could result in loss of the appended data.


* Out-of-bounds access in DRM atomic iterators.

Missing range checks could result in an out-of-bounds access when
iterating over planes and controllers.  This could result in memory
corruption or a kernel crash.


* RAID0/RAID10 device corruption during discard.

Under specific conditions, an I/O operation could cause corruption when
performing a discard operation on a RAID0 or RAID10 device.


* NULL pointer dereference in USB XHCI endpoint creation.

Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.


* NULL pointer dereference in USB gadget driver composite setup.

A race condition during composite gadget device setup could result in a
NULL pointer dereference and kernel crash if the configuration was not
yet installed.


* NULL pointer dereference in VIA VT665X BSS info change.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when handling a BSS change on a VIA VT665X device.


* Denial-of-service in BTRFS inode cache during deletion.

Missing locking during inode unpinning could result in memory
corruption.  A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.
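
The missing-initialization leak described in the CVE-2015-5697 entry above
(the same class as the LR-WPAN stack leak), modelled in userspace C beside
its zero-before-fill correction.  This is an added example, not kernel code
and not part of the Ksplice advisory.  The struct, the function names and
the 0xA5 marker are constructed, and the 4096-byte buffer size is an
assumption chosen so the worst case matches the 4095-byte figure above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 4096   /* assumed reply size; worst-case leak is PATH_BUF - 1 */
#define STALE    0xA5   /* constructed marker standing in for old heap contents */

struct bitmap_reply { char pathname[PATH_BUF]; };   /* hypothetical layout */

/* Model a recycled heap chunk: memory that still holds an earlier user's data. */
static struct bitmap_reply *alloc_recycled(void) {
    struct bitmap_reply *r = malloc(sizeof *r);
    if (r) memset(r, STALE, sizeof *r);
    return r;
}

/* Flawed pattern: only the string and its terminator are written. */
static void fill_unsafe(struct bitmap_reply *r, const char *path) {
    size_t n = strlen(path);
    if (n >= PATH_BUF) n = PATH_BUF - 1;
    memcpy(r->pathname, path, n);
    r->pathname[n] = '\0';
}

/* Corrected pattern: zero the whole reply before filling it. */
static void fill_safe(struct bitmap_reply *r, const char *path) {
    memset(r, 0, sizeof *r);
    fill_unsafe(r, path);
}

/* The caller receives the whole struct; count stale bytes still inside it. */
static size_t stale_bytes(const struct bitmap_reply *r) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof r->pathname; i++)
        if ((unsigned char)r->pathname[i] == STALE) n++;
    return n;
}

/* Stale bytes exposed for a given path, with or without zeroing first. */
size_t leaked(const char *path, int zero_first) {
    struct bitmap_reply *r = alloc_recycled();
    if (!r) return (size_t)-1;
    if (zero_first) fill_safe(r, path); else fill_unsafe(r, path);
    size_t n = stale_bytes(r);
    free(r);
    return n;
}

int main(void) {
    printf("unsafe, empty path: %zu stale bytes\n", leaked("", 0));
    printf("safe,   empty path: %zu stale bytes\n", leaked("", 1));
    return 0;
}
```

The empty path is the worst case: one terminator byte is written and every
other byte of the reply is returned as it was found.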

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


