[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-c4ed00a68f)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 16 12:34:13 PST 2015


Synopsis: FEDORA-2015-c4ed00a68f can now be patched using Ksplice
CVEs: CVE-2015-6937 CVE-2015-7515 CVE-2015-7833 CVE-2015-8374

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-c4ed00a68f.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
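
Added example, not part of the Oracle advisory: a shell check that reads the autoinstall setting named above and reports whether a manual uptrack-upgrade run is needed. Taking the last uncommented assignment and treating only the value "yes" as enabled are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): check the Uptrack autoinstall setting.

# Print the lowercased value of the last uncommented "autoinstall" assignment
# in an uptrack.conf-style file; print nothing if the key is absent.
# Assumption: the last assignment wins if the key appears more than once.
uptrack_autoinstall_value() {
    conf_file=$1
    [ -r "$conf_file" ] || return 2          # unreadable or missing file
    awk '
        /^[ \t]*[#;]/ { next }               # skip comment lines
        /^[ \t]*autoinstall[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)    # drop the key and "="
            sub(/[ \t]+$/, "", val)          # drop trailing whitespace
            last = tolower(val)
        }
        END { if (last != "") print last }
    ' "$conf_file"
}

# Exit status: 0 = autoinstall is "yes", 1 = not enabled, 2 = file unreadable.
# Assumption: only the value the advisory names ("yes") counts as enabled.
uptrack_autoinstall_enabled() {
    val=$(uptrack_autoinstall_value "$1") || return 2
    [ "$val" = "yes" ]
}

UPTRACK_CONF=/etc/uptrack/uptrack.conf
if [ -r "$UPTRACK_CONF" ]; then
    if uptrack_autoinstall_enabled "$UPTRACK_CONF"; then
        echo "autoinstall = yes: these updates install automatically"
    else
        echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y as root"
    fi
fi
```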


DESCRIPTION

* CVE-2015-6937: NULL pointer dereference in RDS socket creation.

Failure to check for binding to a transport could result in a NULL
pointer dereference when creating an RDS socket.  A local, unprivileged
user could use this flaw to crash the system.


* CVE-2015-7515: Denial-of-service in the aiptek USB driver.

A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints.  An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.


* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.

An information leak vulnerability was found when truncating a file to a
smaller size which consists of an inline extent that is compressed. The
data between the new file size and the old file size was not discarded,
allowing another user to read it through the clone ioctl.


* CVE-2015-7833: Kernel crash when probing USBVision device driver.

Missing input validation when probing for USBVision devices could in
certain circumstances cause the kernel to access invalid memory. A
malicious user with physical access to the machine could use this to
cause denial of service or worse.


* NULL pointer dereference in PPP over Ethernet device releasing.

An incorrect check for disconnected PPP over Ethernet devices could
result in a NULL pointer dereference and kernel crash when closing the
device.


* Information leak in RDS over TCP.

In low memory situations, an incoming RDS datagram may get corrupted and
potentially leak sensitive information to the userspace program receiving
the datagram.


* Memory corruption in Mellanox MLX4 slave events.

Incorrect size arguments to memcpy() calls could result in memory
corruption of MLX4 devices, causing a kernel crash.


* Kernel BUG in IP multicast routing.

Due to a race condition when updating network device statistics for IP
multicast routing, a malicious local user may in rare circumstances be
able to cause a kernel crash.


* Out of bounds memory access in infra-red driver.

Incrementing a pointer instead of its value in the infra-red driver could
lead to an out of bounds memory access.  A local user could use this flaw
to cause a denial-of-service.


* NULL pointer dereference when destroying TCP or ICMP sockets.

A missing NULL pointer check when about to release a TCP or ICMP socket
could lead to a NULL pointer dereference and kernel panic under low memory.
A local user could use this flaw to cause a denial-of-service.


* Use-after-free in the network destination cache.

A logic error could cause a use-after-free when releasing a network
destination cache object.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* NULL pointer dereference in 802.11 WiFi stack on channel switch.

A missing check for NULL in the mac 802.11 WiFi stack on channel switch
could lead to a NULL pointer dereference when those events are being
traced.  A local user with the capabilities to trace those events could use
this flaw to cause a NULL pointer dereference.


* Divide by zero in 802.11 WiFi-Direct stack on notification of absence.

A flaw in the Mac 802.11 WiFi-Direct stack could lead to a division by zero
in the kernel upon receipt of a notification of absence with a zero interval.
A remote user in the physical range of the WiDi radio could use this flaw
to cause a denial-of-service.


* Memory leak when parsing SMPS mode when starting in Access Point mode.

A flaw in the NL80211 stack could lead to a memory leak of the ACL policy
when failing to parse the SMPS mode.  A local user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Information leak in procfs wchan field.

The wchan field in the proc filesystem exposes absolute kernel
addresses, giving away the address space layout randomization offset.  This
information can be used by an attacker to facilitate an attack.


* Memory corruption in Marvell mwifiex driver when reading the eeprom.

A flaw in the Marvell mwifiex driver could lead to memory corruption when
reading the eeprom.  A local user could use this flaw to cause a
denial-of-service.


* Memory corruption in CAN driver when filling netlink packet.

A flaw in the CAN driver when writing device information on a netlink
socket can lead to memory corruption and kernel panic.  A local user could
use this flaw to cause a denial-of-service.


* Information leak when auditing tty copy to user.

The source buffer used when auditing tty data copied to userspace was mixed
up with the destination buffer given by userspace, allowing an unprivileged
user to cause a denial-of-service by giving an unmapped address, or to read
memory from the kernel.


* Denial-of-service when updating a negatively instantiated user cryptographic key.

A missing check that the key was not negatively instantiated when updating a
user cryptographic key could cause a BUG assertion to trigger.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Remote denial-of-service in the Transparent Inter Process Communication protocol.

A flaw in the Transparent Inter Process Communication (tipc) protocol
causes a kernel BUG assertion to trigger when receiving multicast packets
over UDP.  A remote user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


