[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-9712)

Oracle Ksplice ksplice-support_ww at oracle.com
Sun Jun 21 10:37:16 PDT 2015


Synopsis: FEDORA-2015-9712 can now be patched using Ksplice
CVEs: CVE-2015-1420

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-9712.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.

Due to a race condition in the name_to_handle_at() system call, it is
possible for userspace to change the length of the buffer read by the
kernel after it has been allocated. This could lead to a buffer
overflow. A local user with CAP_DAC_READ_SEARCH privileges could
potentially use this to cause denial of service or possibly escalate
their privileges.
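The defect class behind this entry is a double fetch: the kernel reads a length from userspace once to size an allocation, then reads the same memory again and trusts whatever length it finds the second time. The following user-space C program is an added illustration, not Ksplice's or the kernel's code. It emulates copy_from_user() against a fake page and replaces the racing thread with a deterministic hook so the outcome can be checked; the struct layout, the MAX_HANDLE_SZ bound and the sample lengths are constructed. With restore_length set, the length validated on the first fetch is written back after the second copy, which is the shape of the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLE_SZ 128          /* assumed upper bound a handle may claim */

/* Header of the user-supplied handle: the byte count comes first and the
 * opaque handle bytes follow it in memory (constructed layout). */
struct handle_hdr {
    uint32_t handle_bytes;
};

/* Emulated userspace page. In a real race another thread rewrites it in
 * the window between the kernel's two reads; here a hook does that
 * deterministically so the result can be asserted. */
struct user_page {
    unsigned char mem[256];
    void (*between_reads)(struct user_page *);
};

/* Bounded stand-in for copy_from_user(). */
static int fake_copy_from_user(void *dst, const struct user_page *src, size_t n)
{
    if (n > sizeof(src->mem))
        return -1;
    memcpy(dst, src->mem, n);
    return 0;
}

/*
 * Fetch the header once to size the allocation, then fetch header plus
 * payload again. Without restore_length the length from the second fetch
 * is kept (the vulnerable pattern); with it, the validated first value is
 * restored. Returns the length later code would trust.
 */
static long read_handle(struct user_page *page, int restore_length, size_t *allocated)
{
    struct handle_hdr first;
    if (fake_copy_from_user(&first, page, sizeof first))
        return -1;
    if (first.handle_bytes > MAX_HANDLE_SZ)
        return -1;

    *allocated = sizeof first + first.handle_bytes;
    struct handle_hdr *h = malloc(*allocated);
    if (!h)
        return -1;

    if (page->between_reads)            /* the race window */
        page->between_reads(page);

    /* The second copy is bounded by the allocation, so the copy itself is
     * in bounds; the handle_bytes field inside it may now be larger. */
    if (fake_copy_from_user(h, page, *allocated)) {
        free(h);
        return -1;
    }
    if (restore_length)
        h->handle_bytes = first.handle_bytes;   /* trust only the validated value */

    long trusted = h->handle_bytes;             /* later copies are sized by this */
    free(h);
    return trusted;
}

/* Hook standing in for the racing thread: raise the claimed length. */
static void grow_length(struct user_page *p)
{
    uint32_t bigger = 120;                      /* constructed value */
    memcpy(p->mem, &bigger, sizeof bigger);
}

/* Run the scenario with an 8-byte handle whose length changes between
 * the two fetches. Returns the length the kernel-side code ends up trusting. */
long demo_trusted_length(int restore_length)
{
    struct user_page page;
    memset(&page, 0, sizeof page);
    uint32_t initial = 8;                       /* constructed value */
    memcpy(page.mem, &initial, sizeof initial);
    page.between_reads = grow_length;

    size_t allocated = 0;
    long trusted = read_handle(&page, restore_length, &allocated);
    printf("%s: allocated %zu bytes, trusted length %ld\n",
           restore_length ? "single-length" : "double-fetch", allocated, trusted);
    return trusted;
}

int main(void)
{
    demo_trusted_length(0);   /* trusted length 120 against a 12-byte allocation */
    demo_trusted_length(1);   /* trusted length 8, consistent with the allocation */
    return 0;
}
```

The general rule the fix applies: copy a user-controlled value into kernel memory once, validate that copy, and never re-derive it from userspace afterwards.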


* Denial-of-service in KVM APIC accesses.

Missing validation of the APIC page could allow userspace to unmap the
page, resulting in a host crash when running the guest.


* Denial-of-service in SonicBlue Optimized MPEG File System mounting.

Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.


* Denial-of-service in SonicBlue Optimized MPEG File System superblock bitmap.

An integer overflow in the superblock parsing of a SonicBlue Optimized
MPEG File System could result in an out-of-bounds memory access and
memory corruption.  A local user with permission to mount filesystems
could use this flaw to trigger a denial-of-service, or possibly escalate
privileges with a maliciously crafted filesystem.


* BTRFS filesystem corruption during chunk allocation.

Missing locking could result in corruption of the filesystem when
marking a block group read-only.


* NULL pointer dereference in Broadcom IEEE802.11n packet transmission and reception.

Missing NULL pointer checks could result in a NULL pointer dereference
when receiving and transmitting packets in the Broadcom IEEE802.11n
driver.


* Denial-of-service in userspace string handling.

An incorrect length check could result in accessing beyond a
validated buffer.  A local, unprivileged user could use this flaw to
crash the kernel in specific conditions.


* Use-after-free in USB gadget configfs filesystem.

Missing invalidation of a pointer during function removal could result
in a use-after-free and kernel crash.


* NULL pointer dereference in EXT4 journal restart failure.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when restarting the journal.  A local user could use a
maliciously crafted filesystem to crash the system.


* Denial-of-service in JBD2 journal recovery.

An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash.  A local user could use a maliciously
crafted filesystem to crash the system.
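Both the SonicBlue superblock bitmap entry above and this JBD2 entry are the same failure mode: a size taken from on-disk metadata is rounded or multiplied in its own integer width, wraps, and the resulting allocation is smaller than the data later written into it. The C program below is an added example, not code from either filesystem or from Ksplice. It places a naive rounding computation beside a checked one that rejects wrap-around with __builtin_add_overflow (GCC/Clang) and rejects metadata that is internally inconsistent; the field names, bounds and sample superblock values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Rounding done in the field's own width (constructed to show the failure
 * mode): adding 7 to a block count close to UINT32_MAX wraps to a tiny
 * value, so the bitmap appears to need almost no memory.
 */
static uint32_t naive_bitmap_bytes(uint32_t num_blocks)
{
    return (num_blocks + 7) / 8;
}

/*
 * Checked version. Each rounding step is tested for wrap-around, the block
 * size must be a sane power of two, and a bitmap that would occupy at least
 * as many blocks as the filesystem claims to have is rejected as
 * inconsistent. Returns 0 on success or a negative errno.
 */
static int checked_bitmap_layout(uint32_t num_blocks, uint32_t block_size,
                                 uint64_t *bitmap_bytes, uint64_t *bitmap_blocks)
{
    if (block_size < 512 || block_size > 65536 || (block_size & (block_size - 1)))
        return -EINVAL;
    if (num_blocks == 0)
        return -EINVAL;

    uint32_t rounded;
    if (__builtin_add_overflow(num_blocks, 7u, &rounded))
        return -EOVERFLOW;
    uint32_t bytes = rounded / 8;

    uint32_t rounded_blocks;
    if (__builtin_add_overflow(bytes, block_size - 1, &rounded_blocks))
        return -EOVERFLOW;
    uint32_t blocks = rounded_blocks / block_size;

    if (blocks >= num_blocks)       /* the bitmap cannot fill the whole device */
        return -EINVAL;

    *bitmap_bytes = bytes;
    *bitmap_blocks = blocks;
    return 0;
}

/* Wrappers folding the out-parameters into one value: the byte or block
 * count on success, a negative errno on failure. */
long checked_bitmap_bytes(uint32_t num_blocks, uint32_t block_size)
{
    uint64_t bytes, blocks;
    int rc = checked_bitmap_layout(num_blocks, block_size, &bytes, &blocks);
    return rc ? rc : (long)bytes;
}

long checked_bitmap_blocks(uint32_t num_blocks, uint32_t block_size)
{
    uint64_t bytes, blocks;
    int rc = checked_bitmap_layout(num_blocks, block_size, &bytes, &blocks);
    return rc ? rc : (long)blocks;
}

int main(void)
{
    /* constructed superblock values: one sane, one just below UINT32_MAX */
    const uint32_t samples[] = { 100000, 0xFFFFFFFAu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t n = samples[i];
        printf("num_blocks=%u naive=%u checked=%ld\n",
               n, naive_bitmap_bytes(n), checked_bitmap_bytes(n, 4096));
    }
    return 0;
}
```

For the near-UINT32_MAX sample the naive computation yields 0 bytes while the checked one returns -EOVERFLOW, so the mount is refused before any allocation is sized by the wrapped value. Widening the arithmetic to 64 bits before rounding is an equally valid alternative to the explicit overflow builtins; either way, the consistency check between the bitmap size and the claimed block count should stay.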

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

