[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-16a5625f33)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 24 11:00:47 PST 2016


Synopsis: FEDORA-2016-16a5625f33 can now be patched using Ksplice
CVEs: CVE-2015-7884 CVE-2016-2069

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-16a5625f33.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* Denial-of-service in ALSA USB disconnection.

Incorrect handling of disconnection for USB audio devices could result
in a NULL pointer dereference and kernel crash.  A user with access to
the audio device could use this flaw to crash the system.


* Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Privilege escalation in ALSA compatibility ioctl().

Incorrect handling of compatibility data structures could result in a
heap buffer overflow.  A local user with access to the ALSA devices
could use this flaw to trigger a kernel crash or potentially escalate
privileges.


* Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* Denial-of-service in ALSA TLV controls.

Missing validation of user-supplied data could result in kernel warnings
being output to the kernel console.  A local user could use this flaw to
flood the kernel console, causing a denial-of-service.


* Use-after-free in Intel audio device removal.

Missing handling of deferred work during device removal could result in
a use-after-free.  A user with physical access to the device could use
this flaw to crash the system.


* Kernel crash in Wolfson 8974 audio codec probing.

A missing register map cache type could result in triggering a kernel
assertion when probing a Wolfson 8974 codec.


* Use-after-free when taking a reference on an IPv6 label.

A logic error in the IPv6 stack could lead to a use-after-free under
certain circumstances.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service in IPv6 stable_secret sysctl writing.

Missing initialization of a stack stored string could result in an
out-of-bounds access and kernel crash when writing to the stable_secret
sysctl.  A privileged user could use this flaw to crash the system under
specific conditions.


* Denial-of-service in SCTP protocol under memory pressure.

Failure to handle low memory conditions could result in a memory leak
and additional memory pressure on the system.  A malicious user could
use this flaw to crash the system under specific conditions.


* Denial-of-service in Connector callback implementation.

A reference counting imbalance of socket buffers could result in a
memory leak when processing Connector callbacks.  Under specific
conditions this could result in memory exhaustion and a system crash.


* Privilege escalation in network bridge startup.

A local, unprivileged user could create a new network namespace which
would call /sbin/bridge-stp in the initial namespace.  Under specific
conditions this could result in networking failure or potentially in
conjunction with other flaws to escalate privileges.


* Use-after-free in network destination cache removal.

A use-after-free when removing a network destination cache entry could
result in a kernel crash and denial-of-service.


* Denial-of-service in TCP congestion window reduction.

A divide-by-zero in the TCP congestion window reduction code could
result in a kernel crash under specific conditions.


* Out-of-bounds access in SCTP cookie_hmac_alg sysctl writing.

Missing initialization of a stack based string could result in an
unterminated read of the buffer.  Under specific conditions this could
trigger an out-of-bounds access and kernel crash.
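The stable_secret and cookie_hmac_alg entries above describe the same
bug class: a fixed-size string buffer on the kernel stack that is neither
initialised nor guaranteed to be NUL-terminated, so a later string read
runs past the copied bytes into whatever the stack held before.  The
following is an added illustration of that pattern, not code from the
kernel or from Ksplice; the buffer size, the "adjacent stack contents"
and the strscpy-style length check in the hardened variant are all
assumptions made for the demonstration.

```c
/*
 * Illustration (not kernel code) of an uninitialised, unterminated
 * stack string buffer.  The stale bytes next to the buffer are
 * constructed here so the demonstration itself stays in bounds.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYSCTL_STRLEN 16   /* hypothetical size of the sysctl string buffer */
#define ADJACENT      16   /* simulated stack contents following the buffer */

/* Model of the stack frame: the string buffer at offset 0, followed by
 * bytes left behind by earlier calls (constructed as 'A's plus one NUL). */
struct frame {
    char buf[SYSCTL_STRLEN];
    char adjacent[ADJACENT];
};

static void fill_adjacent(struct frame *f)
{
    memset(f->adjacent, 'A', ADJACENT - 1);
    f->adjacent[ADJACENT - 1] = '\0';
}

/* Vulnerable pattern: copy the user bytes without adding a terminator and
 * then treat the buffer as a C string.  Returns how many bytes the string
 * read consumed before it found a NUL.  Stale stack contents are simulated
 * with 'B' bytes instead of being left truly uninitialised, so the result
 * is deterministic. */
long vulnerable_write(const char *user, size_t len)
{
    struct frame f;
    memset(f.buf, 'B', sizeof f.buf);     /* stands in for stale stack data */
    fill_adjacent(&f);
    if (len > SYSCTL_STRLEN)
        len = SYSCTL_STRLEN;
    memcpy(f.buf, user, len);             /* no NUL written, ever */
    /* Scan from the start of the frame, bounded by the whole frame, so the
     * demo never leaves memory it owns; a real strlen() would not stop. */
    return (long)strnlen((const char *)&f, sizeof f);
}

/* Hardened pattern: zero the buffer first and refuse input that leaves no
 * room for the terminator (modelled on strscpy(), which returns -E2BIG on
 * truncation).  Returns the string length or a negative errno value. */
long hardened_write(const char *user, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);       /* defined contents, NUL present */
    fill_adjacent(&f);
    if (len >= SYSCTL_STRLEN)
        return -E2BIG;                    /* caller sees an error, not a crash */
    memcpy(f.buf, user, len);
    return (long)strnlen((const char *)&f, sizeof f);
}

int main(void)
{
    printf("vulnerable, 3 bytes in:  read %ld bytes\n", vulnerable_write("abc", 3));
    printf("hardened,   3 bytes in:  read %ld bytes\n", hardened_write("abc", 3));
    printf("hardened,  16 bytes in:  rc %ld\n", hardened_write("0123456789abcdef", 16));
    return 0;
}
```

With three bytes of input the vulnerable variant reports a 31-byte string,
because the scan only stops at the NUL placed at the end of the simulated
adjacent region; the hardened variant reports 3, and rejects input that
fills the buffer completely instead of copying it unterminated.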


* Use-after-free in IPv6 SYNACK retransmission.

Missing locking when retransmitting a SYNACK packet could result in a
use-after-free and kernel crash.  Under specific conditions, this could
result in a denial-of-service.


* Denial-of-service in packet generator allocation.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash.  A privileged, local user could use this flaw to crash
the system.


* Denial-of-service in SO_NO_CHECK sockets.

Incorrect handling of checksum offload for SO_NO_CHECK sockets could
result in network device drivers accessing invalid memory addresses and
triggering a kernel crash.  A local, unprivileged user could use this
flaw to crash the system under specific conditions.


* NULL pointer dereference in PhoNet packet reception.

Incorrect handling of shared socket buffers could result in a NULL
pointer dereference and kernel crash when receiving PhoNet packets.


* Undefined behaviour in Berkeley Packet Filter constant shifts.

Missing validation of constant shifts in a BPF program could result in
undefined behaviour, depending on the system.


* Information leak in HID core when connecting device.

In certain circumstances, connecting a HID device could cause an
uninitialised buffer to be printed to the kernel log. A malicious
local user with the ability to connect devices could use this to
obtain sensitive information from the kernel.


* Denial-of-service in Lustre filesystem echo client.

Missing validation of user-supplied pointers could result in the kernel
accessing an invalid address and faulting.  A local user could use this
flaw to crash the system.


* CVE-2015-7884: Information leak in Virtual Video Test Driver ioctl.

Missing initialization of an ioctl() structure field could result in a
leak of 16 bytes of kernel stack contents to user-space.


* Out-of-bounds access in Conexant IVTV driver.

An off-by-one error in the IVTV device probing could result in accessing
beyond the end of an array.  This could cause undefined behaviour when
the invalid data is used or, under specific conditions, crash the
system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
