[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2259-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jun 27 03:00:12 PDT 2014


Synopsis: USN-2259-1 can now be patched using Ksplice
CVEs: CVE-2014-1739 CVE-2014-3144 CVE-2014-3153

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2259-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel oops in mpt2sas suspend.

A duplicate disable when suspending in mpt2sas can lead
to a kernel oops.  A malicious user could use this to
cause a denial of service.


* Kernel crash in VMware virtual GPU DMA.

Incorrect DMA boundary checks in the VMware virtual GPU driver could allow
userspace to perform DMA to invalid addresses, resulting in memory corruption
or possibly privilege escalation.


* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.


* CVE-2014-3144: Multiple local denial of service vulnerabilities in the socket filter netlink attribute extensions.

The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extension implementations
in the sk_run_filter function in net/core/filter.c did not check that the
packet length was at least the size of a netlink attribute header before
subtracting that header size from it. The unsigned subtraction underflows,
which allows local users to cause a denial of service (integer underflow and
system crash) via crafted BPF instructions.
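The bounds logic described above, as an added example that is neither the kernel's code nor Ksplice's: a model of the BPF_S_ANC_NLATTR length checks with the pre-fix guard alone and with the extra check the fix for CVE-2014-3144 added, followed by a simplified nla_find() walk over a constructed attribute buffer. The struct nlattr layout, NLA_ALIGN and the sample packet bytes are constructed here; skb->len is modelled as an unsigned int, as it is in the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the kernel's struct nlattr: a 4-byte header (total length, type),
 * host byte order, payload padded to a 4-byte boundary. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};
#define NLA_ALIGN(len) (((len) + 3u) & ~3u)

/*
 * Would BPF_S_ANC_NLATTR hand the packet to nla_find(), and with what
 * remaining length? skb_len models skb->len (unsigned in the kernel), A is
 * the accumulator, i.e. the offset at which the search starts. Returns 1 if
 * the search proceeds (writing the remaining length to *rem), 0 if the
 * filter bails out with a result of 0.
 *
 * hardened == 0 keeps only the pre-fix guard "A > skb->len - sizeof(nlattr)",
 * which underflows when skb->len is smaller than one header. hardened == 1
 * adds the check introduced for CVE-2014-3144: a packet shorter than one
 * header is rejected before any subtraction happens.
 */
int anc_nlattr_bounds(unsigned int skb_len, unsigned int A, int hardened,
                      unsigned int *rem)
{
    const unsigned int hdr = (unsigned int)sizeof(struct nlattr);

    if (hardened && skb_len < hdr)
        return 0;                 /* too short to hold even one header */
    if (A > skb_len - hdr)        /* wraps to ~4G when skb_len < hdr */
        return 0;
    *rem = skb_len - A;           /* wraps again when A > skb_len */
    return 1;
}

/*
 * Model of nla_find(): walk attributes starting at buf and return the byte
 * offset of the first one with the requested type, or -1. 'rem' is trusted
 * exactly as the kernel trusts it, so a wrapped rem means reading past the
 * packet; only call this with a rem produced by the hardened check.
 */
int model_nla_find(const uint8_t *buf, unsigned int rem, uint16_t type)
{
    unsigned int off = 0;
    while (rem >= sizeof(struct nlattr)) {
        struct nlattr nla;
        unsigned int step;
        memcpy(&nla, buf + off, sizeof nla);
        if (nla.nla_len < sizeof(struct nlattr) || nla.nla_len > rem)
            break;                /* malformed attribute: stop walking */
        if (nla.nla_type == type)
            return (int)off;
        step = NLA_ALIGN(nla.nla_len);
        if (step > rem)
            break;
        off += step;
        rem -= step;
    }
    return -1;
}

/* Constructed sample packet (not a capture): attribute type 1 with a 4-byte
 * payload, then type 2 with a 2-byte payload padded to 4. Returns its length. */
unsigned int build_sample_pkt(uint8_t *buf, size_t cap)
{
    struct nlattr a1 = { 8, 1 }, a2 = { 6, 2 };
    const uint8_t p1[4] = { 0xde, 0xad, 0xbe, 0xef }, p2[4] = { 0x12, 0x34, 0, 0 };
    if (cap < 16) return 0;
    memcpy(buf, &a1, 4);      memcpy(buf + 4, p1, 4);
    memcpy(buf + 8, &a2, 4);  memcpy(buf + 12, p2, 4);
    return 16;
}

/* Hardened lookup on the sample: offset of attribute 'type' searched from
 * offset A, or -1 if rejected by the bounds check or not present. */
int find_attr_in_sample(unsigned int A, uint16_t type)
{
    uint8_t pkt[16];
    unsigned int len = build_sample_pkt(pkt, sizeof pkt), rem;
    if (!anc_nlattr_bounds(len, A, 1, &rem))
        return -1;
    return model_nla_find(pkt + A, rem, type);
}

int main(void)
{
    unsigned int rem;
    printf("2-byte packet, pre-fix:  proceeds=%d\n", anc_nlattr_bounds(2, 0, 0, &rem));
    printf("2-byte packet, hardened: proceeds=%d\n", anc_nlattr_bounds(2, 0, 1, &rem));
    printf("type 2 found at offset %d\n", find_attr_in_sample(0, 2));
    return 0;
}
```

With a 2-byte packet the pre-fix guard computes 2 - 4 as an unsigned value, so no offset A is ever rejected and nla_find() is handed a remaining length that is either too small for a header or wrapped to nearly 4 GiB; the hardened check rejects the packet before either subtraction.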


* Use-after-free in netfilter xtables when copying counters to userspace.

When a table is replaced, the netfilter ebtables, arptables and IPv4/IPv6
iptables code copied the old counters to userspace only after the new table
had already been installed. If that copy failed, the error path freed the
newly installed table even though packet processing could already reach it,
so any subsequent packet processing led to a use-after-free and kernel panic.
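The ordering problem described above, as an added example that is neither the kernel's code nor Ksplice's: a model of a table replacement with the pre-fix error path (free the table that was just installed when the counter copy fails) beside the fixed one (report the failure but never tear down a table the packet path can already see). struct xt_table_info, live_table, model_copy_to_user() and the injected failure flag are constructed stand-ins; the kernel's real replacement path has more steps, but the point, nothing may fail after the swap, is the same.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of an installed rule table with one packet counter per rule. */
struct xt_table_info {
    unsigned int number;
    uint64_t *counters;
};

/* The table the packet path consults; stands in for the pointer the kernel
 * swaps when a table is replaced. */
static struct xt_table_info *live_table;

/* Model of copy_to_user(): non-zero on failure. Failure is injected through a
 * flag so the error path can be exercised without real userspace. */
static int inject_copy_failure;
static int model_copy_to_user(void *dst, const void *src, size_t n)
{
    if (inject_copy_failure)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

static struct xt_table_info *alloc_table(unsigned int n)
{
    struct xt_table_info *t = calloc(1, sizeof *t);
    if (t && !(t->counters = calloc(n, sizeof *t->counters))) { free(t); t = NULL; }
    if (t) t->number = n;
    return t;
}

static void free_table(struct xt_table_info *t)
{
    if (t) { free(t->counters); free(t); }
}

/* Pre-fix ordering: install newinfo, copy the old counters out, and on a copy
 * failure free newinfo, which is already what live_table points at. The next
 * packet would dereference freed memory; *live_freed reports that instead. */
int replace_table_buggy(struct xt_table_info *newinfo, uint64_t *user_counters,
                        int *live_freed)
{
    struct xt_table_info *oldinfo = live_table;
    int err;

    live_table = newinfo;                  /* from here on packets use newinfo */
    err = model_copy_to_user(user_counters, oldinfo->counters,
                             oldinfo->number * sizeof(uint64_t));
    free_table(oldinfo);                   /* safe: no longer reachable */
    *live_freed = 0;
    if (err) {
        free_table(newinfo);               /* newinfo == live_table: use-after-free */
        *live_freed = 1;
    }
    return err;
}

/* Fixed ordering: once the swap has happened nothing may tear it down. A
 * failed copy is still reported, but it only loses the old counters; the new
 * table stays installed and intact. */
int replace_table_fixed(struct xt_table_info *newinfo, uint64_t *user_counters,
                        int *live_freed)
{
    struct xt_table_info *oldinfo = live_table;
    int err;

    live_table = newinfo;
    err = model_copy_to_user(user_counters, oldinfo->counters,
                             oldinfo->number * sizeof(uint64_t));
    free_table(oldinfo);
    *live_freed = 0;
    return err;                            /* never frees the live table */
}

/* One replacement of a 4-rule table by a 6-rule one. Returns 1 if the live
 * table is intact afterwards, 0 if it dangles, -1 on allocation failure. */
int simulate_replace(int use_fixed, int fail_copy)
{
    struct xt_table_info *oldinfo = alloc_table(4), *newinfo = alloc_table(6);
    uint64_t user_counters[4];
    int live_freed = 1;

    if (!oldinfo || !newinfo) { free_table(oldinfo); free_table(newinfo); return -1; }
    oldinfo->counters[0] = 42;             /* something worth copying back */
    live_table = oldinfo;
    inject_copy_failure = fail_copy;
    if (use_fixed)
        replace_table_fixed(newinfo, user_counters, &live_freed);
    else
        replace_table_buggy(newinfo, user_counters, &live_freed);
    inject_copy_failure = 0;
    if (!live_freed)
        free_table(newinfo);               /* buggy error path already freed it */
    live_table = NULL;
    return !live_freed;
}
```

The fixed variant still returns -EFAULT to the caller, so the failure is not hidden; what changes is that the only resource released on that path is the old table, which the packet path stopped using at the swap.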


* Improved fix for CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and would leave dangling pointers that could be exploited
to gain root privileges.


* NULL pointer dereference in CAAM crypto driver.

A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.


* CVE-2014-1739: Information leak in the media stack when enumerating media devices.

The ioctl() used to enumerate media devices could copy up to 200 bytes of
uninitialised kernel stack to userspace. A local user with write access to
/dev/mediaX could use this flaw to gather information about the running
kernel.
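The leak pattern behind CVE-2014-1739, as an added example that is neither the kernel's code nor Ksplice's: a descriptor declared on the stack, only partly filled in, and copied out whole, beside the fixed form that zeroes the structure first, which is what the upstream fix does with memset(). struct entity_desc is a constructed stand-in for the real descriptor (the real struct media_entity_desc is larger and laid out differently), the STALE marker models whatever a previous syscall left in the frame, and memcpy() into user_out stands in for copy_to_user().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the descriptor the enumeration ioctl fills in. What matters is
 * a name buffer that is only partly written and a reserved tail that the
 * handler never touches. */
struct entity_desc {
    uint32_t id;
    char     name[32];
    uint32_t type;
    uint32_t reserved[4];
};

#define STALE 0xAA   /* marker for "whatever the previous call left on the stack" */

/* Bounded copy without padding, like the kernel's strlcpy(): bytes after the
 * terminator are left as they were. */
static void copy_name(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Vulnerable pattern: declare the descriptor on the stack, set the fields the
 * handler knows about, copy the whole struct out. The memset(STALE) models the
 * uninitialised stack frame; user_out stands in for the copy_to_user()
 * destination. */
void enum_entity_vuln(struct entity_desc *user_out, uint32_t id, const char *name)
{
    struct entity_desc d;
    memset(&d, STALE, sizeof d);
    d.id = id;
    copy_name(d.name, sizeof d.name, name);
    d.type = 1;
    memcpy(user_out, &d, sizeof d);
}

/* Fixed pattern: zero the whole descriptor first, as the upstream fix for
 * CVE-2014-1739 does with memset(), so unused name bytes, reserved fields and
 * any padding reach userspace as zeros. */
void enum_entity_fixed(struct entity_desc *user_out, uint32_t id, const char *name)
{
    struct entity_desc d;
    memset(&d, STALE, sizeof d);   /* same "dirty" frame as above */
    memset(&d, 0, sizeof d);
    d.id = id;
    copy_name(d.name, sizeof d.name, name);
    d.type = 1;
    memcpy(user_out, &d, sizeof d);
}

/* Number of bytes in the copied-out struct that still carry the stale marker,
 * i.e. bytes of "kernel stack" the caller received. */
size_t stale_bytes(const struct entity_desc *d)
{
    const uint8_t *p = (const uint8_t *)d;
    size_t i, n = 0;
    for (i = 0; i < sizeof *d; i++)
        if (p[i] == STALE) n++;
    return n;
}

size_t leak_vuln(void)
{
    struct entity_desc out;
    enum_entity_vuln(&out, 7, "sensor");
    return stale_bytes(&out);   /* 25 unused name bytes + 16 reserved bytes */
}

size_t leak_fixed(void)
{
    struct entity_desc out;
    enum_entity_fixed(&out, 7, "sensor");
    return stale_bytes(&out);
}
```

Of the 56-byte descriptor, the vulnerable path hands back 41 bytes it never wrote: the tail of the name buffer and the reserved words. Zeroing the struct before populating it is the cheap, general fix; fixing individual fields is fragile because compiler-inserted padding is never assigned by any field write.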


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to use-after-free and kernel panic in the NFSv4
daemon implementation.


* Memory corruption when accessing a hugetlb copy-on-write page.

A missing TLB flush after a huge page was copied on write could leave the
parent process with a stale translation, so that it accessed the child's
copy of the page rather than its own original page. A local, unprivileged
user could use this flaw to cause memory corruption or potentially elevate
privileges.


* Out of bounds memory access in V4L2 OmniVision driver.

Incorrect use of an untrusted index coming from userspace leads to an out
of bounds memory access. A local, privileged user could use this flaw to
cause a kernel panic or potentially escalate privileges.


* Kernel BUG() in NFS daemon when setting an ACL with no entries.

A logic error in the NFS daemon code could trigger a kernel BUG() when
setting an ACL with no entries.


* NULL pointer dereference in the filesystem stack when checking an ACL.

A missing check for NULL when checking whether a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.


* Use-after-free in libceph when sending pages over TCP.

RADOS block devices did not correctly handle sending pages with a page_count
of 0 over TCP, which could free the page while it was still in use, leading
to memory corruption and a kernel panic. A local, privileged user could use
this flaw to cause a denial-of-service.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* Kernel panic in NFSv4 server client allocation.

The kernel NFSv4 server did not initialise certain data structures when
allocating a new client record. This could trigger a kernel panic when
initialising the new client failed.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
