[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2541-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 24 09:18:50 PDT 2015


Synopsis: USN-2541-1 can now be patched using Ksplice
CVEs: CVE-2013-6885 CVE-2014-7822 CVE-2014-8559 CVE-2014-9419 CVE-2015-1421

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2541-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
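A small check, added here and not part of the Ksplice notice, that reads the autoinstall setting the notice refers to and reports whether a host will pick these updates up on its own or needs the manual uptrack-upgrade run; the config path default, the `[Settings]` layout and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's or Ksplice's code): decide whether this host
# applies Ksplice updates automatically or needs `uptrack-upgrade -y`.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Skips comment lines, tolerates whitespace around '=', strips trailing
# comments, and compares the value case-insensitively ("Yes" counts).
# Defaults to the path named in the notice; a missing file counts as "no".
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Keep only the value of uncommented "autoinstall = ..." lines; if the
    # key appears more than once, the last occurrence wins.
    value=$(sed -n -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case $(printf '%s' "$value" | tr 'A-Z' 'a-z') in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the operator action for a host, based on its uptrack.conf.
plan_action() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall: updates apply automatically, no action needed"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (assumed layout, not copied from a real host),
# including a commented-out line that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
install_on_reboot = yes
autoinstall = no
EOF

plan_action "$sample"
rm -f "$sample"
```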


DESCRIPTION

* Memory corruption when expanding hard drive partition table.

A missing overflow check may allow a user to read and possibly write
data past the end of a kernel memory buffer, causing memory corruption.


* Use-after-free in USB Video Class driver when removing a device.

Incorrect ordering when removing the sysfs device on webcam disconnect
leads to a use-after-free and potentially a kernel panic.


* Out-of-bounds memory write in eCryptfs when decoding a file name.

A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic.  A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic when
registering a new key.  A local attacker could use this flaw to
cause a denial-of-service.


* Btrfs filesystem corruption on aborted transactions.

Filesystem corruption may occur when a certain order of transactions
occurs and the underlying device supports discarded transactions.


* CVE-2014-9419: Address leak on context switch bypasses ASLR.

A flaw in the context switch code could lead to leaking another thread's
local storage area.  A local, unprivileged user could use this flaw to gain
information about another process's address space mappings and bypass
address space layout randomization.


* Off-by-one in kernel bunzip2 decompressor.

The kernel bunzip2 decompressor does not correctly validate offsets when
decompressing data, which can lead to an out-of-bounds read and a possible
kernel panic.


* Cluster deadlock during journal commit in OCFS2 filesystem.

Under certain circumstances, incorrect lock ordering could cause a
deadlock if one thread handles a buffer write at the same time as the
journal commit thread attempts to flush the buffer. If this happens,
the whole cluster will hang.


* Use-after-free in cryptographic algorithms when handling backlogged requests.

A logic error in the cryptographic algorithms driver could lead to an early
return to userspace while a request is still pending.  A local attacker
could use this flaw by closing its sockets, causing the pending requests to
use freed memory and leading to a use-after-free and kernel panic.


* Kernel panic when flushing SFF ATA devices.

Incorrect locking when flushing Small Form Factor ATA devices can
trigger a BUG_ON and kernel panic.


* CVE-2015-1421: Privilege escalation in SCTP INIT collisions.

Missing reference counting could result in a use-after-free during an
INIT collision when establishing an SCTP socket.  A remote attacker
could use this flaw to trigger a denial-of-service or potentially gain
privileges.


* Kernel hang due to locking imbalance in VFS path lookup.

Due to a missing unlock operation in certain failure cases during VFS
path lookups, an unprivileged user could potentially trigger a kernel
hang as the object in question would never be unlocked properly.


* CVE-2014-7822: Incorrect parameter validation in splice() system call.

Incorrect parameter validation in the splice() system call could allow
a local, unprivileged user to write past the maximum file size and thus
crash the system.


* Use-after-free when reading from /proc/interrupts.

A lack of proper synchronization between the generic IRQ subsystem
releasing an interrupt descriptor and a concurrent read of that descriptor
through /proc/interrupts could lead to a use-after-free and potentially a
kernel crash.


* Multiple out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic.  An
attacker could use a specially crafted filesystem to cause a
denial-of-service.


* CVE-2014-8559: Deadlock when renaming and deleting concurrently.

Incorrect locking in the filesystem subsystem can trigger a deadlock and
kernel panic when renaming files in a directory while concurrently
deleting files in the same directory.


* CVE-2013-6885: Denial-of-service on AMD processors.

Under a highly specific and detailed set of internal timing conditions, a
locked instruction may trigger a timing sequence whereby the write to a
write combined memory type is not flushed, causing the locked instruction
to stall indefinitely. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Kernel panic caused by generating an MLD listener on devices with large MTUs.

Under certain circumstances, generating an MLD listener on devices
with a large maximum transmission unit may trigger a kernel panic,
causing a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

