[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (2.6.32-48squeeze17)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Dec 11 10:41:47 PST 2015
Synopsis: 2.6.32-48squeeze17 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7799 CVE-2015-7833 CVE-2015-7990 CVE-2015-8324
Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel update, 2.6.32-48squeeze17.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
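The check below is an added example, not part of Oracle's advisory or the Uptrack tooling. It reads an uptrack.conf-style file and reports whether a host still needs the manual command above. The function names, the sample file and the `[Settings]` section header in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.
# The config path and the "autoinstall = yes" setting come from the advisory;
# function names and the sample file are constructed for illustration.

# Print the effective autoinstall value from an uptrack.conf-style file.
# Comment lines are ignored and the last assignment wins; a missing key,
# an empty value or an unreadable file prints "unset".
uptrack_autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # skip commented-out lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2; gsub(/[ \t\r]/, "", val)
                found = tolower(val)
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Print what an operator must do on this host: "none" when updates are
# applied automatically, otherwise the command given in the advisory.
# Assumption: only the literal value "yes" (any case) enables autoinstall.
uptrack_required_action() {
    if [ "$(uptrack_autoinstall_value "$1")" = "yes" ]; then
        echo "none"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (not taken from a real system): the enabled
# line is commented out, so the effective value is "no".
sample_conf() {
    cat <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
}
```

Call `uptrack_required_action /etc/uptrack/uptrack.conf` on each host; any output other than `none` means the host is waiting for a manual upgrade run.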
DESCRIPTION
* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.
Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference. A local, unprivileged
user could use this flaw to cause a denial-of-service.
* Denial-of-service in ISDN PPP device opening.
Missing allocation failure checks could result in a NULL pointer
dereference when opening an ISDN PPP device. A local user with access
to the device could use this flaw to crash the system.
* CVE-2015-7799: Denial-of-service in PPP compression slot parameters.
Missing validation of VJ compression slot parameters for a PPP device
could result in a NULL pointer dereference and kernel crash. A local
user with access to the PPP device could use this flaw to crash the
system.
* Memory corruption when receiving datagram packets.
Incorrect reference counting can cause a double-free and kernel panic
when peeking at received datagram packets, such as those of the UDP and
netlink protocols.
* Use-after-free in IPC semaphores during task exit.
Due to incorrect locking, two tasks with shared IPC semaphore references
could exit and simultaneously try to free the semaphores. This could lead
to a use-after-free and memory corruption, allowing a malicious local user
to cause denial of service.
* Invalid memory free in device resource management.
A logic error in the device resource management code could cause the
wrong pointer to be freed, possibly crashing the kernel. A malicious
local user with device configuration privileges could use this to cause
denial of service.
* Kernel crash in HFS B-tree insertion.
Inserting a new record in an HFS B-tree at position 0 could corrupt the
tree resulting in either filesystem corruption or a kernel crash.
* Out of bounds memory access in get_wchan().
A logic error when checking bounds of the current stack pointer in
get_wchan() could lead to out of bounds memory accesses. A local,
unprivileged user could use this flaw to cause a kernel panic.
* Kernel BUG when unmapping a hugetlbfs page.
A logic error in hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in Marvell 88SE64XX/88SE94XX task preparation.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when performing tasks on a Marvell 88SE64XX/88SE94XX
device under low memory conditions.
* Information leak when getting strings from the ethtool device.
An allocated buffer that is copied to user space on ETHTOOL_GSTRINGS
requests was not cleared first, which could leak information about the
running kernel. This could help an attacker to elevate privileges.
* CVE-2015-7833: Denial-of-service when probing USBvision device.
Incorrect input validation when probing a USBvision device could lead to
out of bounds memory accesses and kernel panic. A local attacker with
physical access could use a fake USB device with a handcrafted USB descriptor
to cause a denial-of-service.
* CVE-2015-8324: NULL pointer dereference in ext4.
Due to incorrect error handling when mounting a corrupt filesystem, it
was possible for the kernel to dereference a NULL pointer. A malicious
local user with mounting privileges could use this to cause denial of
service.
* Kernel BUG in IP multicast routing.
Due to a race condition when updating network device statistics for IP
multicast routing, a malicious local user may in rare circumstances be
able to cause a kernel crash.
* Information leak in RDS over TCP.
In low memory situations, an incoming RDS datagram may get corrupted and
potentially leak sensitive information to the userspace program receiving
the datagram.
* Information leak in HID core when connecting device.
In certain circumstances, connecting a HID device could cause an
uninitialised buffer to be printed to the kernel log. A malicious
local user with the ability to connect devices could use this to
obtain sensitive information from the kernel.
* Memory leaks in USBVision device driver.
Under multiple different circumstances, the USBVision device driver could
leak memory. A malicious local user could potentially use this to cause
denial of service.
* Kernel crash when probing USBVision device driver.
Missing input validation when probing for USBVision devices could in
certain circumstances cause the kernel to access invalid memory. A
malicious user with physical access to the machine could use this to
cause denial of service or worse.
* CVE-2013-7446: Use after free in Unix sockets.
Invalid reference counting in the kernel Unix socket subsystem can
trigger a use after free condition. A local unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.