[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (DLA-246-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Jun 18 09:06:43 PDT 2015
Synopsis: DLA-246-1 can now be patched using Ksplice
CVEs: CVE-2011-5321 CVE-2012-6689 CVE-2014-3184 CVE-2014-8159 CVE-2014-9683 CVE-2014-9731 CVE-2015-1805 CVE-2015-2041 CVE-2015-2042 CVE-2015-2922 CVE-2015-3339 CVE-2015-4167
Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel update, DLA-246-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
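The following shell script is an added example and is not part of the Ksplice advisory or Oracle's tooling. It automates the two steps above: it reads the autoinstall setting to decide whether the update must be applied by hand, and it checks that every CVE listed for DLA-246-1 appears among the installed Ksplice updates. It assumes (the advisory does not say) that /etc/uptrack/uptrack.conf is an INI-style file with an "autoinstall = yes|no" key and that uptrack-show prints one installed update per line as "[id] description"; the config and uptrack-show output it parses are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory. It decides whether the
# update has to be applied by hand and then checks that every CVE listed in
# DLA-246-1 appears among the installed Ksplice updates.
#
# Assumptions (not stated on the page): /etc/uptrack/uptrack.conf is an
# INI-style file with an "autoinstall = yes|no" key, and `uptrack-show`
# prints one installed update per line as "[id] description".

# CVE list copied from the advisory header.
ADVISORY_CVES="CVE-2011-5321 CVE-2012-6689 CVE-2014-3184 CVE-2014-8159
CVE-2014-9683 CVE-2014-9731 CVE-2015-1805 CVE-2015-2041 CVE-2015-2042
CVE-2015-2922 CVE-2015-3339 CVE-2015-4167"

# autoinstall_enabled CONF: exit 0 if CONF has an uncommented
# "autoinstall = yes" (case-insensitive, last occurrence wins), else 1.
autoinstall_enabled() {
    sed -e 's/[#;].*//' "$1" 2>/dev/null |
    awk -F= '
        tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ { gsub(/[ \t]/, "", $2); v = tolower($2) }
        END { if (v == "yes") exit 0; exit 1 }'
}

# missing_cves SHOWFILE: print the advisory CVEs absent from the saved
# `uptrack-show` output in SHOWFILE; exit 0 only when none are missing.
missing_cves() {
    missing=""
    for cve in $ADVISORY_CVES; do
        grep -qw "$cve" "$1" 2>/dev/null || missing="$missing $cve"
    done
    [ -n "$missing" ] || return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Constructed sample input so this runs offline; on a real host point the
# functions at /etc/uptrack/uptrack.conf and at `/usr/sbin/uptrack-show > file`.
tmp=$(mktemp -d)
cat > "$tmp/uptrack.conf" <<'EOF'
[Network]
# autoinstall = yes
autoinstall = no
EOF
cat > "$tmp/uptrack-show.txt" <<'EOF'
Installed updates:
[1a2b3c4d] CVE-2014-9683: Out-of-bounds memory write in eCryptfs when decoding a file name.
[2b3c4d5e] CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
EOF

if autoinstall_enabled "$tmp/uptrack.conf"; then
    echo "autoinstall = yes: Uptrack will apply DLA-246-1 on its own"
else
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi
if missing=$(missing_cves "$tmp/uptrack-show.txt"); then
    echo "all DLA-246-1 CVEs are patched"
else
    echo "still unpatched: $missing"
fi
rm -rf "$tmp"
```

The comment-stripping step matters: a commented-out "# autoinstall = yes" left behind by a template must not be read as enabled, and the last uncommented occurrence wins, which is how most INI parsers behave. The CVE check only proves that an update carrying each identifier is loaded; it does not replace uptrack-show's own view of the effective kernel version.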
DESCRIPTION
* CVE-2014-9683: Out-of-bounds memory write in eCryptfs when decoding a file name.
A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic. A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.
* CVE-2014-3184: Invalid memory write in HID drivers.
Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs. This could occur if
a HID device report offers an invalid report descriptor size.
A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.
* CVE-2014-8159: Privilege escalation in Infiniband userspace access.
Missing sanitization of userspace input to the Infiniband userspace
memory access subsystem could allow a local user with access to the
/dev/infiniband/uverbsX device nodes to crash the system or,
potentially, escalate their privileges on the system.
* CVE-2015-2041: Information leak in 802.2 LLC sysctl interface.
The IEEE 802.2 Logical Link Control (LLC) subsystem uses an incorrect length
when returning data to userspace from its sysctl interface, allowing
userspace processes to read the contents of kernel memory.
* CVE-2015-2042: Information leak in the Reliable Datagram Socket protocol.
A flaw in the handling of userspace tuning for the Reliable Datagram Socket
(RDS) protocol leads to an information leak when reading from the sysctl
files. A local, privileged user could use this flaw to gain knowledge about
the running kernel, potentially facilitating an attack.
* CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.
A flaw in the IPv6 stack allowed a remote attacker on the same link to
advertise a hop limit smaller than the default, leaving hosts on that
network unable to send or receive IPv6 traffic.
* CVE-2015-3339: Privilege escalation due to race condition between execve and chown.
The execve() syscall can race with inode attribute changes made by chown().
This race condition could result in execve() setting uid/gid to the new
owner, leading to privilege escalation.
* CVE-2014-9731: Multiple out-of-bounds memory accesses in UDF filesystem driver.
A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic. An
attacker could use a specially crafted filesystem to cause a
denial-of-service.
* CVE-2015-1805: Memory corruption in handling of userspace pipe I/O vector.
Pipe I/O vector handling functions didn't handle failure of atomic accesses
correctly. This would allow a local unprivileged user to crash the system.
* Memory leak in SCTP authentication key management.
Incorrect reference counting when setting the SCTP_AUTH_KEY socket option
on an SCTP socket leaks the memory holding sensitive keying material.
A local, unprivileged user could use this flaw to exhaust the memory on the
system and cause a denial-of-service. An attacker with memory read access
could also later recover sensitive information about the keys.
* Kernel panic when receiving compressed PPP data.
The kernel Point-to-Point Protocol (PPP) implementation does not correctly
handle decompressing large PPP packets, which can trigger an assertion
failure and kernel panic.
* Use-after-free in the extended matches network classifier.
A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.
* Kernel panic in IPv4 forwarding of timewait sockets.
The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.
* Memory corruption in SPI device ioctl.
An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.
* Information leak in Infiniband Userspace events.
The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.
* Information leak in /proc/PID/pagemap.
/proc/PID/pagemap exposes the virtual-to-physical mappings of a process and
could be read by a local, unprivileged user. This could be used in
conjunction with flaws such as Rowhammer to elevate privileges.
* Stack information leak in POSIX timers creation.
A failure to properly initialize posix timers could lead
to kernel stack information being leaked to userspace.
* Data corruption on hfsplus filesystem when inserting node at position zero.
A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.
* CVE-2012-6689: Netlink spoofing allows privilege elevation.
A local user may be able to elevate privileges by spoofing the source
of a netlink message.
* CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes which can trigger kernel
memory corruption and a kernel panic.
* Denial-of-service in SNDCTL_SEQ_OUTOFBAND OSS ioctl().
Incorrect locking could allow a local user with access to /dev/sequencer
to deadlock the system resulting in a denial-of-service.
* CVE-2011-5321: NULL pointer dereference in TTY subsystem.
Incorrect error handling could result in a NULL pointer dereference when
opening a TTY device. A local, unprivileged user could use this flaw to
crash the system.
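The shell script below is an added example, not part of the Ksplice advisory, for the /proc/PID/pagemap item above: it decodes pagemap entries and reports whether the kernel still hands physical frame numbers to an unprivileged process. The entry layout (bits 0-54 PFN when present, bit 62 swapped, bit 63 present) comes from the kernel's Documentation/vm/pagemap.txt. It assumes, which the advisory does not state, that a fixed kernel either refuses to open pagemap for a normal user or reports a PFN of zero; run it as an unprivileged user, because a process with CAP_SYS_ADMIN always sees real PFNs.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory: check whether
# /proc/PID/pagemap still reveals physical frame numbers (PFNs) to an
# unprivileged process, which is what Rowhammer-style attacks rely on.
# Entry layout from Documentation/vm/pagemap.txt: bits 0-54 PFN (when the
# page is present), bit 62 swapped, bit 63 present.
#
# Assumption: a patched kernel either refuses to open pagemap for an
# unprivileged user or reports a PFN of 0. Run this as a normal user, since
# CAP_SYS_ADMIN always sees real PFNs.

# pagemap_decode HEX16: decode one 64-bit entry given as 16 hex digits (the
# form `od -tx8` prints). Prints "present=<0|1> swapped=<0|1> pfn=<hex>".
pagemap_decode() {
    e=$1
    # Split into 32-bit halves so signed 64-bit shell arithmetic cannot overflow.
    hi=${e%????????}
    lo=${e#????????}
    present=$(( (0x$hi >> 31) & 1 ))
    swapped=$(( (0x$hi >> 30) & 1 ))
    pfn=$(( ((0x$hi & 0x7fffff) << 32) | 0x$lo ))   # PFN bits 32-54 | bits 0-31
    printf 'present=%d swapped=%d pfn=%x\n' "$present" "$swapped" "$pfn"
}

# pagemap_pfn_leaks PID: look up the topmost page of PID's stack (always
# resident) in /proc/PID/pagemap. Exit 0 and print the PFN if it is non-zero,
# 1 if the PFN is zeroed or pagemap is unreadable (no leak), 2 if /proc is
# not usable here.
pagemap_pfn_leaks() {
    pid=$1
    pagesz=$(getconf PAGESIZE 2>/dev/null || echo 4096)
    end=$(sed -n 's/^[0-9a-f]*-\([0-9a-f]*\) .*\[stack\]$/\1/p' /proc/"$pid"/maps 2>/dev/null)
    [ -n "$end" ] || return 2
    idx=$(( (0x$end - pagesz) / pagesz ))
    entry=$(od -An -tx8 -j $(( idx * 8 )) -N 8 /proc/"$pid"/pagemap 2>/dev/null | tr -d ' \n')
    [ -n "$entry" ] || return 1
    set -- $(pagemap_decode "$entry")
    pfn=${3#pfn=}
    [ "$pfn" != 0 ] || return 1
    echo "$pfn"
}

pfn=$(pagemap_pfn_leaks $$) && rc=0 || rc=$?
case $rc in
    0) echo "LEAK: pagemap reports physical frame 0x$pfn for pid $$" ;;
    1) echo "ok: PFN hidden from pid $$ (or pagemap not readable)" ;;
    *) echo "could not inspect /proc/$$/maps" ;;
esac
```

A zero PFN on a present page is the signature of the upstream mitigation that masks frame numbers for callers without CAP_SYS_ADMIN; an open() failure on pagemap is the other form the fix can take. Either result means the mapping information this item describes is no longer available to an unprivileged attacker.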
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Debian-6.0-Updates
mailing list