[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.57-3)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Apr 28 01:56:43 PDT 2014


Synopsis: 3.2.57-3 can now be patched using Ksplice
CVEs: CVE-2013-4483 CVE-2014-0055 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-0131 CVE-2014-1874 CVE-2014-2309 CVE-2014-2523 CVE-2014-2678

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.57-3.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
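An added example, not part of the Ksplice announcement: a POSIX shell check that reads /etc/uptrack/uptrack.conf for the "autoinstall" key named above and tells an operator whether this update will arrive on its own or whether /usr/sbin/uptrack-upgrade -y has to be run by hand. The flat "key = value" layout, the comment handling and the ACTUALLY_UPGRADE guard are assumptions made for this example, not documented Ksplice behaviour; the sample configuration in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not Ksplice's own code): decide whether a Debian 7 host
# will pick up this Ksplice update automatically or needs a manual run.
#
# Assumption: uptrack.conf is a flat "key = value" file in which the key
# "autoinstall" controls automatic installation, as the announcement states.
UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Print the effective value of a key from a uptrack.conf-style file.
# Skips '#' and ';' comment lines, drops inline comments and surrounding
# whitespace; the last occurrence wins, as is usual for INI-style files.
uptrack_conf_get() {
    key="$1"
    conf="$2"
    [ -r "$conf" ] || return 2
    sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p" \
        "$conf" | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# Returns 0 when "autoinstall = yes" is set (case-insensitive), 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="${1:-$UPTRACK_CONF}"
    [ -r "$conf" ] || return 1
    val=$(uptrack_conf_get autoinstall "$conf")
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Report what to do. The upgrade itself only runs when ACTUALLY_UPGRADE=1
# is exported, so the check is safe to run from a read-only audit.
# Returns 0 when nothing needs doing, 3 when a manual upgrade is required.
uptrack_check_and_upgrade() {
    conf="${1:-$UPTRACK_CONF}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall is enabled in $conf; no action needed"
        return 0
    fi
    echo "autoinstall is not enabled in $conf; run: /usr/sbin/uptrack-upgrade -y"
    if [ "${ACTUALLY_UPGRADE:-0}" = "1" ]; then
        /usr/sbin/uptrack-upgrade -y
    fi
    return 3
}
```

Source the file and call uptrack_check_and_upgrade as root; a constructed test file containing only "autoinstall = no # off" makes it report that the manual command is needed, while "autoinstall = Yes  ; later wins" after an earlier "autoinstall = no" is treated as enabled because the last setting takes effect.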


DESCRIPTION

* Information leak in socket monitoring interface.

For non-AF_INET6 sockets, the kernel does not initialize fields in the socket
monitoring data, causing the contents of kernel memory to be leaked to userspace.


* NULL pointer dereference in RDS socket binding.

A missing pointer validation can trigger a NULL pointer dereference and kernel
panic when binding an RDS socket.


* Use-after-free in logical link control stream sockets.

Receiving stream data on an LLC socket can trigger a use-after-free condition and
kernel panic if the MSG_PEEK flag is not used.


* Deadlock in bridge multicast 'hash_max' sysfs file.

Incorrect locking when changing the 'hash_max' setting via the sysfs interface
can trigger a deadlock and kernel panic.


* Data loss using ext4 with journaling.

Incorrect handling of errors from the journal layer could result in
deadlock between ext4 and jbd2, eventually resulting in data loss.


* Use-after-free in ext4 when creating new block.

Incorrect locking in ext4 could lead to a use-after-free and kernel crash
when creating a new block on an ext4 filesystem.


* Denial-of-service in ext4 extent validation.

Incorrect handling of overlapping extents could result in a failing kernel
assertion and a system crash. A local, privileged user could use a
carefully crafted filesystem to cause a denial-of-service.


* Denial-of-service in ext2 when writing quota.

A flaw in ext2 quota management could lead to the use of uninitialized memory.
A local, privileged user could use this to cause a denial-of-service.


* Denial-of-service in ext4 filesystem unmounting.

A race condition in ext4 could result in a use-after-free and kernel
crash. A local, privileged user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* Out-of-bounds memory access in radiotap.

A lack of input validation in the radiotap iterator code could lead to an
out-of-bounds memory access. A local, privileged user could use this to cause a
denial-of-service, or potentially escalate privileges.


* Disk corruption on ext4 filesystems due to physical block address corruption.

Incorrect calculation of physical block addresses could result in corruption
of the on-disk filesystem.


* Logic error in SELinux when checking permissions on a receiving socket.

Due to a flaw in SELinux permission checking, a logic error could allow
forbidden data to be received.


* NULL pointer dereference in SELinux code when checking inode permission.

A race condition in the SELinux code could lead to a NULL pointer
dereference and kernel panic. A local, unprivileged user could use this
flaw by opening and closing files in parallel to cause a denial-of-service.


* Denial-of-service in Raid10 subsystem when handling known bad blocks.

Incorrect calculation of the number of sectors handled in RAID10 could
potentially lead to a kernel crash. A local, privileged user could use a
specially crafted block device to cause a denial-of-service.


* NULL pointer dereference in Raid10 subsystem during recovery.

Incorrect locking in the RAID10 subsystem could result in a use-after-free
and NULL pointer dereference. A local, privileged user could use a specially
crafted block device to cause a denial-of-service.


* Data corruption on NILFS2 with a filesystem nearly full.

Incorrect logic in the NILFS2 filesystem code could result in data
corruption under specific conditions.


* Missing check in SELinux for IPsec TCP SYN-ACK packets.

Due to a flaw in the SELinux code, IPsec TCP SYN-ACK packets could pass
through without permission checking. An attacker could use this to send or
receive unauthorized traffic.


* Memory leak in SELinux when loading a policy.

A flaw in the error path of the SELinux policy loading code leads to a memory
leak. A local, privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in Radeon driver on resume from suspend.

A missing check in the Radeon driver code could lead to a NULL pointer
dereference and kernel oops. A local, privileged user could use this flaw to
cause a denial-of-service.


* NULL pointer dereference in MAX17040 fuel gauge driver on probing.

A missing check in the MAX17040 fuel gauge driver could result in a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.


* CVE-2014-1874: Denial-of-service in SELinux on empty security context.

Incorrect input validation in the SELinux subsystem could lead to a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.


* Information leak in mac80211 when transferring fragmented packet.

A flaw in the mac80211 stack could result in leaking 8 bytes of plaintext
over the air. An attacker within range of the WiFi network could use this
flaw to obtain sensitive information.


* Deadlock in memory management subsystem when setting page_dirty bit.

Incorrect locking in the memory management subsystem could lead to a deadlock
when setting the dirty bit. An attacker could use this flaw to cause a
denial-of-service.


* Out of bounds memory access in raw char device driver upon binding.

Incorrect input validation in the raw character device driver could lead to
an out-of-bounds memory access, potentially leading to a kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.


* Denial-of-service in VFS subsystem when allocating a file descriptor.

A flaw in the VFS subsystem could result in the OOM killer being triggered.
An attacker could use this flaw to cause a denial-of-service.


* Use-after-free in STE DMA driver tasklet.

A flaw in the STE DMA driver could result in a use-after-free and potentially
a kernel crash.


* Denial-of-service in cgroup subsystem when adding a cgroup to a task.

Incorrect locking in the cgroup subsystem could lead to list corruption
and a kernel crash under specific conditions. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel panic in ath9k transmit.

A race condition in the ath9k xmit driver code could lead
to multiple frees on the same object, causing an invalid memory
access and a kernel panic.


* Use-after-free in i7 EDAC driver when iterating PCI devices.

Due to incorrect reference counting in the i7 EDAC driver, a use-after-free
could result in a kernel crash and denial-of-service.


* Deadlock in EHCI USB2 controller driver when handling an interrupt.

Incorrect locking in the EHCI driver code could lead to a deadlock,
resulting in a denial-of-service under specific conditions.


* Denial-of-service in perf subsystem when hotplugging CPU.

Incorrect locking in the perf subsystem could lead to use-after-free and
kernel crash when hotplugging a CPU. A local, privileged user could use
this flaw to cause a denial-of-service.


* Quota file corruption in ocfs2.

Improper caching of quota file structures could result in
corruption of the quota file.


* Information leak in mac80211 QoS-null frames.

Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.


* Data corruption in ocfs2 sync.

The ocfs2 file system was syncing the wrong range. This could leave data
not correctly synced and therefore cause corruption.


* Data corruption in vmxnet3 netpoll driver.

A race condition in the vmxnet3 poll driver can lead to data
corruption and kernel panics.


* NULL pointer dereference in Huge TLB subsystem.

A missing check in the Huge TLB subsystem could lead to a NULL pointer dereference
and panic. An attacker could use this flaw to cause a denial-of-service.


* Deadlock in the tg3 ethernet driver when changing the MTU.

Incorrect locking in the tg3 ethernet driver could lead to a deadlock when
changing the MTU. A local, privileged user could use this flaw to cause a
denial-of-service.


* CVE-2014-0101: SCTP Null Pointer Dereference vulnerability.

The SCTP module failed to validate fields before making an authenticate
call, which a remote attacker could use to cause a denial-of-service.


* CVE-2014-2523: Remote crash via DCCP conntrack.

A flaw in the DCCP protocol could allow a remote user to cause a crash
resulting in a denial-of-service.


* Denial-of-service in KVM with nested VMs.

A missing check in the KVM MMU code could lead to a kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2014-0069: Incorrect handling of bad iovecs in CIFS.

A flaw in how CIFS handled iovecs could be used by an unprivileged local
user with access to crash the system or leak kernel memory.


* CVE-2014-0055: Kernel panic when receiving packets in virtio networking.

When receiving packets, missing data validation can cause the virtual networking
subsystem to dereference an invalid pointer, causing a kernel panic.


* CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.

A missing check in the wireless RDS protocol leads to a NULL pointer
dereference when there is no device. A local, unprivileged user could use
this flaw to cause a denial-of-service.


* CVE-2014-2309: Denial-of-service in ICMPv6 route code.

The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.


* Information leak in btrfs code when creating a snapshot.

Due to incorrect privilege checks in the btrfs code, no restriction was
enforced on subvolume snapshots. A local, unprivileged user could use this
flaw to gain access to parts of the filesystem which were otherwise
protected by Unix permissions.


* Data corruption of ext4 immutable files when updating inode flags.

A race condition in the ext4 file system when updating the inode flags of
an immutable file could open a small window of time during which the
immutable flag is not set. Given very precise timing, a local, unprivileged
user could use this flaw to modify an immutable file.


* CVE-2014-0077: Kernel panic when receiving short packets in virtio networking.

Missing data validation when receiving truncated packets in the virtual networking
subsystem can cause the kernel to dereference an invalid pointer, triggering a
kernel panic.


* CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.

The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10
does not properly manage a reference count, which allows local users to
cause a denial of service (memory consumption or system crash) via a
crafted application.


* Race condition in swap subsystem between swapon()/swapoff().

A race condition in the swap subsystem could lead to a use-after-free
and potentially kernel crash. A local, privileged user could use this
flaw to cause a denial-of-service.


* Denial-of-service in HPFS+ filesystem directory lseek() operations.

Incorrect locking could result in a race condition during lseek() calls on
a directory. A local, unprivileged user could use this to cause a
denial-of-service.


* CVE-2014-0131: Information leak in skb_segment function.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.


* NULL pointer dereference in e1000e network driver.

The e1000e driver could unconditionally access optional function
pointers resulting in a NULL pointer dereference and kernel crash.


* NULL pointer dereference in Realtek RTL8192CE/RTL8188CE 802.11n PCIe driver.

A NULL pointer dereference in the Realtek RTL8192CE/RTL8188CE 802.11n
PCIe driver could result in a system crash when bringing up the wireless
network adapter.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
