[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.54-2)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 11 14:44:12 PST 2014


Synopsis: 3.2.54-2 can now be patched using Ksplice
CVEs: CVE-2013-2889 CVE-2013-2893 CVE-2013-2895 CVE-2013-2897 CVE-2013-2929 CVE-2013-4299 CVE-2013-4345 CVE-2013-4348 CVE-2013-4350 CVE-2013-4387 CVE-2013-4470 CVE-2013-4587 CVE-2013-4592 CVE-2013-6367 CVE-2013-6368 CVE-2013-6378 CVE-2013-6380 CVE-2013-6382 CVE-2013-6405 CVE-2013-7268 CVE-2014-1446

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.54-2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel panic in Hierarchical Token Bucket scheduler.

The kernel HTB scheduler does not validate priority levels, causing an out-of-bounds
read that leads to a kernel panic.


* Kernel crash in hidraw driver.

Improper deallocations of resources in the HID hidraw driver
could cause memory corruption and lead to a kernel crash.


* Use-after-free in Xen grant table callbacks.

Xen allows individual callbacks to be registered multiple times for individual
grant tables leading to a use-after-free condition and kernel panic.


* Memory leak in CephFS Object Storage Daemon client.

The Ceph filesystem does not release memory when a read or write operation to an
Object Storage Daemon fails causing a kernel memory leak.


* Denial-of-service in USB configuration parsing.

The generic USB driver does not correctly validate the length of USB configuration
blocks allowing a malicious USB device to cause a kernel panic.


* Kernel panic in HD PVR error handling.

Invalid error handling in the HD PVR probe function could lead to
uninitialized memory being accessed, leading to a kernel panic.


* Use-after-free in kernel cryptography subsystem.

The kernel cryptography subsystem incorrectly frees kernel memory when initializing
a cryptographic algorithm leading to a use-after-free condition and kernel panic.


* CVE-2013-2889: Memory corruption in Zeroplus HID driver.

The Zeroplus game controller device driver does not correctly validate
data from devices allowing a malicious device to cause kernel memory
corruption and potentially gain kernel code execution.


* CVE-2013-2893: Memory corruption in Logitech force feedback devices.

The Logitech force feedback driver does not correctly validate data from devices
allowing a malicious device to cause kernel memory corruption and potentially
gain kernel code execution.


* CVE-2013-2897: Memory corruption in multitouch HID driver.

The multitouch HID driver does not correctly validate data from devices allowing
a malicious device to cause kernel memory corruption and potentially gain kernel
code execution.


* CVE-2013-2895: NULL pointer dereference in Logitech DJ driver.

The Logitech DJ Unifying driver does not correctly validate data from devices
allowing a malicious device to leak the contents of kernel memory or trigger a
NULL pointer dereference causing a kernel panic.


* Kernel crash in max98095 audio codec driver.

Incorrect validation of user supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* Kernel crash in 88pm860x audio codec driver.

Missing validation of user supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.


* NULL pointer dereference in netpoll driver cleanup.

Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device as used in netconsole resulting in a kernel
crash.


* CVE-2013-4350: SCTP over IPv6 disables encryption.

When transporting SCTP data over an IPv6 link, an incorrect assumption in the
kernel IPv6 stack can disable IPv6 encryption leading to the SCTP data being
visible to malicious users on the network.


* CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.

The kernel IPv6 stack does not correctly handle queuing multiple UDP fragments
when using UDP Fragmentation Offloading allowing a local unprivileged user to
cause kernel memory corruption and potentially gain privileged code execution.


* NULL pointer dereference in cgroup.

Invalid sharing between two different cgroups in different mount
hierarchies could lead to a NULL pointer dereference and kernel
crash.


* Memory corruption in Broadcom bnx2x GSO.

The Broadcom driver for NetXtremeII devices does not correctly handle cloned
packet data when GSO is enabled leading to memory corruption and a kernel panic.


* Use-after-free in IP TIME_WAIT sockets.

Incorrect reference counting in the kernel IP stack when handling receiving data
on TIME_WAIT sockets can trigger a use-after-free condition and cause a kernel
panic.


* Information leak in netlink connector.

When sending messages through the netlink connector, some elements of the message
are not initialised causing the contents of kernel memory to be exposed to
userspace.


* Deadlock in L2TP PPP packet transmission.

Invalid locking when transmitting packets over a L2TP PPP connection can trigger
a kernel deadlock when two processes send packets over the same connection.


* Information leak in FarSync network driver ioctl.

The SIOCWANDEV ioctl in the FarSync T-Series network driver does not initialise
memory before returning data to userspace, causing the contents of kernel memory
to be leaked to userspace.


* Kernel panic in netlink kernel/userspace connector.

An incorrect length check when processing netlink messages in the kernel/
userspace connector can cause an out-of-bounds access and kernel panic.


* Information leak in wanXL IF_GET_IFACE ioctl.

The SBE wanXL network driver does not initialise memory when handling the
IF_GET_IFACE ioctl causing the contents of kernel memory to be leaked to
userspace.


* Denial-of-service in IPv4 CIPSO header validation.

The kernel IPv4 stack does not correctly handle malformed CIPSO headers in IPv4
packets leading to an infinite loop and kernel panic.


* CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.

The kernel IP stack does not correctly handle sending fragmented packets via a
device which has UDP Fragmentation Offload enabled leading to memory corruption
and a kernel panic.


* Buffer overrun in the tracing subsystem.

An incorrect bounds check in the kernel tracing subsystem could lead to
writing past the end of a buffer. A privileged local user can use this
flaw to crash the kernel or potentially gain additional privileges.


* Deadlock in JFS inode allocation.

When failing to allocate new inodes on a JFS filesystem, the JFS filesystem
driver incorrectly unlocks inodes leading to a deadlock and kernel panic.


* Denial-of-service in ext4 extended attribute error handling.

Missing memory freeing in the error path of extended attribute handling
could cause a memory leak and denial of service under specific
circumstances.


* Denial-of-service in 802.11 radiotap packet parsing.

The kernel 802.11 radiotap interface does not correctly handle malformed packets
allowing a remote attacker to trigger an out-of-bounds read leading to a kernel
panic.


* CVE-2013-4299: Information leak in device mapper persistent snapshots.

An information leak flaw was found in the way Linux kernel's device
mapper subsystem, under certain conditions, interpreted data written to
snapshot block devices. An attacker could use this flaw to read data
from disk blocks in free space, which are normally inaccessible.


* Memory leak in eCryptfs filesystem initialization.

When initializing an eCryptfs filesystem, the ecryptfs driver does not free memory
when decrypting the session key, causing a kernel memory leak.


* Memory corruption in DRM ioctl.

The DRM driver incorrectly allocated memory when processing an ioctl from userspace,
allowing a malicious local user to trigger kernel memory corruption and gain elevated
privileges.


* NULL pointer dereference in pSCSI device initialization.

A NULL pointer dereference and kernel panic can be triggered when the
pass-through SCSI driver fails to look up a host.


* Missing capability check in AAC RAID compatibility ioctl.

A missing capability check in the AAC RAID compatibility ioctl allows local users
to gain elevated privileges.


* CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.

The ptrace subsystem incorrectly checked the state of the fs.suid_dumpable
sysctl allowing a user to ptrace attach to a process if it had dropped
privileges to that user.


* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.

An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed non-block size aligned requests. This could lead
to random numbers being generated with fewer bits of entropy than expected
when ANSI CPRNG was used.


* CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.

A flaw was found in the way IOMMU memory mappings were handled when
moving memory slots. A malicious user on a KVM host who has the ability to
assign a device to a guest could use this flaw to crash the host.


* CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.

Incorrect validation of user supplied data in the Marvell 8xxx Libertas
WLAN driver could allow a privileged user to trigger an invalid pointer
dereference and crash the system.


* CVE-2013-6380: Denial-of-service in Adaptec RAID driver.

Incorrect memory allocations in the Adaptec RAID driver could result in
dereferencing an invalid pointer allowing a local user with the
CAP_SYS_ADMIN privilege to crash the system.


* CVE-2013-6382: Denial-of-service in XFS filesystem ioctls.

Multiple buffer underflows in the XFS implementation in the Linux kernel
could allow local users with the CAP_SYS_ADMIN capability to cause a
denial of service (memory corruption) or possibly have unspecified other
impact.


* CVE-2013-4348: Denial-of-service in kernel network flow dissector.

The network flow dissector used by the kernel scheduler does not validate IP
headers in IP-over-IP connections allowing a remote malicious user to trigger an
infinite loop and kernel panic.


* Deadlock in selinux/netlabel on connect().

Incorrect locking in the selinux/netlabel glue code could lead to a
deadlock. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Memory leak in ext4 filesystem when expanding inode with extended attributes.

A flaw in the ext4 inode expanding code could result in a buffer header
memory leak. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Information leak in audit subsystem when getting status from audit netlink.

A missing field assignment in the receive loop of audit causes an
information leak. A local user with CAP_AUDIT_CONTROL could use this flaw
to obtain information on the running kernel.


* Memory corruption in block core on control group queue initialization failure.

Incorrect error handling could result in memory corruption and a kernel
crash when queue initialization fails.


* Denial-of-service in loop block subsystem when unloading the loop module.

A logic error in the error path when allocating a block queue in the loop
module could result in a NULL pointer dereference. A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in GPMI NAND controller while DMA operations are ongoing.

A race condition in the GPMI NAND controller driver could result in a NULL
pointer dereference and kernel crash. A local, privileged user could use
this flaw to cause a denial-of-service.


* Out-of-bounds write in iscsi-target when computing checksums.

Incorrect length checking in iscsi-target code could lead to a one byte
out-of-bounds write. An attacker could use this to cause a
denial-of-service or potentially, escalate privileges.


* Incorrect credentials checking in iscsi-target with CHAP authentication.

A flaw in the username checking in iscsi-target CHAP authentication causes
all usernames with the correct username as prefix to be accepted.
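The prefix-match flaw described above is a recurring pattern in credential checks. The following is an added illustration and not the kernel's iscsi-target code: a constructed comparison that checks only strlen(expected) bytes, beside an exact-length comparison that fixes it. The function names and the sample username are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the prefix-match bug class; not the
 * kernel's iscsi-target code. `expected` is the configured CHAP
 * username, `supplied` the name presented by the initiator; both are
 * NUL-terminated strings.
 */

/* Bug pattern: comparing only strlen(expected) bytes accepts any
 * supplied name that merely starts with the expected one. */
int chap_user_matches_prefix_bug(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(expected)) == 0;
}

/* Fixed pattern: the lengths must be equal and every byte must match.
 * The byte loop has no data-dependent early exit, so a wrong name is
 * rejected in the same time regardless of where it first differs. */
int chap_user_matches_fixed(const char *expected, const char *supplied)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);
    unsigned char diff = 0;
    size_t i;

    if (elen != slen)
        return 0;
    for (i = 0; i < elen; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)supplied[i];
    return diff == 0;
}

int main(void)
{
    const char *configured = "initiator1";   /* constructed sample */
    const char *probes[] = { "initiator1", "initiator10", "initiator" };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-12s prefix-bug=%d fixed=%d\n", probes[i],
               chap_user_matches_prefix_bug(configured, probes[i]),
               chap_user_matches_fixed(configured, probes[i]));
    return 0;
}
```

Running it shows "initiator10" accepted by the prefix comparison and rejected by the exact one; "initiator" (too short) is rejected by both, since the prefix comparison still sees the mismatch at the expected name's last byte.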


* Denial-of-service in cpuset subsystem when changing cpuset.

Incorrect locking when changing the cpuset of a running task could result in a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in NFS client file locking.

If a file locking operation is denied by an NFS server, the kernel NFS client does
not correctly free memory, leading to a use-after-free condition and kernel panic
when retrying the file lock operation.


* Kernel crash in bonding device updelay/downdelay setting.

Missing locking in the updelay/downdelay setting functions could result
in the kernel using a user-supplied value before validation. A
privileged, local user could use this to cause a divide-by-zero error,
crashing the kernel.


* CVE-2013-4587: Privilege escalation via KVM vcpu id.

Missing checks of the KVM vcpu_id could allow a malicious user
to gain elevated privileges by sending in a vcpu_id greater than
255.


* CVE-2013-6367: Divide-by-zero in KVM LAPIC.

A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's
Local Advanced Programmable Interrupt Controller (LAPIC) implementation.
A privileged guest user could use this flaw to crash the host.


* CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.

A memory corruption flaw was discovered in the way KVM handled virtual
APIC accesses that crossed a page boundary. A local, unprivileged user
could use this flaw to crash the system or, potentially, escalate their
privileges on the system.


* CVE-2014-1446: Information leak in YAM radio modem ioctl.

The YAM radio modem driver does not initialise kernel memory when processing the
SIOCYAMGCFG ioctl, leading to the contents of kernel memory being leaked to
userspace.


* Use-after-free in Ralink rt2x00 device removal.

Incorrect checks for device presence could result in a use-after-free
and kernel crash when removing an active WiFi USB dongle from the
system.


* Deadlock in QLogic QLE InfiniBand driver.

Invalid locking in the QLogic PCIe QLE InfiniBand host channel
adapter driver can cause a deadlock.


* Information leak in procfs and debugfs filesystems.

The kernel incorrectly uses the effective uid instead of the real uid when
displaying pointers in the procfs and debugfs filesystems. This allows local
unprivileged users to use setuid binaries to leak the layout of kernel memory.


* Memory leak in devpts.

Failure to properly free everything when a devpts filesystem
is unmounted causes a memory leak. This could be seen when
shutting down a Linux container.


* Denial-of-service in NFSv4 client session delegation.

An incorrect assumption in the kernel NFSv4 client can cause the kernel to stop
processing all server responses when handling delegation responses.


* Kernel crash in compressed RAM block device (ZRAM) under memory pressure.

Missing allocation checks could result in a NULL pointer dereference when
writing to the 'reset' sysfs attribute for a zram device, triggerable by
a privileged user.


* Memory corruption in block device TABLE_LOAD ioctl.

The kernel block device driver does not correctly handle a large number of
targets in the DM_TABLE_LOAD_CMD ioctl, leading to memory corruption and a kernel
panic.


* Possible buffer overruns in ISDN loop.

The isdnloop code was using strcpy on unvalidated user input which
might not be NUL terminated, leading to a potential buffer overrun.
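The entry above describes the classic hazard of strcpy() on a fixed-size field that is not guaranteed to end in NUL. The following is an added illustration, not the isdnloop driver's code: a bounded copy that never scans past the field's declared size and refuses input that would not fit the destination. The function names and the sample field are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class in the entry above (copying a
 * caller-supplied field that may not be NUL terminated); this is not the
 * isdnloop driver's code. `field`/`field_len` model a fixed-size buffer
 * copied in from userspace, `dst`/`dst_len` the kernel-side destination. */

/* Length of the string in `field`, never scanning past field_len bytes.
 * strcpy()/strlen() cannot offer this guarantee when the NUL is absent. */
static size_t bounded_len(const char *field, size_t field_len)
{
    const char *nul = memchr(field, '\0', field_len);
    return nul ? (size_t)(nul - field) : field_len;
}

/* Copies the field into dst with a terminator. Returns 0 on success, -1
 * when the bytes plus a terminator would not fit; the caller must treat
 * -1 as an invalid request rather than truncating silently. */
int copy_bounded_field(char *dst, size_t dst_len,
                       const char *field, size_t field_len)
{
    size_t n = bounded_len(field, field_len);

    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return 0;
}

static char scratch[32];

/* Wrapper over a fixed scratch destination so sample inputs can be
 * exercised with literals: returns the copied string, or NULL when
 * copy_bounded_field() rejects the input. */
const char *copy_into_scratch(const char *field, size_t field_len, size_t dst_len)
{
    if (dst_len > sizeof scratch)
        return NULL;
    return copy_bounded_field(scratch, dst_len, field, field_len) == 0 ? scratch : NULL;
}

int main(void)
{
    /* Constructed sample: an 8-byte field filled to capacity, so no NUL. */
    const char unterminated[8] = { 'l', 'o', 'o', 'p', 'n', 'e', 't', 'x' };
    const char *r;

    r = copy_into_scratch(unterminated, sizeof unterminated, 16);
    printf("16-byte dst: %s\n", r ? r : "(rejected)");
    r = copy_into_scratch(unterminated, sizeof unterminated, 8);
    printf(" 8-byte dst: %s\n", r ? r : "(rejected)");
    return 0;
}
```

The design point is that the bound comes from the field's declared size, not from the data; an unterminated 8-byte field copies cleanly into a 16-byte destination and is rejected, rather than overrun, when the destination is only 8 bytes.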


* CVE-2013-6405: Information leak in recv() system calls.

Kernel stack information could be leaked to userspace when receiving from
a socket and the sockaddr had not been updated.


* Information leak of port number in IPv6.

Uninitialized data could leak the port number in a sockaddr
in IPv6.


* Deadlock in seqlock code.

Incorrectly calling a function while in process context and not
softirq context could lead to a seqlock deadlock in the IPv4 and
IPv6 code.


* NULL pointer dereference in ftrace.

Missing checks for empty hashes in ftrace_ops could lead
to a NULL pointer dereference and kernel crash.


* Memory leak in virtio scsi.

The virtio SCSI driver could leak memory when its queue gets full.


* Buffer overflow in IPC msg passing.

Invalid size checking can lead to a buffer overflow and kernel crash
when msg_ctlmax gets set to -1.
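A limit that can be set to -1 is a common source of broken size checks, because a negative signed limit compared against an unsigned request size stops rejecting anything. The following is an added, constructed model of that failure mode beside the fixed form; it is not a reconstruction of the kernel's ipc/msg.c, and the function names, `sample_limit` and the sample sizes are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a signed size limit checked against an unsigned
 * request size; it is one plausible way such a check breaks, not a
 * reconstruction of the kernel's ipc/msg.c. `limit` stands in for a
 * tunable like msg_ctlmax held in an int, `msgsz` for a size supplied
 * by userspace. */

/* Bug pattern: the int limit is converted to size_t before comparing, so
 * -1 becomes SIZE_MAX and every request size is accepted. The implicit
 * conversion in `msgsz > limit` behaves the same way. */
int msg_size_ok_bug(size_t msgsz, int limit)
{
    return msgsz <= (size_t)limit;
}

/* Fixed pattern: a negative limit is an invalid configuration, never
 * "unbounded", so it fails closed; only a non-negative limit is compared. */
int msg_size_ok_fixed(size_t msgsz, int limit)
{
    if (limit < 0)
        return 0;
    return msgsz <= (size_t)limit;
}

/* Validate where the limit is set (the sysctl write handler in a real
 * kernel) so that a bad value never reaches the size check at all. */
int set_msg_limit(int *limit, long requested)
{
    if (requested < 0 || requested > INT_MAX)
        return -1;
    *limit = (int)requested;
    return 0;
}

int sample_limit = 8192;   /* constructed starting value */

int main(void)
{
    size_t big = (size_t)1 << 20;

    printf("limit -1, 1 MiB request: bug=%d fixed=%d\n",
           msg_size_ok_bug(big, -1), msg_size_ok_fixed(big, -1));
    printf("setting limit -1: %s\n",
           set_msg_limit(&sample_limit, -1) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Both halves matter: the consumer fails closed on a negative limit, and the setter refuses to store one, so an administrator typo cannot silently turn a bound into no bound.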


* CVE-2013-7268: Information leak in recvmsg handler.

Missing initialisation in the network recvmsg handlers could leak
kernel memory into userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.