[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (DSA-2972-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jul 9 04:23:40 PDT 2014


Synopsis: DSA-2972-1 can now be patched using Ksplice
CVEs: CVE-2014-1739 CVE-2014-3153 CVE-2014-3917 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4699

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-2972-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
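The two steps above (check whether `autoinstall = yes` is set in /etc/uptrack/uptrack.conf, otherwise run `uptrack-upgrade -y`) can be folded into a small fleet check. The script below is an added example, not part of the Ksplice advisory or of Oracle's tooling; it assumes only the `autoinstall = yes` key/value layout the advisory quotes, takes the config path as a parameter so it can be exercised against constructed sample files, and reports the action an operator should take.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether a host still
# needs a manual "uptrack-upgrade -y" by reading the autoinstall setting.
# Only the "autoinstall = yes" form quoted in the advisory is assumed.

# Return 0 if autoinstall is enabled in the given uptrack.conf, 1 otherwise.
# Skips commented lines, tolerates spaces around '=', ignores value case,
# and takes the last matching line if the key appears more than once.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the action an operator should take for the host owning this config.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates apply automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not copied from any real system).
sample_auto=$(mktemp)
sample_manual=$(mktemp)
trap 'rm -f "$sample_auto" "$sample_manual"' EXIT
cat > "$sample_auto" <<'EOF'
[Settings]
# install updates automatically
autoinstall = yes
EOF
cat > "$sample_manual" <<'EOF'
[Settings]
autoinstall = no
EOF

uptrack_action "$sample_auto"
uptrack_action "$sample_manual"
# On a Ksplice host the real path is /etc/uptrack/uptrack.conf:
uptrack_action /etc/uptrack/uptrack.conf
```

A missing or unreadable config is treated as "not automatic", so the script errs on the side of telling the operator to run the upgrade rather than silently assuming the host is covered.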


DESCRIPTION

* CVE-2014-4699: Privilege escalation in ptrace() RIP modification.

Missing validation of the RIP value could allow an unprivileged user to
cause the CPU to fetch instructions from a non-canonical address.  On
some CPUs this could result in a denial-of-service or potentially allow
escalation of privileges.


* Memory leak in SCTP stack on COOKIE ECHO error path.

An error path in the SCTP stack's COOKIE ECHO handling leaks memory when
allocations fail under memory pressure. A remote attacker could use this
flaw to exhaust the memory on the system and cause a denial-of-service.


* Denial-of-service in Bridge code on receiving malformed MFD queries.

A lack of input validation in the bridge code when handling MFD queries
could lead to multicast ports being shut down. A remote attacker could use
this flaw to cause a denial-of-service.


* Deadlocks in IPv6 stack when updating statistic counters.

Incorrect locking in various places in the IPv6 stack could lead to a
deadlock when updating statistic counters.


* Memory corruption in ISDN loop driver.

A lack of input validation in various places of the ISDN loop driver could
lead to out of bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* Use-after-free in jffs2 garbage collection.

A logic error can cause a use-after-free and kernel panic when reserving space
on a jffs2 file-system.


* Memory corruption when creating large files on jffs2 images.

An integer overflow in the jffs2 file-system driver when calculating the size
of a large file can trigger kernel memory corruption and kernel panic.


* Data corruption in ext4 when handling partial clusters.

Data corruption can be triggered on ext4 bigalloc filesystems by punching holes
in files with partial clusters.


* Memory corruption when sending InfiniBand QLogic HTX diagnostic packets.

An integer overflow when sending diagnostic packets over an InfiniBand QLogic
HTX device can trigger memory corruption and a kernel panic.


* NULL pointer dereference when creating InfiniBand NetEffect queue pairs.

A NULL pointer is dereferenced when creating a queue pair for an InfiniBand
NetEffect RNIC device, causing a kernel panic.


* Deadlock in nested btrfs transactions.

Invalid reference counting when handling nested btrfs transactions can lead to
a deadlock and kernel panic.


* Memory corruption in NFSv4.1 extended attributes.

Missing bounds checking in the NFSv4.1 server when encoding extended file
attributes could lead to memory corruption and kernel panic.


* Kernel crash in OCFS2 distributed lock manager migration.

When recovering from a lock migration, the OCFS2 filesystem could
incorrectly dereference a dangling pointer resulting in a kernel crash.


* Kernel hang in OCFS2 during lock migration recovery.

Due to a logic error and a race condition in the OCFS2 filesystem, it is
possible for two nodes to be confused about who is the new master in a
recovery situation. This can cause the whole cluster to hang.


* Double-free in OCFS2 block writing.

Under specific conditions, the OCFS2 filesystem could perform a
double-free on a buffer head resulting in a kernel crash.


* Kernel panic when recovering iSCSI target connections.

An invalid pointer is dereferenced when recovering a dropped iSCSI connection,
triggering a kernel panic.


* Denial-of-service when exiting processes.

A race condition when a process is exiting can lead to a process not releasing
kernel resources. A local unprivileged user could use this flaw to exhaust
kernel resources and cause a kernel panic.


* Machine check exception in b43 wireless driver.

An improper access to a register in the b43 wireless driver can
lead to a CPU exception and kernel panic.


* Kernel panic in ext4 FIBMAP ioctl.

An integer overflow when mapping blocks from an ext4 filesystem via the FIBMAP
ioctl can trigger a kernel panic.


* Data corruption in ext4 unaligned asynchronous IO.

A race condition between reading the size of an inode and performing an
asynchronous file write can trigger data corruption on an ext4 filesystem.


* Soft lockup in huge page code when releasing huge TLB pool.

A missing call to the scheduler when releasing a huge TLB pool could lead
to a soft lockup. A local, privileged user could use this flaw to cause a
denial-of-service.


* Deadlock in USB serial driver when unloading the module.

Incorrect locking between module removal and sysfs callbacks in the USB
serial driver could lead to a deadlock. A local, privileged user could use
this flaw to cause a denial-of-service.


* Duplicate inode allocation in btrfs.

Due to an off-by-one programming error during file creation, an inode that
was already in use would be allocated for the new file. A malicious local
user could use this to prevent other users from creating new files.


* Use-after-free in netfilter xtables when copying counters to userspace.

A logic error in the netfilter ebtables, arp tables and IPv4/IPv6 tables
code frees the tables when copying counters to userspace fails, even though
the tables have already been published to userspace. Any subsequent packet
processing then leads to a use-after-free and a kernel panic.


* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.


* Kernel crash in VMware Virtual GPU DMA.

Incorrect DMA boundary checks could allow userspace to perform DMA to
invalid addresses resulting in memory corruption, or possibly escalating
privileges.


* NULL pointer dereference in CAAM crypto driver.

A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.


* Kernel oops in mpt2sas suspend.

A duplicate disable when suspending in mpt2sas can lead to a kernel oops.
A malicious user could use this to cause a denial-of-service.


* CVE-2014-1739: Information leak in the media stack when enumerating media devices.

The ioctl() to enumerate media devices can copy 200 bytes of kernel stack
to userspace. A local user with write access to /dev/mediaX could use this
flaw to gather information about the running kernel.


* Kernel panic in NFSv4 client allocation.

The kernel NFSv4 server does not initialize certain data structures when
allocating a new client. This can trigger a kernel panic when
a new client fails to initialize.


* NULL pointer dereference in the filesystem stack when checking ACL.

A missing check for NULL when checking whether a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* Kernel BUG() in NFS daemon when setting an ACL with no entries.

A logic error in the NFS daemon code could trigger a kernel BUG() when
setting an ACL with no entries.


* Out of bounds memory access in V4L2 OmniVision driver.

Incorrect use of an untrusted index coming from userspace leads to an out
of bounds memory access. A local, privileged user could use this flaw to
cause a kernel panic or potentially escalate privileges.


* Memory corruption when accessing a huge TLB of a copy-on-write page.

A missing flush of the huge translation lookaside buffer after a page is
copied on write could lead to memory corruption, because the parent process
may keep accessing the child's copied page rather than the original page.
A local, unprivileged user could use this flaw to cause memory corruption
or potentially elevate privileges.


* Use-after-free in libceph when sending pages over TCP.

RADOS block devices do not properly handle sending pages with a page_count
of 0 over TCP, which results in the page being freed while still in use,
leading to memory corruption and a kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to use-after-free and kernel panic in the NFSv4
daemon implementation.


* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while still in use.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control, or a control that is not owned
by the process. Userspace was also able to bypass the user control count
limit by overflowing the counter.


* CVE-2014-4656: ALSA Control ID overflow.

Missing range checks in ALSA control IDs could lead to an integer overflow.


* CVE-2014-4508: Denial-of-service in syscall audit code when using an invalid syscall number.

A flaw in the error path of the entry point of a syscall leads to a kernel
panic if syscall auditing is enabled and the syscall number is larger than
the number of syscalls. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and would leave dangling pointers that could be exploited
to gain root privileges.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure caused by an out-of-bounds memory
access. When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* Information leak in mcp ram disk.

A failure to clear out mcp ramdisk pages could allow sensitive
information to be leaked via reads from a ramdisk_mcp.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
