[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.63-2)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Oct 20 07:22:09 PDT 2014


Synopsis: 3.2.63-2 can now be patched using Ksplice
CVEs: CVE-2014-3181 CVE-2014-3182 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-3601 CVE-2014-5077 CVE-2014-5207 CVE-2014-5471 CVE-2014-5472 CVE-2014-6410 CVE-2014-6416 CVE-2014-6417 CVE-2014-6418

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.63-2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
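A small helper, added here and not part of the Ksplice announcement, that decides which of the two installation paths above applies to a host: it reads the "autoinstall" setting from an uptrack.conf and reports whether Uptrack will apply the updates itself or whether uptrack-upgrade -y has to be run by hand. The "autoinstall = yes" syntax and the /usr/sbin/uptrack-upgrade -y command come from the announcement; the [main] section header and the two sample configuration files are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not the Ksplice project's own tooling. Parses a
# Ksplice Uptrack configuration file and reports whether the client
# will install updates on its own ("autoinstall = yes").

# autoinstall_enabled FILE: return 0 if FILE enables autoinstall, 1 otherwise.
# Comment lines are ignored; whitespace around "=" and letter case are tolerated.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# plan_for FILE: print the action an administrator should take.
plan_for() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall enabled: Uptrack will apply the updates itself"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not files taken from a real host).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '# Ksplice Uptrack configuration\n[main]\nautoinstall = yes\n' > "$tmpdir/auto.conf"
printf '[main]\n# autoinstall = yes\nautoinstall = no\n' > "$tmpdir/manual.conf"

plan_for "$tmpdir/auto.conf"
plan_for "$tmpdir/manual.conf"
```

On a real Wheezy host you would point plan_for at /etc/uptrack/uptrack.conf instead of the constructed files; the commented-out "autoinstall = yes" line in the second sample shows why the parser skips comments before reading the value.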


DESCRIPTION

* Out-of-bounds memory access in high memory mappings.

Under specific conditions, high memory mappings could be accessed beyond
the end of the mapping, dereferencing an invalid address and crashing
the system.


* Use-after-free in InfiniBand SCSI RDMA Protocol when unplugging a cable.

As a result of unplugging a cable, a SCSI command could be freed while still
in use, resulting in a use-after-free and kernel panic. An attacker with
physical access could use this flaw to cause a denial-of-service.


* Kernel BUG in reiserfs when NFS changes file attributes.

Incorrect locking in the reiserfs code could lead to a race condition when
NFS changes a file attribute concurrently with the file being released,
leading to a kernel BUG and denial-of-service. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Information leak in Intel i915 graphics driver when copying execbuffer.

When copying an execbuffer to userspace, the Intel i915 graphics driver
also exports an internal structure that should be hidden from userspace.


* Denial-of-service in EXT4 block allocation.

Incorrect validation of request sizes could result in hitting a kernel
assertion and crashing the system.  A local, privileged user could use
this flaw to crash the system with a carefully crafted filesystem image.


* Deadlock in Sierra wireless serial device open error handling.

Incorrect error handling during device opening could result in a
deadlock, causing the kernel to hang.


* Integer overflow in Ceph filesystem snapshots.

An integer overflow in the Ceph filesystem snapshot handling could
result in failure to allocate sufficient heap space.  A malicious Ceph
node could use this to crash the system or possibly gain code execution.


* Kernel panic in debugfs.

A race condition in the debugfs removal code could result in
memory corruption and a kernel panic. An unprivileged local user
could exploit this flaw to cause a denial-of-service.


* Double free in flash translation layer while adding a device.

Invalid error handling in the MTD FTL driver while adding an MTD device
could result in a double free and kernel panic.


* Denial-of-service in Bluetooth sockets during task exit.

Invalid treatment of a Bluetooth socket (BTPROTO_L2CAP, BTPROTO_SCO,
or BTPROTO_RFCOMM) close could result in an unkillable process.  A
malicious user could exploit this to cause a denial-of-service.


* Denial-of-service in network sendmsg() calls.

Missing validation of msg_namelen on a sendmsg call could result in a
NULL pointer dereference.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Invalid memory access in ADS1015 hardware monitor driver.

An invalid bounds check on an array index in the ads1015 driver
could lead to an invalid memory access.


* Incorrect write error handling during RAID1 and RAID10 recovery.

Invalid treatment of a write error during recovery in the raid1
and raid10 drivers could result in some sectors not being correctly
recovered.


* Incorrect SELinux label in cryptographic sockets.

The kernel does not correctly apply an SELinux label to cryptographic
control sockets. This can allow local users to bypass SELinux policies.


* Data corruption in trace ring buffer during reads.

A race condition while reading a trace file could cause the
ring buffer iterator to get corrupted, leading to a kernel
panic.


* Data corruption in btrfs checksums.

A race condition in btrfs could result in the same file extent
range having two versions of a checksum, causing data corruption.


* Use-after-free in AMD iommu mass device removal.

Incomplete cleanup during mass device remove in the AMD
iommu could result in a use-after-free.


* CVE-2014-3601: Denial-of-service in KVM page mapping.

The kvm map pages function miscalculates the number of pages in the case
of a mapping failure, which allows guest OS users to (1) cause a denial of
service (host OS memory corruption) or possibly have unspecified other
impact by triggering a large gfn value or (2) cause a denial of service
(host OS memory consumption) by triggering a small gfn value that leads to
permanently pinned pages.


* CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

The parse_rock_ridge_inode_internal() function in the ISO filesystem driver
does not correctly check relocated directories when processing Rock Ridge
child link tags. An attacker with physical access to the system could use a
specially crafted ISO image to cause a denial of service or, potentially,
escalate their privileges.


* CVE-2014-3182: Invalid memory read in HID Logitech driver.

The driver providing full support for Logitech Unifying receivers is
vulnerable to an out-of-bounds read flaw. It could occur if a device
offers a malicious HID report with an arbitrary device_index.

A malicious user with physical access to the system could use this
flaw to crash the system resulting in a denial-of-service.


* CVE-2014-3184: Invalid memory write in HID drivers.

Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs.  This could occur if
a HID device report offers an invalid report descriptor size.

A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.
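The off-by-one pattern described in this item, shown in a constructed C example that is added here and is not the Linux HID code: a driver-specific report-descriptor fixup rewrites bytes at fixed offsets of a device-supplied descriptor, so each offset has to be compared against the descriptor's actual length before the write. The fixup table, the offsets and byte values, and the function names are all hypothetical; the point is the difference between the "at least N bytes" check that still lets index N slip past the end of the buffer, and the strict check that rejects it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not the kernel's HID drivers: a fixup
 * rewrites known bytes of a report descriptor supplied by the device.
 * The descriptor length (rsize) is attacker-controlled data, so every
 * offset written must be validated against it. */

struct fixup {
    size_t  offset;   /* byte index to rewrite (hypothetical values) */
    uint8_t expect;   /* only rewrite if this byte is actually present */
    uint8_t replace;
};

static const struct fixup fixups[] = {
    { 12, 0x25, 0x26 },
    { 30, 0x07, 0x05 },   /* highest index touched by the fixup */
};
#define NFIXUPS (sizeof(fixups) / sizeof(fixups[0]))
#define MAX_FIXUP_OFFSET 30

/* Buggy check: "descriptor has at least 30 bytes" accepts rsize == 30,
 * but index 30 is then one byte past the end of the buffer. */
static int fixup_in_bounds_buggy(size_t rsize)
{
    return rsize >= MAX_FIXUP_OFFSET;
}

/* Hardened check: index i is addressable only when rsize > i. */
static int fixup_in_bounds_fixed(size_t rsize)
{
    return rsize > MAX_FIXUP_OFFSET;
}

/* Apply the fixups using the hardened check. Returns the number of
 * bytes rewritten; a descriptor too short to hold every offset is
 * left untouched and 0 is returned. */
static size_t apply_fixups(uint8_t *rdesc, size_t rsize)
{
    size_t i, patched = 0;

    if (!fixup_in_bounds_fixed(rsize))
        return 0;
    for (i = 0; i < NFIXUPS; i++) {
        if (rdesc[fixups[i].offset] == fixups[i].expect) {
            rdesc[fixups[i].offset] = fixups[i].replace;
            patched++;
        }
    }
    return patched;
}
```

With a 30-byte descriptor the buggy predicate returns true and the write to index 30 would land one byte past the allocation; the hardened predicate rejects the descriptor and apply_fixups leaves it alone. The same "length greater than highest index" rule is the check a reviewer would look for in any fixup that indexes device-supplied data.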


* CVE-2014-3185: Memory corruption in USB serial WhiteHEAT device driver.

The USB ConnectTech WhiteHEAT serial driver is vulnerable to a memory
corruption flaw. It could occur when reading completion commands via USB
Request Blocks buffers.

A local user with physical access to the system could use this flaw to
corrupt kernel memory area or crash the system kernel resulting in a
denial-of-service.


* Possible incorrect permissions in NFSv4 close with delegation.

The check in NFSv4 for read/write, read-only, or write-only share
mode is invalid in the presence of delegations.  This could lead to close
being done with the wrong state flags.


* CVE-2014-3181: Memory corruption in Apple Magic Mouse USB driver.

The Apple Magic Mouse USB driver does not correctly validate event data
allowing a malicious USB device to trigger kernel memory corruption and
potentially gain elevated privileges.


* CVE-2014-3186: Memory corruption in PicoLCD USB driver.

The PicoLCD USB driver does not correctly validate event data allowing a
malicious USB device to trigger kernel memory corruption and potentially
gain elevated privileges.


* CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

A Linux kernel built with support for the Stream Control Transmission
Protocol is vulnerable to a NULL pointer dereference flaw. It could occur
when simultaneous new connections are initiated between the same pair of
hosts. A remote user or program could use this flaw to crash the system kernel,
resulting in a denial-of-service.


* Invalid memory access in network vectored I/O.

Incorrect handling of a zero length I/O vector could result in
dereferencing an invalid pointer.  Under specific conditions this could
result in a kernel crash.


* Deadlock in SCTP packet transmission.

Incorrect locking during SCTP packet transmission could result in
deadlock and a kernel hang.


* CVE-2014-6410: Denial of service in UDF filesystem parsing.

The kernel UDF filesystem driver does not correctly validate indirect
inodes allowing a malicious user to cause a kernel panic by mounting a
UDF volume with deeply nested indirect inodes.


* CVE-2014-6416, CVE-2014-6417, CVE-2014-6418: Buffer overflow in libceph authorization.

An invalid hard-coded buffer size could lead to buffer overflows
and kernel panics during ticket authorization.


* Data corruption on ext4 filesystem when discarding previously allocated blocks.

Incorrect cleanup when discarding previously allocated blocks in the ext4
filesystem could lead to data corruption. An attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service in HW monitoring drivers.

Invalid boundary check in several hwmon drivers (gpio-fan, lm85,
lm78, and sis5595) could lead to invalid values being written out
for temperature limits.  A privileged user could exploit this to cause
a denial-of-service.


* CVE-2014-5207: Permission bypass in locked mount options in a container.

Various mount options weren't locked from within a container and could
allow a user in container with CAP_SYS_ADMIN to bypass intended
permissions, potentially leading to privilege escalation or container
escape.


* Buffer overflows in USB serial probes.

A failure to verify ports and/or endpoints in the USB serial code
could lead to writing off the end of an array, causing heap and/or
stack overflows.  A malicious user could exploit this to cause a
denial of service.


* NULL pointer dereference in NFSD ACL processing.

A missing NULL pointer check in nfsd when setting ACLs could
cause a NULL pointer dereference.  A malicious user could exploit
this to cause a denial-of-service.


* Kernel panic in ext4 block free.

Improper error handling in the case of a block allocation failure
in ext4 could lead to a BUG_ON and kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
