[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (DSA-3237-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 29 01:10:23 PDT 2015


Synopsis: DSA-3237-1 can now be patched using Ksplice
CVEs: CVE-2014-8159 CVE-2014-9715 CVE-2015-2041 CVE-2015-2042 CVE-2015-2150 CVE-2015-2922 CVE-2015-3331 CVE-2015-3339

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3237-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
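As an added illustration (not part of the Ksplice advisory), the following POSIX shell snippet shows how an operator could decide which of the two paths above applies to a host: it reads the "autoinstall" setting from an uptrack.conf file and reports whether the updates will be applied automatically or whether /usr/sbin/uptrack-upgrade -y still has to be run. The sample configuration contents are constructed for the demonstration; the real file is /etc/uptrack/uptrack.conf, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: inspect an uptrack.conf and
# report whether a manual "uptrack-upgrade -y" is still required.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Commented-out lines (starting with # or ;) are ignored and whitespace
# around '=' is tolerated, matching the "autoinstall = yes" form used
# in /etc/uptrack/uptrack.conf.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print the action an operator should take for the given config file.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates are installed automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Write a constructed sample config (one argument per line) to a temp
# file and print its path.
sample_conf() {
    f=$(mktemp) || exit 1
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demonstration on two constructed configs: one with autoinstall on
# (plus a commented-out line that must not match), one with it off.
auto=$(sample_conf '[Settings]' '# autoinstall = no' 'autoinstall = yes')
manual=$(sample_conf '[Settings]' 'autoinstall = no')
uptrack_plan "$auto"
uptrack_plan "$manual"
rm -f "$auto" "$manual"
```

Pointing uptrack_plan at /etc/uptrack/uptrack.conf on a real Wheezy host gives the decision for that machine; the grep deliberately anchors the whole line so that a commented-out or partially matching setting is not mistaken for an enabled one.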


DESCRIPTION

* Memory leak in ipv4 unicast reply.

Improper error handling in the ipv4 code could lead to leaked memory
when an error occurs while sending a unicast reply.  A malicious user
could use this to cause a denial of service.


* Kernel panic in transmission of tunnelled SCTP packets.

The kernel SCTP stack does not correctly allocate memory for SCTP
packets that are sent via a tunnel, which can trigger an assertion and
kernel panic.


* Kernel panic caused by generating a MLD listener on devices with large MTUs.

Under certain circumstances, generating an MLD listener on devices
with a large maximum transmission unit may trigger a kernel panic,
causing a denial-of-service.


* Memory corruption when expanding hard drive partition table.

A missing overflow check may allow a user to read and possibly write
data past the end of a kernel memory buffer, causing memory corruption.


* Use-after-free in USB Video Class driver when removing a device.

Incorrect ordering when removing the sysfs device while disconnecting a webcam
leads to a use-after-free and potentially a kernel panic.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic when
registering a new key.  A local attacker could use this flaw to cause a
denial-of-service.


* Btrfs filesystem corruption on aborted transactions.

Filesystem corruption may occur when a certain order of transactions
occurs and the underlying device supports discarded transactions.


* Use-after-free when reading from /proc/interrupts.

A lack of proper synchronization between the generic IRQ subsystem when
releasing an interrupt descriptor and reading the interrupt descriptor from
/proc/interrupts could lead to a use-after-free and potentially kernel
crash.


* Off-by-one in kernel bunzip2 decompressor.

The kernel bunzip2 decompressor does not correctly validate offsets when
decompressing data, which can lead to an out-of-bounds read and possible
kernel panic.


* Cluster deadlock during journal commit in OCFS2 filesystem.

Under certain circumstances, incorrect lock ordering could cause a
deadlock if one thread handles a buffer write at the same time as the
journal commit thread attempts to flush the buffer. If this happens,
the whole cluster will hang.


* Multiple out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic.  An
attacker could use a specially crafted filesystem to cause a
denial-of-service.


* Use-after-free in cryptographic algorithms when handling backlogged requests.

A logic error in the cryptographic algorithms driver could lead to an early
return to userspace while a request is still pending.  A local attacker
could use this flaw by closing its sockets, causing the pending requests to
use freed memory and leading to a use-after-free and kernel panic.


* Kernel panic when flushing SFF ATA devices.

Incorrect locking when flushing Small Form Factor ATA devices can
trigger a BUG_ON and kernel panic.


* Resource leak in GPIO during sysfs accesses.

Multiple call sites in the GPIO sysfs handling code failed to release
(put) their references on exit.  This could result in failure to remove
devices and memory leaks.


* Userspace memory corruption on page walks.

Incorrect handling of mapped files that had not been written to could
result in reading incorrect data when performing a page walk such as
reading /proc/pid/mem.


* Use-after-free when unregistering Hyper-V device.

When unregistering a Hyper-V device, a message containing the name of the
device would be printed to the kernel log. However, the name had already
been freed. Dereferencing this buffer could in rare cases cause the
kernel to crash.


* Integer overflow in adjtimex syscall.

The adjtimex syscall does not validate the 'freq' argument, which can
allow a malicious local user to set the clock frequency to an invalid
value.


* NULL pointer dereference in NFSv4 exception handling.

A missing check for NULL pointer could lead to a NULL pointer dereference
and kernel crash when handling exceptions in the NFSv4 code.  An attacker
could use this flaw to cause a denial-of-service.


* Kernel crash when setting invalid input parameters in netfilter.

A lack of input validation in the netfilter stack could lead to a kernel
crash.  A local, privileged user could use this flaw to cause a
denial-of-service.


* CVE-2015-2041: Information leak in 802.2 LLC sysctl interface.

The 802.2 Link Layer type 2 subsystem uses an incorrect length when
returning data to userspace from the sysctl interface, allowing
userspace processes to disclose the contents of kernel memory.


* CVE-2015-2042: Information leak in the Reliable Datagram Socket protocol.

A flaw in the handling of userspace tuning for the Reliable Datagram Socket
(RDS) protocol leads to an information leak when reading from the sysctl
files. A local, privileged user could use this flaw to gain knowledge about
the running kernel, potentially facilitating an attack.


* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.

Incorrect restrictions to PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host.  A
privileged, local user could use this flaw to cause a denial-of-service.


* CVE-2014-8159: Privilege escalation in Infiniband userspace access.

Missing sanitization of userspace input to the Infiniband userspace
memory access subsystem could allow a local user with access to the
/dev/infiniband/uverbsX device nodes to crash the system or,
potentially, escalate their privileges on the system.


* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.

Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash.  A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.


* CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

A flaw in the IPv6 stack allowed a remote attacker on the same network to
set the hop limit to a smaller value than the default one, preventing
devices on that network from sending or receiving.


* CVE-2015-3339: Privilege escalation due to race condition between execve and chown.

The execve() syscall can race with inode attribute changes made by chown().
This race condition could result in execve() setting uid/gid to the new
owner, leading to privilege escalation.


* CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.

The netfilter connection tracking subsystem uses a type that is too small
to store the size and offset of an extension, which could lead to memory
corruption.  A remote attacker could potentially use this flaw to cause a
denial-of-service or to gain code execution.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
