[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.65-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jan 13 15:25:06 PST 2015


Synopsis: 3.2.65-1 can now be patched using Ksplice
CVEs: CVE-2014-3647 CVE-2014-4608 CVE-2014-7825 CVE-2014-7826 CVE-2014-7842 CVE-2014-8134 CVE-2014-9420

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.65-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
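The two installation paths above (automatic when "autoinstall = yes" is set, manual `uptrack-upgrade -y` otherwise) can be turned into a small admin check. The following is an added example, not part of the Ksplice advisory or the Uptrack tooling: it reads an uptrack.conf-style file, reports whether autoinstall is effective, and decides whether a manual upgrade run is needed. The config path is passed in, and the sample files are constructed inline so the check runs offline; the assumed line format is simply `autoinstall = yes` with optional whitespace and `#` comments, with the last matching line taking effect (an assumption, not documented on this page).

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): decide whether a Wheezy host
# still needs a manual "/usr/sbin/uptrack-upgrade -y" run, based on the
# autoinstall setting in an uptrack.conf-style file.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# Assumed format: a line "autoinstall = yes" (whitespace optional, case of the
# value ignored); lines beginning with "#" are comments. If several lines set
# the key, the last one wins (assumption). A missing or unreadable file
# counts as "no", which is the safe default: it leads to a manual run.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo "no"; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) echo "yes" ;;
        *)            echo "no"  ;;
    esac
}

# Print "auto" when Uptrack will apply the update itself, "manual" when the
# administrator must run the upgrade command given in the advisory.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "auto"
    else
        echo "manual"
    fi
}

# Constructed sample configs for an offline demonstration.
tmpd=$(mktemp -d)
printf '# constructed sample: automatic installs enabled\nautoinstall = yes\n' > "$tmpd/auto.conf"
printf '# constructed sample: a commented-out line must not count\n# autoinstall = yes\nautoinstall=no\n' > "$tmpd/manual.conf"

echo "auto.conf   -> $(uptrack_action "$tmpd/auto.conf")"    # auto
echo "manual.conf -> $(uptrack_action "$tmpd/manual.conf")"  # manual

# On a real host you would act on /etc/uptrack/uptrack.conf; here we only
# show the command that the "manual" outcome calls for.
if [ "$(uptrack_action "$tmpd/manual.conf")" = "manual" ]; then
    echo "would run: /usr/sbin/uptrack-upgrade -y"
fi
rm -rf "$tmpd"
```

On a fleet, the same function can be run against /etc/uptrack/uptrack.conf on each host so that only machines reporting "manual" are queued for an explicit `uptrack-upgrade -y` run.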


DESCRIPTION

* Kernel crash in Ultra Wideband device registration.

Use of uninitialized data could result in a kernel crash when registering
an ultra wideband device.


* Invalid memory access in libceph with large replies.

A failure to correctly allocate new messages with large replies
from the mon in libceph could result in a buffer overrun.


* NULL pointer dereference in XHCI initialization failure.

Incorrect cleanup during XHCI initialization failure could result in a
NULL pointer dereference and kernel crash.


* Kernel hang in PI futex requeueing.

A missing queue unlock operation could result in returning to userspace
with preemption disabled.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in iSCSI target memory allocation failure.

Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.


* Privilege escalation in iSCSI PDU sending.

Missing bounds checks could allow a user with privileges to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.


* Kernel hang in block device buffer with large disks.

On 32-bit systems, disks larger than 4TB could cause an integer overflow
when accessing block devices.  This could cause an infinite loop and
kernel hang.


* NULL pointer dereference in CPU hotplug cache management.

Incorrect handling of hotplug removal could result in a NULL pointer
dereference and kernel crash.


* Data corruption in NILFS with files during mmap().

Incorrect handling of dirty pages with NILFS mmapped files could result
in failure to write to disk correctly.  This could result in data
corruption when remounting the filesystem or after eviction from the
page cache.


* Invalid permissions during mm migration.

A race condition between mm migration completion and mprotect could
allow an entry to be marked writable when it should have only read permissions.


* Use-after-free in perf subsystem on fork error path.

A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.


* Buffer overflow in dm-crypt crypto handling.

Incorrect buffer allocation in the dm-crypt subsystem could result in
accessing beyond the end of an allocation resulting in memory corruption
and a kernel crash.


* Ext2 filesystem corruption while getting XIP memory.

A bug in the ext2 code could result in an accounting error where ext2
thought 0 blocks had been allocated but 1 had really been allocated.
This could result in a loop whereby all blocks get allocated.  A
malicious user could exploit this by causing a denial-of-service where
all ext2 blocks are exhausted.


* Kernel crash in ext4 with extended attributes.

A missing check for an extended attribute entry's value offset
could cause a kernel crash.  A malicious user could use this to
cause a denial-of-service by mounting a filesystem with a custom
crafted extended attribute.


* Use-after-free in Synopsys DesignWare SPI master during module unload.

Missing cleanup could result in continued DMA transfers and a
use-after-free when the module was unloaded.


* Improved fix to CVE-2014-4608: Memory corruption in kernel lzo decompressor.

The original upstream fix for CVE-2014-4608 did not cover all cases and
was still exploitable.


* Kernel panic in ext4 in cases of filesystem corruption.

It is possible in the case of a corrupted ext4 filesystem for the
boot loader inode to become visible.  Ext4 did not correctly deal
with this case, leading to corruption of an in-memory orphan list
and subsequent kernel panic.  A malicious user could exploit this
by mounting a carefully constructed ext4 filesystem to cause a denial
of service.


* Denial-of-service in ecryptfs extended attribute setting.

A missing NULL pointer check could result in a kernel crash when setting
an extended attribute on an ecryptfs filesystem.  A local, unprivileged
user could use this flaw to trigger a denial-of-service.


* Use after free in netlink socket and PPP ioctl.

Incorrect reference counting in netlink sendmsg and the PPPIOCDETACH
ioctl can trigger a use-after-free condition and cause kernel memory
corruption.


* Kernel panic using sysfs soft-connect on USB gadget controller.

The USB gadget controller code did not verify that the gadget driver
was correctly loaded with the soft connect interface.  This caused
a NULL pointer dereference and kernel panic.


* NFSD4 kernel crash on invalid operation number.

Incorrect handling of an invalid operation number in the nfsd4 code
could lead to a kernel crash.  A malicious user could exploit this to
cause a denial-of-service.


* Stack information leak in POSIX timers creation.

A failure to properly initialize posix timers could lead
to kernel stack information being leaked to userspace.


* NULL pointer dereference in Ext4 new inode creation.

Improper error handling in ext4 during the creation of a new inode
could lead to a NULL pointer dereference and kernel panic.


* Use-after-free in IEEE80211 stack when defragmenting a packet.

A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.


* Divide-by-zero with UART baud rate setting.

In some scenarios the serial driver did not correctly handle setting
the baud rate to 38400.  This caused an invalid baud rate to be
returned and a kernel WARNING.


* Denial-of-service in audit watch sub-system on inode cache eviction.

The audit sub-system did not pin the inode being watched, so the watch
rule was ignored once that inode was evicted from the cache. A local user
could use this flaw to bypass audit watch rules.


* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.

A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.


* Information leak in Firewire stack when doing an ioctl.

An uninitialized variable on the stack could be leaked to userspace when
doing an ioctl() on a Firewire char device. An attacker could use this flaw
to gain knowledge about the running kernel in order to facilitate an
attack.


* Memory leak when unbinding Electronic System Design CAN-USB driver.

Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when unbinding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* Improved fix for CVE-2014-3647: Denial-of-service in guest KVM when changing RIP to non-canonical address.

The original vendor fix for CVE-2014-3647 was incomplete and did not
properly validate potentially non-canonical addresses. This allows a
privileged guest user to cause a denial-of-service in the guest.


* Denial of service in generic filesystem mounting.

The generic filesystem mounting implementation does not correctly
validate filesystem parameters leading to a division by zero and kernel
panic.


* Kernel oops while setting xattr in EVM security.

A failure to check the xattr value length could result in a kernel oops
while doing a setfattr with security.evm.  A malicious user could exploit
this to cause a denial-of-service.


* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

A missing validation of syscall id range allows an attacker to trigger a
kernel panic, or leverage it into gaining root privileges if root was
doing perf tracing at that time.


* CVE-2014-8134: Information leak in 32-bit KVM guests.

A bug in the espfix handling code could result in leaking high bits of
the kernel stack pointer when returning to userspace with a 16-bit
stack.  A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.


* Memory corruption in SUNRPC stack when handling channel reply receive.

Incorrect locking in the SUNRPC stack when handling a channel reply receive
could lead to a race condition when looking up a request buffer, potentially
leading to memory corruption and a kernel panic.  An attacker could use
this flaw to cause a denial-of-service.


* CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
