[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (DSA-3426-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Dec 21 08:39:21 PST 2015
Synopsis: DSA-3426-1 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-4001 CVE-2015-4002 CVE-2015-4003 CVE-2015-7799 CVE-2015-7833 CVE-2015-8104 CVE-2015-8374 CVE-2015-8543
Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3426-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Denial of service when unmounting filesystem in user namespace.
A race condition can cause the audit subsystem to incorrectly audit
filesystems that have been unmounted, leading to a NULL pointer
dereference. This flaw could be used by a local user to trigger a kernel
panic.
* Kernel hang in btrfs driver when deleting a subvolume.
Incorrect locking in the btrfs filesystem driver could result in a mutex
being incorrectly held on return of btrfs_ioctl_snap_destroy(), leading to
kernel hang next time the mutex is to be locked.
* Multiple deadlocks in ALSA emux driver.
Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.
* Infinite loop in USB CDC class driver when parsing CDC headers.
Lack of input validation in the USB CDC class driver could lead to an
infinite loop when parsing CDC headers. A local attacker with physical
access could use a crafted USB device to cause a denial-of-service.
* Denial-of-service in Rados Block Device (RBD) driver on end I/O.
Incorrect logic in the RBD driver on end I/O could trigger a kernel
assertion and lead to a denial-of-service under certain conditions.
* Out-of-bounds memory access in Mellanox 4 ethernet driver.
A logic error in the Mellanox 4 ethernet on handling an error when starting
a port leads to an out of bounds memory access. A local attacker could use
this flaw to cause a denial-of-service.
* Use-after-free in the block multiqueue core driver.
Logic error in the block multiqueue core driver could lead to
use-after-free on concurrent CPU hotplug events. A local, privileged user
could use this flaw to cause a denial-of-service.
* Multiple divide-by-zero in the page write-back code.
Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.
* Memory leak and denial-of-service in the memory-failure subsystem.
A logic error in the memory-failure subsystem when handling transparent
huge page could result in a memory leak and to a machine check error
killing the application using the transparent huge page.
* Out-of-bounds memory access in the nilfs driver.
An off-by-one error when checking the btree level in the nilfs driver could
lead to out-of-bounds memory access. An attacker could use a specially
crafted nilfs image to cause a denial-of-service.
* Kernel hang in the ocfs2 driver when locking resources.
A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge. A local attacker
could use this flaw to cause a denial-of-service.
* Permission bypass in filesystem namespace.
A logic error in the filesystem namespace subsystem allows a restricted
user to bypass mount restrictions and mount /proc or /sys if there is a
bind mount of part of /proc or /sys in its namespace.
* Memory corruption in Ceph crush mapper.
A flaw in the Ceph crush mapper could lead temporary buffers to overlap
when there are more OSDs than replicas. A local, privileged user could use
this flaw to cause memory corruption.
* Denial-of-service in netfilter when parsing netlink tuples.
Uninitialized struct fields on the stack when parsing netlink tuples in the
netfilter code could result in netfilter misbehaviour, where unintended
traffic could be sent to userspace.
* Denial-of-service when adding a new netfilter rule.
Incorrect input validation in the netfilter code could lead to out-of-bounds
memory accesses when adding a new rule. A local, privileged user could use
this flaw to cause a denial-of-service or potentially escalate privileges.
* XFS filesystem corruption during truncation.
Failure to write zeroed blocks to disk during truncation on an XFS
filesystem could result in failure to zero those blocks during a crash.
This could leave sensitive information on the disk.
* Use-after-free in USB gadget configfs filesystem.
Missing invalidation of a pointer during function removal could result
in a use-after-free and kernel crash.
* Denial-of-service in JBD2 journal recovery.
An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash. A local user could use a maliciously
crafted filesystem to crash the system.
* Kernel panic on changing the number of rings in Intel PCI-Express Ethernet driver.
Internal structures were not re-initialized properly when changing the
number of rings on the Intel PCI-Express Gigabit Ethernet driver, leading
to a Kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* Denial-of-service in SNDCTL_SEQ_OUTOFBAND OSS ioctl().
Incorrect locking could allow a local user with access to /dev/sequencer
to deadlock the system resulting in a denial-of-service.
* Memory corruption when replacing ECMP route on IPv6.
Replacing ECMP route on IPv6 replaces only the first matching route without
replacing the siblings, leading to a memory corruption. A local,
privileged user could use this flaw to cause a denial-of-service.
* NULL pointer dereference when handling IPv4 errors.
A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed. An attacker
could use this flaw to cause a denial-of-service.
* Denial-of-service in SonicBlue Optimized MPEG File System mounting.
Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.
* Kernel crash when attaching a new queue discipline in the network scheduler.
A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device. A local, privileged
user could use this flaw to cause a denial-of-service.
* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.
The oz_usb_handle_ep_data() in the ozwpan driver could allow remote
attackers to cause a divide-by-zero via a crafted packet.
* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.
Lack of input validation and incorrect uses of signed types in the ozwpan
could lead to a heap overflow. A remote attacker could use these flaws via
a crafted packet to cause a denial-of-service or potentially gain code
execution.
* Denial-of-service in userspace string handling.
An incorrect length check could result in accessing beyond a
validated buffer. A local, unprivileged user could use this flaw to
crash the kernel in specific conditions.
* Use-after-free in packet generation state.
Incorrect locking the network transformation (XFRM) subsystem can
trigger a use-after-free condition and kernel panic when generating
packets.
* NULL pointer dereference in CAIF and Unix sockets on receival.
Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* NULL pointer dereference in Btrfs when sending a snapshot.
A logic error in the Btrfs code when sending a snapshot could lead to a
NULL pointer dereference on concurrent snapshot deletion. A local,
privileged user could use this flaw to cause a denial-of-service.
* Kernel panic on Intel VT/d iommu in passthrough mode.
A flaw in the Intel VT/d iommu driver when configured in passthrough mode
could lead to an invalid pointer dereference on translation-disabled
devices. A local, privileged user could use this flaw to cause a
denial-of-service.
* Information leak in CFG80211 WiFi extension.
A lack of zeroing a stack allocated structure used for statistics in the
CFG80211 WiFi extension could result in information leaks from one device
to another. A local, unprivileged user could use this flaw to gain
knowledge about network traffic on other devices.
* Kernel hang in generic block driver.
The generic block driver was calling a function not intended to run in both
interrupt and process context. In certain cases, this could lead to the
kernel hanging.
* Infinite loop when bridging IGMP traffic.
Incorrect reference counting in the network bridge subsystem can trigger
an infinite loop when processing IGMP traffic causing further bridged
network traffic to be dropped.
* Use-after-free in network bridging when changing ports.
Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.
* Denial of service in networking packet fanout.
Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.
* Kernel panic in networking round-robin packet fanout.
Incorrect synchronization can trigger an out-of-bound read and kernel
panic when a userspace process uses the PACKET_FANOUT_LB socket option.
* Use-after-free when updating networking neighbors.
Incorrect locking in the generic networking subsystem can trigger a
use-after-free condition when updating stale network neighbor
information. This flaw can trigger kernel memory corruption.
* Kernel crash in TCP fastopen connection.
Incorrect memory allocation flags could cause an assertion to fail when
connecting a fastopen socket and resulting in a kernel crash.
* Denial of service when processing OOTB SCTP packets.
A race condition between processing 'out-of-the-blue' OOTB packets and
removing a SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.
* Multiple privilege escalations in DVB frontends.
Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out of bounds access could result in a kernel crash or potentially
escalate privileges.
* Use-after-free in SPI transfers.
Missing locking could result in a use-after-free condition when
finalizing a transfer.
* Use-after-free in MTD block device.
Missing locking could result in a use-after-free when accessing an MTD
block device. A local user with access to the MTD device could use this
flaw to crash the system.
* Remote privilege escalation in Realtek RTL8712U USB driver.
Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet. A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.
* NULL pointer dereference in VIA VT6655 packet reception.
A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.
* Kernel stack information leak in IEEE 802.15.4 LR-WPAN datagrams.
Missing stack structure initialization could result in leaking between 4
and 10 bytes of kernel stack contents to userspace when receiving a
datagram from an LR-WPAN socket. A local, unprivileged user could use
this flaw to leak contents of the kernel stack.
* Stack buffer overflow in regulator device registration.
Insufficient buffer sizing could result in a stack buffer overflow when
registering a regulator device.
* Kernel crash in ext4 during truncate and write race.
Incorrect locking could result in a kernel crash when threads raced
between writing a journaled page and truncation.
* NULL pointer dereference in Amateur Radio ROSE protocol.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when killing a ROSE device.
* Privilege escalation when writing to setuid files.
A logic error in the file I/O subsystem can cause the setuid bit to be
set on world-writable files when root modifies a file. This could allow
unprivileged users to elevate privileges by modifying a setuid file.
* Filesystem corruption on Plan 9 9p filesystem during abort.
Aborted transactions were incorrectly handled resulting in corruption of
future requests. This could corrupt the filesystem or provide incorrect
data to applications.
* Heap overflow in Atheros ath9k driver.
The ath9k driver incorrectly used the bitmask operators that would
result in accessing beyond the bounds of the bitmask. This could result
in heap memory corruption, crashing the kernel or potentially escalating
privileges.
* Kernel crash in LZ4 decompression.
Incorrect handling of invalid LZ4 data could result in accessing invalid
memory and a page fault.
* BTRFS data loss during append writes and hard links.
Under specific conditions, appending to a file after creating a hard
link could result in loss of the appended data.
* NULL pointer dereference in OS/2 HPFS filesystem remount.
Remounting an HPFS filesystem under low-memory conditions could result
in a NULL pointer dereference and kernel crash.
* NULL pointer dereference in block layer during block I/O.
Under certain circumstances, trying to submit I/O requests on a block
device using integrity checks could result in a NULL pointer dereference.
* Denial-of-service in BTRFS extent_same ioctl().
A missing memory free() could result in a memory leak and memory
exhaustion when performing the extent_same ioctl() on a BTRFS
filesystem. A local user with access to the filesystem device could use
this flaw to trigger a denial-of-service.
* Use-after-free in BTRFS transaction commit.
Incorrect transaction commit handling could result in a use-after-free
condition and kernel crash.
* BTRFS filesystem corruption on inline extent cloning.
Incorrect copying of inline extents could result in corruption of the
BTRFS filesystem or a kernel crash. A local, unprivileged user could
use this flaw to crash the system.
* Denial-of-service in network device queue allocation.
A kernel assertion could be triggered from user-space when adding a
network device. A local, privileged user could use this flaw to crash
the system.
* Denial-of-service in Distributed Switch Architecture device probing.
Missing range checks when probing a DSA device from a Device Tree could
result in an out-of-bounds access. Malicious firmware or a privileged
user could use this flaw to crash the system.
* NULL pointer dereference in USB XHCI endpoint creation.
Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.
* RAID0/RAID10 device corruption during discard.
Under specific conditions an I/O operation could corrupt when performing
a discard operation on a RAID0 or RAID10 device.
* Denial of service when freeing Xen netback driver grants.
A logic error in the Xen netback driver can trigger an assertion failure
and kernel panic when freeing grants used in zerocopy transfers.
* Kernel panic when queueing commands to IBM Power RAID driver.
A race condition caused by incorrect locking in the IBM Power RAID
driver can trigger a kernel panic when removing devices from a RAID
controller.
* Memory corruption in IBM Power RAID driver.
Incorrect logic in the IBM Power RAID tracing support can trigger an
out-of-bounds write causing kernel memory corruption and a kernel panic.
* Kernel panic in IP virtual server syncing.
A logic error in the kernel IP virtual server support can trigger a
kernel panic when synchronizing a connection using version 0 of the sync
protocol.
* Memory leak when attaching hook to AF_PACKET sockets.
Incorrect reference counting in the AF_PACKET socket implementation can
cause a memory leak when attaching a packet hook to a AF_PACKET socket.
This flaw can be triggered by local user with CAP_NET_RAW capabilities.
* Kernel panic when encoding NFSv4 security label.
The kernel NFSv4 server does not correctly support encoding security
labels in file attributes which can trigger an assertion failure and
kernel panic. A remote attacker could use this flaw to cause a denial of
service.
* Deadlock in USB XHCI memory cleanup.
Incorrect locking the USB XHCI controller can trigger a deadlock when
removing a USB device.
* Deadlock when reclaiming pages from page cache.
The pagecache does not correctly handle reclaiming pages from the
filesystem cache which can lead to a deadlock under low memory
conditions.
* Use-after-free in filesystem notification marking.
Incorrect locking in the filesystem notification (fsnotify) subsystem
can trigger a use-after-free condition and kernel panic when marking
groups.
* Kernel BUG in Xen front-end block device driver.
A logic error in the Xen front-end block device driver could in certain
circumstances cause a kernel BUG while freeing the block device.
* Infinite loop during connection teardown iSCSI library code.
Incorrect locking in the iSCSI library code could cause the kernel to
enter an infinite loop.
* Double free in FibreChannel library code.
In certain circumstances, receiving a local port request could cause a
double free and subsequent kernel crash.
* Kernel BUG in FibreChannel library code during SCSI device reset.
Incorrect locking in FibreChannel library code could cause a reschedule
while a spinlock was held, thus potentially causing either a kernel
assertion failure or a deadlock. A malicious local user with access to
the SCSI device could use this to cause denial of service.
* Kernel hang in VMware Virtual GPU DRM driver.
In certain low-memory situations, incorrect locking in the VMware
Virtual GPU driver could cause a kernel hang. A malicious user with
access to the device could use this to cause denial of service.
* Use-after-free in IPC semaphores during task exit.
Due to incorrect locking, two tasks with shared IPC semaphore references
could exit and simultaneously try to free the semaphores. This could lead
to a use-after-free and memory corruption, allowing a malicious local user
to cause denial of service.
* Information leak in signalfd syscall.
The kernel does not fully initialize data when sending a signal to
process which leaks the contents of kernel memory to the receiving
process.
* Information leak in sigqueue syscall.
The kernel does not fully initialize data when sending a signal to
process which leaks the contents of kernel memory to the receiving
process.
* Denial-of-service in BTRFS inode cache during deletion.
Missing locking during inode unpinning could result in memory
corruption. A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.
* NULL pointer dereference in firmware loading events.
Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when loading firmware and sending an event to
userspace.
* Kernel crash in IPC semaphores when waiting on semaphore array.
A missing memory barrier could allow certain memory accesses to happen
outside the intended critical section. A malicious local user could
potentially use this to cause invalid memory accesses and denial of
service.
* Kernel warnings during perf event migration.
In certain circumstances, perf could attempt to stop or restart an event
on the wrong CPU. A malicious local user with perf access privileges
could cause warnings to appear in the kernel log.
* Disable modification of LDT by userspace processes.
The seldom-used modify_ldt syscall allowing processes to modify their local
descriptor table has several vulnerabilities allowing local unprivileged
users to elevate privileges.
This update disables by default the modify_ldt syscall and introduces a new
sysctl 'ksplice_modify_ldt' to allow administrators to re-enable it.
Re-enabling the syscall will make the machine vulnerable.
To re-enable modify_ldt, run the following command as root:
sysctl ksplice_modify_ldt=1
To disable, run:
sysctl ksplice_modify_ldt=0
This mitigates CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157.
* Denial-of-service in IP datagram socket connection.
Missing locking when creating an IP datagram socket could result in list
corruption. A local, unprivileged user could use this flaw to trigger a
denial-of-service.
* Denial-of-service in Netlink mmapped socket release.
Incorrect locking could result in deadlock when releasing a netlink
socket that was mmapped. A local, unprivileged user could use this flaw
to crash the system.
* NULL pointer dereference in Batman address translation.
Multiple missing NULL pointer checks could result in a kernel crash when
manipulating the address translation table.
* Kernel crash in Batman translation table removal.
Missing locking could result in memory corruption when removing entries
from the translation table. Under specific conditions, this could
result in a kernel crash.
* Kernel crash in 80211 mesh network transmission.
Incorrect handling of peering state could result in a kernel crash when
transmitting frames on a network with fixed mesh paths and all stations
had not yet completed peering.
* Invalid memory free in device resource management.
A logic error in the device resource management code could cause the
wrong pointer to be freed, possibly crashing the kernel. A malicious
local user with device configuration privileges could use this to cause
denial of service.
* Denial-of-service in unshare() with CLONE_VM.
A logic error in unshare() could allow a local user with access to
/proc/PID/maps to prevent unshare() calls from succeeding, resulting in
a denial-of-service.
* Denial-of-service in multiqueue block pending request list sysfs attribute.
Missing bounds checking could result in overfilling a sysfs buffer when
displaying the pending requests for a multiqueue block device. A local
user with access to the sysfs attributes could use this flaw to trigger
a denial-of-service under specific conditions.
* Denial of service when mounting currupt XFS filesystem.
Missing validation of disk blocks in the XFS filesystem could cause
filesystem junk entries and break userspace expectations of filesystem
semantics. A malicious local user with mounting privileges could
potentially use this to cause denial of service.
* Filesystem corruption in BTRFS transaction completion.
Incorrect handling of aborted transactions could result in filesystem
corruption under specific conditions.
* Invalid memory accesses in accelerated GHASH crypto algorithm.
Due to an incorrectly specified context size, the kernel would allocate
too little memory for the GHASH context and possibly access invalid
memory. A local user could potentially use this to cause denial of
service or escalate privileges.
* Kernel crash in HFS B-tree insertion.
Inserting a new record in an HFS B-tree at position 0 could corrupt the
tree resulting in either filesystem corruption or a kernel crash.
* Remote information leak in the RPC over RDMA sub-system.
The Linux NFS server could return garbage data in the payload of inline
RDMA read replies if the client didn't provide a reply chunk or a write
list. A remote attacker could use this flaw to gain information about the
running kernel.
* Invalid memory access in B.A.T.M.A.N. Advanced Meshing protocol when transmitting.
A flaw in the B.A.T.M.A.N. Advanced Meshing driver when transmitting a
socket buffer without a header properly set could lead out of bounds memory
accesses in the socket buffer. A local, un-privileged user could use this
flaw to cause a denial-of-service.
* NULL pointer dereference in MMC request completions.
A race condition in MMC request completion could result in a NULL
pointer dereference and kernel crash under specific conditions.
* Use-after-free in MD block driver array stopping.
Failure to flush a workqueue during array stop could result in a
use-after-free and kernel crash.
* Data loss when reshaping RAID10 volume.
A logic error when calculating metadata can trigger data loss when
resizing a RAID10 volume.
* Kernel hang in IPv6 multicast router addition.
Incorrect handling of IPv6 multicast router iteration could result in
failure to acquire a lock and a kernel deadlock.
* Kernel crash in memory mapped netlink sockets with TAP devices.
Incorrect handling of packets for a memory mapped netlink socket could
result in a kernel crash. A local, privileged user could use this flaw
to crash the system.
* Privilege escalation in CIFS copy offload ioctl.
Under specific conditions, an attacker with access to a CIFS filesystem
mounted with version >= 2.0 could use this flaw to gain code execution
inside the kernel and escalate privileges.
* Use-after-free in ZRAM compressor creation.
Incorrect error handling when creating a ZRAM compressor could result in
a use-after-free and kernel crash.
* Kernel hang when disconnecting from the backend in Xen netfront driver.
Failure to check that an interface is running before calling
napi_synchronise() in the Xen netfront driver could lead to a kernel hang.
* Out of bounds memory access in the UBI driver.
A lack of input validation when parsing a UBI image could cause out of
bounds memory accesses and lead to a kernel crash. A local user able to
mount a special handcrafted image could use this flaw to cause a
denial-of-service.
* Kernel BUG when unmapping a hugetlbfs page.
A logic error in the hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion. A local,
un-privileged user could use this flaw to cause a denial-of-service.
* Mark unused space between __ex_table_end and rodata as non-executable.
Unused space between the end of the __ex_table and the start of rodata had
incorrect RWX protection, which could potentially be used to inject code in
a running kernel and facilitate exploits.
* Sensitive information leak in process coredumps.
Filesystem handling code in coredump writing had a number of flaws that
could allow a local attacker to read the contents of a coredump for a
process that they did not own. This could leak potentially sensitive
information to a user that should not have access.
* Remote denial-of-service when receiving socket buffers with partial checksums.
A flaw in the socket buffer code dealing with partial checksums causes out
of bounds memory accesses on the socket buffer and kernel panic. A remote
attacker could use this flaw to cause a denial-of-service.
* Kernel BUG when passing a socket buffer allocated from pfmemalloc on a user socket.
A flaw in the socket buffer management when dealing with socket buffers
allocated from pfmemalloc could lead to a kernel BUG() assertion to trigger
under certain circumstances. A local, un-privileged user could use this
flaw to cause a denial-of-service.
* NULL pointer dereference in the Point to point over ethernet protocol.
A flaw in the Point to point over ethernet driver could lead to a NULL
pointer dereference and kernel panic when flushing the device. A local,
un-privileged user could use this flaw to cause a denial-of-service.
* Information leak when getting strings from the ethtool device.
A lack of cleaning an allocated buffer that is copied to user space on
ETHTOOL_GSTRINGS requests could leak information about the running kernel.
This could help an attacker to elevate privileges.
* Denial-of-service when allocating from offline NUMA node in Openvswitch driver.
A flaw in the Openvswitch driver when allocating from the cache for an
offline NUMA node leads to a VM_BUG_ON() assertion to trigger and kernel
panic. An attacker could use this flaw to cause a denial-of-service.
* Kernel hang in Multiple devices driver when destroying a device.
Incorrect lock ordering when destroying a RAID device could lead to a
deadlock and kernel hang.
* Use-after-free when finishing a context switch.
Lack of proper memory barriers in the finish_task_switch() code could lead
to use-after-free and kernel panic under certain circumstances. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in the Multiple devices driver when switching from cleaner policy.
A flaw in the Multiple devices driver could lead to a NULL pointer
dereference in certain circumstances. A local attack could use this flaw
to cause a denial-of-service.
* Kernel crash when using ahash driver without import/export callback.
Ahash drivers are required to provide import/export callbacks to be
registered with the ahash crypto sub-system, otherwise they could lead to a
kernel crash under certain circumstances. A local, un-privileged user
could use this flaw to cause a denial-of-service.
* Use-after-free in Btrfs filesystem when iterating extended refs.
A flaw in the Btrfs filesystem code when iterating over extended refs leads
to a use-after-free and kernel panic. A local, un-privileged user could
use this flaw to cause a denial-of-service.
* Use-after-free in Rados block device driver on failure to probe.
A flaw in the Rados block device driver leads to double-free if there's an
error when probing the parent device. A local, privileged user could use
this flaw to cause a denial-of-service.
* Use-after-free in Infiniband Connected Mode Service ID Resolution.
Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.
* Denial-of-service in software RAID5 stripe cleaning.
Incorrect locking during stripe cleaning could result in an infinite
loop and system crash. A local, unprivileged user with write access to
a filesystem on a RAID5 device could use this flaw to crash the system.
* Denial-of-service in ISDN PPP device opening.
Missing allocation failure checks could result in a NULL pointer
dereference when opening an ISDN PPP device. A local user with access
to the device could use this flaw to crash the system.
* CVE-2015-7799: Denial-of-service in PPP compression slot parameters.
Missing validation of VJ compression slot parameters for a PPP device
could result in a NULL pointer dereference and kernel crash. A local
user with access to the PPP device could use this flaw to crash the
system.
* Information leak when reading from mmapped netlink sockets.
The netlink subsystem does not correcty handle reading fragmented
netlink packets which can lead to the contents of kernel memory being
leaked to userspace.
* Memory corruption in the XHCI driver on init command timeout.
A flaw in the XHCI driver causes a uninitialized timer to be deleted on
init command timeout, leading to memory corruption. A local, privileged
user could use this flaw to cause a denial-of-service.
* Divide by zero in Intel power state driver when scaling the frequency.
A logic error in the Intel power state driver could lead to a divide by
zero when timers are being delayed for too long. A local, un-privileged
user could use this flaw to cause a denial-of-service.
* Memory leak in btrfs file system on issuing a balance ioctl.
A lack of releasing allocated resources when the argument check fails in
the btrfs file system balance ioctl leads to a memory leak. A local,
privileged user could use this flaw to exhaust the kernel memory and cause
a denial-of-service.
* Kernel stack overflow in Replicated Block Device driver when mapping an image.
Unlimited recursion in the Replicated Block Device driver when mapping and
image with a long chain could lead to a stack overflow. A local user with
ability to mount handcrafted RBD images could use this flaw to cause a
denial-of-service or potentially escalate privileges.
* CVE-2015-8104: KVM host denial-of-service in debug exception.
A guest could cause a denial-of-service on a KVM host by triggering a
debug exception to fire during an existing debug exception. This could
cause the host to get trapped in an infinite loop causing a
denial-of-service. A privileged user in a guest could use this flaw to
crash the host.
* Information leak in Digi Neo and Classic PCI driver.
Missing initialization of on-stack structures could result in an
information leak of 16 bytes to user-space.
* Memory corruption in Mellanox MLX4 slave events.
Incorrect size arguments to memcpy() calls could result in memory
corruption of MLX4 devices, causing a kernel crash.
* NULL pointer dereference in PPP over Ethernet device releasing.
An incorrect check for disconnected PPP over Ethernet devices could
result in a NULL pointer dereference and kernel crash when closing the
device.
* Remotely triggered session loss in CIFS during file size setting.
Incorrect fallback for servers that did not support a file size setting
operation could result in a session drop under specific conditions.
* NULL pointer dereference in XHCI device removal.
Premature clearing of an XHCI structure could result in a NULL pointer
dereference when adding and removing USB devices.
* Memory leaks in USBVision device driver.
Under multiple different circumstances, the USBVision device driver could
leak memory. A malicious local user could potentially use this to cause
denial of service.
* CVE-2013-7446: Use after free in Unix sockets.
Invalid reference counting in the kernel Unix socket subsystem can
trigger a use after free condition. A local unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.
* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.
An information leak vulnerability was found when truncating a file to a
smaller size which consists of an inline extent that is compressed. The
data between the new file size and the old file size was not discarded,
allowing another user to read it through the clone ioctl.
* CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.
* Improved fix to CVE-2015-7833: Denial-of-service when probing USBvision device.
Incorrect input validation when probing a USBvision device could lead to
out of bounds memory accesses and kernel panic. A local attacker with
physical access could use a fake USB device with handcrafted USB descriptor
to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Debian-8.0-Updates
mailing list