[Ksplice][EL7-Updates] New updates available via Ksplice (RHSA-2014:1971-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Dec 11 11:38:45 PST 2014
Synopsis: RHSA-2014:1971-1 can now be patched using Ksplice
CVEs: CVE-2013-2929 CVE-2014-1739 CVE-2014-3181 CVE-2014-3182 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-3631 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-4027 CVE-2014-4652 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-5045 CVE-2014-6410 CVE-2014-7825 CVE-2014-7826
Systems running Red Hat Enterprise Linux 7 can now use Ksplice to
patch against the latest Red Hat Security Advisory, RHSA-2014:1971-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on RHEL 7 install these
updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
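As an added example (not part of the Ksplice advisory itself), the following POSIX shell snippet automates the decision the two paragraphs above leave to the administrator: it reads the autoinstall setting from /etc/uptrack/uptrack.conf and only runs /usr/sbin/uptrack-upgrade -y on hosts where autoinstall is not enabled. The parsing rules (comment lines ignored, last uncommented occurrence of the key wins) and the sample configuration contents are assumptions of this example, not documented Ksplice behaviour; the path of the config file and the upgrade command come from the advisory.

```shell
#!/bin/sh
# Added example: gate a manual Ksplice upgrade on the autoinstall setting.
# Assumptions (not from the advisory): comment lines start with '#', and the
# last uncommented "autoinstall = ..." line is the effective value.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Defaults to /etc/uptrack/uptrack.conf; an unreadable file counts as "no".
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Extract the value of "autoinstall = <value>", skipping leading
    # whitespace; lines beginning with '#' never match the anchor.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case "$value" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the action this host needs: "autoinstall" (Uptrack will apply the
# updates on its own) or "manual" (run uptrack-upgrade -y).
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo autoinstall
    else
        echo manual
    fi
}

# Apply the advisory's updates only where autoinstall will not do it.
apply_ksplice_updates() {
    if [ "$(ksplice_update_action "$1")" = manual ]; then
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Demonstration on a constructed config file (does not touch the real
# /etc/uptrack/uptrack.conf and does not run uptrack-upgrade).
demo_conf=$(mktemp)
printf '# autoinstall = yes   <- commented out, must be ignored\nautoinstall = no\n' > "$demo_conf"
echo "constructed config needs: $(ksplice_update_action "$demo_conf")"
rm -f "$demo_conf"
```

On a real host, call apply_ksplice_updates with no argument so it reads /etc/uptrack/uptrack.conf; the demonstration at the bottom only exercises the parser.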
DESCRIPTION
* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.
A missing range check on the syscall ID allows a local attacker to trigger a
kernel panic, or to leverage the flaw into gaining root privileges if root was
doing perf tracing at that time.
* CVE-2014-4656: ALSA Control ID overflow.
Missing range checks in ALSA control IDs could lead to an integer overflow.
* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.
Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control, or a control that is not owned
by the process. Userspace could also bypass the user control count limit by
overflowing it.
* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.
Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.
* CVE-2014-3688: Remote denial-of-service in SCTP stack by memory exhaustion.
A flaw in the SCTP stack could allow a remote attacker to force an SCTP
server to allocate large amounts of memory and trigger the kernel
out-of-memory killer, leading to a denial-of-service.
* CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
The ptrace subsystem incorrectly checked the state of the fs.suid_dumpable
sysctl, allowing a user to ptrace-attach to a process that had dropped
privileges to that user.
* CVE-2014-3687: Remote denial-of-service in SCTP stack.
A flaw in the SCTP stack when receiving duplicate ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2014-3673: Remote denial-of-service in SCTP stack.
A flaw in the SCTP stack when receiving malformed ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2014-3184: Invalid memory write in HID drivers.
Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs. This could occur if
a HID device report offers an invalid report descriptor size.
A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.
* CVE-2014-3181: Memory corruption in Apple Magic Mouse USB driver.
The Apple Magic Mouse USB driver does not correctly validate event data
allowing a malicious USB device to trigger kernel memory corruption and
potentially gain elevated privileges.
* CVE-2014-3186: Memory corruption in PicoLCD USB driver.
The PicoLCD USB driver does not correctly validate event data allowing a
malicious USB device to trigger kernel memory corruption and potentially
gain elevated privileges.
* CVE-2014-5045: Denial-of-service in virtual filesystem core when trying to unmount a symlink.
Trying to unmount a symlink file on a mounted filesystem would increase the
reference counter for the mount point, preventing any further unmounting. A
local, privileged user could use this flaw to prevent any mount point from
being unmounted.
* CVE-2014-6410: Denial-of-service in UDF filesystem parsing.
The kernel UDF filesystem driver does not correctly validate indirect
inodes, allowing a malicious user to cause a kernel panic by mounting a
UDF volume with deeply nested indirect inodes.
* CVE-2014-1739: Information leak in the media stack when enumerating media devices.
The ioctl() to enumerate media devices can copy 200 bytes of kernel stack
to userspace. A local user with write access to /dev/mediaX could use this
flaw to gather information about the running kernel.
* CVE-2014-3631: Kernel panic in keyring garbage collection.
The kernel does not correctly handle removing a large number of
cryptographic keys from the kernel keyring, which can lead to a NULL
pointer dereference and kernel panic.
* CVE-2014-3182: Invalid memory read in HID Logitech driver.
The driver providing full support for Logitech Unifying receivers is
vulnerable to an out-of-bounds read flaw. It could occur if a device offers a
malicious HID report with an arbitrary device_index.
A malicious user with physical access to the system could use this
flaw to crash the system, resulting in a denial-of-service.
* Kernel bug in network stack generic segmentation offload.
A logic error in the network stack when using both generic segmentation
offload (GSO) and generic receive offload could potentially trigger a
BUG_ON() assertion, leading to a denial-of-service.
* CVE-2014-3185: Memory corruption in USB serial WhiteHEAT device driver.
The USB ConnectTech WhiteHEAT serial driver is vulnerable to a memory
corruption flaw. It could occur when reading completion commands via USB
Request Block buffers.
A local user with physical access to the system could use this flaw to
corrupt kernel memory or crash the system kernel, resulting in a
denial-of-service.
* CVE-2014-4027: Information leak in iSCSI Target ramdisk transport.
Due to incorrect initialization of one of the data structures used by
the iSCSI Target ramdisk transport, local users could obtain sensitive
information from the ramdisk memory that they should not have access
to.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.