[Ksplice-Fedora-19-updates] New updates available via Ksplice (FEDORA-2014-5609)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 7 08:05:23 PDT 2014


Synopsis: FEDORA-2014-5609 can now be patched using Ksplice
CVEs: CVE-2014-0155 CVE-2014-2851

Systems running Fedora 19 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-5609.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 19 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
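As an added example, not part of the advisory or of the Uptrack tooling, the
script below wraps the procedure just described: it reads uptrack.conf to
decide whether a manual upgrade is needed, runs it otherwise, and then checks
that both CVEs named in this advisory appear in the installed-update listing.
The format of the `uptrack-show` output is an assumption; the sample listing
used to exercise the helper is constructed.

```sh
#!/bin/sh
# Added example, not Oracle's code. Decide whether a manual uptrack-upgrade is
# needed and verify that this advisory's CVEs are present afterwards.

# Return 0 if the configuration file enables autoinstall. Skips commented
# lines, tolerates whitespace around '=' and mixed case, and takes the last
# definition if the key appears more than once.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(tr 'A-Z' 'a-z' < "$conf" |
          sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
          tail -n 1)
    case "$val" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read an update listing on stdin and print every CVE id from the argument
# list that is absent from it, one per line. Prints nothing if all are present.
missing_cves() {
    listing=$(cat)
    for cve in "$@"; do
        printf '%s\n' "$listing" | grep -qw -- "$cve" || printf '%s\n' "$cve"
    done
}

# The advisory's procedure, wired to the helpers above. Assumes the standard
# Uptrack paths; the uptrack-show listing format is an assumption.
check_host() {
    if autoinstall_enabled /etc/uptrack/uptrack.conf; then
        echo "autoinstall is on; Uptrack will apply FEDORA-2014-5609 on its own"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
    missing=$(/usr/sbin/uptrack-show | missing_cves CVE-2014-0155 CVE-2014-2851)
    if [ -n "$missing" ]; then
        printf 'not yet patched:\n%s\n' "$missing"
        return 1
    fi
    echo "both CVEs present in the installed updates"
}

# Only touch the real system when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run it as `sh check-uptrack.sh --run` on the host; without `--run` the
functions are only defined, so the parsing can be exercised against a
scratch configuration file first.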


DESCRIPTION

* Memory leak in SCTP stack on COOKIE ECHO error path.

On the error path taken while handling a COOKIE ECHO chunk when memory is
constrained, the SCTP stack does not free memory it has already allocated.
A remote attacker could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Denial-of-service in bridge code on receiving malformed MLD queries.

A lack of input validation in the bridge code when handling MLD queries
could lead to multicast ports being shut down. A remote attacker could use
this flaw to cause a denial-of-service.


* Memory leak in TIPC code when sending a message on a closed connection.

Incorrect reference counting in the error path of tipc_conn_sendmsg() when
the connection is found to be closed could lead to a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Denial-of-service in IPv4 fragmentation code on evicting fragments.

A race condition in the IPv4 fragmentation code could lead to a kernel
crash under specific conditions. A local, privileged user could use this
flaw to cause a denial-of-service.


* Deadlock in Stochastic Fairness Queueing packet scheduling algorithm.

Incorrect locking in the Stochastic Fairness Queueing scheduling algorithm
could lead to a memory allocation which might sleep with interrupts
disabled, causing a deadlock.


* Deadlock in TCP stack on software checksum calculation.

A logic error in the TCP stack when the NIC has no support for RX checksum
could lead to a deadlock under specific conditions.


* NULL pointer dereference in VXLAN code when handling ARP requests.

A lack of input validation in the VXLAN code could lead to a NULL pointer
dereference when memory is constrained. A remote attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service in TIPC stack on failed subscriptions.

Incorrect locking in the TIPC stack when a subscription fails could lead to
spinlock recursion. A remote, authenticated attacker could use this flaw to
cause a denial-of-service.


* Memory leak in IP tunnel stack when dropping a multicast packet.

Incorrect reference counting in the IP tunnel code could lead to a memory
leak when dropping a multicast packet. A local, unprivileged user could
use this flaw to cause a denial-of-service by exhausting the host memory.


* Double-free in virtio-net on packet transmission.

Incorrect logic in the virtio-net driver could lead to a double-free under
specific circumstances. A local user could use this flaw to cause a kernel
crash or potentially escalate privileges.


* Deadlocks in IPv6 stack when updating statistic counters.

Incorrect locking in various places in the IPv6 stack could lead to a
deadlock when updating statistic counters.


* Memory corruption in ISDN loop driver.

A lack of input validation in various places of the ISDN loop driver could
lead to out of bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* CVE-2014-0155: Denial-of-service on KVM host when handling end of interrupts.

A lack of input validation in the KVM host when handling the redirection
table of an emulated I/O APIC could lead to a crash of the host. A local,
privileged user of a guest could use this flaw to cause a denial-of-service
via a specifically crafted redirection table entry.


* CVE-2014-2851: Integer overflow when initializing a ping socket.

Incorrect reference counting in the error path of ping_init_sock() leaks a
reference on every failed call; repeated failures could overflow the
reference counter and result in a use-after-free. A local, unprivileged
user could use this flaw to cause a denial-of-service or potentially to
escalate privileges.
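The following is an added example, not kernel code and not part of this
advisory: a toy C reconstruction of the bug class that the TIPC, IP tunnel
and ping_init_sock() entries above describe, a reference taken on entry that
one error path forgets to drop. The function and counter names mirror the
kernel's (get_group_info/put_group_info, the ping_group_range check), but the
bodies, the 8-bit counter and the bystander get/put pair are assumptions
chosen so that the counter wrap is reachable in a short run.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. The counter is deliberately 8 bits wide so
 * that a wrap is reachable in a demo; the kernel's is a 32-bit atomic. */
struct group_info {
    uint8_t refcnt;          /* narrow on purpose, see above */
    bool freed;              /* set when the last reference is dropped */
    size_t ngroups;
    const uint32_t *gids;
};

static struct group_info *get_group_info(struct group_info *gi)
{
    gi->refcnt++;
    return gi;
}

static void put_group_info(struct group_info *gi)
{
    if (--gi->refcnt == 0)
        gi->freed = true;    /* a real kernel would kfree() here */
}

struct ping_sock { bool initialised; };

/* Hypothetical stand-in for net.ipv4.ping_group_range. The kernel default
 * "1 0" is an empty range, so every unprivileged caller fails the check. */
static uint32_t range_lo = 1, range_hi = 0;

/* Vulnerable shape: the reference taken at the top is dropped on success
 * but not on the -EACCES path. */
static int ping_init_sock_leaky(struct ping_sock *sk, struct group_info *cur)
{
    struct group_info *gi = get_group_info(cur);
    for (size_t i = 0; i < gi->ngroups; i++) {
        if (gi->gids[i] >= range_lo && gi->gids[i] <= range_hi) {
            sk->initialised = true;
            put_group_info(gi);
            return 0;
        }
    }
    return -EACCES;          /* BUG: gi is never put on this path */
}

/* Fixed shape: a single exit, the reference is always released. */
static int ping_init_sock_fixed(struct ping_sock *sk, struct group_info *cur)
{
    struct group_info *gi = get_group_info(cur);
    int ret = -EACCES;
    for (size_t i = 0; i < gi->ngroups; i++) {
        if (gi->gids[i] >= range_lo && gi->gids[i] <= range_hi) {
            sk->initialised = true;
            ret = 0;
            break;
        }
    }
    put_group_info(gi);
    return ret;
}

static const uint32_t demo_gids[] = { 1000 };   /* constructed: outside the range */

/* Runs n socket initialisations (all fail, the range is empty) against one
 * group_info that an owner holds a single reference to. */
static void run_failures(struct group_info *gi, bool fixed, unsigned n)
{
    struct ping_sock sk = { false };
    for (unsigned i = 0; i < n; i++)
        (void)(fixed ? ping_init_sock_fixed(&sk, gi) : ping_init_sock_leaky(&sk, gi));
}

/* Counter value the owner's object is left with after n failed inits. */
static unsigned refcount_after_failures(bool fixed, unsigned n)
{
    struct group_info gi = { .refcnt = 1, .freed = false, .ngroups = 1, .gids = demo_gids };
    run_failures(&gi, fixed, n);
    return gi.refcnt;
}

/* After n failed inits, an unrelated user takes and drops one legitimate
 * reference. Returns true if that pair freed the object out from under the
 * owner, which is the use-after-free the advisory entry refers to. */
static bool owner_loses_object(bool fixed, unsigned n)
{
    struct group_info gi = { .refcnt = 1, .freed = false, .ngroups = 1, .gids = demo_gids };
    run_failures(&gi, fixed, n);
    put_group_info(get_group_info(&gi));
    return gi.freed;
}

int main(void)
{
    printf("leaky: refcnt after 255 failures = %u, owner's object freed by a bystander: %s\n",
           refcount_after_failures(false, 255), owner_loses_object(false, 255) ? "yes" : "no");
    printf("fixed: refcnt after 255 failures = %u, owner's object freed by a bystander: %s\n",
           refcount_after_failures(true, 255), owner_loses_object(true, 255) ? "yes" : "no");
    return 0;
}
```

With the leaky variant the counter reaches 256 after 255 failed calls, wraps
to 0, and the next innocent get/put pair frees the object while the original
owner still holds a pointer to it; with a 32-bit counter the same sequence
needs about four billion failed calls, which is why the advisory grades the
flaw as a local denial-of-service with a possible privilege escalation rather
than a trivial one.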


* Denial-of-service when exiting processes.

A race condition when a process is exiting can lead to the process not
releasing its kernel resources. A local, unprivileged user could use this
flaw to exhaust kernel resources and cause a kernel panic.


* NULL pointer dereference when exiting a process.

Kernel networking resources are released in the incorrect order when exiting a
process, leading to a possible NULL pointer dereference and kernel panic.


* NULL pointer dereference in PID namespaces.

The kernel does not validate a pointer when looking up a PID namespace for a
given process which leads to a NULL pointer dereference and kernel panic.


* Denial-of-service in XFS directory lookup.

The XFS file-system driver incorrectly hashes directory entries when listing
a directory, which causes some entries to be hidden. A local, unprivileged
user can use this flaw to force the file-system to be remounted read-only.


* Deadlock in nested btrfs transactions.

Incorrect reference counting when handling nested btrfs transactions can
lead to a deadlock and kernel panic.


* Data corruption in ext4 extents lookup.

The ext4 file-system driver does not validate a return value when mapping
blocks of extent-based files, leading to possible data corruption.


* Data corruption in ext4 when handling partial clusters.

Data corruption can be triggered on ext4 bigalloc filesystems by punching holes
in files with partial clusters.


* Data corruption when deleting sparse files on ext4 filesystem.

The ext4 file-system driver does not correctly handle deleting sparse files on
ext4 bigalloc file-systems leading to data corruption.


* Memory corruption when creating large files on jffs2 images.

An integer overflow in the jffs2 file-system driver when calculating the size
of a large file can trigger kernel memory corruption and kernel panic.


* Use-after-free in jffs2 garbage collection.

A logic error can cause a use-after-free and kernel panic when reserving space
on a jffs2 file-system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
