[Ksplice-Fedora-19-updates] New updates available via Ksplice (FEDORA-2014-11008)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Sep 30 02:55:15 PDT 2014


Synopsis: FEDORA-2014-11008 can now be patched using Ksplice
CVEs: CVE-2014-3181 CVE-2014-3182 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-3601 CVE-2014-3631 CVE-2014-5471 CVE-2014-5472 CVE-2014-6410 CVE-2014-6416 CVE-2014-6417 CVE-2014-6418 CVE-2014-7145

Systems running Fedora 19 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-11008.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 19 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
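As an added example (not part of the advisory or of the Ksplice tooling), the following POSIX shell helper reads the autoinstall setting and tells an administrator whether the manual uptrack-upgrade run is still needed. It assumes uptrack.conf is an INI-style file with "key = value" lines and "#" comments; the advisory itself only shows the "autoinstall = yes" line.

```shell
#!/bin/sh
# Added example: decide whether this host needs a manual "uptrack-upgrade -y"
# or whether Uptrack's autoinstall will apply the FEDORA-2014-11008 updates.
# Assumption: /etc/uptrack/uptrack.conf is INI-style, "#" starts a comment.

# Print "yes" (exit 0) if autoinstall is enabled in the given config,
# otherwise "no" (exit 1). Comment lines and surrounding whitespace are
# ignored; the value comparison is case-insensitive; the last setting wins.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 1; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo "yes"; return 0 ;;
        *)          echo "no";  return 1 ;;
    esac
}

# Constructed sample config, used only so the example runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Constructed /etc/uptrack/uptrack.conf for this example
[Settings]
# autoinstall = yes   (commented out: must be ignored)
autoinstall = no
install_on_reboot = yes
autoinstall = Yes   # later setting overrides the earlier one
EOF

if [ "$(uptrack_autoinstall "$SAMPLE_CONF")" = "yes" ]; then
    echo "autoinstall enabled: Uptrack will apply FEDORA-2014-11008 automatically"
else
    echo "autoinstall disabled: run '/usr/sbin/uptrack-upgrade -y' as root"
fi
rm -f "$SAMPLE_CONF"
```

Run it without the sample section against the real /etc/uptrack/uptrack.conf to check a fleet of Fedora 19 hosts before assuming the update is in place.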


DESCRIPTION

* CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

The parse_rock_ridge_inode_internal() function in the ISO filesystem driver
does not correctly check relocated directories when processing Rock Ridge
child link tags. An attacker with physical access to the system could use a
specially crafted ISO image to cause a denial of service or, potentially,
escalate their privileges.


* CVE-2014-3601: Denial-of-service in KVM page mapping.

The kvm map pages function miscalculates the number of pages in the case
of a mapping failure, which allows guest OS users to (1) cause a denial of
service (host OS memory corruption) or possibly have unspecified other
impact by triggering a large gfn value or (2) cause a denial of service
(host OS memory consumption) by triggering a small gfn value that leads to
permanently pinned pages.


* CVE-2014-3182: Invalid memory read in HID Logitech driver.

The Logitech Unifying receivers full support driver is vulnerable
to an out-of-bounds read flaw. It could occur if a device offers a
malicious HID report with arbitrary device_index.

A malicious user with physical access to the system could use this
flaw to crash the system resulting in a denial-of-service.


* Denial-of-service in USB logging.

A bug in usbfs could cause usbcore to flood the log with error
messages.  A malicious privileged user could exploit this to cause
a denial of service.


* Invalid memory access in ADS1015 hardware monitor driver.

An invalid bounds check on an array index in the ads1015 driver
could lead to an invalid memory access.


* Kernel panic in debugfs.

A race condition in the debugfs removal code could result in
memory corruption and a kernel panic. An unprivileged local user
could exploit this flaw to cause a denial-of-service.


* Denial-of-service in 32-bit KVM guests on boot.

A flaw in the emulated interrupt controller could cause an end-of-interrupt
to be missed and subsequent masking of the interrupt to fail. This could
cause an interrupt storm in the guest leading to a denial-of-service.


* Data corruption on ext4 filesystem when discarding previously allocated blocks.

Incorrect clean up when discarding previously allocated blocks in the ext4
filesystem could lead to data corruption. An attacker could use this flaw
to cause a denial-of-service.


* Kernel panic in ext4 block free.

Improper error handling in the case of a block allocation failure
in ext4 could lead to a BUG_ON and kernel panic.


* Xen PVH guest crash while creating grant table.

A bug in the PVH grant table setup causes PVH guests to crash
when attempting to map pages for the grant table.


* Memory corruption in btrfs on 32-bit architectures.

The list management of the btrfs code incorrectly assumes that a pointer is
64 bits long, leading to overwriting adjacent memory with zeros when the
pointer size is smaller.


* Data corruption in btrfs compressed write.

Invalid error handling in btrfs when trying to allocate space
for a compressed extent could lead to data corruption where dirty
pages do not get written out.


* Kernel crash in btrfs corrupted block read.

When reading a corrupted block, an offset parameter doesn't get
properly updated, leading to checksum errors and a kernel BUG. An
attacker could exploit this using a specially crafted filesystem to
cause a denial-of-service.


* Memory leak in mei nfc driver send.

Missing error handling in the case of a send failure could
leak memory.  This could be exploited by a malicious user to
cause a denial-of-service.


* Denial-of-service in jbd2 on corrupt journal recovery.

When the jbd2 code encounters a corrupt journal block during
journal recovery, it falls into an infinite loop.  An attacker
could potentially exploit this flaw to cause a denial-of-service.


* CVE-2014-3185: Memory corruption in USB serial WhiteHEAT device driver.

The USB ConnectTech WhiteHEAT serial driver is vulnerable to a memory
corruption flaw. It could occur when reading completion commands via USB
Request Blocks buffers.

A local user with physical access to the system could use this flaw to
corrupt kernel memory or crash the kernel, resulting in a
denial-of-service.


* Kernel crash in NFSD startup.

Invalid error handling in the case of a memory allocation failure
during nfsd startup leads to improper accounting, which could cause
a kernel crash on a subsequent nfsd startup retry.


* Possible incorrect permissions in NFSv4 close with delegation.

The check in NFSv4 for read/write, read-only, or write-only share
mode is invalid in the presence of delegations.  This could lead to close
being done with the wrong state flags.


* Denial-of-service while reading /proc/PID/smaps.

Improper use of the while_each_thread iterator in the memory
subsystem could lead to a soft-lockup when reading /proc/PID/smaps.
A malicious privileged user could exploit this to cause a
denial-of-service.


* Invalid ACL reporting in NFS.

An incorrect error check in the ACL listing could result in
ACLs being incorrectly reported.


* CVE-2014-3184: Invalid memory write in HID drivers.

Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs.  This could occur if
a HID device report offers an invalid report descriptor size.

A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.


* Denial-of-service in HW monitoring drivers.

Invalid boundary check in several hwmon drivers (gpio-fan, lm85,
lm78, and sis5595) could lead to invalid values being written out
for temperature limits.  A privileged user could exploit this to cause
a denial-of-service.


* Data corruption in btrfs checksums.

A race condition in btrfs could result in the same file extent
range having two versions of a checksum, causing data corruption.


* Data corruption in ext4 inode disksize.

Incorrect error handling in block allocation in ext4 could result
in an inode being assigned an invalid disksize. An attacker could use
this to cause a denial-of-service.


* CVE-2014-3631: Kernel panic in keyring garbage collection.

The kernel does not correctly handle removing a large amount of
cryptographic keys from the kernel keyring which can lead to a NULL
pointer dereference and kernel panic.


* CVE-2014-3181: Memory corruption in Apple Magic Mouse USB driver.

The Apple Magic Mouse USB driver does not correctly validate event data
allowing a malicious USB device to trigger kernel memory corruption and
potentially gain elevated privileges.


* CVE-2014-3186: Memory corruption in PicoLCD USB driver.

The PicoLCD USB driver does not correctly validate event data allowing a
malicious USB device to trigger kernel memory corruption and potentially
gain elevated privileges.


* CVE-2014-6410: Denial of service in UDF filesystem parsing.

The kernel UDF filesystem driver does not correctly validate indirect
inodes allowing a malicious user to cause a kernel panic by mounting a
UDF volume with deeply nested indirect inodes.


* Use-after-free in AMD iommu mass device removal.

Incomplete cleanup during mass device remove in the AMD
iommu could result in a use-after-free.


* Memory leak in ALSA SOC pcm update.

A missing release in dpcm runtime updates could result in a memory
leak.  A malicious user could exploit this to cause a
denial-of-service.


* Denial of service in bq2415 power driver.

An invalid call sequence in the bq2415 power driver caused it
to sleep while in atomic context, leading to possible deadlock.
This could be exploited to cause a denial-of-service.


* Data corruption in trace ring buffer during reads.

A race condition while reading a trace file could cause the
ring buffer iterator to get corrupted, leading to a kernel
panic.


* Denial-of-service in Bluetooth sockets during task exit.

Invalid treatment of a Bluetooth socket (BTPROTO_L2CAP, BTPROTO_SCO,
or BTPROTO_RFCOMM) close could result in an unkillable process.  A
malicious user could exploit this to cause a denial-of-service.


* Invalid recovery during RAID1 and RAID10 recoveries.

Invalid treatment of a write error during recovery in raid1
and raid10 drivers could result in some sectors not being correctly
recovered.


* CVE-2014-6416, CVE-2014-6417, CVE-2014-6418: Buffer overflow in libceph authorization.

An invalid hard-coded buffer size could lead to buffer overflows
and kernel panics during ticket authorization.


* CVE-2014-7145: NULL pointer dereference in CIFS SMB2 error handling.

Invalid error handling in the cifs smb2 code could result in
a NULL pointer dereference and kernel panic.


* Double free in flash translation layer while adding a device.

Invalid error handling in the MTD FTL driver while adding a MTD device
could result in a double free and kernel panic.


* Use-after-free in keyring associative array garbage collection.

The keyring garbage collection was incorrectly using a data
structure after it had potentially been freed, leading to a
use-after-free and potential kernel panic.


* Data corruption in XFS when extending EOF.

Invalid dirty buffer handling in XFS could result in data
corruption when one process extends the EOF while another
process attempts to write via direct I/O to the same file.
A malicious user could use this to cause a denial-of-service.


* XFS page cache corruption with O_DIRECT operations.

XFS reads and writes with O_DIRECT can zero out partial ranges in a page in
a cache. This page can stay in the cache, causing normal, buffered reads to
read zeros instead of the actual content.


* Denial-of-service in libceph TCP send and receive page.

A miscalculation in the libceph code could cause an invalid message
length to be passed in ceph_tcp_{send,recv}page, which causes various
assertions to fire.  This could be used by a malicious user to cause
a denial-of-service attack.


* Invalid memory access in libceph with large replies.

A failure to correctly allocate new messages with large replies
from the mon in libceph could result in a buffer overrun.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

