[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-9139)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 4 17:36:54 PDT 2014


Synopsis: FEDORA-2014-9139 can now be patched using Ksplice
CVEs: CVE-2014-4171 CVE-2014-5077

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-9139.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

A Linux kernel built with support for the Stream Control Transmission
Protocol (SCTP) is vulnerable to a NULL pointer dereference flaw. It could
occur when new connections are initiated simultaneously between the same
pair of hosts. A remote user or program could use this flaw to crash the
system kernel, resulting in denial-of-service.


* Denial-of-service in Intel high definition audio driver on suspend resume path.

A flaw in the Intel high definition audio driver leads the power management
stack to dereference invalid pointers if the Intel high definition audio
driver fails to load because of missing symbols. A local, privileged user
could use this flaw to cause a kernel panic and denial-of-service.


* NULL pointer dereference in three-wire UART protocol support.

A flaw in the three-wire UART protocol (Bluetooth H5) leads to a NULL
pointer dereference when a non-link packet is found in the receive queue. A
remote attacker could inject specially crafted packets over the air to cause
a denial-of-service.


* Memory leak in tracing subsystem when an event directory is removed.

A missing call to free_event_filter() when removing an event file directory
in the tracing subsystem leads to a memory leak. A local, privileged user
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Deadlock in Xen console driver on resume path.

Incorrect locking in the Xen console driver on suspend could lead to a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption in quota subsystem when shrinking its cache.

Missing locks when iterating over the free dquot list could lead to memory
corruption and a kernel panic. A local user could use this flaw to cause a
denial-of-service.


* Information leak in the Stream Control Transmission protocol.

Failing to check the error code from proc_dointvec() when handling a write
on the sysfs auth_enable could lead to leaking 4 bytes of kernel memory to
userspace. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in 8021q stack when re-ordering vlan headers.

When re-ordering vlan headers, a socket buffer wasn't properly released if
creating a copy-on-write socket buffer failed. This could cause a
denial-of-service by exhausting the memory on the system.


* NULL pointer dereference in Broadcom BN2X ethernet driver under memory pressure.

Under memory pressure, an allocation in the Broadcom BN2X driver could fail
and lead to a NULL pointer dereference because the return value isn't
checked. An attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in TCP stack when pushing during TCP repair.

A flaw in the TCP stack when pushing during a TCP repair could trigger a
divide-by-zero fault. A local, privileged user could use this flaw to cause
a denial-of-service.


* Memory corruption in transparent inter-process communication protocol.

A missing initialization to NULL of a pointer to the next packet in the
TIPC stack could lead to an invalid memory access and packet corruption
when re-assembling the packet. A remote user could use this flaw to cause a
denial-of-service.


* Information leak in the stream control transmission protocol stack.

Some structures exchanged between user space and kernel space in the stream
control transmission protocol stack contain holes which may be left
uninitialized. A local, unprivileged user could use this flaw to obtain
information about the running kernel.
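The structure-hole leak described above is a general C problem: alignment padding between fields is not touched by field-by-field initialization, so whatever the memory held before travels to user space along with the structure. The following added example (constructed for this advisory, not kernel or SCTP code) uses a hypothetical `struct demo_info` with a one-byte field followed by a four-byte one, pre-fills the memory with a marker byte standing in for stale kernel data, and counts how many marker bytes survive a fields-only fill versus a fill preceded by `memset()`, which is the usual mitigation before copying a structure to user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical kernel-to-user structure (constructed for this example): a
 * one-byte field followed by a four-byte field, so the compiler inserts
 * alignment padding between them. */
struct demo_info {
    uint8_t  flags;
    uint32_t count;
};

/* Number of padding bytes the compiler added: total object size minus the
 * bytes the named fields actually occupy. */
size_t demo_info_padding(void)
{
    return sizeof(struct demo_info) - (sizeof(uint8_t) + sizeof(uint32_t));
}

/* The careless pattern: assign the named fields only and leave the padding
 * holding whatever the memory contained before. */
static void fill_fields_only(struct demo_info *dst)
{
    dst->flags = 0x01;
    dst->count = 42;
}

/* Hardened variant: clear the whole object, padding included, before
 * setting fields, so no stale bytes remain to be copied out. */
static void fill_after_memset(struct demo_info *dst)
{
    memset(dst, 0, sizeof(*dst));
    dst->flags = 0x01;
    dst->count = 42;
}

/* Leak check: pre-fill the object's bytes with a marker that stands in for
 * stale kernel data, run the fill routine, then count marker bytes that are
 * still present. Each one is a byte that would have reached user space.
 * (Neither field value contains the marker byte 0xAA, so every survivor is
 * padding.) */
static size_t stale_bytes_after(void (*fill)(struct demo_info *))
{
    union {
        struct demo_info s;
        uint8_t raw[sizeof(struct demo_info)];
    } u;
    size_t i, stale = 0;

    memset(u.raw, 0xAA, sizeof(u.raw));
    fill(&u.s);
    for (i = 0; i < sizeof(u.raw); i++)
        if (u.raw[i] == 0xAA)
            stale++;
    return stale;
}

size_t stale_bytes_fields_only(void) { return stale_bytes_after(fill_fields_only); }
size_t stale_bytes_with_memset(void) { return stale_bytes_after(fill_after_memset); }

int main(void)
{
    printf("padding bytes in struct demo_info: %zu\n", demo_info_padding());
    printf("stale bytes after fields-only fill: %zu\n", stale_bytes_fields_only());
    printf("stale bytes after memset + fill:    %zu\n", stale_bytes_with_memset());
    return 0;
}
```

On a typical 64-bit build the struct is 8 bytes with 3 bytes of padding, and the fields-only fill leaves exactly those 3 marker bytes in place while the memset variant leaves none; the counts are computed from `sizeof` rather than hard-coded so the check holds on other ABIs too.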


* Memory leak in sunvnet ethernet driver when removing the module.

The vnet ethernet driver wasn't releasing the resources it had allocated at
creation time, leading to memory leaks. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Out of bounds memory access in the DNS resolver when querying.

A logic error in the DNS resolver could lead to an out-of-bounds read of one
byte, possibly causing a kernel panic. A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Multiple use-after-free in xen-netback driver.

Multiple use-after-free bugs have been found in the xen-netback driver due to
incorrect operations on socket buffer fragments under specific conditions.
An attacker could use these flaws to cause a denial-of-service.


* Memory leak in the Radeon display driver when retrieving the display modes.

The EDID of a display device could be allocated multiple times under
specific conditions, leading the first one allocated to be unreachable and
leaked. A local, privileged user could use this flaw to exhaust the memory
on the system and cause a denial-of-service.


* Deadlock in the time stamp counter driver on CPU removal.

A logic error in the time stamp counter driver leads to a deadlock on CPU
removal. A local, privileged user could use this flaw to cause a
denial-of-service.


* Integer overflow in the random char device driver when calculating entropy.

A logic error in the random char device driver could lead to an incorrect
amount of entropy being calculated under specific conditions. This could
weaken the entropy of the random char device driver.


* Divide by zero when reading sched procfs file.

A 64-bit value is truncated to 32 bits after having been tested for
non-zero, which can still leave the resulting 32-bit value as zero and cause
an in-kernel divide-by-zero when reading the /proc/<pid>/sched procfs file.
A local, unprivileged user could use this flaw to cause a
denial-of-service.
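The check-wide, divide-narrow mistake described above is easy to reproduce in plain C. The following added example (constructed for this advisory; it models the pattern, not the kernel's scheduler code) shows a buggy `average_buggy()` that tests a 64-bit count for zero and then divides by a 32-bit copy of it, next to `average_fixed()` that checks and divides in the same width. Any count that is a multiple of 2^32 passes the wide check yet truncates to a zero divisor; rather than execute that division (which would raise SIGFPE), the buggy function reports it through its return code. Function names and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns 1 when a non-zero 64-bit value collapses to zero once truncated to
 * 32 bits, i.e. when its low 32 bits are all clear. Every multiple of 2^32
 * has this property. */
int truncation_zeroes_value(uint64_t v)
{
    return v != 0 && (uint32_t)v == 0;
}

/* Buggy pattern: zero test on the 64-bit count, division by a 32-bit copy.
 * Returns the average on success (assumed to fit in int64_t for this demo),
 * -1 when the original check catches count == 0, and -2 for the case that
 * slips past it, where the kernel would have divided by zero. */
int64_t average_buggy(uint64_t total, uint64_t count)
{
    uint32_t divisor;

    if (count == 0)
        return -1;              /* the existing check, on the wide type */
    divisor = (uint32_t)count;  /* silent narrowing conversion */
    if (divisor == 0)
        return -2;              /* what the real code would have divided by */
    return (int64_t)(total / divisor);
}

/* Fixed pattern: the value that was tested for zero is the value used as the
 * divisor, so the check cannot be undone by a later conversion. */
int64_t average_fixed(uint64_t total, uint64_t count)
{
    if (count == 0)
        return -1;
    return (int64_t)(total / count);
}

int main(void)
{
    /* Constructed sample: a count of exactly 2^32. */
    uint64_t total = 1000, count = (uint64_t)1 << 32;
    int64_t rc;

    printf("2^32 truncates to zero: %d\n", truncation_zeroes_value(count));
    rc = average_buggy(total, count);
    printf("buggy path: %lld%s\n", (long long)rc,
           rc == -2 ? " (would have divided by zero)" : "");
    rc = average_fixed(total, count);
    printf("fixed path: %lld\n", (long long)rc);
    return 0;
}
```

Compilers will not flag the narrowing assignment by default; `-Wconversion` on GCC or Clang makes the `(uint32_t)count` step visible during review, which is the cheapest way to catch this class of bug before it reaches a divide.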


* Memory corruption in asynchronous IO driver under heavy load.

Incorrect locking in the asynchronous IO driver could lead to memory
corruption. A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service in virtual filesystem core when trying to unmount a symlink.

Trying to unmount a symlink file on a mounted filesystem would increase the
reference counter for the mount point, preventing any further unmounting. A
local, privileged user could use this flaw to prevent any mount point from
being unmounted.


* Use-after-free in point to point protocol when removing a filter.

A logic error in the point to point protocol driver could leave pointers to
freed memory in place when removing a pass or active filter, potentially
causing a kernel panic. A local, privileged user could use this flaw to cause
a denial-of-service.


* Kernel bug in network stack generic segmentation offload.

A logic error in the network stack when using both generic segmentation
offload (GSO) and generic receive offload (GRO) could potentially trigger a
BUG_ON() assertion, leading to a denial-of-service.


* CVE-2014-4171: Denial-of-service in shared memory when faulting into a hole while it's punched.

A flaw in the shared memory fault implementation could lead to a kernel
hang if the fault happens to be in a hole which is being punched or
sliced. A local, privileged user could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

