[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-7863)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jul 3 00:46:31 PDT 2014


Synopsis: FEDORA-2014-7863 can now be patched using Ksplice
CVEs: CVE-2014-0206 CVE-2014-4508 CVE-2014-4608 CVE-2014-4611 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-7863.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while being in use.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control, or a control that is not owned
by the calling process. Userspace was also able to bypass the limit on the
number of user controls by overflowing the user control count.


* CVE-2014-4656: ALSA Control ID overflow.

Missing range checks in ALSA control IDs could lead to an integer overflow.


* NULL pointer dereference in Target Core Mod (TCM) when releasing a session.

A missing check for NULL before dereferencing a pointer in the TCM driver
when releasing a session could lead to a kernel panic.


* Information leak in QLogic Data Center Bridging (DCB).

A lack of structure initialization in the QLogic DCB driver discloses 2
bytes of kernel stack to userspace. This could be used by an attacker to
gather information about the running kernel and help in a potential attack.


* Use-after-free in UDP stack in the fast transmit path.

Incorrect locking in the UDP stack when using the lockless transmit path
can lead to a race condition that causes a use-after-free and kernel panic. An
attacker could use this flaw to cause a denial-of-service.


* CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.

Incorrect reference counting in the error path of sctp_unpack_cookie()
could corrupt the backlog reference counter, preventing any future SCTP
association. A remote attacker could use this flaw to cause a
denial-of-service.


* Memory leak in USB Modem class support when transmitting URBs.

A missing check to ensure that the suspend path is not running concurrently
when transmitting URBs to the USB modem can lead to a memory leak and a
reference counter imbalance. A local, privileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* Use-after-free in HyperV guest driver when connecting to the host.

A logic error in the HyperV driver code when there is an error connecting to
the host leads to freeing a page that was never allocated, potentially
resulting in a use-after-free or double-free.


* CVE-2014-4608: Integer overflow in LZO when uncompressing blocks larger than 16MB.

Lack of input validation in the LZO library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* CVE-2014-4611: Integer overflow in LZ4 library when uncompressing large blocks.

Lack of input validation in the LZ4 library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.
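
The LZO and LZ4 entries above describe the same bug class: a decoder
accumulates a length from attacker-controlled bytes and then checks
"output pointer + length <= end", a comparison that wraps on a 32-bit
kernel once the length is large enough. The following is an added example
written for this advisory, not code from the kernel or from either library.
It models an LZ4-style extended literal length (token nibble 15, then 0xff
extension bytes) and a 32-bit address space via a uint32_t `addr_t`; the
decoder, the address values and the byte string are constructed for the
demonstration. It puts the wrapping check beside the one that compares the
length against the space remaining, which cannot wrap.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t addr_t;   /* models a 32-bit kernel address (constructed) */

/* Decode an LZ4-style extended length: `base` is the 4-bit token value; when
 * it is 15, each following 0xff byte adds 255 and the first byte below 0xff
 * ends the run. Returns the number of input bytes consumed, or -1 when the
 * input is truncated or the accumulator itself would wrap. */
static int decode_length(const uint8_t *ip, size_t in_len, uint32_t base,
                         uint32_t *length)
{
    size_t consumed = 0;
    uint32_t len = base;

    if (base == 15) {
        uint8_t b;
        do {
            if (consumed >= in_len)
                return -1;                    /* ran off the end of input */
            b = ip[consumed++];
            if (len > UINT32_MAX - b)
                return -1;                    /* len + b would wrap */
            len += b;
        } while (b == 255);
    }
    *length = len;
    return (int)consumed;
}

/* Vulnerable form: do the pointer arithmetic first, compare second. With op
 * near the top of the address space, op + length wraps modulo 2^32 and the
 * comparison succeeds although the copy would run far past oend. */
static int literal_fits_unsafe(addr_t op, addr_t oend, uint32_t length)
{
    addr_t cpy = op + length;                 /* may wrap */
    return cpy <= oend;
}

/* Hardened form: compare the length against the distance that remains.
 * Requires the invariant op <= oend, which is checked explicitly so that
 * the subtraction can never wrap either. */
static int literal_fits_safe(addr_t op, addr_t oend, uint32_t length)
{
    if (op > oend)
        return 0;
    return length <= (uint32_t)(oend - op);
}

int main(void)
{
    /* Constructed stream: three 0xff extension bytes then 0x10. */
    static const uint8_t ext[] = { 0xff, 0xff, 0xff, 0x10 };
    uint32_t len = 0;
    int n = decode_length(ext, sizeof ext, 15, &len);
    printf("decoded length %u from %d bytes\n", len, n);

    /* A 2 KiB output buffer sitting just below the 4 GiB boundary. */
    addr_t op = 0xFFFFF000u, oend = 0xFFFFF800u;
    uint32_t want = 0x2000;                   /* 8 KiB literal run */
    printf("unsafe check says fits: %d\n", literal_fits_unsafe(op, oend, want));
    printf("safe   check says fits: %d\n", literal_fits_safe(op, oend, want));
    return 0;
}
```

The unsafe check accepts an 8 KiB copy into a 2 KiB buffer because
0xFFFFF000 + 0x2000 wraps to 0x1000. The same reasoning applies to 64-bit
kernels with a 64-bit length, only with a far larger threshold, so the
remaining-space comparison is the right shape regardless of word size.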


* CVE-2014-0206: Information leak in asynchronous I/O ring buffer.

It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the
AIO ring head received from user space. A local, unprivileged user could
use this flaw to disclose random parts of the (physical) memory
belonging to the kernel and/or other processes.
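
The AIO ring header is mapped into user space, so the head index the kernel
reads back from it is attacker-controlled. The following is an added example
for this advisory, not kernel code: it models such a ring with a constructed
`kmem` array in which the first NR_EVENTS words are the event slots and the
rest stand in for adjacent kernel data, and contrasts a reader that uses the
shared head directly with one that reduces it modulo the ring size first (the
modulo reduction against the event count is the approach the upstream fix
took). The header struct, sizes and values are all constructed for the demo.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define NR_EVENTS  8                    /* slots in the ring (constructed) */
#define MEM_WORDS  (NR_EVENTS * 2)      /* ring slots + adjacent "kernel" data */

/* Hypothetical ring header, mapped read/write into user space. */
struct shared_hdr {
    uint32_t head;   /* consumer index, written by user space */
    uint32_t tail;   /* producer index, written by the kernel */
};

/* Constructed stand-in for kernel memory: words 0..NR_EVENTS-1 are the
 * ring's event slots, words NR_EVENTS..MEM_WORDS-1 are unrelated kernel data
 * a user process must never see. Kept in one array so the out-of-bounds
 * read below lands inside a real buffer and the demo stays well-defined. */
static uint32_t kmem[MEM_WORDS];

static void setup_kmem(void)
{
    for (uint32_t i = 0; i < MEM_WORDS; i++)
        kmem[i] = (i < NR_EVENTS) ? (0x1000u + i) : (0xDEAD0000u + i);
}

/* Vulnerable: trusts the user-visible head as a raw index into the ring.
 * Any head >= NR_EVENTS reads whatever lies after the ring. Returns 1 and
 * stores the event in *out, or 0 when the ring is empty. */
static int read_event_unsanitized(const struct shared_hdr *h, uint32_t *out)
{
    uint32_t head = h->head;              /* untrusted */
    uint32_t tail = h->tail;
    if (head == tail)
        return 0;
    *out = kmem[head];                    /* no range check */
    return 1;
}

/* Hardened: copy the shared indices once, reduce them modulo the ring size,
 * and only then use them. Never re-read the shared header after sanitizing,
 * or user space can change it between the check and the use. */
static int read_event_sanitized(const struct shared_hdr *h, uint32_t *out)
{
    uint32_t head = h->head % NR_EVENTS;
    uint32_t tail = h->tail % NR_EVENTS;
    if (head == tail)
        return 0;
    *out = kmem[head];
    return 1;
}

int main(void)
{
    uint32_t v;
    /* User space sets head past the end of the ring. */
    struct shared_hdr hdr = { .head = NR_EVENTS + 3, .tail = 4 };

    setup_kmem();
    if (read_event_unsanitized(&hdr, &v))
        printf("unsanitized: head=%u leaks 0x%08x from past the ring\n",
               hdr.head, v);
    if (read_event_sanitized(&hdr, &v))
        printf("sanitized:   head=%u -> slot %u, event 0x%08x\n",
               hdr.head, hdr.head % NR_EVENTS, v);
    return 0;
}
```

In the real subsystem the leaked words are whatever pages follow the ring,
which is why the advisory describes the disclosure as random kernel or
process memory rather than a fixed value.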


* CVE-2014-4508: Denial-of-service in syscall audit code when using an invalid syscall number.

A flaw in the error path of the entry point of a syscall leads to a kernel
panic if syscall auditing is enabled and the syscall number is larger than
the number of syscalls. A local, unprivileged user could use this flaw to
cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

