[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-7033)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jun 9 12:09:16 PDT 2014


Synopsis: FEDORA-2014-7033 can now be patched using Ksplice
CVEs: CVE-2014-3153 CVE-2014-3917

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-7033.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and leave dangling pointers that could be exploited to gain
root privileges.


* Use-after-free in netfilter xtables when copying counters to userspace.

A logic error in the netfilter ebtables, arptables and IPv4/IPv6 tables
code may lead to a use-after-free if copying counters to userspace fails,
because the error path frees tables that have already been exposed to
userspace. Any subsequent packet processing will then lead to a
use-after-free and kernel panic.


* Memory leak in RAID1 pool allocation failure.

A logic error in the RAID1 filesystem driver can trigger a memory leak and
subsequent kernel panic when allocating a pool fails.


* Memory leak in userspace probes when disabling a probe.

A missing de-allocation routine when disabling a userspace probe causes a
memory leak. A local, unprivileged user could use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Kernel BUG() in transparent huge page code between split and zap.

A missing lock could lead to a race condition in the transparent huge page
code between splitting and zapping a transparent huge page, leading to a
kernel BUG().


* Soft lockup in huge page code when releasing huge TLB pool.

A missing call to the scheduler when releasing a huge TLB pool could lead
to a soft lockup. A local, privileged user could use this flaw to cause a
denial-of-service.


* Deadlock in USB serial driver when unloading the module.

Incorrect locking between module removal and sysfs callbacks in the USB
serial driver could lead to a deadlock. A local, privileged user could use
this flaw to cause a denial-of-service.


* Deadlock in VMware graphics driver when destroying a hardware context.

Incorrect locking in the VMware graphics driver when destroying a
hardware context could lead to a deadlock. A local user could potentially
use this flaw to cause a denial-of-service.


* Memory corruption in VMware graphics driver when doing a DMA transfer.

A missing bounds check in the VMware graphics driver code could lead to
memory corruption. A local user could use this flaw to cause a
denial-of-service.


* Remote denial-of-service in bridge driver when filtering packets.

A logic error in the bridge driver when filtering packets could lead to a
double-free of the dropped socket buffer, potentially leading to a kernel
panic. A remote user could use this flaw to cause a denial-of-service.


* Use-after-free in IPv6 generic routing encapsulation driver on device removal.

Lack of reference counting between the IPv6 generic routing encapsulation
driver and its use of a tunnel net device could lead to a use-after-free
and kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service or potentially escalate privileges.


* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.

A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.


* Denial-of-service in Heavy-hitter filter packet scheduling algorithm.

Incorrect locking in the Heavy-hitter filter packet scheduling driver in
the error path of changing the queue discipline could lead to a deadlock. A
local, privileged user could use this flaw to cause a denial-of-service.


* Out-of-bounds memory write in USB network control model class driver.

A logic error in the code checking boundaries before sending a USB packet
in the network control model class driver could lead to an off-by-one
memory write under specific conditions, potentially leading to a kernel
panic.


* NULL pointer dereference in IPv6 netlink validation callback.

A missing check for NULL in the IPv6 netlink validation callback leads to a
NULL pointer dereference. A local, privileged user could use this flaw to
cause a kernel panic and denial-of-service.


* Memory leak in BATMAN routing protocol on processing an originator message.

A missing call to a de-allocation routine in BATMAN routing protocol on
processing an originator message for an outgoing interface can lead to a
memory leak. An attacker could potentially use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Memory leak in BATMAN routing protocol when removing an interface.

A missing call to a de-allocation routine when removing an interface in the
BATMAN routing protocol could lead to a memory leak. A local, privileged
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Memory corruption when computing the size of IPv6 headers.

A logic error when calculating the size of the IPv6 header when IPv6
extensions are used could lead to a memory corruption and kernel panic.


* Use-after-free in the PHY network driver on HW initialization failure.

A logic error in the PHY network driver on HW initialization failure could
lead to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in BATMAN when printing information to debugfs.

A missing check for NULL in the debugfs callback for the "originators"
debugfs file could lead to a NULL pointer dereference and kernel panic. A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak in BATMAN routing protocol code when sending fragmented packets.

Incorrect reference counting in the BATMAN routing code when sending a
fragmented packet leads to a memory leak. An attacker could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure caused by an out-of-bounds memory
access. When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* Buffer overflow in SCSI megaraid driver when servicing an ioctl.

Lack of input validation in the SCSI megaraid driver could lead to a buffer
overflow and kernel panic. A local, privileged user could use this flaw to
cause a denial-of-service or potentially gain kernel code execution.


* Audit bypass with process namespaces and PPID-based filters.

The audit logging used the PPID from inside the namespace rather than
the ID from the initial namespace. This could allow malicious processes
to bypass audit rules.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
