[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-6122)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 14 06:06:51 PDT 2014


Synopsis: FEDORA-2014-6122 can now be patched using Ksplice
CVEs: CVE-2014-0181 CVE-2014-0196 CVE-2014-1737 CVE-2014-1738

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-6122.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
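
The following helper, an added example that is not part of Oracle's announcement or the Ksplice tooling, checks the two things above on a Fedora 20 host: whether the uncommented "autoinstall = yes" line is present in /etc/uptrack/uptrack.conf (so no action is needed), and, after an upgrade, whether every CVE listed in this advisory appears in the installed-update list. It assumes `uptrack-show` prints one installed update per line with the CVE id in its description; the sample output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes the "key = value" config format shown in the advisory
# and that `uptrack-show` names each applied CVE in its per-update description.

# CVE ids taken from the advisory header.
ADVISORY_CVES="CVE-2014-0181 CVE-2014-0196 CVE-2014-1737 CVE-2014-1738"

# Return 0 when the config file has an uncommented "autoinstall = yes"
# (tolerates surrounding whitespace and letter case), 1 otherwise.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    sed 's/#.*//' "$conf" | tr 'A-Z' 'a-z' \
        | grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Print, space separated, every CVE in $2 that is absent from the
# uptrack-show text passed as $1. Empty output means all are applied.
missing_cves() {
    shown="$1"; want="$2"; missing=""
    for cve in $want; do
        printf '%s\n' "$shown" | grep -q "$cve" || missing="$missing $cve"
    done
    printf '%s' "${missing# }"
}

# Constructed sample of uptrack-show output (format is an assumption).
SHOW_SAMPLE='Installed updates:
[aabbccdd] CVE-2014-0196: Pseudo TTY device write buffer handling race.
[eeff0011] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.'

# Live check: run with "run" as the first argument on a real host.
main() {
    if autoinstall_enabled; then
        echo "autoinstall = yes: Uptrack applies FEDORA-2014-6122 on its own"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
    left=$(missing_cves "$(uptrack-show)" "$ADVISORY_CVES")
    [ -z "$left" ] && echo "all advisory CVEs applied" || echo "still missing: $left"
}

case "${1:-}" in run) main ;; esac
```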


DESCRIPTION

* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.

The floppy driver would leak internal kernel memory addresses to userspace,
and would allow unprivileged userspace code to overwrite those
addresses, allowing a local privilege escalation to root.


* Kernel panic when inserting a function tracer.

Missing synchronization across CPUs can cause a kernel panic when inserting a
function tracer.


* Kernel panic when hotplugging a PCI USB controller card.

A race condition in the USB subsystem can trigger a kernel panic when
hotplugging a PCI USB controller card.


* Memory corruption in NFSv4.1 extended attributes.

Missing bounds checking in the NFSv4.1 server when encoding extended file
attributes could lead to memory corruption and kernel panic.


* Memory leak in NFSv4.1 extended attributes.

The kernel NFSv4.1 server does not correctly release memory when destroying a
security context, causing a kernel memory leak.


* Memory corruption when sending Infiniband QLogic HTX diagnostic packets.

An integer overflow when sending diagnostic packets over an Infiniband QLogic
HTX device can trigger memory corruption and a kernel panic.


* NULL pointer dereference when creating Infiniband NetEffect queue pairs.

A NULL pointer is dereferenced when creating a queue pair for an Infiniband
NetEffect RNIC device, causing a kernel panic.


* Kernel panic in Infiniband SRP DMA.

A kernel panic can be triggered when transferring data over DMA to a device
supporting Infiniband SCSI RDMA.


* Kernel panic when recovering iSCSI target connections.

An invalid pointer is dereferenced when recovering a dropped iSCSI connection,
triggering a kernel panic.


* Use-after-free when closing non-buffered block devices.

The kernel incorrectly frees memory when closing a non-buffered handle to a
block device, triggering a use-after-free condition and kernel panic.


* Kernel panic when unmapping non-linear memory mappings.

Due to incorrect locking, an assertion failure and kernel panic can be
triggered when unmapping a non-linear memory mapping.


* Kernel panic in ext4 FIBMAP ioctl.

An integer overflow when mapping blocks from an ext4 filesystem via the FIBMAP
ioctl can trigger a kernel panic.


* Data corruption in ext4 when resizing filesystem.

A race condition between resizing an ext4 filesystem and mapping a file extent
can cause filesystem corruption and loss of data.


* CVE-2014-0196: Pseudo TTY device write buffer handling race.

A race in how the pseudo-tty (pty) device handled writes meant that when
two threads or processes wrote to the same pty, the buffer end could be
overwritten. An attacker could use this to cause a denial-of-service or
gain root privileges.


* Data corruption in ext4 unaligned asynchronous IO.

A race condition between reading the size of an inode and performing an
asynchronous file write can trigger data corruption on an ext4 filesystem.


* CVE-2014-0181: Incorrect namespace permission check in netlink sockets.

The kernel uses an incorrect set of permissions when querying netlink sockets
from different namespaces, allowing unprivileged users to disclose information
about networking in privileged namespaces.


* Use-after-free in Empia 28xx-based TV devices.

Incorrect reference counting when capturing an audio stream from Empia
28xx-based TV devices can trigger a use-after-free and kernel panic.


* Kernel panic in Infiniband Connection Manager Abstraction.

The kernel Infiniband driver dereferences an invalid pointer when resolving the
link layer address of clients, leading to a kernel panic.


* Memory corruption in OCFS2 file and directory creation.

The kernel OCFS2 filesystem driver incorrectly frees memory when creating
files, directories, symlinks and devices on an OCFS2 volume, leading to a
kernel panic.


* Kernel panic in SCSI Block Command parsing.

The kernel does not correctly initialise data structures when parsing a SCSI
COMPARE_AND_WRITE command, leading to a kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
