[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2015-0515)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jan 15 06:02:58 PST 2015


Synopsis: FEDORA-2015-0515 can now be patched using Ksplice
CVEs: CVE-2014-8989 CVE-2014-9420 CVE-2014-9428 CVE-2014-9529

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-0515.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
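As an added example (not part of the original notice and not Oracle's own tooling), here is a small POSIX shell check that reads the autoinstall setting from an uptrack.conf-style file, so an administrator can tell whether a host will pick this update up on its own or needs the manual uptrack-upgrade run. The only setting it looks at is the "autoinstall = yes" line the notice describes; the key = value layout, "#" comments and the sample file contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: decide whether a Ksplice Uptrack host will auto-install
# updates, based on the "autoinstall = yes" setting described in the notice.
# The config layout (key = value, '#' comments) is an assumption; the sample
# files below are constructed and are not a real /etc/uptrack/uptrack.conf.

# Returns 0 if the given config file has "autoinstall = yes" (case-insensitive,
# whitespace-tolerant, comments ignored), 1 otherwise (including unreadable file).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip comments, keep only autoinstall lines, let the last one win,
    # then isolate and lower-case the value.
    val=$(sed -e 's/#.*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# Prints the action an administrator should take for this host.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "auto"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs so the script runs stand-alone.
SAMPLE_AUTO=$(mktemp)
printf '%s\n' '[Uptrack]' '# comments are ignored' 'Autoinstall = Yes' > "$SAMPLE_AUTO"
SAMPLE_MANUAL=$(mktemp)
printf '%s\n' '[Uptrack]' 'autoinstall = no   # changed by admin' > "$SAMPLE_MANUAL"
trap 'rm -f "$SAMPLE_AUTO" "$SAMPLE_MANUAL"' EXIT

uptrack_action "$SAMPLE_AUTO"     # auto
uptrack_action "$SAMPLE_MANUAL"   # manual: run /usr/sbin/uptrack-upgrade -y
```

Point the function at /etc/uptrack/uptrack.conf on a real host; a "manual" result means the update in this notice will not be applied until uptrack-upgrade is run.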


DESCRIPTION

* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* CVE-2014-9428: Remote denial-of-service in BATMAN routing protocol.

A flaw in the fragmentation code of the BATMAN routing protocol driver
could lead to a denial-of-service, and a remote attacker could trigger it.


* CVE-2014-9529: Use-after-free when garbage collecting keys.

A logic error when garbage collecting cryptographic keys leads to a
use-after-free and kernel panic. A local user could use this flaw to crash
the kernel and cause a denial-of-service.


* CVE-2014-8989: Group based restrictions bypass in user namespace.

A flaw in the user namespace subsystem could lead to a potential Unix group
privilege escalation when un-sharing parts of a process execution context.
An attacker could use this flaw to gain extra Unix group privileges on a
system.


* Data corruption in RAID on concurrent writes during unplug.

Lack of synchronization in bitmap_unplug() could lead to data corruption
under certain circumstances.


* Data loss in f2fs filesystem driver when writing files.

A logic error in the f2fs driver causes the use of an uninitialized stack
variable to decide if a page should be zeroed.  This could cause data loss.


* Use-after-free in NFSv4 when getting a layout header.

Incorrect reference counting in the NFSv4 driver when releasing a layout
could cause a use-after-free and kernel panic.  An attacker could use this
flaw to cause a denial-of-service.


* Leak of sensitive cryptographic materials in Multiple Devices driver.

A lack of cleaning up temporary cryptographic materials on the stack could
potentially allow an attacker to gain sensitive cryptographic information.


* NULL pointer dereference in Multiple Devices (md) when handling partial blocks.

A missing NULL pointer check in the Multiple Devices (md) driver when
managing partial blocks could lead to a NULL pointer dereference and kernel
panic.  A local attacker could use this flaw to cause a denial-of-service.


* Use-after-free in Multiple Devices (md) thin provisioning on removal.

Incorrect locking in the Multiple Devices (md) driver on device removal
could lead to a use-after-free and kernel panic.  A local user could use
this flaw to cause a denial-of-service.


* Out-of-bounds memory access in ISO filesystem when printing ER records.

Missing input validation when printing ER records in the iso9660 driver
could lead to an out-of-bounds memory write, potentially leading to a
kernel panic.  A local attacker could use a corrupted ISO file to cause a
denial-of-service.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic when
registering a new key.  A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak in mac80211 when freeing management frame keys.

A logic error in the mac80211 driver when releasing station management keys
causes two management keys not to be released, leading to a memory leak.  A
local user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Use-after-free in umount when appending to an existing unmounted list.

A logic error when unmounting leaves a released mount point in the
unmounted list, causing a kernel panic later when that released mount
point is accessed.  A local user could use this flaw to cause a
denial-of-service.


* Use-after-free in thermal initialization error path.

Wrong ordering when releasing resources in the thermal management
initialization function leads to a use-after-free and kernel panic.


* Denial-of-service when using force umount() from a namespace.

A forced umount() affects the underlying superblock and not just the mount
namespace, so it should be restricted to the global root user.  A privileged
user in a user namespace could force the shutdown of a superblock in a more
privileged mount namespace, leading to a denial-of-service.


* Kernel BUG() in audit subsystem when sending events from atomic context.

Incorrect flags to allocate memory when sending events in the audit
subsystem could lead to a sleep() while in atomic context, leading to a
kernel BUG().  An attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in cryptographic algorithms when handling backlogged requests.

A logic error in the cryptographic algorithms driver could lead to an early
return to userspace while a request is still pending.  A local attacker
could use this flaw by closing its sockets, causing the pending requests to
use freed memory and leading to a use-after-free and kernel panic.


* Memory leak of process namespace on child_reaper concurrent exit.

Incorrect reference counting in the pid namespace code could prevent a
namespace from being released, causing a memory leak.  A local user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Multiple out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic.  An
attacker could use a specially crafted filesystem to cause a
denial-of-service.


* Out-of-bounds memory write in eCryptfs when decoding a file name.

A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic.  A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.


* Data loss on Btrfs on concurrent fsync() on different sub-volumes.

A lack of synchronization between two concurrent fsync() operations on
different sub-volumes leads to data loss.


* Data corruption in Btrfs when un-pinning from the extent cache.

A logic error in the Btrfs driver when un-pinning from the extent cache
causes some checksums not to be re-written to disk, leading to data
corruption under certain circumstances.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.