[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (3.2.0-68.102)

Oracle Ksplice ksplice-support_ww at oracle.com
Sat Aug 30 00:39:25 PDT 2014


Synopsis: 3.2.0-68.102 can now be patched using Ksplice
CVEs: CVE-2014-3917 CVE-2014-4171 CVE-2014-4508 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-4667 CVE-2014-5077

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.2.0-68.102.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Out-of-bounds memory access in high memory mappings.

Under specific conditions, high memory mappings could result in an access
beyond the end of a mapping, dereferencing an invalid address and crashing
the system.


* Use-after-free in InfiniBand SCSI RDMA Protocol when unplugging a cable.

As a result of unplugging a cable, a SCSI command could be freed while still
in use, resulting in a use-after-free and kernel panic. An attacker with
physical access could use this flaw to cause a denial-of-service.


* Denial-of-service in EXT4 block allocation.

Incorrect validation of request sizes could result in hitting a kernel
assertion and crashing the system.  A local, privileged user could use
this flaw to crash the system with a carefully crafted filesystem image.


* Deadlock in Sierra wireless serial device open error handling.

Incorrect error handling during device opening could result in a
deadlock, causing the kernel to hang.


* Memory leaks in Sierra wireless serial driver on disconnect and resume.

Missing resource freeing could result in a memory leak on repeated
device closing or system resume, eventually resulting in a system crash.
A local user with access to the device could use this flaw to trigger a
denial-of-service.


* Kernel oops in mac80211 debugfs access.

An invalid check of the netdev state during a debugfs read
or write for mac80211 can cause a kernel oops.


* Use-after-free in USB host xHCI driver when releasing the device.

Incorrect ordering of de-allocation routines when releasing an xHCI device
could lead to a use-after-free and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Information leak in Infiniband Chelsio T4 driver.

Missing initialization could result in a 4-byte information leak when
creating a control queue.


* Integer overflow in ID radix tree.

An integer overflow in the ID-to-pointer radix tree could result in
incorrect IDs being returned.  This could result in undefined behaviour
in kernel subsystems using the IDR tree.


* Memory leak in NFS filesystem when releasing a lock stateid.

A flaw in the NFS filesystem code when releasing a lock stateid results in
the lock owner not being freed, causing a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Use-after-free in BTRFS extent writing.

A double-free in BTRFS extent writing could result in a use-after-free
under specific conditions, resulting in memory corruption.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure flaw caused by an out-of-bounds memory
access.  When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* Use-after-free in memory management subsystem when releasing a VMA.

Incorrect ordering of de-allocation routines when releasing a VMA could
lead to a use-after-free and kernel panic. A local, unprivileged user could
use this flaw to cause a denial-of-service.


* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control, or a control that is not owned
by the process. Userspace was also allowed to bypass the user control count
by overflowing it.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while being in use.


* CVE-2014-4656: ALSA Control ID overflow.

Missing range checks in ALSA control IDs could lead to an integer overflow.


* Denial-of-service with TKIP on Ralink USB devices.

The rt2x00 driver cannot atomically retrieve a TKIP key, which can lead to
a kernel BUG(); TKIP support is therefore disabled.  A malicious user
could exploit this to cause a denial-of-service.


* CVE-2014-4508: Denial-of-service in syscall audit code when using wrong syscall number.

A flaw in the error path of the entry point of a syscall leads to a kernel
panic if syscall auditing is enabled and the syscall number is larger than
the number of syscalls. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Use-after-free in mbind vma merge.

A bug in the mm code could result in a use-after-free when doing
a vma merge, leading to a kernel crash.


* Denial-of-service in gpu drm ioctl.

Invalid argument checking in the gpu drm driver code allows a NULL
pointer dereference to occur when a specially crafted invalid ioctl
command is sent.  A malicious, privileged user could exploit this
to cause a denial-of-service.


* Use-after-free in Target Core Module (TCM) when accessing sysfs.

A pointer is not cleared after being freed when removing a device
symlink, leading to a use-after-free later when reading the ALUA attributes
from sysfs. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in SCSI device removal.

Missing synchronization when removing a SCSI device could lead to
asynchronous work running after device removal has completed, triggering a
kernel crash.


* CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.

Incorrect reference counting in the error path of sctp_unpack_cookie()
could corrupt the backlog reference counter, preventing any future SCTP
association. A remote attacker could use this flaw to cause a
denial-of-service.


* Information leak in mcp ram disk.

A failure to clear out mcp ramdisk pages could allow sensitive
information to be leaked via reads from a ramdisk_mcp.


* CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

A Linux kernel built with support for the Stream Control Transmission
Protocol is vulnerable to a NULL pointer dereference flaw. It could occur
when simultaneous new connections are initiated between the same pair of
hosts. A remote user or program could use this flaw to crash the system
kernel, resulting in a denial-of-service.


* NULL pointer dereference in USB gadget with empty string descriptors.

A NULL pointer dereference can occur if user space sends in an empty set
of strings to the USB gadget string descriptors.  This could cause a
kernel crash.


* NULL pointer dereference when probing non-FTDI devices.

If a user forces a non-FTDI device to be probed by the USB
serial FTDI code, it causes a NULL pointer dereference.  This can
lead to a kernel crash.


* Invalid memory reference in NFSv4 symlink decoding.

A bug in how the nfsd decoded the data for a symlink operation
could lead to the nfsd code writing to an invalid memory location.


* Deadlock in Xen console driver on resume path.

Incorrect locking in the Xen console driver on suspend could lead to a
deadlock. A local, privileged user could use this flaw to cause a
denial-of-service.


* Divide by zero when reading sched procfs file.

A 64-bit value is truncated to 32 bits after having been tested for
non-zero, which can still leave the resulting 32-bit value as zero and
cause an in-kernel divide-by-zero when reading the /proc/<pid>/sched procfs
file. A local, unprivileged user could use this flaw to cause a
denial-of-service.
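The truncation pattern behind this fix, as an added illustration that is not the kernel's own code: the first function models the flawed check (guard on the 64-bit value, divide by its 32-bit truncation), the second keeps the divisor at full width so the guard covers the value actually divided. The names total_runtime and count are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the flawed pattern (not the kernel's code): the 64-bit
 * counter is tested for zero, then narrowed to 32 bits before it is used as a
 * divisor. Returns true when the guard passes but the narrowed divisor is
 * zero, i.e. the case where the real division would trap. */
bool narrowed_divisor_is_zero(uint64_t count)
{
    if (count == 0)
        return false;                      /* guard rejects it, no division */
    uint32_t divisor32 = (uint32_t)count;  /* truncation: 1ULL << 32 becomes 0 */
    return divisor32 == 0;
}

/* Hardened form: keep the divisor at its full width so the zero check guards
 * exactly the value that is divided. Returns false and leaves *avg untouched
 * when no average can be computed. */
bool average_per_switch(uint64_t total_runtime, uint64_t count, uint64_t *avg)
{
    if (count == 0)
        return false;
    *avg = total_runtime / count;          /* 64-bit division, guard matches */
    return true;
}

int main(void)
{
    uint64_t boundary = 1ULL << 32;        /* non-zero, but low 32 bits are zero */
    uint64_t avg = 0;

    printf("count=%llu: flawed guarded divide would trap? %s\n",
           (unsigned long long)boundary,
           narrowed_divisor_is_zero(boundary) ? "yes" : "no");
    if (average_per_switch(4000000ULL * boundary, boundary, &avg))
        printf("hardened average: %llu\n", (unsigned long long)avg);
    return 0;
}
```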


* Memory leak in the Radeon display driver when retrieving the display modes.

The EDID of a display device could be allocated multiple times under
specific conditions, leaving the first allocation unreachable and
leaked. A local, privileged user could use this flaw to exhaust the memory
on the system and cause a denial-of-service.


* Memory leak in 802.1Q VLAN error handling.

Incorrect error handling when untagging an 802.1Q frame could result in
a memory leak and eventual kernel crash.


* Information leak in the stream control transmission protocol stack.

Some structures exchanged between user space and kernel space in the stream
control transmission protocol stack contain holes which may be left
uninitialized. A local, unprivileged user could use this flaw to obtain
information about the running kernel.


* Memory leak in sunvnet ethernet driver when removing the module.

The vnet ethernet driver wasn't releasing the resources it had allocated at
creation time, leading to memory leaks. A local, privileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Out of bounds memory access in the DNS resolver when querying.

A logic error in the DNS resolver could lead to an out-of-bounds read of one
byte, possibly causing a kernel panic. A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Memory leak in XFS extent allocation lookup failure.

Missing resource freeing in the extent allocation code could result
in a memory leak and eventual kernel crash.


* NULL pointer dereference in Applicom Intelligent Fieldbus device probe failure.

Incorrect error handling in the Applicom Intelligent Fieldbus driver
initialization could result in a NULL pointer dereference, crashing the
system.


* Use-after-free in IP Virtual Server module unloading.

A missing call to unregister statistics collection could result in a
use-after-free and kernel crash after unloading the IP Virtual Server
module.


* Integer overflow in Ceph filesystem snapshots.

An integer overflow in the Ceph filesystem snapshot handling could
result in failure to allocate sufficient heap space.  A malicious Ceph
node could use this to crash the system or possibly gain code execution.


* Information leak in Intel i915 graphics driver when copying execbuffer.

When copying an execbuffer to userspace, the Intel i915 graphics driver
also exported an internal structure that should be hidden from userspace.


* CVE-2014-4171: Denial-of-service in shared memory when faulting into a hole while it's punched.

A flaw in the shared memory fault implementation could lead to a kernel
hang if the fault happens to be in a hole which is being punched or
sliced. A local, privileged user could use this flaw to cause a
denial-of-service.


* Information leak in netfilter ULOG module.

The netfilter ULOG module does not sanitize kernel memory when saving
packets, leading to the contents of kernel memory being leaked to
userspace.


* Kernel BUG in reiserfs when NFS changes file attributes.

Incorrect locking in the reiserfs code could lead to a race condition when
NFS changes a file attribute concurrently with the file being released,
leading to a kernel BUG. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Use-after-free in rtmutex unlocking.

Under certain circumstances, the kernel rtmutex implementation does not
correctly unlock a mutex, causing a use-after-free condition and kernel
panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
