[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2221-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue May 27 10:15:06 PDT 2014
Synopsis: USN-2221-1 can now be patched using Ksplice
CVEs: CVE-2013-4483 CVE-2014-0069 CVE-2014-0077 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2678 CVE-2014-2851
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2221-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
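As an added example (not part of the Ksplice advisory or the Uptrack tooling), the following script decides whether a host will pick this update up on its own or needs the manual "uptrack-upgrade -y" run, by checking the documented "autoinstall = yes" setting in /etc/uptrack/uptrack.conf. Only that key is taken from the advisory; the sample config contents and the "[Settings]" header in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a host by its uptrack.conf
# autoinstall setting so an admin knows which hosts still need a manual upgrade.

# uptrack_autoinstall_enabled FILE -> exit 0 if autoinstall is enabled.
# Comment lines (# or ;) are skipped, keys and values are compared
# case-insensitively with surrounding whitespace removed, and when the key
# appears more than once the last assignment wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(awk -F= '
        /^[ \t]*[#;]/ { next }            # skip commented-out lines
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2; gsub(/[ \t]/, "", val); last = tolower(val)
            }
        }
        END { print last }' "$conf")
    [ "$value" = "yes" ]
}

# uptrack_update_action FILE -> prints "automatic" or "manual".
# A missing or unreadable config is treated as "manual", the safe default:
# better to run uptrack-upgrade once too often than to assume it happened.
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo automatic
    else
        echo manual
    fi
}

# Demo on constructed sample configs (the real file is /etc/uptrack/uptrack.conf).
demo=$(mktemp -d) || exit 1
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$demo/manual.conf"
printf '[Settings]\nautoinstall = yes\n' > "$demo/auto.conf"
for f in "$demo/manual.conf" "$demo/auto.conf" "$demo/missing.conf"; do
    echo "$f: $(uptrack_update_action "$f")"
done
rm -rf "$demo"
```

Hosts reported as "manual" are the ones on which "/usr/sbin/uptrack-upgrade -y" still has to be run.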
DESCRIPTION
* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
The floppy driver would leak internal memory addresses to userspace,
and would allow unprivileged userspace code to overwrite those
addresses, allowing local privilege escalation to root.
* CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
A missing check in the wireless RDS protocol leads to a NULL pointer
dereference when there is no device. A local, unprivileged user could use
this flaw to cause a NULL pointer dereference and denial-of-service.
* Missing check in selinux for IPSec TCP SYN-ACK packets.
Due to a flaw in the SELinux code, IPsec TCP SYN-ACK packets could pass
through without permission checking. An attacker could use this to send or
receive unauthorized traffic.
* Memory leak in SELinux when loading a policy.
A flaw in the error path of the SELinux policy loading code leads to a memory
leak. A local, privileged user could use this flaw to cause a denial-of-service.
* Denial-of-service in Radeon driver on resume from suspend.
A missing check in the Radeon driver code could lead to a NULL pointer
dereference and kernel oops. A local, privileged user could use this flaw to
cause a denial-of-service.
* Information leak in btrfs code when creating a snapshot.
Due to incorrect privilege checks in the btrfs code, no restriction was
enforced on subvolume snapshots. A local, unprivileged user could use this
flaw to have access to parts of the filesystem which were otherwise
protected by Unix permissions.
* NULL pointer dereference in MAX17040 fuel gauge driver on probing.
A missing check in the MAX17040 fuel gauge driver could result in a NULL
pointer dereference. A local, privileged user could use this flaw to cause
a denial-of-service.
* Information leak in mac80211 when transferring fragmented packet.
A flaw in the mac80211 stack could result in leaking 8 bytes of plaintext
over the air. An attacker physically within range of the WiFi network could
use this flaw to obtain sensitive information.
* Race condition in swap subsystem between swapon()/swapoff().
A race condition in the swap subsystem could lead to a use-after-free
and potentially kernel crash. A local, privileged user could use this
flaw to cause a denial-of-service.
* Deadlock in memory management subsystem when setting page_dirty bit.
Incorrect locking in the memory management could lead to a deadlock when
setting the dirty bit. An attacker could use this flaw to cause a
denial-of-service.
* Out of bounds memory access in raw char device driver upon binding.
Incorrect input validation in the raw character device driver could lead to
out of bounds memory access, potentially leading to kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.
* Denial-of-service in VFS subsystem when allocating a file descriptor.
A flaw in the VFS subsystem could result in OOM killer being triggered and
potentially result in a denial-of-service. An attacker could use this flaw
to cause a denial-of-service.
* Soft lockup in block lib driver when discarding a device.
A race condition in the block lib driver could result in a soft lockup under
specific conditions. A local, privileged user could use this flaw to cause
a denial-of-service.
* NULL pointer dereference in Realtek RTL8192CE/RTL8188CE 802.11n PCIe driver.
A NULL pointer dereference in the Realtek RTL8192CE/RTL8188CE 802.11n
PCIe driver could result in a system crash when bringing up the wireless
network adapter.
* Use-after-free in STE DMA driver tasklet.
A flaw in the STE DMA driver could result in a use-after-free and potentially
a kernel crash.
* Denial-of-service in cgroup subsystem when adding a cgroup to a task.
Incorrect locking in the cgroup subsystem could lead to list corruptions
and kernel crash under specific conditions. A local, unprivileged user
could use this flaw to cause a denial-of-service.
* Kernel panic in ath9k transmit.
A race condition in the ath9k xmit driver code could lead
to multiple frees on the same object, causing an invalid memory
access and a kernel panic.
* Deadlock in EHCI USB2 controller driver when handling an interrupt.
Incorrect locking in the EHCI driver code could lead to a deadlock,
resulting in a denial-of-service under specific conditions.
* Denial-of-service in perf subsystem when hotplugging CPU.
Incorrect locking in the perf subsystem could lead to use-after-free and
kernel crash when hotplugging a CPU. A local, privileged user could use
this flaw to cause a denial-of-service.
* Quota file corruption in ocfs2.
Improper caching of quota file structures could result in
corruption of the quota file.
* Information leak in mac80211 QoS-null frames.
Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.
* Kernel BUG on SCSI isci hard reset timeout.
The isci code was incorrectly generating a kernel BUG() in the
case of a hard reset timeout.
* Data corruption in ocfs2 sync.
The ocfs2 file system was syncing the wrong range. This could
allow data to not be correctly synced and therefore cause
corruption.
* Data corruption in vmxnet3 netpoll driver.
A race condition in the vmxnet3 poll driver can lead to data
corruption and kernel panics.
* NULL pointer dereference in Huge TLB subsystem.
A missing check in the Huge TLB subsystem could lead to a NULL pointer dereference
and panic. An attacker could use this flaw to cause a denial-of-service.
* Denial-of-service in HPFS+ filesystem directory lseek() operations.
Incorrect locking could result in hitting a race condition during
lseek() calls on a directory. A local, unprivileged user could use this
to cause a denial-of-service.
* Deadlock in the tg3 ethernet driver when changing the MTU.
Incorrect locking in the tg3 ethernet driver could lead to a deadlock when
changing the MTU. A local, privileged user could use this flaw to cause a
denial-of-service.
* CVE-2014-0101: NULL pointer dereference in SCTP protocol.
A flaw was found in the way the Linux kernel processed authenticated
COOKIE_ECHO chunks in the SCTP protocol. A remote attacker could use this flaw
to cause a denial-of-service by sending a maliciously prepared SCTP
handshake in order to trigger a NULL pointer dereference on the server.
* Data corruption of ext4 immutable files when updating inode flags.
A race condition in the ext4 file system when updating the inode flags of
an immutable file could open a small window of time during which the immutable
flag is not set. Given precise timing, a local, unprivileged user
could use this flaw to modify an immutable file.
* CVE-2014-2523: Remote crash via DCCP conntrack.
A flaw in the DCCP protocol could allow a remote user to cause a crash
resulting in a denial-of-service.
* CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10
does not properly manage a reference count, which allows local users to
cause a denial of service (memory consumption or system crash) via a
crafted application.
* Denial-of-service in KVM with nested VMs.
A missing check in the KVM MMU code could lead to a kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.
* CVE-2014-0069: Incorrect handling of bad iovecs in CIFS.
A flaw in how CIFS handled iovecs could be used by an unprivileged local
user with access to crash the system or leak kernel memory.
* CVE-2014-2851: Integer overflow in IPv4 ping initialization.
An integer overflow in the IPv4 ping_init_sock function could allow an attacker
to cause a denial-of-service or elevate privileges.
* CVE-2014-2309: Denial-of-service in ICMPv6 route code.
The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.
* CVE-2014-0077: Kernel panic when receiving short packets in virtio networking.
Missing data validation when receiving truncated packets in the virtual networking
subsystem can cause the kernel to dereference an invalid pointer triggering a
kernel panic.
* Deadlocks in CPU hotplug in raid5 code.
A bug in registering and initializing CPUs that are already online
could lead to deadlocks. This could be used by a malicious user to
cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.