[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2417-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Nov 28 07:34:42 PST 2014


Synopsis: USN-2417-1 can now be patched using Ksplice
CVEs: CVE-2014-3610 CVE-2014-3611 CVE-2014-3645 CVE-2014-3646 CVE-2014-3647 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-3690 CVE-2014-4608 CVE-2014-7207 CVE-2014-7825 CVE-2014-7826 CVE-2014-7975

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2417-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
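As an added example (not part of the notice), the following POSIX shell script puts the two steps above together: it reads /etc/uptrack/uptrack.conf to see whether autoinstall is enabled and, if it is not, runs the manual upgrade command. The ini-style layout of uptrack.conf and the `--apply` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the notice): decide whether this host picks up the
# USN-2417-1 Ksplice updates on its own, otherwise run the manual upgrade.
# Assumed: uptrack.conf is ini-style with "autoinstall = yes" under a
# [Settings] section; the file and command paths come from the notice.

# Return 0 when "autoinstall" is "yes" in the given uptrack.conf.
# Tolerates surrounding whitespace, mixed case and #/; comment lines;
# the last assignment of the key wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "autoinstall") { found = 1; last = tolower(val) }
        }
        END { if (found && last == "yes") exit 0; exit 1 }
    ' "$conf"
}

# Map the config state to the action the notice describes.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then echo autoinstall; else echo manual; fi
}

# Apply the notice: no-op when autoinstall is on, else run uptrack-upgrade -y.
apply_usn_2417_1() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    case "$(uptrack_plan "$conf")" in
        autoinstall)
            echo "autoinstall = yes in $conf: Uptrack will install the updates itself" ;;
        manual)
            if [ -x /usr/sbin/uptrack-upgrade ]; then
                /usr/sbin/uptrack-upgrade -y
            else
                echo "/usr/sbin/uptrack-upgrade not found; is Ksplice Uptrack installed?" >&2
                return 1
            fi ;;
    esac
}

# Only act when explicitly asked (hypothetical --apply flag), so sourcing is safe.
if [ "${1:-}" = "--apply" ]; then
    apply_usn_2417_1 "${2:-}"
fi
```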


DESCRIPTION

* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

A missing range check on the syscall ID allows an attacker to trigger a
kernel panic, or to leverage it into gaining root privileges if root was
doing perf tracing at that time.


* Improved fix to CVE-2014-4608: Memory corruption in kernel lzo decompressor.

The original upstream fix for CVE-2014-4608 did not cover all cases and
was still exploitable.


* CVE-2014-7975: Denial-of-service in do_umount.

A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).


* Kernel crash in Ultra Wideband device registration.

Use of uninitialized data could result in a kernel crash when registering
an ultra wideband device.


* Invalid memory access in libceph with large replies.

A failure to correctly allocate new messages for large replies
from the monitor (mon) in libceph could result in a buffer overrun.


* NULL pointer dereference in XHCI initialization failure.

Incorrect cleanup during XHCI initialization failure could result in a
NULL pointer dereference and kernel crash.


* Kernel hang in PI futex requeueing.

A missing queue unlock operation could result in returning to userspace
with preemption disabled.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Memory corruption in iSCSI target logout handler.

A logic error in the logout handler could result in memory corruption
when a target was disconnected.


* NULL pointer dereference in iSCSI target memory allocation failure.

Incorrect error handling on allocation failure when copying a parameter
list could result in a NULL pointer dereference and kernel crash.


* Privilege escalation in iSCSI PDU sending.

Missing bounds checks could allow a user who is permitted to send PDUs to
an iSCSI device to overflow a buffer and potentially escalate
privileges.


* Kernel hang in block device buffer with large disks.

On 32-bit systems, disks larger than 4TB could trigger an integer
overflow when accessing block devices.  This could cause an infinite
loop and kernel hang.


* NULL pointer dereference in CPU hotplug cache management.

Incorrect handling of hotplug removal could result in a NULL pointer
dereference and kernel crash.


* Data corruption in NILFS with mmap()ed files.

Incorrect handling of dirty pages with NILFS mmapped files could result
in failure to write to disk correctly.  This could result in data
corruption when remounting the filesystem or after eviction from the
page cache.


* Use-after-free in perf subsystem on fork error path.

A flaw in the perf subsystem could lead to releasing a perf event on fork
failure while it is still in use, leading to a use-after-free and kernel
panic. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2014-3645 and CVE-2014-3646: KVM guest denial-of-service when using invalid opcodes.

The KVM host emulator does not gracefully handle a KVM guest using the
invept or invvpid opcodes, causing a guest VM exit without proper error
codes being propagated to userspace. A local, unprivileged guest user
could use this flaw to crash a KVM guest VM and cause a denial-of-service.


* CVE-2014-3610: Denial-of-service in KVM host from the guest.

A KVM guest could write a non-canonical address to certain MSRs,
which the host KVM then writes into its own MSRs, leading the host
kernel to panic. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3611: Denial-of-service in KVM emulated programmable interval timer.

Incorrect locking in the KVM emulated programmable interval timer (PIT)
could crash the host kernel under specific conditions. A local attacker
could use this flaw to cause a denial-of-service in the host KVM.


* CVE-2014-3647: Denial-of-service in guest KVM when changing RIP to non-canonical address.

A flaw in the KVM emulator mishandles non-canonical addresses when
emulating instructions which change the instruction pointer, potentially
causing a failed VM-entry. A privileged guest user could use this flaw to
cause a denial-of-service in the guest.


* CVE-2014-3673: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving malformed ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3687: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving duplicate ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3688: Remote denial-of-service in SCTP stack by memory exhaustion.

A flaw in the SCTP stack could allow a remote attacker to force an SCTP
server to allocate large amounts of memory and trigger the kernel
out-of-memory killer, leading to a denial-of-service.


* CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.

KVM on VMX does not reload the CR4 register when it changes on the host,
which means that host features aren't updated on guests. This could lead
to a local denial of service.


* Buffer overflow in dm-crypt crypto handling.

Incorrect buffer allocation in the dm-crypt subsystem could result in
accessing beyond the end of an allocation resulting in memory corruption
and a kernel crash.


* NULL pointer dereference in L2TP stack when getting PMTU.

A race condition in the L2TP stack when getting the PMTU over PPP could lead to
a NULL pointer dereference and kernel panic. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when a monitored job exits monitoring.

A race condition in the perf code could result in the perf code
getting stuck in an endless retry loop, leading to a soft lockup.
A malicious user could exploit this to cause a denial-of-service.


* Invalid permissions during mm migration.

A race condition between mm migration completion and mprotect could
allow an entry to be marked writable that should only have had read permissions.


* Ext2 filesystem corruption while getting XIP memory.

A bug in the ext2 code could result in an accounting error where ext2
believed 0 blocks had been allocated when 1 had really been allocated.
This could result in a loop whereby all blocks get allocated.  A
malicious user could exploit this to cause a denial-of-service by
exhausting all ext2 blocks.


* CVE-2014-7207: Denial-of-service in UFO with virtual networking.

A flaw in the virtio and associated network virtualization subsystems
could result in a NULL pointer dereference or incorrect IPv6
fragmentation IDs.  A local user with access to tun or macvtap devices,
or a virtual machine connected to such a device, could cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
