[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2376-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Oct 9 17:48:00 PDT 2014
Synopsis: USN-2376-1 can now be patched using Ksplice
CVEs: CVE-2014-3181 CVE-2014-3182 CVE-2014-3184 CVE-2014-3185 CVE-2014-3186 CVE-2014-5207 CVE-2014-6410 CVE-2014-6416 CVE-2014-6417 CVE-2014-6418
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2376-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Kernel panic in debugfs.
A race condition in the debugfs removal code could result in
memory corruption and a kernel panic. An unprivileged local user
could exploit this flaw to cause a denial-of-service.
* Denial-of-service in Bluetooth sockets during task exit.
Incorrect handling of the close of a Bluetooth socket (BTPROTO_L2CAP,
BTPROTO_SCO, or BTPROTO_RFCOMM) could leave the closing process
unkillable. A malicious user could exploit this to cause a denial-of-service.
* Denial-of-service in network sendmsg() calls.
Missing validation of msg_namelen on a sendmsg call could result in a
NULL pointer dereference. A local, unprivileged user could use this
flaw to cause a denial-of-service.
* Invalid memory access in ADS1015 hardware monitor driver.
An invalid bounds check on an array index in the ads1015 driver
could lead to an invalid memory access.
* Incomplete recovery after write errors in RAID1 and RAID10.
Incorrect handling of a write error during recovery in the raid1
and raid10 drivers could leave some sectors not correctly
recovered.
* Incorrect SELinux label in cryptographic sockets.
The kernel does not correctly apply an SELinux label to cryptographic
control sockets. This can allow local users to bypass SELinux policies.
* Data corruption in trace ring buffer during reads.
A race condition while reading a trace file could cause the
ring buffer iterator to get corrupted, leading to a kernel
panic.
* Data corruption in btrfs checksums.
A race condition in btrfs could result in the same file extent
range having two versions of a checksum, causing data corruption.
* Use-after-free in AMD iommu mass device removal.
Incomplete cleanup during mass device remove in the AMD
iommu could result in a use-after-free.
* CVE-2014-3182: Invalid memory read in HID Logitech driver.
The Logitech Unifying receivers full support driver is vulnerable
to an out-of-bounds read flaw. It could occur if a device offers a
malicious HID report with an arbitrary device_index.
A malicious user with physical access to the system could use this
flaw to crash the system resulting in a denial-of-service.
* CVE-2014-3184: Invalid memory write in HID drivers.
Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs. This could occur if
a HID device report offers an invalid report descriptor size.
A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.
* CVE-2014-3185: Memory corruption in USB serial WhiteHEAT device driver.
The USB ConnectTech WhiteHEAT serial driver is vulnerable to a memory
corruption flaw. It could occur when reading completion commands via USB
Request Blocks buffers.
A local user with physical access to the system could use this flaw to
corrupt kernel memory area or crash the system kernel resulting in a
denial-of-service.
* Possible incorrect permissions in NFSv4 close with delegation.
The NFSv4 check for read/write, read-only, or write-only share
mode does not account for delegations. This could lead to a close
being done with the wrong state flags.
* CVE-2014-3181: Memory corruption in Apple Magic Mouse USB driver.
The Apple Magic Mouse USB driver does not correctly validate event data
allowing a malicious USB device to trigger kernel memory corruption and
potentially gain elevated privileges.
* CVE-2014-3186: Memory corruption in PicoLCD USB driver.
The PicoLCD USB driver does not correctly validate event data allowing a
malicious USB device to trigger kernel memory corruption and potentially
gain elevated privileges.
* Invalid memory access in network vectored I/O.
Incorrect handling of a zero length I/O vector could result in
dereferencing an invalid pointer. Under specific conditions this could
result in a kernel crash.
* Deadlock in SCTP protocol stack when transmitting a packet.
Improper use of the macro IP_INC_STATS_BH() to update the network
statistics when transmitting a packet in the SCTP stack in user context
could lead to a deadlock. A local, unprivileged user could use this flaw to
cause a denial-of-service.
* CVE-2014-6416, CVE-2014-6417, CVE-2014-6418: Buffer overflow in libceph authorization.
An invalid hard-coded buffer size could lead to buffer overflows
and kernel panics during ticket authorization.
* CVE-2014-6410: Denial of service in UDF filesystem parsing.
The kernel UDF filesystem driver does not correctly validate indirect
inodes allowing a malicious user to cause a kernel panic by mounting a
UDF volume with deeply nested indirect inodes.
* Denial-of-service in HW monitoring drivers.
Invalid boundary check in several hwmon drivers (gpio-fan, lm85,
lm78, and sis5595) could lead to invalid values being written out
for temperature limits. A privileged user could exploit this to cause
a denial-of-service.
* CVE-2014-5207: Permission bypass in locked mount options in a container.
Various mount options were not locked from within a container and could
allow a user in a container with CAP_SYS_ADMIN to bypass intended
permissions, potentially leading to privilege escalation or container
escape.
* Buffer overflows in USB serial probes.
A failure to verify ports and/or endpoints in the USB serial code
could lead to writing off the end of an array, causing heap and/or
stack overflows. A malicious user could exploit this to cause a
denial of service.
* NULL pointer dereference when setting NFSv4 ACL.
The kernel NFSv4 server does not correctly validate pointers when
setting an ACL on a file leading to a NULL pointer dereference and
kernel panic.
* Data corruption in ext4 when discarding allocated blocks.
The ext4 filesystem driver does not correctly handle discarding
allocated blocks on an ext4 volume leading to potential data corruption.
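Several of the entries above (the HID report-descriptor fixups, the WhiteHEAT completion handling, the Magic Mouse and PicoLCD event validation, and the libceph ticket buffer) are variations of one mistake: a length chosen by the attached device or the remote peer is used to index or fill a fixed kernel buffer without being compared against that buffer's size. The following is an added user-space model of two of those variants, written for this page. It is not Ksplice or Linux kernel code; the function and constant names (report_fixup, fixup_overflows, complete_fixed, FIXUP_INDEX, RESULT_SIZE and so on) are invented for illustration, and the descriptors and completion payloads it feeds in are constructed inline. Overflows are detected with canary bytes placed inside one allocation, so the demonstration itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0xA5   /* marker byte placed just past each logical buffer */

/* Pattern 1: off-by-one length check before a fixed-index descriptor write
 * (the CVE-2014-3184 class).  The fixup rewrites rdesc[17], which exists
 * only if the descriptor is at least 18 bytes long.  A device that sends
 * exactly 17 bytes satisfies "rsize >= 17" and gets one byte written past
 * the end of its descriptor.  (Illustrative index, not a specific driver.) */
#define FIXUP_INDEX 17

int check_vulnerable(size_t rsize) { return rsize >= FIXUP_INDEX; }     /* accepts rsize == 17 */
int check_fixed(size_t rsize)      { return rsize >= FIXUP_INDEX + 1; } /* requires rsize >= 18 */

/* Model of a HID report_fixup(): if the descriptor looks like the known-bad
 * one, patch one byte.  size_ok is the length check under test. */
static int report_fixup(uint8_t *rdesc, size_t rsize, int (*size_ok)(size_t))
{
    if (size_ok(rsize) && rdesc[11] == 0x3c) {
        rdesc[FIXUP_INDEX] = 0x03;
        return 1;
    }
    return 0;
}

/* Hand the fixup a device-chosen descriptor of rsize bytes followed by one
 * canary byte.  Returns 1 if the canary was clobbered (out-of-bounds write),
 * 0 if not, -1 if rsize does not fit the demo buffer. */
int fixup_overflows(size_t rsize, int (*size_ok)(size_t))
{
    uint8_t buf[64];

    if (rsize + 1 > sizeof buf)
        return -1;
    memset(buf, 0x3c, rsize);          /* constructed descriptor bytes */
    buf[rsize] = CANARY;               /* first byte past the descriptor */
    report_fixup(buf, rsize, size_ok);
    return buf[rsize] != CANARY;
}

/* Pattern 2: a completion length reported by the device is used as the
 * memcpy length into a fixed-size result buffer (the CVE-2014-3185 class).
 * The result buffer is the first RESULT_SIZE bytes of storage[]; the SLACK
 * bytes after it stand in for whatever follows the buffer in a real struct. */
#define RESULT_SIZE 8
#define SLACK       8

struct command_info { uint8_t storage[RESULT_SIZE + SLACK]; };

/* Vulnerable: trusts actual_length, the value the device put in the URB. */
static int complete_vulnerable(struct command_info *ci, const uint8_t *d, size_t actual_length)
{
    memcpy(ci->storage, d, actual_length);
    return 0;
}

/* Fixed: anything longer than the result buffer is rejected before the copy. */
static int complete_fixed(struct command_info *ci, const uint8_t *d, size_t actual_length)
{
    if (actual_length > RESULT_SIZE)
        return -1;                     /* caller would log and drop the completion */
    memcpy(ci->storage, d, actual_length);
    return 0;
}

/* Simulate a completion carrying actual_length bytes.  Returns 1 if the
 * bytes after the result buffer were overwritten, 0 if not, -1 if the length
 * exceeds what the demo can absorb without itself going out of bounds. */
int completion_overflows(size_t actual_length, int use_fix)
{
    struct command_info ci;
    uint8_t data[RESULT_SIZE + SLACK];  /* constructed completion payload */

    if (actual_length > sizeof data)
        return -1;
    memset(data, 0x11, sizeof data);
    memset(ci.storage, CANARY, sizeof ci.storage);
    if (use_fix)
        (void)complete_fixed(&ci, data, actual_length);
    else
        (void)complete_vulnerable(&ci, data, actual_length);
    for (size_t i = RESULT_SIZE; i < sizeof ci.storage; i++)
        if (ci.storage[i] != CANARY)
            return 1;
    return 0;
}

int main(void)
{
    printf("17-byte descriptor: vulnerable check overflows=%d, fixed check overflows=%d\n",
           fixup_overflows(17, check_vulnerable), fixup_overflows(17, check_fixed));
    printf("12-byte completion: vulnerable copy overflows=%d, fixed copy overflows=%d\n",
           completion_overflows(12, 0), completion_overflows(12, 1));
    return 0;
}
```

Build with cc -std=c99 -Wall and run: with the vulnerable check, a 17-byte descriptor makes the fixup write rdesc[17], one past the end, and a 12-byte completion lands 4 bytes past the result buffer; the fixed variants refuse both while still accepting an 18-byte descriptor and an 8-byte completion. The question the two fixes answer, which side chose this length and what was it compared against, is the same one to ask when reviewing any driver that parses device- or network-supplied structures.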
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.