[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2840-1)

Thu Dec 17 07:32:45 PST 2015

Synopsis: USN-2840-1 can now be patched using Ksplice
CVEs: CVE-2015-7872 CVE-2015-8104

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2840-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Out of bounds memory access in the UBI driver.

A lack of input validation when parsing a UBI image could cause out of
bounds memory accesses and lead to a kernel crash.  A local user able to
mount a special handcrafted image could use this flaw to cause a
denial-of-service.

* Out of bounds memory access in get_wchan().

A logic error when checking bounds of the current stack pointer in
get_wchan() could lead to out of bounds memory accesses.  A local,
un-privileged user could use this flaw to cause a kernel panic.

* Kernel BUG when unmapping a hugetlbfs page.

A logic error in the hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion.  A local,
un-privileged user could use this flaw to cause a denial-of-service.

* Kernel panic when reshaping a RAID5 to RAID0.

A flaw in the RAID sub-system could lead to device errors and trigger a
kernel BUG() assertion when reshaping a RAID5 to a RAID0 in certain
circumstances.  A local, privileged user could use this flaw to cause a
denial-of-service.

* Permission bypass in the tty driver.

A flaw in the tty code would allow someone with a file descriptor opened
write only to re-open the tty with different flags, allowing him to control
the terminal when this should require both read and write access to the
tty.

* NULL pointer dereference in the Point to point over ethernet protocol.

A flaw in the Point to point over ethernet driver could lead to a NULL
pointer dereference and kernel panic when flushing the device.  A local,
un-privileged user could use this flaw to cause a denial-of-service.

* Kernel crash when using ahash driver without import/export callback.

Ahash drivers are required to provide import/export callbacks to be
registered with the ahash crypto sub-system, otherwise they could lead to a
kernel crash under certain circumstances.  A local, un-privileged user
could use this flaw to cause a denial-of-service.

* Use-after-free in Infiniband Connected Mode Service ID Resolution.

Incorrect handling of Service ID Resolution requests could result in a
use-after-free condition and kernel crash.

* NULL pointer dereference in PPP over Ethernet device releasing.

An incorrect check for disconnected PPP over Ethernet devices could
result in a NULL pointer dereference and kernel crash when closing the
device.

* Information leak when getting strings from the ethtool device.

A lack of cleaning an allocated buffer that is copied to user space on
ETHTOOL_GSTRINGS requests could leak information about the running kernel.
This could help an attacker to elevate privileges.

* Remote denial-of-service when receiving socket buffers with partial checksums.

A flaw in the socket buffer code dealing with partial checksums causes out
of bounds memory accesses on the socket buffer and kernel panic.  A remote
attacker could use this flaw to cause a denial-of-service.

* CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.

A logic error in the security keyring subsystem leads to a kernel crash
when garbage collecting a un-instantiated keyring.  A local, un-privileged
user can use this flaw to cause a denial-of-service.

* CVE-2015-8104: KVM host denial-of-service in debug exception.

A guest could cause a denial-of-service on a KVM host by triggering a
debug exception to fire during an existing debug exception.  This could
cause the host to get trapped in an infinite loop causing a
denial-of-service.  A privileged user in a guest could use this flaw to
crash the host.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.