[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2492-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 4 10:03:21 PST 2015


Synopsis: USN-2492-1 can now be patched using Ksplice
CVEs: CVE-2014-8133 CVE-2014-9420

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2492-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* Kernel crash in ext4 with extended attributes.

A missing check for an extended attribute entry's value offset
could cause a kernel crash.  A malicious user could use this to
cause a denial-of-service by mounting a filesystem with a custom
crafted extended attribute.


* Use-after-free in Synopsys DesignWare SPI master during module unload.

Missing cleanup could result in continued DMA transfers and a
use-after-free when the module was unloaded.


* Kernel panic in ext4 in cases of filesystem corruption.

It is possible in the case of a corrupted ext4 filesystem for the
boot loader inode to become visible.  Ext4 did not correctly deal
with this case, leading to corruption of an in-memory orphan list
and subsequent kernel panic.  A malicious user could exploit this
by mounting a carefully constructed ext4 filesystem to cause a denial
of service.


* Denial-of-service in ecryptfs extended attribute setting.

A missing NULL pointer check could result in a kernel crash when setting
an extended attribute on an ecryptfs filesystem.  A local, unprivileged
user could use this flaw to trigger a denial-of-service.


* Denial of service in generic filesystem mounting.

The generic filesystem mounting implementation does not correctly
validate filesystem parameters, leading to a division by zero and a kernel
panic.


* Use after free in netlink socket and PPP ioctl.

Incorrect reference counting in netlink sendmsg and the PPPIOCDETACH
ioctl can trigger a use-after-free condition and cause kernel memory
corruption.


* Memory corruption in generic SELinux filesystem support.

The kernel SELinux subsystem does not correctly lock resources when
initializing SELinux for a filesystem, leading to possible memory
corruption and a kernel panic.


* Kernel panic using sysfs soft-connect on USB gadget controller.

The USB gadget controller code did not verify that the gadget driver
was correctly loaded with the soft connect interface.  This caused
a NULL pointer dereference and kernel panic.


* NFSD4 kernel crash on invalid operation number.

Incorrect handling of an invalid operation number in the nfsd4 code
could lead to a kernel crash.  A malicious user could exploit this to
cause a denial-of-service.


* Stack information leak in POSIX timers creation.

A failure to properly initialize posix timers could lead
to kernel stack information being leaked to userspace.


* Kernel oops while setting xattr in EVM security.

A failure to check the xattr value length could result in a kernel oops
while doing a setfattr with security.evm.  A malicious user could exploit
this to cause a denial-of-service.


* NULL pointer dereference in Ext4 new inode creation.

Improper error handling in ext4 during the creation of a new inode
could lead to a NULL pointer dereference and kernel panic.


* Use-after-free in IEEE80211 stack when defragmenting a packet.

A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.


* Divide-by-zero with UART baud rate setting.

The serial driver did not deal correctly in some scenarios
with setting the baud rate to 38400.  This caused an invalid
baud rate to be returned and a kernel WARNING.


* Denial-of-service in audit watch sub-system on inode cache eviction.

The audit sub-system did not pin the inode being watched, so a watch
rule is silently ignored once that inode is evicted from the inode
cache. A local user could use this flaw to bypass audit watch rules.


* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.

A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.


* Kernel panic in libceph AES encryption engine on large authentication packets.

A flaw in the libceph AES encryption engine leads to a kernel panic on
large authentication packets. An attacker could use this flaw to cause a
denial-of-service.


* Information leak in Firewire stack when doing an ioctl.

An uninitialized variable on the stack could be leaked to userspace when
doing an ioctl() on a Firewire char device. An attacker could use this flaw
to gain knowledge about the running kernel in order to facilitate an
attack.


* Memory leak when unbinding Electronic System Design CAN-USB driver.

Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when unbinding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Memory corruption in QLogic NetXtreme II FCoE driver.

A logic error in the BNX2FC driver leads to an early removal of a shared
socket buffer, corrupting the remaining references to it. An attacker could
use this flaw to cause a denial-of-service.


* CVE-2014-8133: Information leak in thread area of 32-bit KVM guests.

The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.


* Memory leak in SCTP authentication key management.

Incorrect reference counting when setting the SCTP_AUTH_KEY socket option
on an SCTP socket leads to a memory leak of sensitive keying material.

A local, unprivileged user could use this flaw to exhaust the memory on the
system and cause a denial-of-service. An attacker with memory read access
could also later gain sensitive information about the keys.


* Memory leak in ipv4 unicast reply.

Improper error handling in the ipv4 code could lead to leaked memory
when an error occurs while sending a unicast reply.  A malicious user
could use this to cause a denial of service.


* Kernel panic in transmission of tunnelled SCTP packets.

The kernel SCTP stack does not correctly allocate memory for SCTP
packets sent via a tunnel, which can trigger an assertion and a
kernel panic.


* Information leak in DRM MODE_GETFB ioctl.

A missing capability check in the MODE_GETFB ioctl allows processes with
hardware-accelerated rendering to arbitrarily read and write the current
screen framebuffer.


* Denial-of-service in no-journal mode ext4 filesystems.

A user with physical access to a machine could use a carefully
constructed filesystem to hang the system.


* Memory corruption in VFS mmapped data.

When the block size is less than the page size, a bug in the VFS code
can lead to data corruption during writes.


* Deadlock when renaming and deleting concurrently.

Incorrect locking in the filesystem subsystem can trigger a deadlock and
kernel panic when renaming files in a directory while concurrently
deleting files in the same directory.


* Memory corruption in SUNRPC stack when handling channel reply receive.

Incorrect locking in the SUNRPC stack when handling a channel reply receive
could lead to a race condition when looking up a request buffer, potentially
leading to memory corruption and a kernel panic.  An attacker could use
this flaw to cause a denial-of-service.


* Predictable IPv6 fragment IDs with Virtio UFO packets.

UDPv6 with offloading enabled on a virtio device would have a static
fragment ID of 0.  A remote attacker could use this to gain information
about the host or potentially perform a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

