[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2631-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Jun 15 13:06:34 PDT 2015
Synopsis: USN-2631-1 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2015-3331 CVE-2015-3636 CVE-2015-4167
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2631-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Security bypass in kernel pseudo terminal subsystem.
The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.
* Memory corruption when configuring a virtual interface link through netlink.
A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.
* Denial of service when decoding NFSv4.1 sequence operations.
The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations which can trigger a kernel panic. This flaw can be
triggered by remote users.
* Denial-of-service in the mmap() system call.
An integer overflow in the routine checking if there is enough memory to
satisfy an allocation request leads all future allocations to fail. A
local, unprivileged user could use this flaw to cause a denial-of-service.
* Denial-of-service when reading physical memory from user-space.
The routine generic_phys_access(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* Memory corruption when mounting malformed JFFS2 disk images.
The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.
* Kernel panic when probing iSCSI BladeEngine devices.
An invalid DMA configuration can trigger an assertion and kernel panic
when probing an iSCSI BladeEngine device.
* Kernel crash in netfilter socket matching.
Incorrect use of stack-allocated variables could result in accessing
stale data. This could potentially be used by a local, privileged user
to cause a denial-of-service or, potentially, escalate privileges.
* Use-after-free in the Multiple devices driver when taking a reference count.
Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free. A local, privileged user could use this flaw to cause
a denial-of-service.
* Use-after-free in the Multiple devices driver when taking a snapshot.
An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released. An attacker could use this flaw to
cause a denial-of-service.
* Information leak in the USB stack when sending signals to userspace.
Failure to clear a struct siginfo sent to user-space leaks kernel stack
content to userspace. A local, unprivileged user could use this flaw to
gain information about the running kernel, facilitating an attack.
* Use-after-free in USB serial stack on failure to probe a device.
A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device. A local, privileged user could
use this flaw to cause a denial-of-service.
* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().
Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl(). A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.
* Resource leak in IP virtual server backup sync protocol.
Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.
* Frames filtering bypass in mesh forwarding in mac80211 stack.
A flaw in the mac80211 mesh forwarding allows un-encrypted frames to pass
through. A remote attacker could use this flaw to inject un-encrypted
frames to an otherwise encrypted network.
* Kernel crash in SAS driver during expander discovery.
Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.
* Kernel crash in controller area network (CAN) sockets.
Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.
* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.
Incorrect restrictions to PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host. A
privileged, local user could use this flaw to cause a denial-of-service.
* Deadlock during NILFS2 filesystem recovery.
Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required. This could happen after a crash during a
datasync write.
* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.
Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash. A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.
* Information leak in /proc/PID/pagemap.
/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user. This could be used in
conjunction with flaws such as ROWHAMMER to elevate privileges.
* Denial-of-service in pSCSI backend.
A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.
* Use-after-free in Industrial I/O core error handling.
Incorrect error handling in the Industrial I/O device registration
function could result in a double-free and kernel crash.
* Kernel crash in compat sendmsg/recvmsg calls.
Incorrect validation of user supplied data could result in memory
corruption when sending or receiving messages to a datagram socket and
the audit subsystem was enabled.
* Use-after-free in CIFS page writing during intermittent network connectivity.
Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.
* Use-after-free in network namespace device moving.
Incorrect linked list manipulation could result in a use-after-free and
kernel crash when moving devices between namespaces.
* Kernel crash in physical to virtual reverse mapping lookup.
Incorrect error handling when adjusting a virtual memory area could
result in integer underflow and a crash in the address reverse mapping
code.
* Data corruption on hfsplus filesystem when inserting node at position zero.
A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.
* Kernel panic in ServerEngines iSCSI BladeEngine 2 initialization failure.
An incorrect call to remove the device in the error handling path could
result in a kernel crash when a BladeEngine 2 device failed to
initialize.
* Kernel crash in SCSI devices during unplug.
Incorrect handling of non-operational links could allow a device to be
accessed when it should not be. This could result in an invalid pointer
dereference and kernel crash.
* Information leak when reading IPv4 and IPv6 error queue.
The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data-structures which causes the
contents of kernel memory to be leaked to userspace.
* Denial of service when routing IPv6 atomic fragments.
The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.
* Kernel panic when receiving compressed PPP data.
The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.
* Use-after-free in the extended matches network classifier.
A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.
* Kernel hang in Broadcom Tigon3 ethernet driver.
The Broadcom Tigon3 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Deadlock during packet transmission in Emulex BladeEngine driver.
A locking error in the be2net driver could in rare circumstances cause
a deadlock during packet transmission.
* Kernel panic in IPv4 forwarding of timewait sockets.
The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.
* Memory corruption in SPI device ioctl.
An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.
* Information leak in Infiniband Userspace events.
The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.
* CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.
The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes which can trigger kernel
memory corruption and a kernel panic.
* Use-after-free in SMACK security module.
Incorrect locking in the SMACK security module can trigger a
use-after-free and kernel panic when looking up the credentials of a
userspace process. This flaw can be used by a local unprivileged user to
trigger a kernel panic or elevate privileges.
* Use-after-free in USB Host Controller Device driver.
Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.
* Kernel bug when handling a huge page fault.
A race condition in the huge page fault handler could cause a BUG()
assertion to be hit, causing a denial-of-service.
* Denial-of-service when changing permissions of a huge page.
A race condition when changing the permissions of a huge page during
concurrent migration could lead to a kernel panic. An attacker could
use this flaw to cause a denial-of-service.
* Use-after-free when disconnecting CephFS client.
A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.
* XFS filesystem corruption during truncation.
Failure to write zeroed blocks to disk during truncation on an XFS
filesystem could result in failure to zero those blocks during a crash.
This could leave sensitive information on the disk.
* Memory corruption in Multiple Device driver when destroying a device.
Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.
* OCFS2 file corruption for files opened with O_APPEND.
The OCFS2 filesystem was incorrectly synchronizing files opened with
O_APPEND. This could result in data corruption under specific
conditions.
* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.
The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket which can trigger kernel memory corruption. A local user can use
this flaw to gain elevated privileges.
* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.
The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.
* Memory leak when adding a vlan device to a shut down interface.
Failure to unregister stacked devices in the error path of rtnl_newlink()
leads to a memory leak. A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.
* Out of bounds memory write in macvtap driver with IPv6.
A logic error in the macvtap driver when allocating room in the socket
buffer for the ethernet header potentially leads to a two-byte memory
overwrite. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Denial-of-service when binding an ICMP socket on IPv6.
A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket. A local, privileged user could use
this flaw to cause a denial-of-service.
* Kernel crash in IP Virtual Server support when re-routing to local clients.
A logic error in the IP Virtual Server support could lead to a kernel crash
when re-routing packets to clients on the local network. An attacker could
use this flaw to cause a denial-of-service.
* Kernel hang in Intel PRO 10GbE ethernet driver.
The Intel PRO 10GbE ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Kernel hang in Realtek 8169 ethernet driver.
The Realtek 8169 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Kernel hang in Realtek 8139 ethernet driver.
The Realtek 8139 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.
* Out of bounds memory access in autofs4 filesystem ioctl.
A time-of-check to time-of-use vulnerability when validating the size of
the ioctl input buffer in the autofs4 driver could lead to out of bounds
memory access. A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially escalate their privileges.
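The autofs4 entry above describes a double-fetch bug: a size is read from user memory to validate it and read again to use it, so a concurrent writer can change it in between. The following is an added, constructed user-space model of that pattern and of the single-fetch fix, not code from the Ksplice update or from the autofs4 driver; the header layout, buffer sizes, the simulated copy_from_user() and the racing writer are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the check-then-use (double-fetch) pattern. Nothing
 * here is taken from autofs4; names and sizes are hypothetical. */

#define MAX_PAYLOAD 64u          /* hypothetical kernel-side buffer size */
#define USER_REGION 1024u        /* bytes of simulated user memory */

struct req_hdr {                 /* hypothetical ioctl header */
    uint32_t size;               /* caller-claimed payload length */
    uint32_t flags;
};

/* Simulated user memory plus an optional concurrent writer that runs after
 * every fetch, standing in for a second thread racing the ioctl handler. */
struct user_mem {
    unsigned char buf[USER_REGION];
    void (*racer)(struct user_mem *);
};

/* Model of copy_from_user(): copy n bytes at offset off, then let the racer
 * modify user memory so that a later fetch may observe different bytes. */
static void copy_from_user_sim(void *dst, struct user_mem *um, size_t off, size_t n)
{
    memcpy(dst, um->buf + off, n);
    if (um->racer)
        um->racer(um);
}

/* Racer that rewrites the size field to something larger than the kernel
 * buffer once the handler has already validated the original value. */
void race_grow_size(struct user_mem *um)
{
    uint32_t big = USER_REGION - sizeof(struct req_hdr);   /* 1016 */
    memcpy(um->buf, &big, sizeof big);
}

/* Vulnerable pattern: size fetched once to check it, fetched again to use
 * it. Returns the length the handler would copy into a MAX_PAYLOAD-byte
 * buffer, or -1 if validation rejected the request. */
long ioctl_double_fetch(struct user_mem *um)
{
    struct req_hdr hdr;

    copy_from_user_sim(&hdr, um, 0, sizeof hdr);   /* fetch 1: check */
    if (hdr.size > MAX_PAYLOAD)
        return -1;

    copy_from_user_sim(&hdr, um, 0, sizeof hdr);   /* fetch 2: use */
    /* A real driver would now copy hdr.size bytes into its fixed buffer;
     * with a racer present that length is no longer the validated one. */
    return (long)hdr.size;
}

/* Hardened pattern: fetch the header exactly once into kernel-owned memory,
 * validate that copy, and only ever use that copy afterwards. */
long ioctl_single_fetch(struct user_mem *um)
{
    struct req_hdr hdr;
    unsigned char kbuf[MAX_PAYLOAD];

    copy_from_user_sim(&hdr, um, 0, sizeof hdr);   /* the only fetch */
    if (hdr.size > MAX_PAYLOAD)
        return -1;
    /* hdr.size is the validated value whatever user memory holds now, so
     * this copy can never exceed kbuf. */
    memcpy(kbuf, um->buf + sizeof hdr, hdr.size);
    return (long)hdr.size;
}

/* Build simulated user memory whose header initially claims `size` bytes. */
void make_request(struct user_mem *um, uint32_t size, void (*racer)(struct user_mem *))
{
    memset(um->buf, 0, sizeof um->buf);
    memcpy(um->buf, &size, sizeof size);
    um->racer = racer;
}

/* Run one scenario end to end; hardened selects the single-fetch handler. */
long run_scenario(uint32_t claimed, int with_racer, int hardened)
{
    struct user_mem um;
    make_request(&um, claimed, with_racer ? race_grow_size : NULL);
    return hardened ? ioctl_single_fetch(&um) : ioctl_double_fetch(&um);
}

int main(void)
{
    printf("double fetch, racing writer: uses %ld bytes (limit %u)\n",
           run_scenario(16, 1, 0), MAX_PAYLOAD);
    printf("single fetch, racing writer: uses %ld bytes (limit %u)\n",
           run_scenario(16, 1, 1), MAX_PAYLOAD);
    return 0;
}
```

The racer only ever runs between fetches, which is exactly the window the double-fetch handler exposes; the single-fetch handler copies the header once, so whatever the racer writes afterwards is never read by the kernel side. The same rule applies to any ioctl or syscall argument that is validated: copy it in once, then validate and use the kernel-resident copy.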
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.