[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2631-1)

[Oracle Ksplice]

Synopsis: USN-2631-1 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2015-3331 CVE-2015-3636 CVE-2015-4167

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2631-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes which allows local unprivileged
users to send arbitrary signals to privileged process.


* Memory corruption when configuring a virtual interface link through netlink.

A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Denial-of-service in the mmap() system call.

An integer overflow in the routine checking if there is enough memory to
satisfy an allocation request leads all future allocations to fail.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when reading physical memory from user-space.

The routine generic_phys_access(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does no validate the eraseblock which
can trigger an assertion and kernel panic.


* Kernel panic when probing iSCSI BladeEngine devices.

An invalid DMA configuration can trigger an assertion and kernel panic
when probing a iSCSI BladeEngine device.


* Kernel crash in netfilter socket matching.

Incorrect use of stack-allocated variables could result in accessing
stale data.  This could potentially be used by a local, privileged user
to cause a denial-of-service or potentially, escalate privileges.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* Information leak in the USB stack when sending signals to userspace.

A lack of clearing a struct siginfo sent to user-space leads to leaking
kernel stack content to userspace.  A local, unprivileged user could use
this flaw to gain information about the running kernel, facilitating an
attack.


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().

Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl().  A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.


* Resource leak in IP virtual server backup sync protocol.

Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.


* Frames filtering bypass in mesh forwarding in mac80211 stack.

A flaw in the mac80211 mesh forwarding allows un-encrypted frames to pass
through.  A remote attacker could use this flaw to inject un-encrypted
frames to an otherwise encrypted network.


* Kernel crash in SAS driver during expander discovery.

Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.


* Kernel crash in controller area network (CAN) sockets.

Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.


* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.

Incorrect restrictions to PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host.  A
privileged, local user could use this flaw to cause a denial-of-service.


* Deadlock during NILFS2 filesystem recovery.

Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required.  This could happen after a crash during a
datasync write.


* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.

Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash.  A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.


* Information leak in /proc/PID/pagemap.

/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user.  This could be used in
conjuction with flaws such as ROWHAMMER to elevate privileges.


* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.


* Use-after-free in Industrial I/O core error handling.

Incorrect error handling in the Industrial I/O device registration
function could result in a double-free and kernel crash.


* Kernel crash in compat sendmsg/recvmsg calls.

Incorrect validation of user supplied data could result in memory
corruption when sending or receiving messages to a datagram socket and
the audit subsystem was enabled.


* Use-after-free in CIFS page writing during intermittent network connectivity.

Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.


* Use-after-free in network namespace device moving.

Incorrect linked list manipulation could result in a use-after-free and
kernel crash when moving devices between namespaces.


* Kernel crash in physical to virtual reverse mapping lookup.

Incorrect error handling when adjusting a virtual memory area could
result in integer underflow and a crash in the address reverse mapping
code.


* Data corruption on hfsplus filesystem when inserting node at position zero.

A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.


* Kernel panic in ServerEngines iSCSI BladeEngine 2 initialization failure.

An incorrect call to remove the device in the error handling path could
result in a kernel crash when a BladeEngine 2 device failed to
initialize.


* Kernel crash in SCSI devices during unplug.

Incorrect handling of unoperational links could result in accessing a
device when it should not be possible to do so.  This could result in an
invalid pointer dereference and kernel crash.


* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data-structures which causes the
contents of kernel memory to be leaked to userspace.


* Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Kernel hang in Broadcom Tigon3 ethernet driver.

The Broadcom Tigon3 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Deadlock during packet transmission in Emulex BladeEngine driver.

A locking error in the be2net driver could in rare circumstances cause
a deadlock during packet transmission.


* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.


* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.


* Information leak in Infiniband Userspace events.

The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.


* CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.

The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes which can trigger kernel
memory corruption and a kernel panic.


* Use-after-free in SMACK security module.

Incorrect locking in the SMACK security module can trigger a
use-after-free and kernel panic when looking up the credentials of a
userspace process. This flaw can be used by a local unprivileged user to
trigger a kernel panic or elevate privileges.


* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in he USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Kernel bug when handling a huge page fault.

A race condition in the huge page fault handler could lead to a BUG()
assertion to be hit, causing a denial-of-service.


* Denial-of-service when changing permissions of a huge page.

A race condition when changing the permissions of a huge page on concurrent
migration could lead to kernel panic and denial-of-service.  An attacker
could use this flaw to cause a denial-of-service.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.


* XFS filesystem corruption during truncation.

Failure to write zeroed blocks to disk during truncation on an XFS
filesystem could result in failure to zero those blocks during a crash.
This could leave sensitive information on the disk.


* Memory corruption in Multiple Device driver when destroying a device.

Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic.  A local, privileged
user could use this flaw to cause a denial-of-service.


* OCFS2 file corruption for files opened with O_APPEND.

The OCFS2 filesystem was incorrectly synchronizing files opened with
O_APPEND.  This could result in data corruption under specific
conditions.


* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket which can trigger kernel memory corruption. A local user can use
this flaw to gain elevated privileges.


* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.

The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.


* Memory leak when adding a vlan device to a shut down interface.

A lack of un-registering stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Out of bounds memory write in macvtap driver with IPv6.

A logic error in the macvtap driver when allocating room in the socket
buffer for the ethernet header potentially leads to a two bytes memory
overwrites.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when binding an ICMP socket on IPv6.

A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Kernel crash in IP Virtual Server support when re-routing to local clients.

A logic error in the IP Virtual Server support could lead to a kernel crash
when re-routing packets to clients on the local network.  An attacker could
use this flaw to cause a denial-of-service.


* Kernel hang in Intel PRO 10GbE ethernet driver.

The Intel PRO 10GbE ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Kernel hang in Realtek 8169 ethernet driver.

The Realtek 8169 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Kernel hang in Realtek 8139 ethernet driver.

The Realtek 8139 ethernet driver was calling a function not intended to
run in interrupt context in its interrupt handler. In certain cases, this
could lead to the kernel hanging.


* Out of bounds memory access in autofs4 filesystem ioctl.

A time of check to time of use vulnerability when validating the size of
the ioctl input buffer in the autofs4 could lead to out of bounds memory
access.  A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially escalate their privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.