[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2792-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Nov 5 14:13:18 PST 2015


Synopsis: USN-2792-1 can now be patched using Ksplice
CVEs: CVE-2015-0272 CVE-2015-2925 CVE-2015-5257 CVE-2015-7613

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2792-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-5257: Denial-of-service in Whiteheat device probing.

Missing validation of USB endpoints could result in a NULL pointer
dereference when probing a Whiteheat USB device.  An attacker with a
malicious USB device and physical access to the system could use this
flaw to crash the system.


* Infinite loop during connection teardown in iSCSI library code.

Incorrect locking in the iSCSI library code could cause the kernel to
enter an infinite loop.


* Kernel BUG in FibreChannel library code during SCSI device reset.

Incorrect locking in FibreChannel library code could cause a reschedule
while a spinlock was held, thus potentially causing either a kernel
assertion failure or a deadlock. A malicious local user with access to
the SCSI device could use this to cause denial of service.


* Use-after-free in IPC semaphores during task exit.

Due to incorrect locking, two tasks with shared IPC semaphore references
could exit and simultaneously try to free the semaphores. This could lead
to a use-after-free and memory corruption, allowing a malicious local user
to cause denial of service.


* Kernel crash in 802.11 mesh network transmission.

Incorrect handling of peering state could result in a kernel crash when
transmitting frames on a network with fixed mesh paths while not all
stations had yet completed peering.


* Invalid memory free in device resource management.

A logic error in the device resource management code could cause the
wrong pointer to be freed, possibly crashing the kernel. A malicious
local user with device configuration privileges could use this to cause
denial of service.


* Invalid memory accesses in accelerated GHASH crypto algorithm.

Due to an incorrectly specified context size, the kernel would allocate
too little memory for the GHASH context and possibly access invalid
memory. A local user could potentially use this to cause denial of
service or escalate privileges.


* Use-after-free in HFS B-tree node handling.

Incorrect releasing of pages for HFS B-tree nodes could result in a
use-after-free and kernel crash.  On a heavily loaded system, a local
attacker could use this flaw to crash the system.


* Kernel crash in HFS B-tree insertion.

Inserting a new record in an HFS B-tree at position 0 could corrupt the
tree resulting in either filesystem corruption or a kernel crash.


* CVE-2015-0272: Remote denial-of-service in IPv6 address autoconfiguration.

Incorrect handling of the MTU sysctl setting for an IPv6 device could
allow a remote attacker to trigger packet loss and a denial-of-service
under certain system configurations.


* CVE-2015-7613: Privilege escalation in IPC object initialization.

Incorrect initialization of IPC objects could result in memory
corruption when creating message queues or shared memory.  A local,
unprivileged user could use this flaw to escalate privileges.


* Kernel hang in IPv6 multicast router addition.

Incorrect handling of IPv6 multicast router iteration could result in
failure to acquire a lock and a kernel deadlock.


* CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.

Incorrect handling of renames inside container bind mounts could allow a
local user to escape a container and escalate privileges under specific
conditions.


* Memory corruption when receiving datagram packets.

Incorrect reference counting can cause a double-free and kernel panic
when peeking at received datagram packets in protocols such as UDP and
netlink.


* Improperly escaped output in procfs files.

Lack of quoting in procfs files could cause userspace programs to
misinterpret the contents of these files. A malicious local user
could possibly use this to manipulate certain procfs files (and thereby
also manipulate other programs reading these files).


* Denial-of-service in IP datagram socket connection.

Missing locking when creating an IP datagram socket could result in list
corruption.  A local, unprivileged user could use this flaw to trigger a
denial-of-service.


* Disable modification of LDT by userspace processes.

The seldom-used modify_ldt syscall allowing processes to modify their local
descriptor table has several vulnerabilities allowing local unprivileged
users to elevate privileges.

This update disables the modify_ldt syscall by default and introduces a
new sysctl, 'ksplice_modify_ldt', to allow administrators to re-enable it.
Re-enabling the syscall will make the machine vulnerable again.

To re-enable modify_ldt, run the following command as root:

  sysctl ksplice_modify_ldt=1

To disable, run:

  sysctl ksplice_modify_ldt=0

This mitigates CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157.
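An added audit helper, not part of this announcement or of Ksplice itself, that checks the two settings the notice refers to: the autoinstall key in /etc/uptrack/uptrack.conf and the ksplice_modify_ldt sysctl. It assumes uptrack.conf uses "key = value" lines with '#' or ';' comments and that the sysctl is readable at /proc/sys/ksplice_modify_ldt (an assumption); both paths can be overridden so the functions run against constructed sample files.

```shell
#!/bin/sh
# Audit helpers for the Ksplice Uptrack settings named in the notice.
# Defaults below are assumptions; pass explicit paths to check other files.

# Print the effective value of a key in an ini-style uptrack.conf:
# comments stripped, whitespace around '=' ignored, last occurrence wins.
uptrack_conf_get() {
    key=$1; file=${2:-/etc/uptrack/uptrack.conf}
    sed -e 's/[#;].*//' "$file" |
    awk -F= -v k="$key" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# Print "disabled", "enabled" or "absent" for the ksplice_modify_ldt sysctl.
# "absent" means the sysctl does not exist, i.e. the update is not applied
# or this is not a Ksplice-patched kernel. (/proc/sys path is an assumption.)
modify_ldt_state() {
    f=${1:-/proc/sys/ksplice_modify_ldt}
    [ -r "$f" ] || { echo absent; return; }
    case $(cat "$f") in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Combined check: returns 0 when autoinstall is on and modify_ldt has not
# been re-enabled; prints one line per finding.
audit() {
    conf=${1:-/etc/uptrack/uptrack.conf}; ldt=${2:-/proc/sys/ksplice_modify_ldt}
    rc=0
    if [ "$(uptrack_conf_get autoinstall "$conf")" != yes ]; then
        echo "WARN: autoinstall is not 'yes' in $conf; run /usr/sbin/uptrack-upgrade -y"
        rc=1
    fi
    case $(modify_ldt_state "$ldt") in
        enabled) echo "WARN: modify_ldt re-enabled (ksplice_modify_ldt=1)"; rc=1 ;;
        absent)  echo "INFO: ksplice_modify_ldt sysctl not present" ;;
    esac
    return $rc
}

# Run against the live system only when invoked with --run.
if [ "${1:-}" = --run ]; then
    audit
fi
```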


* Denial-of-service in BTRFS special file writing.

Incorrect handling of special files including device nodes could result
in a kernel panic when evicting inodes.  A local, privileged user with
permission to create device nodes could use this flaw to crash the
system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
