[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2759-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Oct 1 16:04:54 PDT 2015
Synopsis: USN-2759-1 can now be patched using Ksplice
CVEs: CVE-2015-5707
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2759-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Data loss when mounting btrfs volume with the 'discard' option.
When mounting a btrfs volume with '-o discard' the btrfs driver can
possibly overwrite filesystem metadata causing data loss.
* Memory leak in HyperV virtual storage driver.
The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest, causing a kernel memory leak in the
host.
* CVE-2015-5707: Privilege escalation in generic SCSI character device.
An integer overflow in the SCSI generic driver in the Linux kernel could
allow a local user with write permission on a SCSI generic device to
escalate privileges.
* Multiple divide-by-zero errors in the page write-back code.
Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.
* Multiple deadlocks in ALSA emux driver.
Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.
* Infinite loop in USB CDC class driver when parsing CDC headers.
Lack of input validation in the USB CDC class driver could lead to an
infinite loop when parsing CDC headers. A local attacker with physical
access could use a crafted USB device to cause a denial-of-service.
* Filesystem corruption in ext4 fallocate().
A race condition in the fallocate() implementation on an ext4 filesystem
could result in filesystem corruption under specific conditions.
* Out-of-bounds memory access in the nilfs driver.
An off-by-one error when checking the btree level in the nilfs driver could
lead to out-of-bounds memory access. An attacker could use a specially
crafted nilfs image to cause a denial-of-service.
* Kernel hang in the ocfs2 driver when locking resources.
A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge. A local attacker
could use this flaw to cause a denial-of-service.
* Denial-of-service in JBD2 journal recovery.
An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash. A local user could use a maliciously
crafted filesystem to crash the system.
* Denial-of-service in SonicBlue Optimized MPEG File System mounting.
Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.
* Infinite loop when bridging IGMP traffic.
Incorrect reference counting in the network bridge subsystem can trigger
an infinite loop when processing IGMP traffic, causing further bridged
network traffic to be dropped.
* Use-after-free in network bridging when changing ports.
Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.
* Denial of service in networking packet fanout.
Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.
* Use-after-free when updating networking neighbors.
Incorrect locking in the generic networking subsystem can trigger a
use-after-free condition when updating stale network neighbor
information. This flaw can trigger kernel memory corruption.
* Use-after-free in MTD block device.
Missing locking could result in a use-after-free when accessing an MTD
block device. A local user with access to the MTD device could use this
flaw to crash the system.
* Remote privilege escalation in Realtek RTL8712U USB driver.
Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet. A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.
* NULL pointer dereference in VIA VT6655 packet reception.
A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.
* Stack buffer overflow in regulator device registration.
Insufficient buffer sizing could result in a stack buffer overflow when
registering a regulator device.
* NULL pointer dereference in Amateur Radio ROSE protocol.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when killing a ROSE device.
* Privilege escalation when writing to setuid files.
A logic error in the file I/O subsystem can cause the setuid bit to be
set on world-writable files when root modifies a file. This could allow
unprivileged users to elevate privileges by modifying a setuid file.
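A defender-side audit for the setuid item above, added here as an example and not part of the Ksplice advisory: it lists files that are both world-writable and setuid/setgid, the combination that bug could leave behind, and demonstrates on a constructed temporary directory rather than a real system scan.

```shell
#!/bin/sh
# Added example (not from the advisory): find files that are world-writable
# AND carry the setuid or setgid bit. Assumes POSIX find(1) with octal -perm.

find_world_writable_setuid() {
    dir="$1"
    # -perm -0002 : others have write permission
    # -perm -4000 / -perm -2000 : setuid / setgid bit set
    find "$dir" -xdev -type f -perm -0002 \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Number of matching files under the given directory, as a plain integer.
count_world_writable_setuid() {
    find_world_writable_setuid "$1" | wc -l | tr -d ' '
}

# Constructed demonstration: four files, two of which should be flagged.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/safe";      chmod 0755 "$tmp/safe"       # ordinary file, ignored
    : > "$tmp/setuid_ok"; chmod 4755 "$tmp/setuid_ok"  # setuid, not world-writable
    : > "$tmp/dangerous"; chmod 4777 "$tmp/dangerous"  # setuid + world-writable
    : > "$tmp/sgid_bad";  chmod 2666 "$tmp/sgid_bad"   # setgid + world-writable
    count_world_writable_setuid "$tmp"
    rm -rf "$tmp"
}
```

Run `find_world_writable_setuid /` as root to audit a live host; any hit is worth investigating regardless of whether this particular kernel bug caused it.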
* Filesystem corruption on Plan 9 9p filesystem during abort.
Aborted transactions were incorrectly handled, resulting in corruption of
future requests. This could corrupt the filesystem or provide incorrect
data to applications.
* BTRFS filesystem corruption on inline extent cloning.
Incorrect copying of inline extents could result in corruption of the
BTRFS filesystem or a kernel crash. A local, unprivileged user could
use this flaw to crash the system.
* NULL pointer dereference in USB XHCI endpoint creation.
Incorrect handling of cached rings during XHCI endpoint creation could
result in a NULL pointer dereference and kernel crash.
* Denial of service in btrfs IOC_CLONE ioctl.
Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.
* NULL pointer dereference in CAIF and Unix sockets when receiving.
Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Kernel panic in networking round-robin packet fanout.
Incorrect synchronization can trigger an out-of-bounds read and kernel
panic when a userspace process uses the PACKET_FANOUT_LB socket option.
* Denial of service when processing OOTB SCTP packets.
A race condition between processing 'out-of-the-blue' (OOTB) packets and
removing an SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.
* Multiple privilege escalations in DVB frontends.
Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out-of-bounds access could result in a kernel crash or potentially
escalate privileges.
* Kernel crash in ext4 during truncate + write race.
Incorrect locking could result in a kernel crash when threads raced
between writing a journalled page and truncation.
* Denial-of-service in BTRFS inode cache during deletion.
Missing locking during inode unpinning could result in memory
corruption. A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.
* Memory leak when filtering transmitted bridge traffic.
A malformed IP packet transmitted via a bridge with a netfilter hook
can trigger a kernel memory leak and cause a denial of service.
* Denial of service in KVM host when handling machine check in guest VM.
The KVM host incorrectly handles machine check exceptions in guest VMs,
which allows a malicious user in a guest VM to trigger a denial of
service in the host.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.