[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2967-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 10 10:15:08 PDT 2016


Synopsis: USN-2967-1 can now be patched using Ksplice
CVEs: CVE-2015-7515 CVE-2015-7566 CVE-2015-8767 CVE-2015-8812 CVE-2016-0723 CVE-2016-0774 CVE-2016-2069 CVE-2016-2543 CVE-2016-2544 CVE-2016-2548 CVE-2016-2549 CVE-2016-2782

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2967-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
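As an added example that is not part of Oracle's announcement or the Ksplice tooling, the two-step check described above (is "autoinstall = yes" set, otherwise run uptrack-upgrade) as a small audit script: the configuration path is passed as a parameter, the sample configuration files are constructed here, and the [Settings] section name in them is an assumption.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host will pick up
# Ksplice updates by itself, by reading the autoinstall setting the
# announcement refers to, and print the manual command otherwise.

# uptrack_autoinstall FILE -> prints "yes" or "no".
# Handles INI-style "key = value" lines, surrounding whitespace, case and
# trailing comments (# or ;); a missing key counts as "no".
uptrack_autoinstall() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }          # skip comment-only lines
        NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            val = tolower($2); sub(/[#;].*/, "", val)
            gsub(/[[:space:]]/, "", val)
            if (key == "autoinstall") result = val   # last setting wins
        }
        END { if (result == "yes") print "yes"; else print "no" }
    ' "$1"
}

# uptrack_action FILE -> "automatic" when no operator action is needed,
# otherwise the command given in the announcement.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "automatic"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not copied from a real system; the
# [Settings] section name is assumed).
SAMPLE_ON=$(mktemp); cat > "$SAMPLE_ON" <<'EOF'
[Settings]
# install updates without operator action
autoinstall = yes
EOF
SAMPLE_OFF=$(mktemp); cat > "$SAMPLE_OFF" <<'EOF'
[Settings]
autoinstall = no   ; operator runs uptrack-upgrade by hand
EOF

uptrack_action "$SAMPLE_ON"    # prints: automatic
uptrack_action "$SAMPLE_OFF"   # prints: run: /usr/sbin/uptrack-upgrade -y
```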


DESCRIPTION

* Kernel panic in Atheros wireless driver HTC frame handling.

The kernel Atheros wireless driver does not correctly handle malformed
HTC frames, which can trigger kernel memory corruption. An unauthenticated
remote user can trigger this issue.


* Memory leak when requeuing priority inversion futex.

A logic error in the kernel futex subsystem can trigger a memory leak
and subsequent kernel panic when failing to acquire a PI futex.


* Denial-of-service when parsing UDF indirect extents.

A UDF disk image can trigger an infinite loop and denial of service
when parsing malformed indirect extents.


* Memory corruption when processing multibyte unicode filenames on UDF.

The kernel UDF filesystem driver incorrectly manages memory when
converting multibyte unicode filenames on UDF filesystems, which can
trigger kernel memory corruption.


* Use-after-free in IPv6 SYNACK retransmission.

Missing locking when retransmitting a SYNACK packet could result in a
use-after-free and kernel crash.  Under specific conditions, this could
result in a denial-of-service.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2016-2543: Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* CVE-2016-2544 through CVE-2016-2548: Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Information leak when reading directory entries on CIFS mount.

Incorrect memory management allows a local user to leak the contents of
kernel memory to debug logs when reading from a directory on a CIFS
mount.


* Use-after-free in OCFS2 distributed lock manager.

Incorrect reference counting in the OCFS2 filesystem driver can trigger
a use-after-free and kernel panic when migrating a lock.


* Use-after-free when unregistering events in memory control group.

Incorrect locking in the memory control group subsystem (memcg) when
unregistering events can trigger a use-after-free condition and kernel
panic.


* Use-after-free when failing to accept userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an unprivileged
user to trigger a use-after-free condition and kernel panic when calling
accept(2) on a cryptographic socket fails.


* CVE-2016-2549: Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* Privilege escalation in ALSA compatibility ioctl().

Incorrect handling of compatibility data structures could result in a
heap buffer overflow.  A local user with access to the ALSA devices
could use this flaw to trigger a kernel crash or potentially escalate
privileges.


* Denial-of-service in ALSA TLV controls.

Missing validation of user-supplied data could result in kernel warnings
being output to the kernel console.  A local user could use this flaw to
flood the kernel console, causing a denial-of-service.


* Deadlock in NFS share exported from OCFS2 filesystem.

Incorrect locking can trigger a deadlock and kernel panic when OCFS2 is
used to export an NFS share.


* Denial-of-service when accepting userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a denial of service by calling accept(2) on
a PF_ALG socket before setting a cryptographic key.


* CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.

Incorrect locking when accepting an SCTP connection during the 4-way
handshake could result in deadlock.  A local user could use this flaw to
block SCTP connections.


* Memory leak when reading from AF_UNIX socket.

Incorrect reference counting when reading from AF_UNIX can trigger a
memory leak when a signal is delivered to a process.


* CVE-2016-2782: Crash in USB serial driver when malicious Treo device is connected.

Improper handling of USB endpoint probing during Treo device initialization
leads to a NULL pointer dereference.


* CVE-2015-7566: Denial-of-service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* Use-after-free when removing virtio PCI devices.

A logic error in the virtio subsystem can trigger a use-after-free and
kernel panic when removing a virtio PCI device.


* Deadlock when reading from rfkill sysfs file.

Incorrect locking in the rfkill sysfs interface can cause a kernel panic
when reading events. A privileged local user could use this flaw to
cause a denial of service.


* Crash in SCSI driver during power management suspend and resume.

Performing a suspend while the SCSI driver is probing for devices may
crash or cause CD/DVD and hard disk devices to become unusable.


* CVE-2016-0723: Denial-of-service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* Kernel crash in userspace interface for hash algorithm when sending a message.

A failure to wait for the completion of crypto_ahash_init() when using
sendpage()/sendmsg() could cause a kernel crash.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Integer underflow when accessing Intel Storage Controller Unit (SCU) registers.

A flaw in the Intel SCU driver could lead to an integer underflow when
accessing the SCU registers.  A local user with CAP_SYS_RAWIO could use
this flaw to cause out of range memory accesses leading to a kernel crash.


* Kernel log buffer flood in ALSA rawmidi driver.

The ALSA rawmidi driver would dump the kernel stack to the kernel log
buffer every time userspace would pass it a NULL pointer.  A local,
unprivileged user with access to the ALSA device could use this flaw to
flood the kernel logs, potentially causing a denial-of-service or gaining
information about the running kernel if he's able to read the kernel log.


* Multiple kernel deadlocks in ALSA OSS emulation.

Incorrect locking in the ALSA OSS emulation code could lead to AB-BA
deadlocks when accessing read()/write() and mmap() concurrently.  A local
user could use these flaws to cause a denial-of-service.


* Multiple use-after-frees in ALSA sequencers when closing the device.

Incorrect locking in the ALSA sequencers sub-system could lead to several
distinct use-after-free conditions under certain circumstances.  A local
user could use these flaws to cause a denial-of-service.


* Denial-of-service in ALSA timer handling.

Multiple locking flaws in the ALSA timer handling could lead to memory
corruptions and denial-of-service on concurrent operations.  A local user
could use these flaws to cause a denial-of-service.


* Memory corruption in ALSA rawmidi driver on concurrent read/write.

Incorrect locking in the ALSA rawmidi driver on concurrent read/write
operations could lead to memory corruptions.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Use-after-free when unloading xHCI host driver.

A flaw in the xHCI host driver could lead to reading already freed memory
when removing the driver.  A local user with the ability to unload the xHCI
kernel module could use this flaw to cause a denial-of-service.


* Kernel panic when closing Philips SAA7134 devices.

The Philips SAA7134 TV card driver does not correctly free memory when
closing a device which can lead to a NULL pointer dereference and kernel
panic.


* Use-after-free in the crypto sub-system when traversing the list of crypto algorithms.

Incorrect locking when traversing the list of crypto algorithms could lead
to a use-after-free when concurrently unregistering an algorithm.  A local,
unprivileged user could use this flaw to cause a kernel crash.


* Use-after-free in the kernel list library on concurrent hotplug events.

The starting node given to klist_iter_init_node() might no longer be on the
list in the case of concurrent hotplug events, potentially leading to a
use-after-free and crash.


* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* CVE-2016-0774: Information leak in the pipe system call on failed atomic read.

The fix for CVE-2015-1805 incorrectly kept buffer offset and length in sync
on a failed atomic read, leading to pipe buffer state corruption.  A
local, unprivileged user could use this flaw to cause a denial-of-service
or leak kernel memory to userspace.


* Kernel panic when using receive aggregation on WiFi.

Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.


* Information leak in the ATA 32-bit compat ioctl.

A logic error in the ATA 32-bit compat ioctl could lead to writing 3 bytes
of uninitialized stack content to userspace.  An attacker could use this
flaw to gain information about the running kernel.


* Memory leak in the ALSA audio driver on concurrent writes to the sequencer device.

Incorrect locking in the ALSA audio sequencer could lead to a memory leak
on concurrent writes to the sequencer device.  A local user with write
access to the sequencer device could use this flaw to exhaust the memory on
the system.


* Memory corruption when parsing numbers from NFS requests.

The kernel NFS server does not correctly parse hex strings from
userspace, which can trigger kernel memory corruption.


* Kernel deadlock in JFFS2 filesystem when writing.

Incorrect lock ordering when writing to a JFFS2 filesystem could lead to
deadlocks.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Kernel hang when the function graph tracer is enabled on suspend.

The function graph tracer gets inconsistent call return information in the
low level ACPI suspend code, leading to a kernel hang.


* Heap overflow in the Unsorted Block Images (UBI) on volume update.

A flaw in the UBI code causes a heap structure to be allocated with too few
bytes, leading to a write overflow when updating the volume.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Kernel deadlock in the USB HID stack on interrupt.

Incorrect locking in the USB HID stack could lead to recursive deadlocks in
specific conditions, potentially causing the kernel to hang.


* Denial of service in Topro USB Camera ioctl.

The Topro USB Camera driver does not correctly handle setting the
framerate to zero which can trigger a divide-by-zero and kernel panic.


* Memory leak in Realtek USB Wireless adapter when receiving malformed frames.

The kernel driver for Realtek USB Wireless adapters does not correctly
free memory when processing frames with incorrect checksums. A remote
attacker could trigger a denial-of-service by intentionally sending
frames with incorrect checksums.


* Memory corruption in ALSA dummy driver when switching timer.

Improper switching between high resolution timers and system timers while a
stream is open can lead to memory corruption.


* Infinite loop when unmounting an OCFS2 filesystem using the kernel distributed lock manager.

A logic error when releasing the locks of an OCFS2 recovery master dead
node could lead to an infinite loop when later trying to unmount the OCFS2
filesystem.


* CVE-2015-7515: Denial-of-service in the aiptek USB driver.

A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints.  An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.


* Remote denial of service in ASIX USB 10/100 Ethernet adapter driver.

Error logging upon receipt of an oversize packet can be abused to cause
a denial of service by repeatedly sending oversize packets.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
