[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2289-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jul 21 14:22:34 PDT 2014


Synopsis: USN-2289-1 can now be patched using Ksplice
CVEs: CVE-2014-0131 CVE-2014-3917 CVE-2014-4014 CVE-2014-4608 CVE-2014-4611 CVE-2014-4943

Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2289-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
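
The installation steps above, as an added example script that is not part of
this advisory or of Ksplice Uptrack itself: it reads the autoinstall setting
from /etc/uptrack/uptrack.conf, runs uptrack-upgrade -y only when autoinstall
is not enabled, and then checks that every CVE listed in this notice appears
in the output of uptrack-show. It assumes that uptrack.conf uses "key = value"
lines and that uptrack-show prints the CVE identifier of each installed
update; the function names and the constructed sample inputs are the
example's own, not Ksplice's.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: decide whether the USN-2289-1
# Ksplice updates need a manual install, then verify that every CVE in the
# advisory is covered by an installed update.
#
# Assumptions (not stated on the advisory page):
#   - /etc/uptrack/uptrack.conf is an INI-style file with "key = value" lines
#   - `uptrack-show` prints the CVE identifier of each installed update
#   - the function names below are this example's own

ADVISORY_CVES="CVE-2014-0131 CVE-2014-3917 CVE-2014-4014 CVE-2014-4608 CVE-2014-4611 CVE-2014-4943"
UPTRACK_CONF=/etc/uptrack/uptrack.conf

# Exit 0 when the given uptrack.conf sets "autoinstall = yes".
# Tolerates surrounding whitespace and mixed case; a commented-out
# "# autoinstall = yes" does not count, and an unreadable file counts as "no".
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Ei '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf" >/dev/null
}

# Print, one per line, the CVEs from the list in $1 that do not appear
# (as whole words) in the uptrack-show output saved in file $2.
missing_cves() {
    wanted="$1"
    shown="$2"
    for cve in $wanted; do
        grep -qw -- "$cve" "$shown" || echo "$cve"
    done
}

# The procedure from the INSTALLING THE UPDATES section, plus verification.
run_check() {
    if uptrack_autoinstall_enabled "$UPTRACK_CONF"; then
        echo "autoinstall = yes: Uptrack will apply USN-2289-1 on its own"
    else
        echo "autoinstall not enabled: installing now"
        /usr/sbin/uptrack-upgrade -y || return 1
    fi

    shown=$(mktemp) || return 1
    /usr/sbin/uptrack-show > "$shown" || { rm -f "$shown"; return 1; }
    missing=$(missing_cves "$ADVISORY_CVES" "$shown")
    rm -f "$shown"

    if [ -n "$missing" ]; then
        echo "USN-2289-1 CVEs still not covered:" >&2
        echo "$missing" >&2
        return 2
    fi
    echo "all USN-2289-1 CVEs are covered by installed Ksplice updates"
}

# Only touch the live system when invoked as "sh this_script.sh --run".
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it as root with the --run argument; without it the script only defines
the helpers, so the parsing logic can be exercised against sample files
without installing anything. The autoinstall check deliberately requires the
line to be uncommented and to end after "yes", so a stray "autoinstall = yes"
in a comment, or a value such as "yes-later", is not mistaken for automatic
installation.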


DESCRIPTION

* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* Use-after-free in NFSv4 daemon kernel implementation when releasing a state ID.

A lack of clean-up of a lock owner attached to a state ID when releasing
the state ID could lead to use-after-free and kernel panic in the NFSv4
daemon implementation.


* Memory corruption in CPU frequency driver when accessing the current policy.

A lack of locking when accessing the current policy in the CPU frequency
driver could lead to data corruption and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.


* Information leak in Intel i915 graphics driver when copying execbuffer.

When copying an execbuffer back to userspace, the Intel i915 graphics
driver also exported an internal structure that should not be visible to
userspace, leaking kernel data.


* Deadlock in Nouveau driver when updating fan speed.

Incorrect locking in the Nouveau driver when updating the fan speed could
lead to a deadlock and denial-of-service under specific conditions.


* Use-after-free in USB host xHCI driver when releasing the device.

Incorrect ordering of de-allocation routines when releasing an xHCI device
could lead to a use-after-free and kernel panic. A local, privileged user
could use this flaw to cause a denial-of-service.


* Data corruption in multiple device (MD) driver when reshaping a read-only device.

A logic error in the MD driver could lead to data corruption when reshaping
a read-only device. A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in InfiniBand SCSI driver when a SCSI WRITE command fails.

A missing reference put in the InfiniBand SCSI driver when a SCSI WRITE
command with ImmediateData=Yes fails causes a memory leak. An attacker
could use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure caused by an out-of-bounds memory
access. When system-call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* CVE-2014-4608: Integer overflow in LZO when uncompressing blocks larger than 16MB.

Lack of input validation in the LZO library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* CVE-2014-4611: Integer overflow in LZ4 library when uncompressing large blocks.

Lack of input validation in the LZ4 library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* CVE-2014-4014: Privilege escalation in user namespace.

Incorrect use of the inode_capable() function to check permissions in a
user namespace allows unprivileged users to set the setgid bit on files
owned by a group they do not belong to. A local, unprivileged user could use
this flaw to escalate privileges.


* CVE-2014-0131: Information leak in skb_segment function.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.


* Divide-by-zero in mm page writeback.

When computing limits in page-writeback, some values were not
checked for zero, leading to a divide-by-zero error.


* NULL pointer dereference in Target Core Mod when writing to sysfs.

A missing check to verify that the backend device has been configured leads
to a NULL pointer dereference when writing to the sysfs file
alua_access_state. A local, privileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in memory management subsystem when releasing a VMA.

Incorrect ordering of de-allocation routines when releasing a VMA could
lead to a use-after-free and kernel panic. A local, unprivileged user could
use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

