[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2261-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Jun 27 15:20:00 PDT 2014
Synopsis: USN-2261-1 can now be patched using Ksplice
CVEs: CVE-2014-0181 CVE-2014-1739 CVE-2014-3144
Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2261-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* NULL pointer dereference in the filesystem stack when checking an ACL.
A missing check for NULL when checking whether a filesystem ACL can be
represented using traditional UNIX permissions could lead to a kernel
panic. A remote attacker controlling an NFS server or a local unprivileged
user could use this flaw to cause a denial-of-service.
* Race conditions in the workqueue subsystem.
Incorrect locking in various places in the workqueue subsystem could lead
to a kernel panic.
* NULL pointer dereference in CAAM crypto driver.
A missing check for NULL after allocating a buffer could lead to a NULL
pointer dereference when the system is under memory pressure. An attacker
could use this flaw to cause a denial-of-service.
* CVE-2014-1739: Information leak in the media stack when enumerating media devices.
The ioctl() used to enumerate media devices can copy 200 bytes of kernel
stack to userspace. A local user with write access to /dev/mediaX could use
this flaw to gather information about the running kernel.
* Kernel panic in libata after detaching a port.
Lack of resource cleanup when detaching an ATA port can lead to a kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* Kernel BUG() in NFS daemon when setting ACL with no entries.
A logic error in the NFS daemon code could trigger a kernel BUG() when
setting ACL with no entries.
* Kernel panic when moving a transparent huge page concurrently with splitting it.
A race condition in the code moving page tables if a transparent huge page
is concurrently being split can lead to a kernel panic under specific
conditions.
* Out of bounds memory access in V4L2 OmniVision driver.
Incorrect use of an untrusted index coming from userspace leads to an out
of bounds memory access. A local, privileged user could use this flaw to
cause a kernel panic or potentially escalate privileges.
* Memory corruption when accessing a huge TLB of a copy-on-write page.
A missing flush of the huge translation lookaside buffer for a page copied
after a write could lead to memory corruption, because the parent process
may keep accessing the child's copied version of the page rather than the
original page. A local, unprivileged user could use this flaw to cause
memory corruption or potentially elevate privileges.
* Use-after-free in libceph when sending pages over TCP.
RADOS block devices do not properly handle sending pages with page_count 0
over TCP, which results in the page being incorrectly freed while still in
use, leading to memory corruption and a kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.
* Remote denial-of-service in bridge driver when filtering packets.
A logic error in the bridge driver when filtering packets could lead to a
double-free of the dropped socket buffer, potentially leading to a kernel
panic. A remote user could use this flaw to cause a denial-of-service.
* CVE-2014-3144: Multiple local denial of service vulnerabilities in netlink.
The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extension implementations
in the sk_run_filter function in net/core/filter.c failed to check whether
a certain length value is sufficiently large, which allows local users to
cause a denial of service (integer underflow and system crash) via crafted
BPF instructions.
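The length check described for CVE-2014-3144 is the classic unsigned-underflow trap: computing "bytes remaining after offset A" as `len - A` wraps to a huge value when A exceeds the packet length, and an attribute walk handed that value reads past the buffer. The following is an added illustration, not Ksplice's or the kernel's code; `struct nlattr`, `struct pkt`, `find_nlattr_safe` and `sample_find` are stand-ins written for this example, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Stand-in for the kernel's 4-byte netlink attribute header. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
/* Stand-in for the parts of an skb a packet filter looks at. */
struct pkt { const unsigned char *data; size_t len; };
/* The unguarded expression: with an unsigned size, len - off wraps to a
 * huge value when off > len, so an attribute walk is told there is far
 * more data than the packet holds and reads past its end. */
size_t remaining_len_unchecked(size_t len, size_t off) { return len - off; }
/* Hardened lookup: offset of the first attribute of type 'type' at or
 * after 'off', or 0 if none (0 also for any out-of-range input). */
size_t find_nlattr_safe(const struct pkt *p, size_t off, uint16_t type)
{
    size_t remaining;
    if (off > p->len || p->len - off < sizeof(struct nlattr))
        return 0;                       /* header would not fit: refuse */
    remaining = p->len - off;           /* guarded above, cannot wrap */
    while (remaining >= sizeof(struct nlattr)) {
        struct nlattr a;
        size_t step;
        memcpy(&a, p->data + off, sizeof a);   /* no unaligned access */
        if (a.nla_len < sizeof(struct nlattr) || a.nla_len > remaining)
            return 0;                   /* attribute claims more than exists */
        if (a.nla_type == type)
            return off;
        step = (a.nla_len + 3u) & ~(size_t)3u;  /* NLA_ALIGN to 4 bytes */
        if (step > remaining)
            return 0;
        off += step;
        remaining -= step;
    }
    return 0;
}
/* Constructed sample packet (not from the advisory): attribute type 1
 * with a 4-byte payload at offset 0, then an empty attribute type 2 at
 * offset 8, 12 bytes in total; 'bad_len' corrupts the first length. */
size_t sample_find(size_t off, uint16_t type, int bad_len)
{
    unsigned char buf[12];
    struct nlattr a1 = { bad_len ? 100 : 8, 1 }, a2 = { 4, 2 };
    struct pkt p = { buf, sizeof buf };
    memcpy(buf, &a1, 4);
    memset(buf + 4, 0xAA, 4);
    memcpy(buf + 8, &a2, 4);
    return find_nlattr_safe(&p, off, type);
}
```

The out-of-range offset (16 into a 12-byte packet) and the oversized attribute length both make the hardened lookup give up instead of walking beyond the buffer.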
* Divide-by-zero in TCP cubic congestion algorithm when computing delayed ack.
A logic error in the TCP cubic congestion algorithm could lead to a
divide-by-zero and kernel panic. A remote attacker could potentially use
this flaw to cause a denial-of-service.
* NULL pointer dereference in IPv6 netlink validation callback.
A missing check for NULL in the IPv6 netlink validation callback leads to a
NULL pointer dereference. A local, privileged user could use this flaw to
cause a kernel panic and denial-of-service.
* CVE-2014-0181: Incorrect namespace permission check in netlink sockets.
The kernel uses an incorrect set of permissions when querying netlink sockets
from different namespaces, allowing unprivileged users to disclose information
about networking in privileged namespaces.
* Use-after-free in netfilter for IPv6 sockets.
Incorrect ordering of de-allocation routines in the netfilter
ip6_route_me_harder() error path leads to a use-after-free and kernel
panic. An attacker could use this flaw to cause a denial-of-service.
* Use-after-free in IPv6 generic routing encapsulation driver on device removal.
Lack of reference counting between the IPv6 generic routing encapsulation
driver and the tunnel net device it uses could lead to a use-after-free and
kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service or potentially escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.