[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (USN-2228-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue May 27 10:18:26 PDT 2014
Synopsis: USN-2228-1 can now be patched using Ksplice
CVEs: CVE-2014-0055 CVE-2014-0077 CVE-2014-0100 CVE-2014-0101 CVE-2014-1737 CVE-2014-1738 CVE-2014-2309 CVE-2014-2523 CVE-2014-2678 CVE-2014-2851
Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2228-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
The floppy driver leaked internal kernel addresses to userspace and then
let unprivileged userspace code overwrite memory at those addresses,
allowing a local user to escalate privileges and gain root.
* CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
A missing check in the RDS (Reliable Datagram Sockets) protocol leads to a
NULL pointer dereference when binding while no suitable device is present.
A local, unprivileged user could use this flaw to cause a NULL pointer
dereference and denial-of-service.
* Kernel panic in mwifiex wireless driver during cleanup.
The mwifiex driver code was attempting to clean the PCIe buffer
without the device being present, leading to an invalid memory
access and kernel panic.
* NULL pointer dereference in mwifiex wireless driver during receive.
A failure to check the outcome of a skb allocation could
result in a NULL pointer dereference and kernel panic.
* Kernel panic in ath9k transmit.
A race condition in the ath9k xmit driver code could lead
to multiple frees on the same object, causing an invalid memory
access and a kernel panic.
* Use-after-free in firewire.
An error in a failure path in the firewire code could result in a
use-after-free and kernel panic.
* NULL pointer dereference in NFS async code.
A missing NULL pointer check in the NFS delegation code could lead
to a NULL pointer dereference and kernel panic.
* Quota file corruption in ocfs2.
Improper caching of quota file structures could result in
corruption of the quota file.
* NULL pointer dereference in compressed RAM device.
A failure to check that an allocation succeeded could result
in a NULL pointer dereference and system hang.
* Invalid fragmentation IDs on IPv6 UFO segmentation.
The fragment IDs generated on UFO (UDP fragmentation offload) segmentation
were either unreliable or very predictable. This could allow a malicious
user to predict the fragment IDs of other traffic.
* NULL pointer dereference in Ethernet Solarflare driver.
A race condition in the sfc driver could lead to a PTP event
coming in from the NIC without being properly setup. This
causes a NULL pointer dereference, leading to a kernel panic.
* CVE-2014-0101: SCTP Null Pointer Dereference vulnerability.
The SCTP module failed to validate fields before making an authenticate
call, which a remote attacker could use to cause a denial-of-service.
* Information leak in mac80211 QoS-null frames.
Uninitialized memory in QoS-null frames in the mac80211 code
could leak information.
* Kernel BUG on SCSI isci hard reset timeout.
The isci code was incorrectly generating a kernel BUG() in the
case of a hard reset timeout.
* Data corruption in ocfs2 sync.
The ocfs2 file system was syncing the wrong range. This could
allow data to not be correctly synced and therefore cause
corruption.
* Kernel BUG in mm compaction.
Improper error handling in the mm compaction code could lead to
a bad page state and kernel BUG().
* General protection fault in proc filesystem.
A race condition in the proc filesystem could lead to a
GPF when accessing /proc/$PID/map_files. A local unprivileged
user could use this to cause a denial-of-service.
* Data corruption in vmxnet3 netpoll path.
A race condition in the vmxnet3 driver's netpoll path can lead to data
corruption and kernel panics.
* NULL pointer dereference in SCSI storvsc.
Invalid error handling in storvsc initialization could cause
a NULL pointer dereference leading to a kernel panic.
* NULL pointer dereference in drm TTM code.
The TTM code didn't check that a TTM driver had an invalidate_caches()
function and tried to call it, leading to a NULL pointer dereference
and kernel panic.
* Data corruption in btrfs compressed extents.
When using a mix of compressed file extents and prealloc extents, it
is possible to fill a page of a file with random, garbage data from
some unrelated previous use of the page.
* Denial-of-service with x86 fpu code and aesni-intel.
A bug in the x86 fpu code could leave interrupts improperly disabled in
subsequent calls. Specifically, this has been seen to cause a kernel BUG()
when a user process dumps core on an eCryptfs filesystem while aesni-intel
is loaded. In that case, all subsequent accesses to the eCryptfs filesystem
hang. A malicious user could exploit this to cause a denial-of-service.
* Memory leak in linkat.
A bug in the linkat code could leak a mountpoint reference, and with it
memory, when retrying the operation on ESTALE.
* Userspace memory corruption in SYSLOG_ACTION_READ_ALL.
The kernel syslog implementation does not correctly handle the
SYSLOG_ACTION_READ_ALL syslog command causing too much data to be copied to a
userspace process. This potentially causes memory corruption and crash in the
userspace process.
* Data corruption of ext4 immutable files when updating inode flags.
A race condition in the ext4 file system when updating the inode flags of
an immutable file could open a small window of time where the immutable
flag is not set. Provided very good timing, a local, unprivileged user
could use this flaw to modify an immutable file.
* Information leak in packet filter JIT engine.
An incorrect bound is used when validating Berkeley Packet Filter programs,
allowing a malicious user to read the contents of kernel memory.
* CVE-2014-2523: Remote crash via DCCP conntrack.
A flaw in the dccp protocol could allow a remote user to cause a crash
resulting in a denial-of-service.
* Memory leak in SCTP stack on COOKIE ECHO error path.
The SCTP stack leaks memory on the COOKIE ECHO error path when memory is
constrained. A remote attacker could use this flaw to exhaust the memory
on the system and cause a denial-of-service.
* Denial-of-service in IPv4 fragmentation code on evicting fragments.
A race condition in the IPv4 fragmentation code could lead to a kernel
crash under specific conditions. A local, privileged user could use this
flaw to cause a denial-of-service.
* CVE-2014-2309: Denial-of-service in ICMPv6 route code.
The ip6_route_add function does not properly count the addition of routes,
which allows remote attackers to cause a denial of service (memory
consumption) via a flood of ICMPv6 Router Advertisement packets.
* Deadlock in TCP stack on software checksum calculation.
A logic error in the TCP stack when the NIC has no support for RX checksum
could lead to a deadlock under specific conditions.
* NULL pointer dereference in VXLAN code when handling ARP requests.
A lack of input validation in the VXLAN code could lead to a NULL pointer
dereference when memory is constrained. A remote attacker could use this
flaw to cause a denial-of-service.
* CVE-2014-0077: Kernel panic when receiving short packets in virtio networking.
Missing data validation when receiving truncated packets in the virtual networking
subsystem can cause the kernel to dereference an invalid pointer triggering a
kernel panic.
* CVE-2014-0055: Kernel panic when receiving packets in virtio networking.
When receiving packets, missing data validation can cause the virtual networking
subsystem to dereference an invalid pointer causing a kernel panic.
* Deadlocks in IPv6 stack when updating statistic counters.
Incorrect locking in various places in the IPv6 stack could lead to a
deadlock when updating statistic counters.
* Memory corruption in ISDN loop driver.
A lack of input validation in various places of the ISDN loop driver could
lead to out of bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.
* CVE-2014-2851: Integer overflow when initializing a ping socket.
Incorrect reference counting in the error path of ping_init_sock() leaks a
reference on every failure; enough leaked references overflow the reference
count and result in a use-after-free. A local, unprivileged user could use
this flaw to cause a denial-of-service or potentially to escalate privileges.
* Use-after-free in netfilter xtables when copying counters to userspace.
A logic error in the netfilter ebtables, arptables and IPv4/IPv6 iptables
code could lead to a use-after-free if copying counters to userspace fails:
the tables were freed even though they had already been exposed to packet
processing. Any subsequent packet processing would then use the freed
tables and cause a kernel panic.
* NULL pointer dereference in CPU idle driver when getting a reference counter.
A missing check for NULL in the CPU idle driver could lead to a NULL
pointer dereference and kernel panic in case there is no CPU idle driver
registered with the current CPU.
* Denial-of-service in bridge code on receiving malformed MLD queries.
A lack of input validation in the bridge multicast snooping code when
handling MLD (Multicast Listener Discovery) queries could lead to multicast
ports being shut down. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2014-0100: Remote denial-of-service in the IPv4 fragmentation code.
A race condition in the IPv4 fragmentation code could result in a
use-after-free and kernel crash. A remote user could use this flaw to cause
a denial-of-service.
* Memory corruption in CPU freq governor when hot-unplugging a CPU.
A race condition between the CPU freq governor and hot-unplugging a CPU
could corrupt workqueues and timers, potentially leading to a
denial-of-service.
* Kernel panic in nested KVM MMU management.
The KVM virtual MMU does not correctly handle memory mappings in nested virtual
machines leading to a kernel panic.
* Deadlock in DvbWorld and TeVii DVB device driver.
The DvbWorld and TeVii USB Digital Video Broadcasting driver does not correctly
unlock data when a data transfer fails, leading to a deadlock and kernel panic.
* Kernel panic in Conexant PCI video recorder device driver.
Memory allocation can fail in the Conexant PCI video recorder device driver
triggering a NULL pointer dereference and kernel panic when reading the device's
EEPROM.
* Deadlock in Conexant USB DVB data transfer.
The USB Digital Video Broadcasting driver does not correctly unlock data when a
data transfer fails, leading to a deadlock and kernel panic.
* Remote denial-of-service in Ceph OSD client.
The kernel's Ceph object storage daemon (OSD) client does not correctly
handle truncated requests, which can leave a request never completing and
block further requests, leading to a denial-of-service.
* Kernel panic in isci host code.
An invalid loop in the isci for_each_isci_host macro could
lead to a NULL pointer dereference and kernel panic.
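The packet filter JIT item above turns on the bounds the kernel checks before it accepts a classic BPF program. The following is an added example, not Ksplice's or the kernel's code: a user-space checker that applies the same class of bounds (scratch-memory slot index below BPF_MEMWORDS, every jump target inside the program, no constant zero divisor, and a final RET) to a few constructed programs. The opcode values match <linux/filter.h>; the sample programs are constructed for the example, and the checker deliberately covers only these bounds, not full opcode validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF encoding (same values as <linux/filter.h>). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_DIV 0x30
#define BPF_MOD 0x90
#define BPF_SRC(c) ((c) & 0x08)
#define BPF_K 0x00
#define BPF_MEMWORDS 16   /* scratch slots M[0..15] */
#define BPF_MAXINSNS 4096

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Returns 0 if the program is acceptable, -1 for an illegal length, otherwise
 * the 1-based index of the first bad instruction ('len' = missing final RET). */
int chk_filter(const struct sock_filter *f, size_t len)
{
    if (len == 0 || len > BPF_MAXINSNS)
        return -1;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        int bad = 0;
        switch (BPF_CLASS(ins->code)) {
        case BPF_LD: case BPF_LDX:
            if (BPF_MODE(ins->code) == BPF_MEM)      /* M[k] read: k must be a real slot */
                bad = ins->k >= BPF_MEMWORDS;
            else
                bad = BPF_MODE(ins->code) != BPF_IMM && BPF_MODE(ins->code) != BPF_ABS &&
                      BPF_MODE(ins->code) != BPF_IND && BPF_MODE(ins->code) != BPF_LEN &&
                      BPF_MODE(ins->code) != BPF_MSH;
            break;
        case BPF_ST: case BPF_STX:                   /* M[k] write: same bound as the read */
            bad = ins->k >= BPF_MEMWORDS;
            break;
        case BPF_ALU:                                /* constant divisor of zero */
            bad = (BPF_OP(ins->code) == BPF_DIV || BPF_OP(ins->code) == BPF_MOD) &&
                  BPF_SRC(ins->code) == BPF_K && ins->k == 0;
            break;
        case BPF_JMP:                                /* every target inside the program */
            if (BPF_OP(ins->code) == BPF_JA)
                bad = ins->k >= len - pc - 1;
            else
                bad = pc + 1 + ins->jt >= len || pc + 1 + ins->jf >= len;
            break;
        default:                                     /* BPF_RET, BPF_MISC: nothing to bound */
            break;
        }
        if (bad)
            return (int)pc + 1;
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET ? 0 : (int)len;
}

/* Constructed samples: the classic "pass IPv4 only" filter, then three programs
 * the checker must reject. */
const struct sock_filter prog_ipv4[] = {
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },       /* A = ethertype at offset 12 */
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0x0800 },  /* IPv4? fall through : skip one */
    { BPF_RET | BPF_K, 0, 0, 0xffff },            /* accept */
    { BPF_RET | BPF_K, 0, 0, 0 },                 /* drop */
};
const struct sock_filter prog_bad_mem[] = {       /* store to M[16]: one past the end */
    { BPF_ST, 0, 0, BPF_MEMWORDS }, { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct sock_filter prog_bad_jump[] = {      /* true branch jumps out of the program */
    { BPF_JMP | BPF_JEQ | BPF_K, 5, 0, 0x0800 }, { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct sock_filter prog_no_ret[] = {        /* falls off the end without RET */
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 }, { BPF_LD | BPF_W | BPF_ABS, 0, 0, 0 },
};
#define NINSNS(p) (sizeof(p) / sizeof((p)[0]))

int main(void)
{
    printf("ipv4 filter: %d\n", chk_filter(prog_ipv4, NINSNS(prog_ipv4)));
    printf("bad mem slot: %d\n", chk_filter(prog_bad_mem, NINSNS(prog_bad_mem)));
    printf("bad jump: %d\n", chk_filter(prog_bad_jump, NINSNS(prog_bad_jump)));
    printf("no ret: %d\n", chk_filter(prog_no_ret, NINSNS(prog_no_ret)));
    return 0;
}
```

The point of the scratch-memory bound is that M[] is a fixed 16-word array on the kernel side; a load or store indexed past it, whether interpreted or JIT-compiled, reads or writes whatever sits next to that array, which is exactly the kind of out-of-bounds kernel read the advisory item describes.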
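The CVE-2014-2851 item describes a chain that is easy to state and easy to get wrong in code review: an error path that forgets to drop a reference leaks one count per failure, an unprivileged caller can repeat the failure, the counter eventually wraps, and the next legitimate release frees an object other holders still use. The following is an added example, not the kernel's ping_init_sock() code: a leaky initialisation routine beside its fixed form, driven against a shared object so the wrap and the resulting free-under-holder are observable. The reference count is 16 bits wide here, an assumption made so the wrap is reachable in a short loop (the kernel's atomic_t is 32 bits), and "freeing" only sets a flag and wipes the payload so the result can be inspected instead of crashing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shared, reference-counted object. 16-bit count is an assumption for the
 * example; the free is simulated (flag + wipe) so a use-after-free is visible. */
struct shared {
    uint16_t refcnt;
    bool freed;
    char payload[16];
};

static struct shared *shared_get(struct shared *s)
{
    s->refcnt++;                          /* wraps silently at 65536 */
    return s;
}

static void shared_put(struct shared *s)
{
    if (--s->refcnt == 0) {
        s->freed = true;                  /* stands in for kfree() */
        memset(s->payload, 0, sizeof s->payload);
    }
}

struct sock { struct shared *grp; bool inited; };

/* Buggy: takes the reference first and returns on error without dropping it.
 * 'fail' stands for whatever later check can fail (allocation, permissions). */
static int init_sock_leaky(struct sock *sk, struct shared *grp, bool fail)
{
    sk->grp = shared_get(grp);
    if (fail)
        return -1;                        /* BUG: reference taken above is leaked */
    sk->inited = true;
    return 0;
}

/* Fixed: the error path unwinds the get (the kernel's usual goto-unwind idiom). */
static int init_sock_fixed(struct sock *sk, struct shared *grp, bool fail)
{
    sk->grp = shared_get(grp);
    if (fail)
        goto out_put;
    sk->inited = true;
    return 0;
out_put:
    shared_put(sk->grp);
    sk->grp = NULL;
    return -1;
}

struct outcome { uint16_t refcnt; bool freed_under_holder; };

/* Runs 'attempts' failing initialisations through 'init' against an object that
 * one long-lived holder already references, then lets a short-lived user do a
 * normal get/put pair. Reports the final count and whether that put freed the
 * object out from under the long-lived holder. */
static struct outcome drive(int (*init)(struct sock *, struct shared *, bool),
                            unsigned long attempts)
{
    struct shared obj = { .refcnt = 1, .freed = false, .payload = "holder data" };
    struct sock sk;
    for (unsigned long i = 0; i < attempts; i++) {
        memset(&sk, 0, sizeof sk);
        (void)init(&sk, &obj, true);      /* every attempt fails */
    }
    struct shared *tmp = shared_get(&obj); /* short-lived, well-behaved user */
    shared_put(tmp);
    struct outcome o = { obj.refcnt, obj.freed };
    return o;
}

int main(void)
{
    struct outcome leaky = drive(init_sock_leaky, 65535);
    struct outcome fixed = drive(init_sock_fixed, 65535);
    printf("leaky: refcnt=%u freed-under-holder=%d\n",
           (unsigned)leaky.refcnt, (int)leaky.freed_under_holder);
    printf("fixed: refcnt=%u freed-under-holder=%d\n",
           (unsigned)fixed.refcnt, (int)fixed.freed_under_holder);
    return 0;
}
```

With the leaky routine, 65535 failed attempts take the count from 1 to 0; the short-lived user's get/put then brings it to 1 and back to 0, and the object is "freed" while the long-lived holder still points at it. With the fixed routine the count never leaves 1 between calls. The same arithmetic applies to a 32-bit atomic_t, only with about four billion attempts, which is still within reach of an unprivileged local user on a long-running system.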
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-13.10-Updates
mailing list