[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2226-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 27 10:19:24 PDT 2014


Synopsis: USN-2226-1 can now be patched using Ksplice
CVEs: CVE-2014-0077 CVE-2014-1737 CVE-2014-1738 CVE-2014-2580 CVE-2014-2851

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2226-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
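The two paths above (autoinstall hosts need nothing; everyone else runs uptrack-upgrade) can be checked from a script. The following is an added example, not part of this advisory or of Oracle's Ksplice tooling; it parses the "autoinstall" key from an uptrack.conf-style file (constructed sample files stand in for /etc/uptrack/uptrack.conf) and prints the action the notice asks for.

```shell
#!/bin/sh
# Added example, not from the Ksplice advisory or Oracle's tooling:
# decide whether a host will pick up these Ksplice updates on its own by
# reading the "autoinstall" key from an uptrack.conf-style file.

# uptrack_autoinstall_enabled CONF
# Prints "yes" when the last uncommented "autoinstall = ..." line says yes
# (case-insensitive), otherwise "no". A missing or unreadable file counts as "no".
uptrack_autoinstall_enabled() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo no
        return 0
    fi
    # Skip comment lines, tolerate whitespace around "=", ignore trailing comments.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$value" in
        [Yy][Ee][Ss]) echo yes ;;
        *)            echo no ;;
    esac
}

# ksplice_next_step CONF
# Prints the action the advisory asks for: nothing to do on autoinstall
# hosts, the manual upgrade command otherwise.
ksplice_next_step() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = yes ]; then
        echo "autoinstall: updates for USN-2226-1 will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (temporary files, not a real /etc/uptrack/uptrack.conf).
SAMPLE_AUTO=$(mktemp)
printf '%s\n' '# Ksplice Uptrack configuration' '[Uptrack]' \
    'autoinstall = yes  # apply updates as they ship' > "$SAMPLE_AUTO"
SAMPLE_MANUAL=$(mktemp)
printf '%s\n' '# autoinstall = yes' 'autoinstall=no' > "$SAMPLE_MANUAL"
trap 'rm -f "$SAMPLE_AUTO" "$SAMPLE_MANUAL"' EXIT

ksplice_next_step "$SAMPLE_AUTO"                # autoinstall: ...
ksplice_next_step "$SAMPLE_MANUAL"              # manual: ...
ksplice_next_step /nonexistent/uptrack.conf     # manual: ...
```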


DESCRIPTION

* CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.

The floppy driver would leak internal memory addresses to userspace,
and would allow unprivileged userspace code to overwrite those
addresses, allowing a local user to gain privileged code execution.


* Memory leak in SCTP stack on COOKIE ECHO error path.

A flaw in the SCTP stack's COOKIE ECHO handling when memory is
constrained could lead to a memory leak. A remote attacker could use this
flaw to exhaust the memory on the system and cause a denial-of-service.


* Denial-of-service in Bridge code on receiving malformed MFD queries.

A lack of input validation in the bridge code when handling MFD queries
could lead to multi-cast ports being shut down. A remote attacker could use
this flaw to cause a denial-of-service.


* Memory leak in TIPC code when sending a message on a closed connection.

Incorrect reference counting in the error path of tipc_conn_sendmsg() when
the connection is found to be closed could lead to a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Denial-of-service in IPv4 fragmentation code on evicting fragments.

A race condition in the IPv4 fragmentation code could lead to a kernel
crash under specific conditions. A local, privileged user could use this
flaw to cause a denial-of-service.


* Deadlock in Stochastic Fairness Queueing packet scheduling algorithm.

Incorrect locking in the Stochastic Fairness Queueing scheduling algorithm
could lead to a memory allocation which might sleep with interrupts
disabled, causing a deadlock.


* Deadlock in TCP stack on software checksum calculation.

A logic error in the TCP stack when the NIC has no support for RX checksum
could lead to a deadlock under specific conditions.


* NULL pointer dereference in VXLAN code when handling ARP requests.

A lack of input validation in the VXLAN code could lead to a NULL pointer
dereference when memory is constrained. A remote attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service in TIPC stack on failed subscriptions.

Incorrect locking in the TIPC stack could lead to a spinlock recursion and
denial-of-service. A remote authenticated attacker could use this flaw to
cause a denial-of-service.


* Memory leak in IP tunnel stack when dropping a multi-cast packet.

Incorrect reference counting in the IP tunnel code could lead to a memory
leak when dropping a multi-cast packet. A local, unprivileged user could
use this flaw to cause a denial-of-service by exhausting the host memory.


* Double-free in virtio-net on packet transmission.

Incorrect logic in the virtio-net driver could lead to a double-free under
specific circumstances. A local user could use this flaw to cause a kernel
crash or potentially escalate privileges.


* CVE-2014-0077: Kernel panic when receiving short packets in virtio networking.

Missing data validation when receiving truncated packets in the virtual networking
subsystem can cause the kernel to dereference an invalid pointer triggering a
kernel panic.


* Deadlocks in IPv6 stack when updating statistic counters.

Incorrect locking in various places in the IPv6 stack could lead to a
deadlock when updating statistic counters.


* CVE-2014-2580: Denial-of-service in Xen backend network driver.

Invalid locking in the Xen backend network driver can trigger a deadlock and
kernel panic when receiving malformed packets.


* Memory corruption in ISDN loop driver.

A lack of input validation in various places of the ISDN loop driver could
lead to out of bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* Denial-of-service in TTY subsystem when using low_latency.

Incorrect locking in the TTY subsystem could lead to a deadlock. A local,
unprivileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in PID namespaces.

The kernel does not validate a pointer when looking up a PID namespace for a
given process which leads to a NULL pointer dereference and kernel panic.


* Denial-of-service in XFS directory lookup.

The XFS file-system driver incorrectly hashes directory entries when listing a
directory, causing directory entries to be hidden. A local, unprivileged user
can use this flaw to force the file-system to be remounted read-only.


* Deadlock in nested btrfs transactions.

Invalid reference counting when handling nested btrfs transactions can lead to
a deadlock and kernel panic.


* Data corruption in ext4 extents lookup.

The ext4 file-system driver does not validate a return value when mapping
extent-based files, leading to possible data corruption.


* Data corruption in ext4 when handling partial clusters.

Data corruption can be triggered on ext4 bigalloc filesystems by punching holes
in files with partial clusters.


* Data corruption when deleting sparse files on ext4 filesystem.

The ext4 file-system driver does not correctly handle deleting sparse files on
ext4 bigalloc file-systems leading to data corruption.


* Memory corruption when creating large files on jffs2 images.

An integer overflow in the jffs2 file-system driver when calculating the size
of a large file can trigger kernel memory corruption and kernel panic.


* Use-after-free in jffs2 garbage collection.

A logic error can cause a use-after-free and kernel panic when reserving space
on a jffs2 file-system.


* Denial-of-service when exiting processes.

A race condition when a process is exiting can lead to a process not releasing
kernel resources. A local unprivileged user could use this flaw to exhaust
kernel resources and cause a kernel panic.


* NULL pointer dereference when exiting a process.

Kernel networking resources are released in the incorrect order when exiting a
process, leading to a possible NULL pointer dereference and kernel panic.


* CVE-2014-2851: Integer overflow when initializing a ping socket.

Incorrect reference counting in the error path of ping_init_sock() leads to
a memory leak and could result in a reference-count integer overflow and
use-after-free. A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.