[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-39.66)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Oct 30 10:56:13 PDT 2014


Synopsis: 3.13.0-39.66 can now be patched using Ksplice
CVEs: CVE-2014-3182 CVE-2014-3611 CVE-2014-3646 CVE-2014-3647 CVE-2014-7145

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-39.66.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
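As an added example (not Oracle's own tooling), the following POSIX shell script encodes the decision the two paragraphs above describe: it checks whether uptrack.conf has an uncommented "autoinstall = yes" line and, if it does not, runs the manual upgrade command. It assumes the "key = value" line format the advisory quotes; the variable names and the two function names are this example's own, and the upgrade command can be overridden through UPTRACK_UPGRADE for dry runs.

```shell
#!/bin/sh
# Decide from uptrack.conf whether a manual "uptrack-upgrade -y" is needed.
# Added example, not part of Ksplice Uptrack; paths below are the ones the
# advisory names and can be overridden from the environment.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
UPTRACK_UPGRADE="${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}"

# Return 0 if the given config file enables autoinstall.
# Only an uncommented "autoinstall = yes" line counts: "# autoinstall = yes"
# and "autoinstall = no" both leave autoinstall off. Whitespace-tolerant and
# case-insensitive on the value. An unreadable or missing file counts as off.
uptrack_autoinstall_enabled() {
    conf="${1:-$UPTRACK_CONF}"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Apply pending updates only when autoinstall is off. Reports the decision on
# stdout and returns the upgrade command's exit status, or 0 when Uptrack will
# handle the updates by itself.
uptrack_apply_if_needed() {
    conf="${1:-$UPTRACK_CONF}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall is on in $conf; Uptrack will install the updates itself"
        return 0
    fi
    echo "autoinstall is off or unset in $conf; running: $UPTRACK_UPGRADE -y"
    "$UPTRACK_UPGRADE" -y
}
```

Run it as root with no arguments to act on the real /etc/uptrack/uptrack.conf, or pass an alternate config path as the first argument; set UPTRACK_UPGRADE=true to see the decision without invoking uptrack-upgrade.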


DESCRIPTION

* Use-after-free in AMD IOMMU mass device removal.

Incomplete cleanup during mass device removal in the AMD IOMMU
driver could result in a use-after-free.


* CVE-2014-7145: NULL pointer dereference in CIFS SMB2 error handling.

Incorrect error handling in the CIFS SMB2 client code could result in
a NULL pointer dereference and kernel panic. A malicious or compromised
SMB2 server could trigger this against a client that mounts it.


* CVE-2014-3182: Out-of-bounds read in the HID Logitech Unifying driver.

The Logitech Unifying receiver full-support driver (hid-logitech-dj)
does not validate the device_index field of an incoming HID report
before using it as an array index, so a device that supplies a crafted
report with an arbitrary device_index can trigger an out-of-bounds read.

A malicious user with physical access to the system (for example by
plugging in a crafted USB device) could use this flaw to crash the
system, resulting in a denial-of-service.
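The flaw is the classic unchecked array index taken from device-supplied input. The following user-space C model, added here as an illustration and not the kernel's hid-logitech-dj code, shows the raw-event handler in its vulnerable shape next to the hardened one. The struct layout, the paired-device slot range 1..6, and the DJ_* constant and function names are assumptions modelled on the driver's conventions; the receiver state and the reports are constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed slot range for paired devices (modelled on the driver). */
#define DJ_DEVICE_INDEX_MIN    1
#define DJ_DEVICE_INDEX_MAX    6
#define DJ_MAX_PAIRED_DEVICES  6

/* Assumed layout of a short DJ report as received from the receiver. */
struct dj_report {
    uint8_t report_id;
    uint8_t device_index;      /* which paired device the report is about */
    uint8_t report_type;
    uint8_t report_params[12];
};

struct dj_device {
    bool present;              /* a device is paired in this slot */
    unsigned events_seen;
};

struct dj_receiver {
    /* Slot 0 is unused; slots 1..6 hold paired devices. */
    struct dj_device paired[DJ_MAX_PAIRED_DEVICES + 1];
};

enum dj_result {
    DJ_DISPATCHED,      /* report forwarded to the paired device */
    DJ_NO_DEVICE,       /* index in range, but no device paired there */
    DJ_REJECTED_INDEX   /* index outside the valid range: report dropped */
};

/*
 * Vulnerable shape: the untrusted index from the report is used as an
 * array subscript with no range check. A report carrying device_index 200
 * reads 200 * sizeof(struct dj_device) bytes past the end of the array.
 * Kept for contrast only; nothing in this example calls it.
 */
enum dj_result dj_raw_event_unchecked(struct dj_receiver *rcv,
                                      const struct dj_report *rep)
{
    struct dj_device *dev = &rcv->paired[rep->device_index];   /* OOB */
    if (!dev->present)
        return DJ_NO_DEVICE;
    dev->events_seen++;
    return DJ_DISPATCHED;
}

/* The check the fix adds: refuse any index outside the paired-device range. */
bool dj_device_index_valid(uint8_t device_index)
{
    return device_index >= DJ_DEVICE_INDEX_MIN &&
           device_index <= DJ_DEVICE_INDEX_MAX;
}

/* Hardened handler: validate before indexing, and drop bad reports. */
enum dj_result dj_raw_event(struct dj_receiver *rcv,
                            const struct dj_report *rep)
{
    if (!dj_device_index_valid(rep->device_index)) {
        fprintf(stderr, "dj: dropping report with bad device_index %u\n",
                (unsigned)rep->device_index);
        return DJ_REJECTED_INDEX;
    }
    struct dj_device *dev = &rcv->paired[rep->device_index];
    if (!dev->present)
        return DJ_NO_DEVICE;
    dev->events_seen++;
    return DJ_DISPATCHED;
}

/*
 * Demonstration helper: a constructed receiver with one device paired in
 * slot 3, fed a constructed report carrying the given device_index.
 */
enum dj_result dj_handle_index(uint8_t device_index)
{
    struct dj_receiver rcv;
    struct dj_report rep;

    memset(&rcv, 0, sizeof(rcv));
    rcv.paired[3].present = true;

    memset(&rep, 0, sizeof(rep));
    rep.device_index = device_index;

    return dj_raw_event(&rcv, &rep);
}

int main(void)
{
    static const uint8_t probes[] = { 3, 2, 0, 7, 200, 255 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("device_index %3u -> %d\n",
               (unsigned)probes[i], dj_handle_index(probes[i]));
    return 0;
}
```

The point to take from the model is where the check sits: it runs on the raw byte before any pointer arithmetic, and a rejected report is dropped rather than clamped, since clamping a hostile index would silently misattribute the report to another paired device.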


* Buffer overflow in ALSA line accessor.

An off-by-one error in the ALSA subsystem's line accessor could result
in access beyond the end of a buffer, corrupting memory.


* Possible incorrect permissions in NFSv4 close with delegation.

The NFSv4 check for read/write, read-only, or write-only share mode
is incorrect in the presence of delegations. This could lead to a
close being performed with the wrong state flags.


* Buffer overflows in USB serial probes.

A failure to verify the number of ports and/or endpoints in the USB
serial probe code could lead to writing past the end of a fixed-size
array, causing heap and/or stack overflows. A malicious user, for
example with a crafted USB device, could exploit this to cause a
denial of service.


* Data corruption in ext4 inode disksize.

Incorrect error handling in ext4 block allocation could leave an
inode with an invalid on-disk size (disksize). An attacker could use
this to cause a denial-of-service.


* Denial-of-service in jbd2 on corrupt journal recovery.

When the jbd2 code encounters a corrupt journal block during
journal recovery, it enters an infinite loop. An attacker who can
present a filesystem with a crafted journal for mounting could
exploit this flaw to cause a denial-of-service.


* Data corruption in XFS when extending EOF.

Incorrect dirty-buffer handling in XFS could result in data
corruption when one process extends the end of file (EOF) while
another process writes to the same file via direct I/O.
A malicious user could use this to cause a denial-of-service.


* XFS page cache corruption with O_DIRECT operations.

XFS reads and writes with O_DIRECT can zero out partial ranges of a page
in the page cache. Such a page can remain cached, causing subsequent
buffered reads to return zeros instead of the file's actual content.


* Use-after-free in keyring associative array garbage collection.

The keyring garbage collector used a data structure after it could
already have been freed, leading to a use-after-free and a potential
kernel panic.


* CVE-2014-3611: Denial-of-service in KVM emulated programmable interval timer.

A race condition caused by incorrect locking in the KVM emulated
programmable interval timer (PIT) could crash the host kernel under
specific conditions. A guest user with access to the PIT I/O ports
could use this flaw to crash the host, causing a denial-of-service
for every guest running on it.


* CVE-2014-3646: KVM guest denial-of-service when using the invvpid instruction.

The KVM host does not gracefully handle a guest executing the invvpid
instruction: the resulting VM exit has no handler, so no proper error
code is propagated to userspace. A local, unprivileged guest user could
use this flaw to crash the KVM guest VM and cause a denial-of-service.


* CVE-2014-3647: Denial-of-service in guest KVM when changing RIP to a non-canonical address.

A flaw in the KVM instruction emulator mishandles non-canonical addresses
when emulating instructions that change the instruction pointer (RIP),
potentially causing a failed VM-entry. A privileged guest user could use
this flaw to crash the guest, causing a denial-of-service in that guest.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


