[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2716-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 18 12:16:38 PDT 2015


Synopsis: USN-2716-1 can now be patched using Ksplice
CVEs: CVE-2015-3212

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2716-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
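The two installation paths above depend on one setting in /etc/uptrack/uptrack.conf. The following POSIX shell snippet is an added example, not part of the Ksplice announcement: it reads that setting and only runs the manual upgrade when autoinstall is off, so it can be dropped into a fleet-wide check. The function names and the config-file argument are this example's own; the config path and the upgrade command are the ones given above.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether a host
# still needs a manual `uptrack-upgrade -y`, based on the autoinstall
# setting in /etc/uptrack/uptrack.conf described above.

# uptrack_autoinstall_enabled [FILE]
# Returns 0 if FILE (default /etc/uptrack/uptrack.conf) contains an active,
# uncommented "autoinstall = yes" line, 1 otherwise. Whitespace around "="
# is tolerated; lines starting with "#" never match because the pattern is
# anchored at the key. If the key appears more than once, the last
# occurrence wins, as is usual for ini-style files.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    [ "$value" = "yes" ]
}

# apply_ksplice_updates [FILE]
# Runs the manual upgrade only when autoinstall is not enabled, and says
# which path was taken so the decision can be logged.
apply_ksplice_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall enabled in $conf; Uptrack will apply USN-2716-1 on its own"
        return 0
    fi
    echo "autoinstall not enabled in $conf; applying updates now"
    /usr/sbin/uptrack-upgrade -y
}

# Usage on a real host (needs root for uptrack-upgrade):
#   apply_ksplice_updates
```

The parser deliberately matches only an uncommented `autoinstall` key at the start of a line, so a commented-out `# autoinstall = yes` left behind by an earlier configuration does not count as enabled.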


DESCRIPTION

* Denial-of-service in SonicBlue Optimized MPEG File System mounting.

Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.


* Denial-of-service in userspace string handling.

An incorrect length check could result in accessing beyond a
validated buffer.  A local, unprivileged user could use this flaw to
crash the kernel in specific conditions.


* Information leak in CFG80211 WiFi extension.

Failure to zero a stack-allocated structure used for statistics in the
CFG80211 WiFi extension could result in information leaks from one device
to another.  A local, unprivileged user could use this flaw to gain
knowledge about network traffic on other devices.


* Kernel hang in generic block driver.

The generic block driver was calling a function not intended to run in both
interrupt and process context. In certain cases, this could lead to the
kernel hanging.


* Infinite loop when bridging IGMP traffic.

Incorrect reference counting in the network bridge subsystem can trigger
an infinite loop when processing IGMP traffic, causing further bridged
network traffic to be dropped.


* Memory corruption in SUNRPC sockets during reconnect.

Incorrect ordering of transport reset could result in incorrect locking
and memory corruption when reconnecting a SUNRPC socket.


* CVE-2015-3212: Denial-of-service when processing SCTP ASCONF packets.

Incorrect locking in the SCTP subsystem can trigger memory corruption
and a kernel panic when processing ASCONF packets.


* Use-after-free in network bridging when changing ports.

Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.


* Denial of service in networking packet fanout.

Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.


* Kernel panic in networking round-robin packet fanout.

Incorrect synchronization can trigger an out-of-bound read and kernel
panic when a userspace process uses the PACKET_FANOUT_LB socket option.


* Denial of service when processing OOTB SCTP packets.

A race condition between processing 'out-of-the-blue' (OOTB) packets and
removing an SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.


* Use-after-free in SPI transfers.

Missing locking could result in a use-after-free condition when
finalizing a transfer.


* Use-after-free in MTD block device.

Missing locking could result in a use-after-free when accessing an MTD
block device.  A local user with access to the MTD device could use this
flaw to crash the system.


* Remote privilege escalation in RealTek RTL8712U USB driver.

Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet.  A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.


* NULL pointer dereference in VIA VT6655 packet reception.

A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.


* Stack buffer overflow in regulator device registration.

Insufficient buffer sizing could result in a stack buffer overflow when
registering a regulator device.


* Kernel crash in ext4 during truncate and write race.

Incorrect locking could result in a kernel crash when threads raced
between writing a journaled page and truncation.


* NULL pointer dereference in Amateur Radio ROSE protocol.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when killing a ROSE device.


* Privilege escalation when writing to setuid files.

A logic error in the file I/O subsystem can cause the setuid bit to be
set on world-writable files when root modifies a file. This could allow
unprivileged users to elevate privileges by modifying a setuid file.
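Until the fix above is applied, a host may already carry files that are both world-writable and setuid, which is the condition the bug creates. The following POSIX shell snippet is an added example, not part of the Ksplice announcement: it audits a filesystem for exactly that combination so an administrator can find and inspect such files. The function names are this example's own; the permission bits are standard Unix mode bits.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): audit for the
# setuid-on-world-writable condition described above. A regular file that
# is both setuid (04000) and writable by others (00002) can be rewritten by
# any local user and then executed with its owner's privileges, so a
# defender wants an empty result from this scan.

# find_world_writable_setuid DIR...
# Prints every regular file under the given directories whose mode has
# both the setuid bit and the other-write bit set. "-perm -4002" requires
# both bits (other bits may also be set); -xdev keeps each scan on the
# filesystem of its starting directory so network mounts are not walked.
find_world_writable_setuid() {
    find "$@" -xdev -type f -perm -4002 -print 2>/dev/null
}

# count_world_writable_setuid DIR...
# The same scan reduced to a single number, suitable for a monitoring
# check that alerts on anything other than 0.
count_world_writable_setuid() {
    find_world_writable_setuid "$@" | wc -l | tr -d ' '
}

# Usage on a real host (run as root so every directory is readable):
#   find_world_writable_setuid /
#   count_world_writable_setuid /usr /bin /sbin
```

Files the scan reports should be inspected before anything is changed: a world-writable setuid binary that was legitimately setuid may have been modified, so compare it against the owning package before simply clearing the bits.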


* Filesystem corruption on Plan 9 9p filesystem during abort.

Aborted transactions were incorrectly handled, resulting in corruption of
future requests.  This could corrupt the filesystem or provide incorrect
data to applications.


* Information leak in syslog with security modules.

Incorrect ordering could cause do_syslog() to fail to call the security
hooks for syslog allowing an unprivileged user to access the syslog
without the required permissions.


* Multiple privilege escalations in DVB frontends.

Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out-of-bounds access could result in a kernel crash or potentially
escalate privileges.


* Use-after-free when updating networking neighbors.

Incorrect locking in the generic networking subsystem can trigger a
use-after-free condition when updating stale network neighbor
information. This flaw can trigger kernel memory corruption.


* Kernel crash in TCP fastopen connection.

Incorrect memory allocation flags could cause an assertion to fail when
connecting a fastopen socket, resulting in a kernel crash.


* Kernel stack information leak in IEEE 802.15.4 LR-WPAN datagrams.

Missing stack structure initialization could result in leaking between 4
and 10 bytes of kernel stack contents to userspace when receiving a
datagram from an LR-WPAN socket.  A local, unprivileged user could use
this flaw to leak contents of the kernel stack.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
