[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2516-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Sat Feb 28 10:05:00 PST 2015


Synopsis: USN-2516-1 can now be patched using Ksplice
CVEs: CVE-2014-8133 CVE-2014-8160 CVE-2014-8989 CVE-2014-9419 CVE-2014-9420 CVE-2014-9428 CVE-2014-9529 CVE-2014-9584 CVE-2014-9585 CVE-2015-0239

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2516-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
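The following script is an added example, not part of the Ksplice notice: it reads the ini-style /etc/uptrack/uptrack.conf the notice refers to, decides whether a host will pick up this update on its own (autoinstall = yes) or needs a manual uptrack-upgrade, and exercises both cases on constructed sample config files.

```shell
#!/bin/sh
# Added example (not from the Ksplice notice). Assumes the ini-style
# /etc/uptrack/uptrack.conf layout, with "autoinstall = yes" as the setting
# that enables unattended installation of Ksplice updates.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Comment lines (# or ;) are ignored, the last matching key wins as in
# typical ini parsers, and the value comparison is case-insensitive.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# Print the action an operator should take for this host.
plan_ksplice_update() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: USN-2516-1 patches will be applied automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs for demonstration (not real host files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/auto.conf" <<'EOF'
[Uptrack]
# This host applies Ksplice updates as they are released
autoinstall = yes
EOF
cat > "$demo_dir/manual.conf" <<'EOF'
[Uptrack]
; autoinstall = yes   (commented out, so manual upgrades only)
autoinstall = no
EOF

plan_ksplice_update "$demo_dir/auto.conf"
plan_ksplice_update "$demo_dir/manual.conf"
```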


DESCRIPTION

* CVE-2015-0239: Privilege escalation in KVM sysenter emulation.

The KVM emulation of the sysenter instruction does not validate 16-bit
code segments which can allow a local attacker to potentially elevate
privileges.


* CVE-2014-8133: Information leak in thread area of 32-bit KVM guests.

The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.


* CVE-2014-9419: Address leak on context switch bypasses ASLR.

A flaw in the context switch code could lead to leaking another thread's
local storage area.  A local, unprivileged user could use this flaw to gain
information about another process's address space mappings and bypass address
space layout randomization.


* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* CVE-2014-9428: Remote denial-of-service in BATMAN routing protocol.

A flaw in the fragmentation code of the BATMAN routing protocol driver
could lead to a denial-of-service. A remote attacker could trigger this flaw
to cause a denial-of-service.


* CVE-2014-9529: Use-after-free when garbage collecting keys.

A logic error when garbage collecting cryptographic keys leads to a
use-after-free and kernel panic. A local user could use this flaw to crash
the kernel and cause a denial-of-service.


* CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.

A missing input validation when printing ER records on the iso9660 driver
could lead to an out-of-bounds memory write, potentially leading to a
kernel panic.  A local attacker could use a corrupted ISO file to cause a
denial-of-service.


* CVE-2014-9585: Address space layout randomization bypass for VDSO address.

A flaw in the VDSO code loader leads to a 50% chance of having the VDSO
address placed at the end of a PMD. This could allow an attacker to bypass
ASLR protections more easily.


* CVE-2014-8160: iptables rules bypass when the protocol module is not loaded.

A flaw in the generic conntrack sub-system allows protocols that do not
have a protocol handler kernel module loaded to pass through the iptables
firewall even if explicitly denied by rule.


* Data loss on Btrfs on concurrent fsync() on different sub-volumes.

A lack of synchronization between two concurrent fsync() operations on
different sub-volumes leads to data loss.


* Data corruption in Btrfs when un-pinning from the extent cache.

A logic error in the Btrfs driver when un-pinning from the extent cache
causes some checksums not to be re-written on disk, leading to data
corruption under certain circumstances.


* Use-after-free in NFSv4 when getting a layout header.

Incorrect reference counting in the NFSv4 code when releasing a layout could
cause a use-after-free and kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* Use-after-free in USB Video Class driver when removing a device.

Incorrect ordering when removing the sysfs device while disconnecting a webcam
leads to a use-after-free and potentially a kernel panic.


* Out-of-bounds memory write in eCryptfs when decoding a file name.

A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic.  A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.


* Leak of sensitive cryptographic materials in Multiple Devices driver.

A lack of cleaning up temporary cryptographic materials on the stack could
potentially allow an attacker to gain sensitive cryptographic information.


* Denial-of-service when using a forced umount() from a namespace.

A forced umount() affects the underlying superblock and not just the mount
namespace, so it should be restricted to the global root user.  A privileged
user in a user namespace could force the shutdown of a superblock in a more
privileged mount namespace, leading to a denial-of-service.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic
when registering a new key.  A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in thermal initialization error path.

Wrong ordering when releasing resources in the thermal management
initialization function leads to a use-after-free and kernel panic.


* Memory leak of process namespace on child_reaper concurrent exit.

Incorrect reference counting in the pid namespace code could prevent a
namespace from being released, causing a memory leak.  A local user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Use-after-free when reading from /proc/interrupts.

A lack of proper synchronization between the generic IRQ subsystem when
releasing an interrupt descriptor and reading the interrupt descriptor from
/proc/interrupts could lead to a use-after-free and potentially kernel
crash.


* Memory leak in mac80211 when freeing management frame keys.

A logic error in the mac80211 driver when releasing station management keys
causes two management keys not to be released, leading to a memory leak.  A
local user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Use-after-free in umount when appending to an existing unmounted list.

A logic error when unmounting leaves a released mount point in the unmounted
list, causing a kernel panic later when this released mount point is
accessed.  A local user could use this flaw to cause a denial-of-service.


* Cluster deadlock during journal commit in OCFS2 filesystem.

Under certain circumstances, incorrect lock ordering could cause a
deadlock if one thread handles a buffer write at the same time as the
journal commit thread attempts to flush the buffer. If this happens,
the whole cluster will hang.


* Kernel BUG when cloning btrfs volume with split extents.

A logic error in the way certain inline extents are cloned could
trigger an assertion failure and cause the kernel to crash.


* Memory leak in cfg80211 when processing an already set driver hint.

Lack of verification that a driver hint is already set in the cfg80211
stack leads to a memory leak. A local, privileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* CVE-2014-8989: Group based restrictions bypass in user namespace.

A flaw in the user namespace subsystem could lead to a potential Unix group
privilege escalation when un-sharing parts of a process execution context.
An attacker could use this flaw to gain extra Unix group privileges on a
system.


* Kernel BUG when setting VXLAN tunnel.

A logic error that can occur when a user attempts to tunnel through a
firewall may trigger an assertion failure and cause the kernel to crash.


* Denial of service in Xen netfront when processing highly fragmented packets.

The Xen netfront driver does not correctly process highly fragmented
packets, which can cause malformed data to be passed to the host netback
driver, which will then disable the network interface.


* Incorrect MAC headers inside of a GRE tunnel.

An out-of-order operation may cause certain MAC headers to be wrong
when transmitting within the context of an NBMA tunnel.


* Enhanced security context check during packet normalization.

A missing initialization during the normalization process may
cause security contexts to be inherited across firewall tunnels.


* Disallow changing of memory mapped netlink message payloads.

An insufficient check may allow a user to change the content of an
already sent message. This allows an unprivileged local user to
potentially elevate privileges.


* Inhibit operation reordering on memory mapped netlink frames.

A faulty status check on a netlink memory-mapped frame may allow
load and store operations to be reordered or changed, possibly causing
memory corruption.


* Memory corruption when expanding hard drive partition table.

A missing overflow check may allow a user to read and possibly write
data past the end of a kernel memory buffer causing memory corruption.


* Btrfs filesystem corruption on aborted transactions.

Filesystem corruption may occur when a certain order of transactions
occurs and the underlying device supports discarded transactions.


* Kernel BUG when using uncore event collection.

During event collection, a missing check may allow uncore to access
foreign events that can cause the kernel to crash.


* Performance monitoring unit breakpoint triggering when changing CPU affinity.

Under certain circumstances hardware breakpoints may be triggered
when changing CPU affinity during uncore event collections.


* Buffer overflow in HID device initialisation.

A missing check may allow a buffer overflow inside the kernel that can
occur when a HID device is inside of an IRQ callback.


* TCP segmentation offload transmission queue overflow.

In certain instances, existing queued packets may appear to be unacknowledged
and may not be removed from the transmission queue, possibly causing a
denial of service.


* Deadlock when renaming and deleting concurrently.

Incorrect locking in the filesystem subsystem can trigger a deadlock and
kernel panic when renaming files in a directory while concurrently
deleting files in the same directory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
