[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2663-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 7 05:12:50 PDT 2015


Synopsis: USN-2663-1 can now be patched using Ksplice
CVEs: CVE-2014-9710 CVE-2015-1420 CVE-2015-4001 CVE-2015-4002 CVE-2015-4003 CVE-2015-4167 CVE-2015-5364 CVE-2015-5366

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2663-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
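
To check which of the two cases above applies to a host, the following added example (not part of the Ksplice announcement) reads the autoinstall setting from the configuration file. It assumes "key = value" lines with "#" comments, that the last assignment wins, and that only the value "yes" enables automatic installation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: will this host apply Ksplice updates on its own?
# Assumed format: "key = value" lines, "#" comments, last assignment wins.

# Print the effective (lower-cased) autoinstall value; status 2 if unreadable.
uptrack_autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*autoinstall[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)       # keep the text after "="
            sub(/[ \t\r]+$/, "", val)           # trim trailing blanks
            found = tolower(val)
        }
        END { if (found != "") print found }
    ' "$conf"
}

# Status 0: autoinstall is "yes"; 1: anything else; 2: file unreadable.
uptrack_autoinstall_enabled() {
    val=$(uptrack_autoinstall_value "$1") || return 2
    [ "$val" = "yes" ]
}

# Tell the operator whether the manual command from the announcement is needed.
uptrack_report() {
    conf=$1
    if uptrack_autoinstall_enabled "$conf"; then
        echo "$conf: autoinstall = yes, updates install automatically"
    elif [ -r "$conf" ]; then
        echo "$conf: autoinstall is off, run: /usr/sbin/uptrack-upgrade -y"
    else
        echo "$conf: not readable, cannot tell"
    fi
}

uptrack_report "${1:-/etc/uptrack/uptrack.conf}"
```

A commented-out "# autoinstall = yes" line counts as off, which is the case most likely to be misread when checking the file by eye.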

NOTE

The update titled "Kernel hang on UDP flood with wrong checksums."
has been assigned CVE-2015-5364 and CVE-2015-5366.  It was not part
of the officially released kernel, but we felt that it was important to
ship this update early, before distributions released kernels,
because our audit showed that we have a large number of customers
affected by this issue.

DESCRIPTION

* CVE-2014-9710: Privilege escalation in Btrfs when replacing extended attributes.

Incorrect locking in Btrfs when replacing file extended attributes leads to
a race condition in which the ACL settings are inconsistent with the
requested replacement.  A local, unprivileged user could use this flaw to
bypass the intended ACL and potentially elevate privileges.


* CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.

Due to a race condition in the name_to_handle_at() system call, it is
possible for userspace to change the length of the buffer read by the
kernel after it has been allocated. This could lead to a buffer
overflow. A local user with CAP_DAC_READ_SEARCH privileges could
potentially use this to cause denial of service or possibly escalate
their privileges.


* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.

The oz_usb_handle_ep_data() function in the ozwpan driver could allow
remote attackers to cause a divide-by-zero via a crafted packet.


* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.

Lack of input validation and incorrect uses of signed types in the ozwpan
driver could lead to a heap overflow.  A remote attacker could use these
flaws via a crafted packet to cause a denial-of-service or potentially gain
code execution.


* Infinite loop in USB CDC class driver when parsing CDC headers.

Lack of input validation in the USB CDC class driver could lead to an
infinite loop when parsing CDC headers.  A local attacker with physical
access could use a crafted USB device to cause a denial-of-service.


* Data loss when mounting btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard', the btrfs driver may
overwrite filesystem metadata, causing data loss.


* Memory leak in HyperV virtual storage driver.

The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest, causing a kernel memory leak in the
host.


* Denial of service in btrfs IOC_FILE_EXTENT_SAME ioctl.

Attempting to query the extents of a file on a btrfs volume can trigger
an infinite loop and kernel panic. A local user could use this flaw to
cause a denial of service.


* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.


* Memory corruption when resolving symlink target.

A reference counting error when opening a symlink which crosses a
mountpoint can trigger a use-after-free condition and kernel panic.


* Kernel panic when chowning files on NFS mount.

Under specific circumstances chowning a file on an NFS mount can trigger
an assertion failure and cause a kernel panic.


* Filesystem corruption with ext4 delayed extents.

Incorrect handling of unwritten and delayed extents could result in
filesystem corruption.  A local, unprivileged user could use this flaw
to zero parts of files under specific conditions.


* CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.

The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes, which can trigger kernel
memory corruption and a kernel panic.


* Kernel hang on UDP flood with wrong checksums.

A flaw in the UDP handling of wrong checksums could lead to a kernel hang
under a UDP flood attack.  A remote attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


