[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-77.121)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Feb 1 18:57:01 PST 2016


Synopsis: 3.13.0-77.121 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-77.121.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
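The following script is added here as an example and is not part of Oracle's Ksplice tooling. It automates the decision above: it takes the effective kernel version from uptrack-uname -r (Ksplice's uname wrapper, which reports the version the live-patched kernel is equivalent to; it falls back to uname -r when the wrapper is missing), compares it with the 3.13.0-77 ABI named in the synopsis, and reads the autoinstall setting from /etc/uptrack/uptrack.conf. The TARGET_KERNEL constant, the helper names and the choice to compare only the shared major.minor.patch-abi prefix (uname -r prints "3.13.0-77-generic", the advisory prints "3.13.0-77.121") are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's Ksplice tooling): decide whether a Trusty host
# still needs the 3.13.0-77.121 update and whether Uptrack will fetch it itself.
# Assumes uptrack-uname (reports the effective kernel version after Ksplice
# patches) and /etc/uptrack/uptrack.conf as described in the advisory.

TARGET_KERNEL="3.13.0-77.121"     # version string from the advisory synopsis

# abi_of VERSION -> "major.minor.patch-abi" with the flavour ("-generic") or
# the upload number (".121") stripped, so uname output and the advisory's
# version string are compared on the part they share.
abi_of() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# cmp_num A B -> prints -1, 0 or 1 for A < B, A == B, A > B
cmp_num() {
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1
    elif [ "$1" -gt "$2" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# kernel_at_least RUNNING TARGET -> exit 0 when RUNNING's ABI is at or past
# TARGET's ABI, 1 when it is older, 2 when either string is unparseable.
kernel_at_least() {
    r=$(abi_of "$1"); t=$(abi_of "$2")
    if [ -z "$r" ] || [ -z "$t" ]; then return 2; fi
    # split both "a.b.c-d" strings into eight numeric fields
    set -- $(printf '%s %s\n' "$r" "$t" | sed 's/[.-]/ /g')
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        case $(cmp_num $pair) in
            -1) return 1 ;;
             1) return 0 ;;
        esac
    done
    return 0
}

# autoinstall_enabled CONF -> exit 0 when CONF contains "autoinstall = yes"
# (whitespace around "=" optional, comment lines ignored).
autoinstall_enabled() {
    [ -r "$1" ] &&
        grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

main() {
    # uptrack-uname reports the effective version; fall back to plain uname
    running=$(uptrack-uname -r 2>/dev/null || uname -r)
    if kernel_at_least "$running" "$TARGET_KERNEL"; then
        echo "effective kernel $running is already at or past $TARGET_KERNEL"
    elif autoinstall_enabled /etc/uptrack/uptrack.conf; then
        echo "kernel $running is older; autoinstall is on, Uptrack will apply the update itself"
    else
        echo "kernel $running is older; run: /usr/sbin/uptrack-upgrade -y"
    fi
}

main "$@"
```

The version comparison deliberately stops at the ABI number: a host already on a later ABI (for instance after a reboot into 3.13.0-78) does not need this particular Ksplice update, while a host on 3.13.0-76 does, whatever its upload number.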


DESCRIPTION

* Out-of-bounds memory access in infra-red driver.

Incrementing a pointer instead of the value it points to in the infra-red
driver could lead to an out-of-bounds memory access.  A local user could use
this flaw to cause a denial-of-service.


* Information leak in RDS over TCP.

In low memory situations, an incoming RDS datagram may get corrupted and
potentially leak sensitive information to the userspace program receiving
the datagram.


* Kernel BUG in IP multicast routing.

Due to a race condition when updating network device statistics for IP
multicast routing, a malicious local user may in rare circumstances be
able to cause a kernel crash.


* NULL pointer dereference when destroying TCP or ICMP sockets.

A missing NULL pointer check when releasing a TCP or ICMP socket could lead
to a NULL pointer dereference and kernel panic under low memory.  A local
user could use this flaw to cause a denial-of-service.


* Use-after-free in the network destination cache.

A logic error could cause a use-after-free when releasing a network
destination cache object.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* Information leak in HID core when connecting device.

In certain circumstances, connecting a HID device could cause an
uninitialised buffer to be printed to the kernel log. A malicious
local user with the ability to connect devices could use this to
obtain sensitive information from the kernel.


* Information leak in procfs wchan field.

The wchan field in the proc filesystem exposes absolute kernel addresses,
giving away the address space layout randomization offset.  An attacker can
use this information to facilitate other attacks.
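A quick way to tell whether a running kernel still exposes the raw address is to read /proc/PID/wchan for every process. The script below is an added example, not code from the advisory or the kernel. It assumes the behaviour of the upstream fix: with the address hidden, wchan reads as a symbol name (for example do_wait) or 0 when the symbol cannot be resolved or the reader may not ptrace the task, while the unfixed code printed the bare address as a decimal number. The helper names and the "at least eight hex characters" heuristic for telling an address from a symbol name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel): flag processes whose
# /proc/PID/wchan shows a raw kernel address instead of a symbol name.
# Assumption: a kernel that hides the address prints a symbol name or "0";
# the unfixed code printed the absolute address as a plain number.

# wchan_leaks_address VALUE -> exit 0 if VALUE looks like a raw address
# (decimal as the old "%lu" output, or hex with or without "0x"), 1 otherwise.
wchan_leaks_address() {
    case "$1" in
        ""|0)          return 1 ;;   # hidden, or the task is not waiting
        *[!0-9a-fx]*)  return 1 ;;   # contains characters no number would
    esac
    # a symbol name made only of hex letters is unlikely to be this long
    [ "${#1}" -ge 8 ]
}

# scan_wchan -> prints "PID VALUE" for each process whose wchan leaks an
# address; exit 0 if any did, 1 if none (or /proc is unavailable).
scan_wchan() {
    found=1
    for f in /proc/[0-9]*/wchan; do
        [ -r "$f" ] || continue
        v=$(cat "$f" 2>/dev/null) || continue
        if wchan_leaks_address "$v"; then
            pid=${f#/proc/}; pid=${pid%/wchan}
            printf '%s %s\n' "$pid" "$v"
            found=0
        fi
    done
    return $found
}

if scan_wchan; then
    echo "wchan exposes kernel addresses: this kernel still needs the fix"
else
    echo "no raw addresses found in /proc/*/wchan"
fi
```

Run it as an unprivileged user: that is the viewpoint that matters, since the fix also withholds the value from readers who could not ptrace the target task.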


* Use-after-free in the ext4 filesystem when stopping journaling.

A flaw in the ext4 filesystem when stopping journaling leads to a
use-after-free.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Data corruption on ext4 filesystem when recording an error into the super block.

A race condition in the ext4 filesystem when using JBD2 journaling could
cause non-recoverable data corruption under certain circumstances.  A
local, unprivileged user could use this flaw to cause permanent data
corruption.


* Memory corruption in CAN driver when filling netlink packet.

A flaw in the CAN driver when writing device information on a netlink
socket can lead to memory corruption and kernel panic.  A local user could
use this flaw to cause a denial-of-service.


* Deadlock in memory technology device subsystem.

Incorrect ordering of locking calls could result in a deadlock during
concurrent accesses to an MTD device.  A local user with access to the
MTD device could use this flaw to hang the system.


* Denial-of-service in cryptographic algorithm sockets.

Incorrect assumptions about sequencing of calls to hash algorithms could
result in a kernel crash with specific algorithms if accept() was called
on the socket before data was received.  A local, unprivileged user
could use this flaw to crash the system.


* Denial-of-service in Megaraid SAS compatibility ioctl() handler.

Missing validation of user supplied data could allow a local user with
access to the device to trigger an unhandled fault and crash the system.


* NULL pointer dereference in 802.11 WiFi stack on channel switch.

A missing NULL check in the mac80211 WiFi stack on channel switch could
lead to a NULL pointer dereference when those events are being traced.  A
local user with the capability to trace those events could use this flaw
to crash the kernel.


* Use-after-free in FS-Cache filesystem registration.

A reference count imbalance could result in premature freeing of a
filesystem and kernel crash under specific conditions.


* Kernel crash in FS-Cache when writing beyond end-of-file marker.

Incorrect handling of accesses to pages beyond the end-of-file marker
could result in triggering an assertion that would crash the system.


* Memory corruption in Marvell mwifiex driver when reading the EEPROM.

A flaw in the Marvell mwifiex driver could lead to memory corruption when
reading the EEPROM.  A local user could use this flaw to cause a
denial-of-service.


* Out-of-bounds memory access when releasing PCI I/O regions.

Incorrect loop bounds could result in accessing beyond the end of an
array when releasing I/O regions on device removal.


* Use-after-free in Trusted Platform Module log reading.

Premature freeing of an Open Firmware node could result in a
use-after-free and kernel crash when reading the TPM log.


* Memory leak in Hyper-V balloon device when allocating large memory blocks.

Incorrect handling of 2MB blocks could lead to a memory leak when an
allocation fails.


* Denial-of-service in the NFSv4 client code when allocating an ID.

Incorrect reference counting when allocating an ID in the NFSv4 client code
could lead to a kernel crash under certain circumstances.  A local,
unprivileged user with access to a NFSv4 mount could use this flaw to cause
a denial-of-service.


* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.

Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* NULL pointer dereference when dumping proxy entries.

A missing NULL check when dumping proxy entries could lead to a NULL
pointer dereference when the proxy entry is not bound to a specific device.
A local, unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.

A missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to make a division by zero, causing
a kernel crash.  A local user with the capability to run KVM machines could
use this flaw to cause a denial-of-service.


* Integer overflow in /dev/kmsg facility.

An integer overflow in the /dev/kmsg facility could allow a local user to
spoof kernel messages in the kernel log.


* Data loss on Btrfs when cloning an inline extent.

A flaw in the Btrfs filesystem clone ioctl() causes data loss when cloning
a file with an inline extent to a larger file with an inline extent.


* CVE-2015-8374: Information leak when truncating a compressed inline extent on Btrfs.

An information leak was found when truncating a file consisting of a
compressed inline extent to a smaller size.  The data between the new and
the old file size was not discarded, allowing another user to read it
through the clone ioctl().


* Memory leak when removing a routing table in the IPv6 stack.

Incorrect reference counting when destroying a routing table in the IPv6
stack leads to a memory leak.  A local user could use this flaw to exhaust
the memory on the system and cause a denial-of-service.


* CVE-2013-7446: Use-after-free in Unix sockets.

Invalid reference counting in the kernel Unix socket subsystem can
trigger a use-after-free condition.  A local, unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.


* Kernel crash when running delayed allocation in Btrfs.

Due to a race between concurrent link/xattr and delayed allocation
operations in the Btrfs filesystem, it was possible for the kernel
to trigger an assertion failure and crash.


* Out-of-bounds read in Mac partition table parser.

Due to missing input validation in the Mac partition table parser, a
corrupted partition table could cause a buffer overflow. A malicious
local user could use this to crash the kernel or potentially escalate
privileges.


* Denial of service in sendfile() system call.

Due to a missing check for pending signals, a malicious call to
sendfile() by a regular userspace process could cause the system
call to hang for a long time. This could tie up resources and thus
cause denial of service.


* Soft lockups and RCU stalls in sendfile() system call.

Due to missing scheduling points in sendfile(), attempting to send
large amounts of memory between certain types of file descriptors could
cause the kernel to get tied up, causing denial of service.


* Use-after-free when opening X.25 async driver TTY.

A logic error in the X.25 async driver could result in a use-after-free
when opening the TTY device. A malicious local user with sufficient
permissions could potentially use this to crash the kernel or escalate
privileges.


* Read from a TTY may block even when data is present.

A missing memory barrier could cause __receive_buf() to fail to wake up a
process that went to sleep during the receive.


* Corrupted root FAT filesystem directory causes readdir to never terminate.

A corrupted root directory could cause fat_get_entry() to fail without
reporting progress to the VFS.  As a result, userspace never sees the end
of the directory, causing e.g. 'ls' to hang in a loop.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
