[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2929-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 16 18:52:50 PDT 2016


Synopsis: USN-2929-1 can now be patched using Ksplice
CVEs: CVE-2015-7566 CVE-2015-7833 CVE-2016-0723 CVE-2016-2384 CVE-2016-2543 CVE-2016-2544 CVE-2016-2545 CVE-2016-2546 CVE-2016-2547 CVE-2016-2548 CVE-2016-2549 CVE-2016-2782 CVE-2016-3134

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2929-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
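The two options above can be folded into one check. The script below is an added example, not Ksplice's own tooling: it reads /etc/uptrack/uptrack.conf, reports whether "autoinstall = yes" is set, and otherwise runs the manual upgrade command. It assumes the file uses an INI-style layout (section headers, "#" or ";" comments, optional whitespace around "="); the UPTRACK_CONF override and the --apply flag are the example's own.

```shell
#!/bin/sh
# Added example (not Ksplice's own code). Decide whether a Trusty host will
# pick up this update through autoinstall or needs "uptrack-upgrade -y".
# The INI-style layout of uptrack.conf is an assumption.

# Print "yes" if autoinstall is enabled in the given file, "no" if it is set
# to anything else or absent; return 2 if the file cannot be read.
# Comment lines are ignored and the last assignment wins, as in most
# INI-style parsers.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || return 2
    awk '
        /^[ \t]*[#;]/ { next }                    # whole-line comment
        /^[ \t]*autoinstall[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")              # drop "autoinstall ="
            sub(/[ \t]+$/, "")                    # trailing whitespace
            sub(/[ \t]*[#;].*$/, "")              # inline comment
            val = tolower($0)
        }
        END { if (val == "yes") print "yes"; else print "no" }
    ' "$conf"
}

# Operational wrapper: apply the update now unless autoinstall covers it.
main() {
    conf="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
    state=$(uptrack_autoinstall "$conf") || {
        echo "cannot read $conf; is Ksplice Uptrack installed?" >&2
        exit 2
    }
    if [ "$state" = "yes" ]; then
        echo "autoinstall enabled: USN-2929-1 patches will be applied automatically"
    else
        echo "autoinstall disabled: applying updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Only act when invoked explicitly, so the function can also be sourced.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root with "--apply" to act, or source it and call uptrack_autoinstall on a config path to only inspect the setting.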


DESCRIPTION

* Denial of service in Topro USB Camera ioctl.

The Topro USB Camera driver does not correctly handle setting the
framerate to zero, which can trigger a divide-by-zero and kernel panic.


* Memory leak in Realtek USB Wireless adapter when receiving malformed frames.

The kernel driver for Realtek USB Wireless adapters does not correctly
free memory when processing frames with incorrect checksums. A remote
attacker could trigger a denial-of-service by intentionally sending
frames with incorrect checksums.


* Memory leak when requeuing priority inversion futex.

A logic error in the kernel futex subsystem can trigger a memory leak
and subsequent kernel panic when failing to acquire a PI futex.


* Denial-of-service when parsing UDF indirect extents.

A UDF disk image can trigger an infinite loop and denial of service
when parsing malformed indirect extents.


* Memory corruption when processing multibyte unicode filenames on UDF.

The kernel UDF filesystem driver incorrectly manages memory when
converting multibyte unicode filenames on UDF filesystems which can
trigger kernel memory corruption.


* Memory corruption in Nouveau driver during connector hotplug.

Missing locking could result in memory corruption and subsequent
undefined behaviour when hotplugging a connector under specific
conditions.


* CVE-2016-2543: Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* CVE-2016-2544, CVE-2016-2545, CVE-2016-2546, CVE-2016-2547, CVE-2016-2548: Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Memory leak in virtio balloon driver under memory pressure.

Incorrect locking in the virtio balloon driver can trigger a memory leak
when the system is under memory pressure, leading to a kernel panic and
denial of service.


* Use-after-free in virtio balloon driver during compaction.

A race condition in the virtio balloon driver can trigger a use after
free and kernel panic when memory compaction occurs.


* Information leak when reading directory entries on CIFS mount.

Incorrect memory management allows a local user to leak the contents of
kernel memory to debug logs when reading from a directory on a CIFS
mount.


* Use-after-free in OCFS2 distributed lock manager.

Incorrect reference counting in the OCFS2 filesystem driver can trigger
a use-after-free and kernel panic when migrating a lock.


* Kernel panic when soft-offlining memory.

Incorrect memory management when soft-offlining memory via
madvise(MADV_SOFT_OFFLINE) can trigger an assertion failure and kernel
panic.


* Use-after-free when unregistering events in memory control group.

Incorrect locking in the memory control group subsystem (memcg) when
unregistering events can trigger a use-after-free condition and kernel
panic.


* Use-after-free when failing to accept userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a use-after-free condition and kernel panic
when calling accept(2) on a cryptographic socket fails.


* CVE-2016-2549: Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* Privilege escalation in ALSA compatibility ioctl().

Incorrect handling of compatibility data structures could result in a
heap buffer overflow.  A local user with access to the ALSA devices
could use this flaw to trigger a kernel crash or potentially escalate
privileges.


* Denial-of-service in ALSA TLV controls.

Missing validation of user-supplied data could result in kernel warnings
being output to the kernel console.  A local user could use this flaw to
flood the kernel console, causing a denial-of-service.


* Kernel panic in Atheros wireless driver HTC frame handling.

The kernel Atheros wireless driver does not correctly handle malformed
HTC frames, which can trigger kernel memory corruption. An
unauthenticated remote user can trigger this issue.


* Denial-of-service in SCTP protocol under memory pressure.

Failure to handle low memory conditions could result in a memory leak
and additional memory pressure on the system.  A malicious user could
use this flaw to crash the system under specific conditions.


* Denial-of-service in Connector callback implementation.

A reference counting imbalance of socket buffers could result in a
memory leak when processing Connector callbacks.  Under specific
conditions this could result in memory exhaustion and a system crash.


* Privilege escalation in network bridge startup.

A local, unprivileged user could create a new network namespace which
would call /sbin/bridge-stp in the initial namespace.  Under specific
conditions this could result in networking failure or potentially in
conjunction with other flaws to escalate privileges.


* Out-of-bounds access in SCTP cookie_hmac_alg sysctl writing.

Missing initialization of a stack based string could result in an
unterminated read of the buffer.  Under specific conditions this could
trigger an out-of-bounds access and kernel crash.


* NULL pointer dereference in PhoNet packet reception.

Incorrect handling of shared socket buffers could result in a NULL
pointer dereference and kernel crash when receiving PhoNet packets.


* Memory leaks in USBVision device driver.

Under multiple different circumstances, the USBVision device driver could
leak memory. A malicious local user could potentially use this to cause
denial of service.


* CVE-2016-0723: Denial-of-service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* CVE-2015-7566: Denial-of-service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* Deadlock in NFS share exported from OCFS2 filesystem.

Incorrect locking can trigger a deadlock and kernel panic when OCFS2 is
used to export an NFS share.


* Crash in USB vision driver when malicious device is connected.

Improper handling of USB endpoint probing during vision device initialization
leads to a NULL pointer dereference.


* Buffer overflow in Analog Devices inertial measurement device driver.

Incorrect memory offset calculation in the driver for Analog Devices
inertial measurement devices leads to a buffer overflow during transmit.


* Crash in USB hub driver during device reset.

Improper memory cleanup during USB hub device reset can lead to a NULL
pointer dereference causing a crash.


* CVE-2016-2782: Crash in USB serial driver when malicious Treo device is connected.

Improper handling of USB endpoint probing during Treo device initialization
leads to a NULL pointer dereference.


* Crash in SCSI driver during power management suspend and resume.

Performing a suspend while the SCSI driver is probing for devices may
crash or cause CD/DVD and hard disk devices to become unusable.


* Memory corruption in ALSA dummy driver when switching timer.

Improper switching between high resolution timers and system timers while a
stream is open can lead to memory corruption.


* Data corruption when transmitting packets via Virtual Ethernet device.

A logic error can cause checksums to be ignored by the Virtual Ethernet
device driver which can cause corrupted data to be delivered to containers.


* Crash when registering busy Bcache device.

Improper memory locking in Bcache device registration can cause a crash
when attempting to register a device that is busy or already registered.


* CVE-2015-7833: Data loss in USB Modem driver during suspend and resume.

Improper cleanup in the USB Modem driver leads to data loss during a
suspend and resume sequence.


* CVE-2016-3134: Memory corruption when parsing netfilter source chains.

A logic error when parsing netfilter source chains can allow local users
to corrupt kernel memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
