[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2968-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 11 08:56:24 PDT 2016 

Synopsis: USN-2968-1 can now be patched using Ksplice
CVEs: CVE-2015-7515 CVE-2015-8830 CVE-2016-0774 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3157 CVE-2016-3689 CVE-2016-3951

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2968-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-7515: Denial-of-service in the aiptek USB driver.

A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints.  An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.


* Kernel panic when using receive aggregation on WiFi.

Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.


* Information leak in the ATA 32 bits compat ioctl.

A logic error in the ATA 32 bits compat ioctl could lead to writing 3 bytes
of uninitialized stack content to userspace.  An attacker could use this
flaw to gain information about the running kernel.


* Kernel deadlock in JFFS2 filesystem when writing.

Incorrect lock ordering when writing to a JFFS2 filesystem could lead to
deadlocks.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Out of bounds memory access on reading a file from a SMB server.

Missing input validation when parsing the lease state from a Server Message
Block (SMB) Create response could lead to an out of bounds memory read and
kernel crash.  A local, unprivileged user or a rogue SMB server could use
this flaw to cause a denial-of-service.


* Kernel hang when the function graph tracer is enabled on suspend.

The function graph tracer gets inconsistent call return information in the
low level ACPI suspend code, leading to a kernel hang.


* Heap overflow in the Unsorted Block Images (UBI) on volume update.

A flaw in the UBI code causes a heap structure to be allocated with too few
bytes, leading to a write overflow when updating the volume.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Filesystem corruption in EXT4 extent moving.

A missing update of the buffer head could result in filesystem
corruption when moving extent data.


* CVE-2016-3951: Use-after-free in USB networking bind failure.

A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.


* NULL pointer dereference in TTY line discipline reception.

A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.


* Use-after-free in Infra-red terminal opening.

Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash.  A local user with
access to the IrTTY device could use this flaw to crash the system.


* NULL pointer dereference in Infiniband CSI RDMA Protocol Target.

Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.


* Kernel crash in disk quota initialization.

Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.


* Journalling filesystem corruption on unmount under memory pressure.

Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.


* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.

A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* Heap overflow in I2C USB HID reporting.

Missing bounds checks could result in a heap overflow when setting or
sending a report.  A local user with access to the device could use this
flaw to crash the system or potentially, escalate privileges.


* Denial-of-service in NFS secinfo+readdir operations.

Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.


* CVE-2016-3689: Denial of service in IMS PCU USB descriptor parsing.

A logic error in the IMS PCU USB driver can allow a malformed USB
descriptor with missing interfaces to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-2188: Denial of service in IO Warrior USB descriptor parsing.

A logic error in the IO Warrior USB driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference and
kernel panic.


* Denial of service in generic USB interface management.

A malformed USB descriptor can trigger a NULL pointer dereference and
kernel panic when the generic USB driver claims interfaces.


* CVE-2016-3138: Denial of service in CDC ADM USB descriptor parsing.

A logic error in the CDC ADM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.


* Denial-of-service in pipe splicing with no pages.

Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash.  Under specific conditions a local user
could use this flaw to crash the system.


* Denial-of-service in KVM invept instruction emulation.

Incorrect handling of an invalid invept instruction could
result in a kernel hang.  A local user could use this flaw to crash the
system.


* Denial-of-service in KVM VCPU creation.

Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.


* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.

A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.


* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.

A race condition between convert and recovery operations could result in
a system hang under specific conditions.


* Kernel crash in OCFS2 Distributed Lock Manager during master loss.

A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.


* Denial-of-service in recvmmsg() error handling.

Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call.  A local, unprivileged user could use this flaw
to trigger a denial-of-service.


* Denial-of-service in SUNRPC cache management.

Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.


* Use-after-free in PPP ioctl() handling.

Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash.  A local user with access to the
PPP device could use this flaw to crash the system.


* Use-after-free in Maxim MAX1111 ADC channel read.

Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash.  A local, privileged user could
use this flaw to crash the system.


* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.

A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.

A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.

A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.


* Kernel crash in ALSA timer arming.

Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.


* Kernel crash in NUMA page migration.

Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.


* Divide-by-zero in the ALSA RME Hammerfall audio driver.

A lack of data validation in the system sample rate code of the RME
Hammerfall audio driver could lead to a division-by-zero and kernel crash.


* NULL pointer dereference in block cache registration failure.

Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.


* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.

A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero end-points to trigger a NULL pointer dereference
and kernel panic.


* Denial-of-service in coredump writing.

Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory.  This flaw could be used to
exhaust disk space and trigger a denial-of-service.


* CVE-2016-0774: Kernel crash in pipe buffer handling.

Improper synchronization of offset and buffer length in the pipe
subsystem can lead to a kernel crash or leak of kernel memory by an
unprivileged local user.


* CVE-2015-8830: Kernel crash in Asynchronous IO subsystem with large IO vector sizes.

Improper bounds checking on the transfer size of individual asynchronous
requests can lead to a kernel crash.


* CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.


* Information leak to KVM guests when the the host is using PEBS tracing.

KVM hosts using Intel Precise Events Based Sampling (PEBS) could have their
PEBS tracing record written to a KVM guest under certain circumstances.  An
attacker with full control of a KVM kernel guest could use this flaw to get
information about the KVM host kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-14.04-updates mailing list