[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2565-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 9 08:36:22 PDT 2015


Synopsis: USN-2565-1 can now be patched using Ksplice
CVEs: CVE-2015-1593 CVE-2015-2041 CVE-2015-2042

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2565-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
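An added helper (not Oracle's own tooling) for operators with many Utopic hosts: it parses the autoinstall setting out of /etc/uptrack/uptrack.conf as described above and prints whether the manual uptrack-upgrade step is still needed. It assumes only that the key appears as a `key = value` line; the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Decide whether a host still needs a manual "uptrack-upgrade -y"
# (added example, not part of the Ksplice announcement or its tooling).

# Read a config on stdin; return 0 if autoinstall is enabled, 1 otherwise.
# Comment lines (# or ;), surrounding whitespace and letter case are
# tolerated, and the last "autoinstall" line wins, as a later override would.
uptrack_autoinstall_enabled() {
    tr '[:upper:]' '[:lower:]' |
    grep -v '^[[:space:]]*[#;]' |
    sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' |
    tail -n 1 |
    grep -qx 'yes'
}

# Constructed sample configs used to illustrate the check.
CONF_AUTO='[Uptrack]
install_on_reboot = yes
autoinstall = yes'

CONF_MANUAL='[Uptrack]
# autoinstall = yes   (commented out, so not in effect)
autoinstall = no'

# Report the action for a host; returns 0 when nothing needs to be done,
# 2 when the administrator must run the upgrade by hand.
check_host() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ -r "$conf" ] && uptrack_autoinstall_enabled < "$conf"; then
        echo "autoinstall is on: USN-2565-1 updates will be applied automatically"
        return 0
    fi
    echo "autoinstall is off or unset: run /usr/sbin/uptrack-upgrade -y"
    return 2
}

check_host
```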


DESCRIPTION

* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations, which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Kernel bug when handling a huge page fault.

A race condition in the huge page fault handler could cause a BUG()
assertion to be hit, resulting in a denial-of-service.


* Denial-of-service in the mmap() system call.

An integer overflow in the routine checking if there is enough memory to
satisfy an allocation request leads all future allocations to fail.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when reading physical memory from user-space.

The routine generic_phys_access(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when soft-offlining a page on concurrent migration.

A race condition in the memory subsystem when soft-offlining a page being
migrated could cause a BUG_ON() assertion to trigger.  An attacker
could use this flaw to cause a denial-of-service.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.


* Multiple data losses on TCM Storage Engine.

Lack of input validation and range checks in the TCM Storage Engine (Target
Core) driver could lead to data loss or data corruption under certain
circumstances.


* Integer overflow in adjtimex syscall.

The adjtimex syscall does not validate the 'freq' argument which can
allow a malicious local user to set the clock frequency to an invalid
value.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* CVE-2015-1593: Stack layout randomization entropy reduction.

A flaw in the stack base randomization code could result in a
reduction of entropy by a factor of four.  An attacker could use this
flaw to reduce the amount of work needed to bypass ASLR.


* Use-after-free on removing from debugfs on concurrent symlink traversal.

A race condition in the debugfs filesystem could lead to a use-after-free
when removing inodes from debugfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Use-after-free on removing from procfs on concurrent symlink traversal.

A race condition in the procfs filesystem could lead to a use-after-free
when removing inodes from procfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory access in autofs4 filesystem ioctl.

A time-of-check to time-of-use vulnerability when validating the size of
the ioctl input buffer in the autofs4 filesystem could lead to out of bounds
memory access.  A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially escalate their privileges.


* NULL pointer dereference in GFS2 filesystem when deleting ACL.

A lack of NULL pointer check when deleting ACLs on a GFS2 filesystem could
lead to a NULL pointer dereference.  A local, privileged user could use
this flaw to cause a denial-of-service.


* CVE-2015-2042: Information leak in the Reliable Datagram Socket protocol.

A flaw in the handling of userspace tuning for the Reliable Datagram Socket
(RDS) protocol leads to an information leak when reading from the sysctl
files. A local, privileged user could use this flaw to gain knowledge about
the running kernel, potentially facilitating an attack.


* Denial-of-service when changing permissions of a huge page.

A race condition when changing the permissions of a huge page on concurrent
migration could lead to a kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.


* CVE-2015-2041: Information leak in 802.2 LLC sysctl interface.

The 802.2 Link Layer type 2 subsystem uses an incorrect length when
returning data to userspace from the sysctl interface, allowing
userspace processes to disclose the contents of kernel memory.


* Kernel panic caused by generating a MLD listener on devices with large MTUs.

Under certain circumstances, generating an MLD listener on devices
with a large maximum transmission unit may trigger a kernel panic,
causing a denial-of-service.


* Kernel panic when reading pagemap procfs file.

Incorrect locking when reading the /proc/pid/pagemap procfs file can
trigger a kernel assertion and kernel panic. An unprivileged local user
can use this flaw to cause a denial of service.


* Use-after-free in SMACK security module.

Incorrect locking in the SMACK security module can trigger a
use-after-free and kernel panic when looking up the credentials of a
userspace process. This flaw can be used by a local unprivileged user to
trigger a kernel panic or elevate privileges.


* Kernel panic when probing iSCSI BladeEngine devices.

An invalid DMA configuration can trigger an assertion and kernel panic
when probing an iSCSI BladeEngine device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
