[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2518-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Feb 27 00:54:52 PST 2015


Synopsis: USN-2518-1 can now be patched using Ksplice
CVEs: CVE-2014-8133 CVE-2014-8160 CVE-2014-8559 CVE-2014-8989 CVE-2014-9419 CVE-2014-9420 CVE-2014-9428 CVE-2014-9529 CVE-2014-9585 CVE-2015-0239

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2518-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
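As an added example (not part of the Ksplice announcement), a small POSIX shell check that reads the autoinstall setting from an uptrack.conf-style file and reports whether the host will pick these updates up on its own or still needs the manual command. The config path is a parameter, and the sample file at the end is constructed for an offline run; the section name and comment syntax in it are assumptions, not taken from a real host.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: decide whether a host still
# needs a manual "uptrack-upgrade -y" based on the "autoinstall" key.

# Print "yes" or "no" from the last effective "autoinstall" line in $1.
# Comments (# or ;) and surrounding whitespace are ignored and the key and
# value are compared case-insensitively. A missing or unreadable file
# counts as "no", i.e. updates will not be applied automatically.
autoinstall_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return; }
    sed -e 's/[#;].*$//' "$conf" | awk -F= '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        tolower(key) == "autoinstall" {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = tolower(v)
        }
        END { if (last == "yes") print "yes"; else print "no" }'
}

# Action for this host: "automatic" when Ksplice Uptrack will install the
# updates itself, otherwise the command an operator has to run.
required_action() {
    if [ "$(autoinstall_setting "$1")" = "yes" ]; then
        echo automatic
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (assumed layout, not copied from a real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Settings]
# apply updates without operator action
autoinstall = yes   ; trailing comment
EOF
required_action "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```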


DESCRIPTION

* Data loss on Btrfs on concurrent fsync() on different sub-volumes.

A lack of synchronization between two concurrent fsync() operations on
different sub-volumes leads to data loss.


* Data corruption in Btrfs when un-pinning from the extent cache.

A logic error in the Btrfs driver when un-pinning from the extent cache
causes some checksums not to be re-written on disk, leading to data
corruption under certain circumstances.


* Use-after-free in NFSv4 when getting a layout header.

Incorrect reference counting in the NFSv4 code when releasing a layout could
cause a use-after-free and kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* Leak of sensitive cryptographic materials in Multiple Devices driver.

A lack of cleaning up temporary cryptographic materials on the stack could
potentially allow an attacker to gain sensitive cryptographic information.


* Denial-of-service when using force umount() from a namespace.

A forced umount() affects the underlying superblock and not just the mount
namespace, so it should be restricted to the global root user.  A privileged
user in a user namespace could force the shutdown of a superblock in a more
privileged mount namespace, leading to a denial-of-service.


* Memory corruption when loading a stale AES key.

A lack of key unregistering when the key size check fails leaves a stale
key in the keys list, causing a memory leak and a kernel panic when
registering a new key.  A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in thermal initialization error path.

Wrong ordering when releasing resources in the thermal management
initialization function leads to a use-after-free and kernel panic.


* Memory leak of process namespace on child_reaper concurrent exit.

Incorrect reference counting in the pid namespace code could prevent a
namespace from being released, causing a memory leak.  A local user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* CVE-2014-9419: Address leak on context switch bypasses ASLR.

A flaw in the context switch code could lead to leaking another thread's
local storage area.  A local, unprivileged user could use this flaw to gain
information about another process address space mappings and bypass address
space layout randomization.


* Memory leak in cfg80211 when processing an already set driver hint.

Lack of verification that a driver hint is already set in the cfg80211
stack leads to a memory leak. A local, privileged user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.


* NULL pointer dereference in nl80211 when parsing invalid sched scan request.

Lack of proper input validation in the nl80211 stack could lead to a NULL
pointer dereference when parsing an invalid sched scan request.  A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2014-8133: Information leak in thread area of 32-bit KVM guests.

The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.


* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* Memory leak in mac80211 when freeing management frame keys.

A logic error in the mac80211 driver when releasing station management keys
causes two management keys not to be released, leading to a memory leak.  A
local user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Use-after-free in umount when appending to an existing unmounted list.

A logic error when unmounting leaves a released mount point in the unmounted
list, causing a kernel panic later when this released mount point is
accessed.  A local user could use this flaw to cause a denial-of-service.


* Cluster deadlock during journal commit in OCFS2 filesystem.

Under certain circumstances, incorrect lock ordering could cause a
deadlock if one thread handles a buffer write at the same time as the
journal commit thread attempts to flush the buffer. If this happens,
the whole cluster will hang.


* Data corruption in RAID on concurrent writes during unplug.

Lack of synchronization in bitmap_unplug() could lead to data corruption
under certain circumstances.


* Use-after-free in Multiple Devices (md) thin provisioning on removal.

Incorrect locking in the Multiple Devices (md) driver on device removal
could lead to a use-after-free and kernel panic.  A local user could use
this flaw to cause a denial-of-service.


* Out-of-bounds memory write in eCryptfs when decoding a file name.

A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic.  A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.


* Btrfs filesystem corruption on aborted transactions.

Filesystem corruption may occur when a certain order of transactions
occurs and the underlying device supports discarded transactions.


* Use-after-free when reading from /proc/interrupts.

A lack of proper synchronization between the generic IRQ subsystem when
releasing an interrupt descriptor and reading the interrupt descriptor from
/proc/interrupts could lead to a use-after-free and potentially kernel
crash.


* Kernel BUG() in audit subsystem when sending events from atomic context.

Incorrect flags to allocate memory when sending events in the audit
subsystem could lead to a sleep() while in atomic context, leading to a
kernel BUG().  An attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds memory access in ISO filesystem when printing ER records.

A missing input validation when printing ER records on the iso9660 driver
could lead to an out-of-bounds memory write, potentially leading to a
kernel panic.  A local attacker could use a corrupted ISO file to cause a
denial-of-service.


* Use-after-free in cryptographic algorithms when handling backlogged requests.

A logic error in the cryptographic algorithms driver could lead to an early
return to userspace when a request is still pending.  A local attacker
could use this flaw by closing its sockets, causing the pending requests to
use freed memory, leading to a use-after-free and kernel panic.


* CVE-2014-9428: Remote denial-of-service in BATMAN routing protocol.

A flaw in the fragmentation code of the BATMAN routing protocol driver
could be triggered by a remote attacker to cause a denial-of-service.


* CVE-2014-9529: Use-after-free when garbage collecting keys.

A logic error when garbage collecting cryptographic keys leads to a
use-after-free and kernel panic. A local user could use this flaw to crash
the kernel and cause a denial-of-service.


* CVE-2014-9585: Address space layout randomization bypass for VDSO address.

A flaw in the VDSO code loader leads to a 50% chance of having the VDSO
address placed at the end of a PMD. This could allow an attacker to bypass
ASLR protections more easily.


* NULL pointer dereference in bcache btree when allocating a memory pool.

The return value of a call to mempool_alloc() with GFP_NOWAIT wasn't
checked, leading to a NULL pointer dereference and denial-of-service.


* CVE-2014-8160: iptables rules bypass when the protocol module is not loaded.

A flaw in the generic conntrack sub-system allows protocols that do not
have a protocol handler kernel module loaded to pass through the iptables
firewall even if explicitly denied by rule.


* NULL pointer dereference in Keyspan USB serial driver.

A race condition when initializing a Keyspan USB serial device can
trigger a NULL pointer dereference and kernel panic.


* Deadlock when configuring line discipline of USB console device.

A kernel lock is not correctly initialized when a USB console device is
initialized. This can later trigger a deadlock when a user attempts to
configure a line discipline for the console device.


* Use-after-free when releasing a clock.

A logic error in the clock driver when releasing a clock leads to a
use-after-free and possible kernel panic.


* CVE-2015-0239: Privilege escalation in KVM sysenter emulation.

The KVM emulation of the sysenter instruction does not validate 16-bit
code segments which can allow a local attacker to potentially elevate
privileges.


* Memory corruption when expanding hard drive partition table.

A missing overflow check may allow a user to read and possibly write
data past the end of a kernel memory buffer causing memory corruption.


* Buffer overflow in HID device initialisation.

A missing check may allow a buffer overflow inside the kernel that can
occur when a HID device is inside of an IRQ callback.


* Kernel BUG when using uncore event collection.

During event collection, a missing check may allow uncore to access
foreign events that can cause the kernel to crash.


* Performance monitoring unit breakpoint triggering when changing CPU affinity.

Under certain circumstances hardware breakpoints may be triggered
when changing CPU affinity during uncore event collections.


* Multiple out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic.  An
attacker could use a specially crafted filesystem to cause a
denial-of-service.


* Incongruent MAC headers inside of a GRE tunnel.

An out of order operation may cause certain MAC headers to be wrong
when transmitting within the context of an NBMA tunnel.


* Disallow changing of memory mapped netlink message payloads.

An insufficient check may allow a user to change the content of an
already sent message. This allows an unprivileged local user to
potentially elevate privileges.


* Inhibit operation reordering on memory mapped netlink frames.

An inadequate status check on a netlink memory mapped frame may allow
load and store operations to be reordered or changed, possibly causing
memory corruption.


* Enhanced security context check during packet normalization.

A missing initialization during the normalization process may
cause security contexts to be inherited across firewall tunnels.


* TCP segmentation offload transmission queue overflow.

In certain instances, existing queued packets may look to be unacknowledged
and may not be removed from the transmission queue possibly causing a
denial of service.


* CVE-2014-8989: Group based restrictions bypass in user namespace.

A flaw in the user namespace subsystem could lead to a potential Unix group
privilege escalation when un-sharing parts of a process execution context.
An attacker could use this flaw to gain extra Unix group privileges on a
system.


* CVE-2014-8559: Deadlock when renaming and deleting concurrently.

Incorrect locking in the filesystem subsystem can trigger a deadlock and
kernel panic when renaming files in a directory while concurrently
deleting files in the same directory.


* Denial of service in Xen netfront when processing highly fragmented packets.

The Xen netfront driver does not correctly process highly fragmented
packets, which can cause malformed data to be passed to the host netback
driver, which will then disable the network interface.


* Use-after-free in USB Video Class driver when removing a device.

Incorrect ordering when removing the sysfs device on disconnecting a webcam
leads to a use-after-free and potentially a kernel panic.


* Privilege escalation in KVM ret-far emulation.

The KVM emulation of ret-far instructions does not correctly handle
real-mode or virtual-8086 guests with non-zero privilege levels. This
could lead to a process in a KVM guest elevating privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
