[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2666-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 7 05:10:32 PDT 2015


Synopsis: USN-2666-1 can now be patched using Ksplice
CVEs: CVE-2015-1420 CVE-2015-4001 CVE-2015-4002 CVE-2015-4003 CVE-2015-4167 CVE-2015-4700 CVE-2015-5364 CVE-2015-5366

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2666-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

NOTES

The update titled "Kernel hang on UDP flood with wrong checksums."
has been assigned CVE-2015-5364 and CVE-2015-5366.  It was not part
of the officially released kernel, but we felt it was important to
ship this update early, before distributions released kernels,
because our audit showed that a large number of our customers are
affected by this issue.

The update titled "Denial-of-service in the BSD Packet Filter just-in-time compiler." has been assigned CVE-2015-4700.
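The two NOTES above have a practical consequence for anyone verifying the
installation steps: an update can be live on a host under a title only, with
its CVE ids attached later, so checking "uptrack-show" for CVE ids alone will
report such updates as missing.  The script below is an added example (not
Ksplice's own tooling and not part of this advisory) that reads "uptrack-show"
output and accepts an update if either its CVE id or its advisory title is
present.  The line format assumed for "uptrack-show" ("[<update id>] <title>")
and the sample output embedded in the script are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the Ksplice tooling or this advisory: verify
# that every update this USN lists is present in `uptrack-show` output.
# An update is accepted if its CVE id OR its title appears, because (see
# NOTES) Ksplice ships some updates under a title only and the CVE ids are
# attached later, so grepping for CVE ids alone would report them missing.
#
# Assumption: `uptrack-show` prints one installed update per line as
#   [<update id>] <title, which may begin with "CVE-YYYY-NNNN:">
# The sample output below is constructed for this demo.

# Updates to check, one per line, as "CVE id|title as shown in the advisory".
WANTED='CVE-2015-1420|Buffer overflow in name_to_handle_at() system call.
CVE-2015-4003|Remote divide-by-zero in the ozwpan driver.
CVE-2015-4167|Memory corruption when mounting malformed UDF disk images.
CVE-2015-4700|Denial-of-service in the BSD Packet Filter just-in-time compiler.
CVE-2015-5364|Kernel hang on UDP flood with wrong checksums.'

# Constructed stand-in for `uptrack-show` output: the UDP hang entry carries
# no CVE id (as in this advisory), and the UDF entry is absent entirely.
SAMPLE_UPTRACK_SHOW='Installed updates:
[1a2b3c4d] CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.
[2b3c4d5e] CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.
[3c4d5e6f] Kernel hang on UDP flood with wrong checksums.
[4d5e6f70] CVE-2015-4700: Denial-of-service in the BSD Packet Filter just-in-time compiler.'

# missing_updates: read uptrack-show output on stdin; print each wanted
# update that is matched by neither CVE id nor title; return 1 if any.
missing_updates() {
    installed=$(cat)
    # The while loop runs in a subshell, so collect its output instead of
    # trying to set a variable inside it.
    missing=$(printf '%s\n' "$WANTED" | while IFS='|' read -r cve title; do
        case "$installed" in
            *"$cve"*|*"$title"*) ;;                 # present under either name
            *) printf '%s|%s\n' "$cve" "$title" ;;  # not found
        esac
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# On a real Ubuntu 14.10 host run:   uptrack-show | missing_updates
# Demo on the constructed sample; prints the UDF entry and suggests the fix.
printf '%s\n' "$SAMPLE_UPTRACK_SHOW" | missing_updates \
    || echo "missing updates above; run: /usr/sbin/uptrack-upgrade -y"
```

Run the check after "uptrack-upgrade -y" (or after autoinstall has had a
chance to run), and treat any printed line as an update still to apply.
Matching on the title is deliberately loose: it covers the CVE-less case from
the NOTES, at the cost of accepting any installed update whose line contains
that title text.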

DESCRIPTION

* CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.

Due to a race condition in the name_to_handle_at() system call, it is
possible for userspace to change the length of the buffer read by the
kernel after it has been allocated. This could lead to a buffer
overflow. A local user with CAP_DAC_READ_SEARCH privileges could
potentially use this to cause denial of service or possibly escalate
their privileges.


* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.

The oz_usb_handle_ep_data() function in the ozwpan driver could allow remote
attackers to cause a divide-by-zero via a crafted packet.


* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.

Lack of input validation and incorrect use of signed types in the ozwpan
driver could lead to a heap overflow.  A remote attacker could use these
flaws via a crafted packet to cause a denial-of-service or potentially gain
code execution.


* CVE-2015-4167: Memory corruption when mounting malformed UDF disk images.

The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes which can trigger kernel
memory corruption and a kernel panic.


* Infinite loop in USB CDC class driver when parsing CDC headers.

Lack of input validation in the USB CDC class driver could lead to an
infinite loop when parsing CDC headers.  A local attacker with physical
access could use a crafted USB device to cause a denial-of-service.


* Denial of service when unmounting filesystem in user namespace.

A race condition can cause the audit subsystem to incorrectly audit
filesystems that have been unmounted, leading to a NULL pointer
dereference. This flaw could be used by a local user to trigger a kernel
panic.


* Multiple deadlocks in ALSA emux driver.

Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.


* Denial-of-service in Rados Block Device (RBD) driver on end I/O.

Incorrect logic in the RBD driver on end I/O could trigger a kernel
assertion and lead to a denial-of-service under certain conditions.


* Filesystem corruption with ext4 delayed extents.

Incorrect handling of unwritten and delayed extents could result in
filesystem corruption.  A local, unprivileged user could use this flaw
to zero parts of files under specific conditions.


* Filesystem corruption in ext4 fallocate().

A race condition in the fallocate() implementation on an ext4 filesystem
could result in filesystem corruption under specific conditions.


* Multiple divide-by-zero in the page write-back code.

Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.


* Memory leak and denial-of-service in the memory-failure subsystem.

A logic error in the memory-failure subsystem when handling transparent
huge pages could result in a memory leak or in a machine check error
killing the application using the transparent huge page.


* Out-of-bounds memory access in the nilfs driver.

An off-by-one error when checking the btree level in the nilfs driver could
lead to out-of-bounds memory access.  An attacker could use a specially
crafted nilfs image to cause a denial-of-service.


* Kernel hang in the ocfs2 driver when locking resources.

A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge.  A local attacker
could use this flaw to cause a denial-of-service.


* Double-free in the VFS subsystem when opening an unnamed temporary file.

A logic error in the path_openat() function in the VFS subsystem when
opening an unnamed temporary file leads to a double-free.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Permission bypass in filesystem namespace.

A logic error in the filesystem namespace subsystem allows a restricted
user to bypass mount restrictions and mount /proc or /sys if there is a
bind mount of part of /proc or /sys in its namespace.


* XFS filesystem corruption during truncation.

Failure to write zeroed blocks to disk during truncation on an XFS
filesystem could result in failure to zero those blocks during a crash.
This could leave sensitive information on the disk.


* Use-after-free in USB gadget configfs filesystem.

Missing invalidation of a pointer during function removal could result
in a use-after-free and kernel crash.


* Denial-of-service in JBD2 journal recovery.

An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash.  A local user could use a maliciously
crafted filesystem to crash the system.


* Denial-of-service in SNDCTL_SEQ_OUTOFBAND OSS ioctl().

Incorrect locking could allow a local user with access to /dev/sequencer
to deadlock the system resulting in a denial-of-service.


* Denial-of-service in SonicBlue Optimized MPEG File System mounting.

Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.


* Kernel hang in btrfs driver when deleting a subvolume.

Incorrect locking in the btrfs filesystem driver could result in a mutex
still being held on return from btrfs_ioctl_snap_destroy(), leading to a
kernel hang the next time the mutex is locked.


* Use-after-free in the block multiqueue core driver.

A logic error in the block multiqueue core driver could lead to a
use-after-free on concurrent CPU hotplug events.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Out-of-bounds memory access in Mellanox 4 ethernet driver.

A logic error in the Mellanox 4 Ethernet driver when handling an error while
starting a port leads to an out-of-bounds memory access.  A local attacker
could use this flaw to cause a denial-of-service.


* Memory corruption in Ceph crush mapper.

A flaw in the Ceph crush mapper could cause temporary buffers to overlap
when there are more OSDs than replicas.  A local, privileged user could use
this flaw to cause memory corruption.


* Denial-of-service in netfilter when parsing netlink tuples.

Uninitialized struct fields on the stack when parsing netlink tuples in the
netfilter code could result in netfilter misbehaviour, such as unintended
traffic being sent to userspace.


* Denial-of-service when adding a new netfilter rule.

Incorrect input validation in the netfilter code could lead to out-of-bounds
memory accesses when adding a new rule.  A local, privileged user could use
this flaw to cause a denial-of-service or potentially escalate privileges.


* Kernel panic on changing the number of rings in Intel PCI-Express Ethernet driver.

Internal structures were not re-initialized properly when changing the
number of rings on the Intel PCI-Express Gigabit Ethernet driver, leading
to a kernel panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory corruption when replacing ECMP route on IPv6.

Replacing an ECMP route on IPv6 replaces only the first matching route
without replacing its siblings, leading to memory corruption.  A local,
privileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference when handling IPv4 errors.

A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed.  An attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service in the BSD Packet Filter just-in-time compiler.

A logic error in the BSD Packet Filter (BPF) just-in-time (JIT) compiler
could cause the JIT-compiled program to consist only of software breakpoints
instead of the intended opcodes.  A local, privileged user could use this
flaw to cause a denial-of-service with a specially crafted BPF program.


* Kernel crash when attaching a new queue discipline in the network scheduler.

A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device.  A local, privileged
user could use this flaw to cause a denial-of-service.


* Kernel hang on UDP flood with wrong checksums.

A flaw in the handling of UDP packets with wrong checksums could lead to a
kernel hang under a UDP flood.  A remote attacker could use this flaw to
cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.