[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2590-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri May 1 03:58:06 PDT 2015


Synopsis: USN-2590-1 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2015-2666 CVE-2015-2922

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2590-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
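The following shell script is an added example, not part of the advisory or of Oracle's Ksplice tooling. It reads the "autoinstall" setting the advisory mentions from /etc/uptrack/uptrack.conf (comments, case and surrounding whitespace are tolerated) and only runs /usr/sbin/uptrack-upgrade -y when explicitly asked to and when the host is not already on automatic installation. The function names and the config-file argument are this example's own; the file path and the upgrade command are those given above.

```shell
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading the autoinstall setting from
# /etc/uptrack/uptrack.conf. The CONF argument exists so the parser can be
# tried against a constructed file.

# uptrack_autoinstall_enabled CONF
# Returns 0 when the file contains an uncommented "autoinstall = yes"
# (letter case and whitespace ignored, last occurrence wins), 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# needed_action CONF
# Prints "automatic" when Uptrack will apply the updates on its own and
# "manual" when an administrator has to run the upgrade command.
needed_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo automatic
    else
        echo manual
    fi
}

# The upgrade is only invoked when the script is run with --apply, so the
# file can be sourced for its functions without side effects.
if [ "${1:-}" = "--apply" ] && \
   [ "$(needed_action /etc/uptrack/uptrack.conf)" = manual ]; then
    /usr/sbin/uptrack-upgrade -y
fi
```

Run it as "sh check-uptrack.sh --apply" from a root shell or a configuration-management hook; without --apply it only defines the functions.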


DESCRIPTION

* Kernel crash in netfilter socket matching.

Incorrect use of stack-allocated variables could result in stale data
being accessed.  A local, privileged user could potentially use this flaw
to cause a denial-of-service or to escalate privileges.


* Resource leak in IP virtual server backup sync protocol.

Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.


* Kernel panic when garbage collecting the IPv4 and IPv6 flow caches.

A miscalculation of a field offset when garbage collecting flow caches
leads to invalid memory access and kernel panic.


* Memory corruption when configuring a virtual interface link through netlink.

A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Use-after-free in IPv6 stack on TCP fast open.

TCP fast open could release a socket buffer which is still in use by the
IPv6 stack, leading to a use-after-free and kernel panic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak when adding a vlan device to a shut down interface.

Failure to unregister stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in the Team driver on concurrent device unregistering.

A race condition in the network Team driver could lead to a NULL pointer
dereference when network devices are unregistered concurrently.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory write in macvtap driver with IPv6.

A logic error in the macvtap driver when allocating room in the socket
buffer for the Ethernet header could lead to a two-byte memory overwrite.
A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial of service in XFS quota management.

The kernel XFS filesystem driver does not reset quota metadata when
removing and creating files which can trigger an assertion failure and
kernel panic. A local user able to write to an XFS filesystem could use
this flaw to trigger a denial of service.


* Memory corruption in the Intel i915 video driver when setting the tiling.

Incorrect locking in the Intel i915 video driver when setting the tiling
could lead to list corruptions and kernel panic.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Information leak in the USB stack when sending signals to userspace.

A struct siginfo sent to user-space was not cleared before being filled in,
leaking kernel stack content to user-space.  A local, unprivileged user
could use this flaw to gain information about the running kernel,
facilitating an attack.


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in USB serial mxuport driver.

A missing check for NULL in the USB serial mxuport driver leads to a NULL
pointer dereference when it is used as a console.  A local, privileged user
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().

Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl().  A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.


* Denial-of-service in btrfs when reading extended ref.

Improper pointer arithmetic when calculating the address of the extended
ref could lead to an out of bounds memory read and kernel panic.  A local
attacker could use this flaw to cause a denial-of-service.


* List corruption in the SUNRPC stack on back-channel request completion.

Improper locking in the routine handling a back-channel completion could
lead to list corruption and kernel panic.  An attacker could use this flaw
to cause a denial-of-service.


* Memory leak in the BSD Packet Filter when preparing filters.

Missing input validation on the lengths read from userspace could cause a
memory leak.  A local, privileged user could use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Denial-of-service in PCI device sysfs "driver_override" attribute.

Missing length validation of the "driver_override" attribute in a PCI
device sysfs entry could result in accessing invalid memory and
triggering a kernel crash.  A local, unprivileged user could use this
flaw to trigger a denial-of-service under specific conditions.


* NULL pointer dereference in Xen event channel on large systems.

Large systems could fail to allocate a port IRQ for a Xen event channel
under specific conditions.  This could result in a NULL pointer
dereference and kernel crash.


* Kernel crash in SAS driver during expander discovery.

Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.


* Kernel crash in controller area network (CAN) sockets.

Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.


* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.

Incorrect restrictions on PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host.  A
privileged, local user could use this flaw to cause a denial-of-service.


* Deadlock during NILFS2 filesystem recovery.

Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required.  This could happen after a crash during a
datasync write.


* Kernel crash in IPv4 socket monitoring interface.

Incorrect allocation could result in a heap overflow and subsequent
kernel crash when receiving diagnostics for an IPv4 socket.


* Kernel crash in compat sendmsg/recvmsg calls.

Incorrect validation of user-supplied data could result in memory
corruption when sending or receiving messages on a datagram socket while
the audit subsystem was enabled.


* CVE-2015-2666: Privilege escalation in the Intel early microcode loader.

A lack of bounds checking when writing to an on-stack array while parsing
the microcode headers in the Intel early loader could cause a kernel panic
or potentially lead to code execution in the kernel.  A local, privileged
user could use this flaw to escalate their privileges.


* Denial-of-service when binding an ICMP socket on IPv6.

A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Denial-of-service in network packet transmission and reception.

Missing validation of the net.core.rmem_default and
net.core.wmem_default controls could allow a local, privileged user to
trigger a denial-of-service by setting low values for these parameters
and sending or receiving large packets.


* CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

A flaw in the IPv6 stack allowed a remote attacker on the same network to
set the hop limit to a value smaller than the default one, preventing
devices on that network from sending or receiving traffic.
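The script below is an added example, not part of the advisory, and covers the two sysctl-related entries above: the net.core.rmem_default / net.core.wmem_default controls and the IPv6 hop limit that a router advertisement can lower. It walks the standard Linux /proc/sys layout and reports interfaces whose hop_limit is below the IPv6 default of 64 while accept_ra is enabled, and socket-buffer defaults below a minimum. The /proc/sys root is a parameter so the checks can be exercised against a constructed directory tree; the 4096-byte minimum is an assumed threshold for illustration, not a value from the advisory, and the function names are this example's own.

```shell
# Added example (not Oracle's code): audit the IPv6 hop limit and the
# default socket buffer sizes after patching. ROOT defaults to /proc/sys
# but can point at a constructed tree for testing.

# value_of FILE
# Prints the integer stored in a /proc/sys file, or nothing if unreadable.
value_of() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    fi
}

# ipv6_hop_limit_findings ROOT
# Prints one line per interface whose hop_limit is below the kernel default
# of 64 while accept_ra is enabled, which is the state a lowered router
# advertisement leaves an interface in. Returns 0 when nothing was found.
ipv6_hop_limit_findings() {
    root="${1:-/proc/sys}"
    found=0
    for dir in "$root"/net/ipv6/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        hl=$(value_of "$dir/hop_limit")
        ra=$(value_of "$dir/accept_ra")
        if [ -n "$hl" ] && [ "$hl" -lt 64 ] && [ "${ra:-0}" -ne 0 ]; then
            echo "$iface hop_limit=$hl accept_ra=$ra"
            found=1
        fi
    done
    return $found
}

# socket_buffer_findings ROOT MIN
# Reports net.core.rmem_default / net.core.wmem_default below MIN bytes.
# MIN is the caller's choice; 4096 is an assumed illustrative lower bound.
socket_buffer_findings() {
    root="${1:-/proc/sys}"
    min="${2:-4096}"
    found=0
    for key in rmem_default wmem_default; do
        v=$(value_of "$root/net/core/$key")
        if [ -n "$v" ] && [ "$v" -lt "$min" ]; then
            echo "net.core.$key=$v below $min"
            found=1
        fi
    done
    return $found
}
```

On a live host, run "ipv6_hop_limit_findings; socket_buffer_findings" after sourcing the file; a non-zero exit from either function is a finding worth raising. Disabling accept_ra on interfaces that do not need SLAAC removes the remote path to the hop-limit condition, and restoring the buffer defaults via sysctl clears the second.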


* Out-of-bounds memory read in the AST graphic driver.

A static array used to store the clocking information for the AST VBios was
missing a clock entry, causing the kernel to read past the end of the
array and leading to a kernel panic.


* Kernel panic when restoring netfilter chain counters.

An incorrect preemption mode was used when restoring netfilter chain
counters, leading to a kernel BUG().


* Memory leak in netfilter when failing to add a new chain.

Incorrect clean-up of allocated resources in the nf_tables_newchain()
error path leads to memory leaks.  A local, privileged user could use this
flaw to exhaust the memory on the system and cause a denial-of-service.


* Kernel crash in IP Virtual Server support when re-routing to local clients.

A logic error in the IP Virtual Server support could lead to a kernel crash
when re-routing packets to clients on the local network.  An attacker could
use this flaw to cause a denial-of-service.


* Remote memory leak in SUNRPC stack when accepting a GSSP connection.

A missing clean-up for allocated resources in the error path of
gssp_accept_sec_context_upcall() in the SUNRPC stack leads to a memory leak
of 512 bytes.  A remote attacker could use this flaw to exhaust the memory
on the host and cause a denial-of-service.


* Use-after-free in Kvaser CAN to USB drivers when failing to send a URB.

An extra kfree() call in the error path of kvaser_usb_start_xmit() leads to
a double-free and potentially kernel panic.  An attacker could use this
flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
