[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2667-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 7 05:06:04 PDT 2015


Synopsis: USN-2667-1 can now be patched using Ksplice
CVEs: CVE-2015-1420 CVE-2015-4001 CVE-2015-4002 CVE-2015-4003 CVE-2015-5363 CVE-2015-5366

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2667-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
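The two install paths above can be folded into one small script that reads the
autoinstall setting and only runs the manual upgrade when Uptrack would not apply
the updates on its own. This is an added example, not part of the Oracle Ksplice
notice; it assumes the config file and command paths named above, and the
DRY_RUN and UPTRACK_EXAMPLE_MAIN variables are conventions of this script only.

```shell
#!/bin/sh
# Added example (not Oracle Ksplice code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading the autoinstall setting from an
# uptrack.conf file. The path defaults to /etc/uptrack/uptrack.conf; a
# different path (e.g. a constructed test copy) can be passed as $1.

# Return 0 if the given uptrack.conf enables automatic installation.
# Accepts "autoinstall = yes" with any surrounding whitespace, case-insensitive
# on the value, and ignores commented-out lines.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print the action an administrator should take for this host.
plan_update() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall enabled: Ksplice Uptrack will apply USN-2667-1 without action"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Apply the updates only when they would not be installed automatically.
# DRY_RUN=1 (a convention of this script) prints the command instead of running it.
apply_if_needed() {
    if autoinstall_enabled "$1"; then
        return 0
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo /usr/sbin/uptrack-upgrade -y
    else
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Stand-alone usage: report the plan for the real config file.
if [ "${UPTRACK_EXAMPLE_MAIN:-0}" = "1" ]; then
    plan_update /etc/uptrack/uptrack.conf
fi
```

Run it with `UPTRACK_EXAMPLE_MAIN=1 sh uptrack-check.sh` to see the plan for the
local host, or source it and call `apply_if_needed` from a fleet-wide job; the
autoinstall check keeps the manual upgrade from being run redundantly on hosts
that already self-update.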

NOTE

The update titled "Kernel hang on UDP flood with wrong checksums." has been
assigned CVE-2015-5364 and CVE-2015-5366.  It was not part of the officially
released kernel, but we felt it was important to ship this update early,
before distributions released kernels, because our audit showed that a large
number of our customers are affected by this issue.

DESCRIPTION

* CVE-2015-1420: Buffer overflow in name_to_handle_at() system call.

Due to a race condition in the name_to_handle_at() system call, it is
possible for userspace to change the length of the buffer read by the
kernel after it has been allocated. This could lead to a buffer
overflow. A local user with CAP_DAC_READ_SEARCH privileges could
potentially use this to cause denial of service or possibly escalate
their privileges.


* Filesystem corruption with ext4 delayed extents.

Incorrect handling of unwritten and delayed extents could result in
filesystem corruption.  A local, unprivileged user could use this flaw
to zero parts of files under specific conditions.


* Filesystem corruption in ext4 fallocate().

A race condition in the fallocate() implementation on an ext4 filesystem
could result in filesystem corruption under specific conditions.


* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.

The oz_usb_handle_ep_data() function in the ozwpan driver could allow remote
attackers to cause a divide-by-zero via a crafted packet.


* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.

Lack of input validation and incorrect use of signed types in the ozwpan
driver could lead to a heap overflow.  A remote attacker could use these
flaws via a crafted packet to cause a denial-of-service or potentially gain
code execution.


* Infinite loop in USB CDC class driver when parsing CDC headers.

Lack of input validation in the USB CDC class driver could lead to an
infinite loop when parsing CDC headers.  A local attacker with physical
access could use a crafted USB device to cause a denial-of-service.


* Kernel hang in btrfs driver when deleting a subvolume.

Incorrect locking in the btrfs filesystem driver could result in a mutex
being incorrectly held on return of btrfs_ioctl_snap_destroy(), leading to
kernel hang next time the mutex is to be locked.


* Multiple deadlocks in ALSA emux driver.

Incorrect locking in the ALSA emux driver could lead to AB-BA deadlocks in
the kernel under various conditions.


* Denial-of-service in Rados Block Device (RBD) driver on end I/O.

Incorrect logic in the RBD driver on end I/O could trigger a kernel
assertion and lead to a denial-of-service under certain conditions.


* Multiple use-after-free in the block multiqueue core driver.

Logic errors in the block multiqueue core driver could lead to
use-after-free on concurrent CPU hotplug events.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Multiple divide-by-zero in the page write-back code.

Multiple logic errors in the page write-back code could lead to
divide-by-zero and denial-of-service under certain conditions.


* Memory leak and denial-of-service in the memory-failure subsystem.

A logic error in the memory-failure subsystem when handling a transparent
huge page could result in a memory leak and in a machine check error
killing the application using the transparent huge page.


* Out-of-bounds memory access in the nilfs driver.

An off-by-one error when checking the btree level in the nilfs driver could
lead to out-of-bounds memory access.  An attacker could use a specially
crafted nilfs image to cause a denial-of-service.


* Kernel hang in the ocfs2 driver when locking resources.

A race condition in the dlm_get_lock_resource() function in the ocfs2
driver could lead to a kernel hang on concurrent purge.  A local attacker
could use this flaw to cause a denial-of-service.


* Double-free in the VFS subsystem when opening an unnamed temporary file.

A logic error in the path_openat() function in the VFS subsystem when
opening an unnamed temporary file leads to a double-free.  A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* Permission bypass in filesystem namespace.

A logic error in the filesystem namespace subsystem allows a restricted
user to bypass mount restrictions and mount /proc or /sys if there is a
bind mount of part of /proc or /sys in its namespace.


* Kernel hang on UDP flood with wrong checksums.

A flaw in the UDP handling of wrong checksums could lead to a kernel hang
under a UDP flood attack.  A remote attacker could use this flaw to cause a
denial-of-service.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.