[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2638-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 10 20:04:37 PDT 2015


Synopsis: USN-2638-1 can now be patched using Ksplice
CVEs: CVE-2015-0275 CVE-2015-3636 CVE-2015-4036

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2638-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
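As an added example (not part of the Ksplice advisory or of Uptrack itself), the shell function below reads the "autoinstall" setting from an uptrack.conf and reports whether a manual uptrack-upgrade run is still needed; it assumes the simple "key = value" line format shown above and a "#" comment convention, and it never runs the upgrade itself.

```shell
#!/bin/sh
# Added example, not Oracle's code. Return 0 when the given uptrack.conf
# (default: /etc/uptrack/uptrack.conf) sets "autoinstall = yes".
# Assumes "#" starts a comment and that the last assignment wins.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Drop comments, keep only "autoinstall = ..." lines (any case,
    # any spacing), take the last one and normalise the value.
    val=$(sed -e 's/#.*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# Print the action required for a host. Returns 0 when nothing needs
# doing and 2 when the operator must run uptrack-upgrade by hand.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall = yes: USN-2638-1 updates install automatically"
        return 0
    fi
    echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
    return 2
}

# Constructed sample config (not a real host's file) so the script
# can be run offline as a demonstration.
demo=$(mktemp)
printf '# Ksplice Uptrack settings\nautoinstall = yes\n' > "$demo"
uptrack_plan "$demo" || true
rm -f "$demo"
```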


DESCRIPTION

* CVE-2015-0275: Information leak in ext4 zero range allocation.

The ext4 filesystem driver does not correctly zero data when attempting
to create a new zero range in a file. This potentially allows locally
unprivileged users to view the contents of other files.


* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets, which can trigger an assertion failure and kernel
panic.


* Deadlock when sending IPv4 FIN packets.

The kernel IPv4 stack can deadlock, causing a kernel panic, when
transmitting IPv4 FIN packets under high memory pressure.


* Data loss when mounting btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard', the btrfs driver can
overwrite filesystem metadata, causing data loss.


* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.


* Denial of service in btrfs IOC_FILE_EXTENT_SAME ioctl.

Attempting to query the extents of a file on a btrfs volume can trigger
an infinite loop and kernel panic. A local user could use this flaw to
cause a denial of service.


* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.


* Kernel panic when chowning files on NFS mount.

Under specific circumstances, chowning a file on an NFS mount can
trigger an assertion failure and cause a kernel panic.


* Memory leak in HyperV virtual storage driver.

The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest, causing a kernel memory leak in the
host.


* Data loss when handling iSER commands.

The iSCSI Extensions for RDMA (iSER) driver incorrectly calculates the
length of DIX data, which can lead to silent data corruption.


* Memory corruption when resolving symlink target.

A reference counting error when opening a symlink which crosses a
mountpoint can trigger a use-after-free condition and kernel panic.


* NULL pointer dereference in NFSv4 server SEEK and ALLOCATE commands.

A logic error in the kernel NFSv4 server can trigger a NULL pointer
dereference and kernel panic when handling SEEK and ALLOCATE commands
with particular stateids.


* Missing permission checks in NFSv4 server READ command.

The kernel NFSv4 server does not validate permissions when handling READ
commands with particular stateids, which can allow remote attackers to
read the contents of arbitrary files.


* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket, which can trigger kernel memory corruption. A local user can use
this flaw to gain elevated privileges.


* CVE-2015-4036: Memory corruption in Virtual host SCSI driver.

Incorrect input validation in the Virtual host SCSI driver when checking
an array index could lead to an out-of-bounds memory access and memory
corruption. A local, privileged user could use this flaw to cause a
denial of service or potentially escalate privileges.


* Incorrect locking in Direct Rendering Manager in drm_mode_getconnector().

Incorrect locking in the drm_mode_getconnector() error path leads to a
lock imbalance, which could lead to kernel deadlocks.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
