[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2889-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Feb 3 12:31:09 PST 2016


Synopsis: USN-2889-1 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7513 CVE-2015-7990 CVE-2015-8374

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2889-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Out of bounds memory access in infra-red driver.

Incrementing a pointer instead of its value in the infra-red driver could
lead to an out of bounds memory access.  A local user could use this flaw
to cause a denial-of-service.


* Remote denial-of-service in the Transparent Inter Process Communication protocol.

A flaw in the Transparent Inter Process Communication (TIPC) protocol
causes a kernel BUG assertion to trigger when receiving multicast packets
over UDP.  A remote user could use this flaw to cause a denial-of-service.


* Information leak in RDS over TCP.

In low memory situations, an incoming RDS datagram may get corrupted and
potentially leak sensitive information to the userspace program receiving
the datagram.


* Kernel BUG in IP multicast routing.

Due to a race condition when updating network device statistics for IP
multicast routing, a malicious local user may in rare circumstances be
able to cause a kernel crash.


* NULL pointer dereference when destroying TCP or ICMP sockets.

A lack of NULL pointer check when about to release a TCP or ICMP socket
could lead to a NULL pointer dereference and kernel panic under low memory.
A local user could use this flaw to cause a denial-of-service.


* Use-after-free in the network destination cache.

A logic error could cause a use-after-free when releasing a network
destination cache object.  A local, unprivileged user could use this flaw
to cause a denial-of-service.


* Information leak in HID core when connecting device.

In certain circumstances, connecting a HID device could cause an
uninitialised buffer to be printed to the kernel log. A malicious
local user with the ability to connect devices could use this to
obtain sensitive information from the kernel.


* Information leak in procfs wchan field.

The wchan field in the proc filesystem is exposing absolute kernel
addresses, giving away the address space layout randomization offset.  This
information can be used by an attacker to facilitate an attack.


* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.

An information leak vulnerability was found when truncating a file to a
smaller size which consists of an inline extent that is compressed. The
data between the new file size and the old file size was not discarded,
allowing another user to read it through the clone ioctl.


* Use-after-free in the ext4 filesystem when stopping journaling.

A flaw in the ext4 filesystem when stopping journaling leads to a
use-after-free.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Data corruption on ext4 filesystem when recording an error into the super block.

A race condition in the ext4 filesystem when using JBD2 journaling could
cause non-recoverable data corruption under certain circumstances.  A
local, unprivileged user could use this flaw to cause permanent data
corruption.


* Use-after-free in DesignWare SPI device host removal.

Incorrect freeing of IRQ resources in the DesignWare SPI device host
removal could result in a use-after-free, triggering a kernel warning,
or in rare cases, a use-after-free and kernel crash.


* Memory corruption in CAN driver when filling netlink packet.

A flaw in the CAN driver when writing device information on a netlink
socket can lead to memory corruption and kernel panic.  A local user could
use this flaw to cause a denial-of-service.


* Deadlock in memory technology device subsystem.

Incorrect ordering of locking calls could result in a deadlock during
concurrent accesses to an MTD device.  A local user with access to the
MTD device could use this flaw to hang the system.


* Denial-of-service in cryptographic algorithm sockets.

Incorrect assumptions about sequencing of calls to hash algorithms could
result in a kernel crash with specific algorithms if accept() was called
on the socket before data was received.  A local, unprivileged user
could use this flaw to crash the system.


* Denial-of-service in Megaraid SAS compatibility ioctl() handler.

Missing validation of user supplied data could allow a local user with
access to the device to trigger an unhandled fault and crash the system.


* Divide by zero in 802.11 WiFi-Direct stack on notification of absence.

A flaw in the mac 802.11 WiFi-Direct stack could lead to a division by zero
in the kernel upon receipt of a notification of absence with a zero interval.
A remote user within radio range of the WiFi-Direct interface could use this
flaw to cause a denial-of-service.


* Memory leak when parsing SMPS mode when starting in Access Point mode.

A flaw in the NL80211 stack could lead to a memory leak of the ACL policy
when failing to parse the SMPS mode.  A local user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* NULL pointer dereference in 802.11 WiFi stack on channel switch.

A missing check for NULL in the mac 802.11 WiFi stack on channel switch
could lead to a NULL pointer dereference when those events are being
traced.  A local user with the capabilities to trace those events could use
this flaw to trigger the NULL pointer dereference and crash the kernel.


* Integer overflow in /dev/kmsg facility.

Integer overflow of the /dev/kmsg facility could allow a local user to
spoof kernel messages in the kernel log.


* Kernel crash when running delayed allocation in Btrfs.

Due to a race between concurrent link/xattr and delayed allocation
operations in the Btrfs filesystem, it was possible for the kernel
to trigger an assertion failure and crash.


* Use-after-free in FS-Cache filesystem registration.

A reference count imbalance could result in premature freeing of a
filesystem and kernel crash under specific conditions.


* Kernel crash in FS-Cache when writing beyond end-of-file marker.

Incorrect handling of accesses to pages beyond the end-of-file marker
could result in triggering an assertion that would crash the system.


* Memory corruption in Marvell mwifiex driver when reading the eeprom.

A flaw in the Marvell mwifiex driver could lead to memory corruptions when
reading the eeprom.  A local user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in Virtual Video Test Driver removal.

A missing NULL pointer check during removal of the Virtual Video Test
Driver could result in a kernel crash under specific conditions.


* Out-of-bounds memory access when releasing PCI I/O regions.

Incorrect loop bounds could result in accessing beyond the end of an
array when releasing I/O regions on device removal.


* Use-after-free in High Speed Synchronous Serial Interface registration.

Failure to register a High Speed Synchronous Serial device could result
in a double-free and kernel crash.


* NULL pointer dereference in Netfilter NAT redirection.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when redirecting an IPV4 packet.


* Use-after free in Trusted Platform Module log reading.

Premature freeing of an Open Firmware node could result in a
use-after-free and kernel crash when reading the TPM log.


* Umask bypass when creating a block or character file on OCFS2.

A flaw in the OCFS2 filesystem causes the current umask to be ignored when
creating a block or character special file.  A local, unprivileged user
could get access to those special files and potentially use them to escalate
privileges.


* Memory leak when receiving frames in MAC-VLAN virtual interface driver.

In certain circumstances, receiving a frame through the MAC-VLAN
virtual network interface driver could cause the memory used for the
frame to be leaked. A malicious local user could potentially abuse
this to cause denial of service.


* Out-of-bounds read in Mac partition table parser.

Due to missing input validation in the Mac partition table parser, a
corrupted partition table could cause a buffer overflow. A malicious
local user could use this to crash the kernel or potentially escalate
privileges.


* Denial of service in sendfile() system call.

Due to a missing check for pending signals, a malicious call to
sendfile() by a regular userspace process could cause the system
call to hang for a long time. This could tie up resources and thus
cause denial of service.


* Softlockups and RCU stalls in sendfile() system call.

Due to missing scheduling points in sendfile(), attempting to send
large amounts of memory between certain types of file descriptors could
cause the kernel to get tied up, causing denial of service.


* Denial-of-service in the NFSv4 client code when allocating an ID.

Incorrect reference counting when allocating an ID in the NFSv4 client code
could lead to a kernel crash under certain circumstances.  A local,
unprivileged user with access to a NFSv4 mount could use this flaw to cause
a denial-of-service.


* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.

Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Use-after-free when opening X.25 async driver TTY.

A logic error in the X.25 async driver could result in a use-after-free
when opening the TTY device. A malicious local user with sufficient
permissions could potentially use this to crash the kernel or escalate
privileges.


* Use-after-free in Rados block device when queueing work.

Incorrect reference counting in the Rados block device when queueing work
could lead to a use-after-free and kernel panic.  A local attacker could
use this flaw to cause a denial-of-service.


* Out-of-memory condition when sending a TCP message.

A flaw in the TCP stack allows a local, unprivileged user to cause a huge
contiguous memory allocation, potentially leading to an out-of-memory
condition.


* Out-of-bounds memory access when updating elements of a Berkeley Packet Filter array.

A logic error when copying elements of a Berkeley Packet Filter to an array
could lead to an out-of-bounds memory read.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when dumping proxy entries.

A missing check for NULL when dumping proxy entries could lead to a NULL
pointer dereference when the proxy entry is device agnostic.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Memory leak when removing a routing table in the IPv6 stack.

Incorrect reference counting when destroying a routing table in the IPv6
stack leads to a memory leak.  A local user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* CVE-2013-7446: Use after free in Unix sockets.

Invalid reference counting in the kernel Unix socket subsystem can
trigger a use after free condition. A local unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.


* Multicast group exhaustion in IPv4 IGMP driver.

In certain circumstances, hot-unplugging an interface that has joined
an IPv4 IGMP multicast group would cause the stale group entry to remain
in memory. This entry is counted against the igmp_max_memberships sysctl
and could prevent new groups from being joined. A malicious local user
with the ability to hot-unplug interfaces could use this to cause denial
of service.


* CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.

A missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to make a division by zero, causing
a kernel crash.  A local user with the capability to run KVM machines could
use this flaw to cause a denial-of-service.


* UDP packet receive failure with short buffers.

Incorrect handling of checksums for short receive buffers could result
in applications failing to receive data from a UDP socket.


* Corrupted root FAT filesystem directory causes readdir to never terminate.

A corrupted root directory could cause fat_get_entry() to fail causing
progress to not be reported to VFS. The result is that userspace will
never see the end of the directory, causing e.g. 'ls' to hang in a loop.


* Improved fix to denial-of-service in PCI numa_node sysfs attribute.

Missing range checks could result in an out-of-bounds access when
writing to the numa_node override attribute of a PCI device, triggering a
kernel crash or possibly allowing privilege escalation. The original
version of this update did not handle checking for negative numbers.


* Untrusted certificates can be loaded on the IMA trusted keyring.

Improper handling of certificate loading in the security subsystem could
result in a certificate being loaded without verifying that it is signed
by a trusted key in the system keyring.


* Btrfs file corruption after cloning inline extents.

Cloning data with the clone ioctl from a file with inline
data to a larger file can cause data loss due to mixed inline
and non-inline data.


* Use after free and memory leak in ipvlan.

Incorrect memory management in the ipvlan subsystem could cause a leak of
packet data memory or a use-after-free condition.


* Denial of service in nfs4 when truncated compound request received.

When a truncated compound request is received, uninitialized data is used
to process the request as if it had been fully received.


* Memory leak in Bluetooth Security Manager Protocol.

The Bluetooth Security Manager Protocol driver incorrectly handles a reference
to the Bluetooth L2CAP channel, causing a memory leak.


* Timing leak in GCM and CCM decryption and ESP ICV verification.

Using a non-constant-time memcmp() makes the verification of the authentication
tag in the decrypt path vulnerable to timing attacks.
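The difference between the two comparison strategies, as an added illustration that is not part of the original advisory: tag_check_memcmp() mirrors the flawed early-exit pattern, memcmp_bytes_examined() counts the data-dependent work an attacker's timing measurements observe, and tag_check_ct() is a constant-time comparison in the style of the kernel's crypto_memneq(). All function names and the sample tags are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample tags: one reference, one differing in the first byte,
 * one differing only in the last byte. */
const uint8_t SAMPLE_TAG[16]       = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
const uint8_t SAMPLE_BAD_FIRST[16] = {0,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
const uint8_t SAMPLE_BAD_LAST[16]  = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0};

/* Flawed pattern: memcmp() stops at the first differing byte, so the time
 * spent depends on how many leading bytes of the received tag are right.
 * Returns 1 when the tag matches, 0 otherwise. */
int tag_check_memcmp(const uint8_t *expected, const uint8_t *received, size_t len)
{
    return memcmp(expected, received, len) == 0;
}

/* Number of bytes an early-exit comparison inspects before returning:
 * this is the quantity a remote timing measurement leaks. */
size_t memcmp_bytes_examined(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Constant-time comparison: OR together the XOR of every byte pair, then
 * collapse the accumulator to 0 or 1 without a data-dependent branch.
 * Every byte is visited whatever the position of the first mismatch. */
int tag_check_ct(const uint8_t *expected, const uint8_t *received, size_t len)
{
    volatile uint8_t acc = 0;   /* volatile discourages short-circuit optimisation */
    for (size_t i = 0; i < len; i++)
        acc |= expected[i] ^ received[i];
    /* (acc - 1) underflows to all-ones only when acc == 0, i.e. all bytes matched */
    return (int)((((unsigned)acc - 1u) >> 8) & 1u);
}

int main(void)
{
    printf("memcmp examines %zu byte(s) for a first-byte mismatch, %zu for a last-byte mismatch\n",
           memcmp_bytes_examined(SAMPLE_TAG, SAMPLE_BAD_FIRST, 16),
           memcmp_bytes_examined(SAMPLE_TAG, SAMPLE_BAD_LAST, 16));
    printf("constant-time check: match=%d mismatch=%d\n",
           tag_check_ct(SAMPLE_TAG, SAMPLE_TAG, 16),
           tag_check_ct(SAMPLE_TAG, SAMPLE_BAD_LAST, 16));
    return 0;
}
```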

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
