[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2970-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Tue May 10 10:15:08 PDT 2016
Synopsis: USN-2970-1 can now be patched using Ksplice
CVEs: CVE-2015-7515 CVE-2015-8830 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3157 CVE-2016-3689 CVE-2016-3951
Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2970-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2015-7515: Denial-of-service in the aiptek USB driver.
A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints. An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.
* Kernel panic when using receive aggregation on WiFi.
Use of uninitialised values in the WiFi stack when using RX aggregation
could lead to a kernel crash.
* Information leak in the ATA 32-bit compat ioctl.
A logic error in the ATA 32-bit compat ioctl could lead to writing 3 bytes
of uninitialized stack content to userspace. An attacker could use this
flaw to gain information about the running kernel.
* Kernel deadlock in JFFS2 filesystem when writing.
Incorrect lock ordering when writing to a JFFS2 filesystem could lead to
deadlocks. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Memory corruption when removing Geschwister Schneider USB/CAN device.
Invalid usage of kfree() on a pointer that is reference counted leads to
use-after-free and memory corruptions when removing a Geschwister Schneider
USB/CAN device. An attacker with physical access could use this flaw to
cause a denial-of-service.
* Out-of-bounds memory access on reading a file from an SMB server.
Missing input validation when parsing the lease state from a Server Message
Block (SMB) Create response could lead to an out of bounds memory read and
kernel crash. A local, unprivileged user or a rogue SMB server could use
this flaw to cause a denial-of-service.
* Kernel hang when the function graph tracer is enabled on suspend.
The function graph tracer gets inconsistent call return information in the
low level ACPI suspend code, leading to a kernel hang.
* Privilege escalation when chowning files on overlayfs mount.
The overlayfs filesystem driver does not update filesystem metadata when
changing file ownership which could allow a local user to access
privileged files and gain escalated privileges.
* Heap overflow in the Unsorted Block Images (UBI) on volume update.
A flaw in the UBI code causes a heap structure to be allocated with too few
bytes, leading to a write overflow when updating the volume. A local,
unprivileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.
* Use-after-free in generic Target Core Mod (TCM) on completed commands.
An extra reference count was dropped when aborting an already completed
command, leading to use-after-free and memory corruption.
* Denial-of-service in JFFS2 when recovering a halfway failed rename.
A logic error in the JFFS2 journalling driver could lead to a kernel panic
when recovering a halfway failed rename.
* Information leak to KVM guests when the host is using PEBS tracing.
KVM hosts using Intel Precise Events Based Sampling (PEBS) could have their
PEBS tracing record written to a KVM guest under certain circumstances. An
attacker with full control of a KVM kernel guest could use this flaw to get
information about the KVM host kernel.
* Denial-of-service when running a KVM guest with Extended Page Table disabled.
KVM guests with Extended Page Table (EPT) disabled could trigger a
continuous stream of faults, effectively causing a denial-of-service of the
host.
* Filesystem corruption in EXT4 extent moving.
A missing update of the buffer head could result in filesystem
corruption when moving extent data.
* CVE-2016-3951: Use-after-free in USB networking bind failure.
A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.
* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.
A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-2188: Denial of service in IO Warrior USB descriptor parsing.
A logic error in the IO Warrior USB driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference and
kernel panic.
* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.
A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.
A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.
* CVE-2016-3138: Denial of service in CDC ACM USB descriptor parsing.
A logic error in the CDC ACM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.
* NULL pointer dereference in TTY line discipline reception.
A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.
* Use-after-free in Infra-red terminal opening.
Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash. A local user with
access to the IrTTY device could use this flaw to crash the system.
* NULL pointer dereference in Infiniband SCSI RDMA Protocol Target.
Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.
* Denial-of-service in NFS server buffer decoding.
Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash. A malicious client could use
this flaw to crash the system.
* Kernel crash in disk quota initialization.
Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.
* Kernel crash in block cache device initialization.
A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.
* NULL pointer dereference in block cache registration failure.
Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.
* Journalling filesystem corruption on unmount under memory pressure.
Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.
* Heap overflow in I2C USB HID reporting.
Missing bounds checks could result in a heap overflow when setting or
sending a report. A local user with access to the device could use this
flaw to crash the system or, potentially, escalate privileges.
* Denial-of-service in NFS secinfo+readdir operations.
Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.
* CVE-2016-3689: Denial of service in IMS PCU USB descriptor parsing.
A logic error in the IMS PCU USB driver can allow a malformed USB
descriptor with missing interfaces to trigger a NULL pointer dereference
and kernel panic.
* Denial of service in generic USB interface management.
A malformed USB descriptor can trigger a NULL pointer dereference and
kernel panic when the generic USB driver claims interfaces.
* Denial-of-service in pipe splicing with no pages.
Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash. Under specific conditions a local user
could use this flaw to crash the system.
* Denial-of-service in KVM invept instruction emulation.
Incorrect handling of an invalid invept instruction could
result in a kernel hang. A local user could use this flaw to crash the
system.
* Denial-of-service in KVM VCPU creation.
Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.
* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.
A race condition between convert and recovery operations could result in
a system hang under specific conditions.
* Kernel crash in OCFS2 Distributed Lock Manager during master loss.
A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.
* Denial-of-service in recvmmsg() error handling.
Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call. A local, unprivileged user could use this flaw
to trigger a denial-of-service.
* Denial-of-service in SUNRPC cache management.
Incorrect error handling could result in a reference count imbalance of
the SUNRPC cache object, triggering either a resource leak, or
potentially, a use-after-free.
* Use-after-free in PPP ioctl() handling.
Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash. A local user with access to the
PPP device could use this flaw to crash the system.
* CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.
User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.
* Use-after-free in Maxim MAX1111 ADC channel read.
Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash. A local, privileged user could
use this flaw to crash the system.
* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.
A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.
A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.
A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.
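The descriptor-parsing entries above (CVE-2016-2184, -2185, -2186, -2188, -3136, -3137, -3138, -3140, -3689 and the generic USB interface management item) share one root cause: a probe routine that trusts the endpoint or interface counts a device advertises and indexes arrays that are empty when those counts are zero. The following C program is an added illustration written for this page; it is not Ksplice's code and not the kernel's. The structure names imitate the Linux USB core but are simplified stand-ins, the `ifnum_to_if`, `probe_unchecked` and `probe_checked` functions are hypothetical, and the two sample devices are constructed in the source rather than captured from hardware. It shows the unchecked probe shape beside a probe that validates both the interface number and the endpoint count before dereferencing anything.

```c
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Simplified stand-ins for the Linux USB core structures. These are assumed
 * shapes for illustration, not the kernel's definitions. */
struct usb_endpoint_descriptor {
    unsigned char bEndpointAddress;  /* bit 7 set = IN endpoint */
    unsigned char bmAttributes;      /* 0x02 = bulk transfer type */
};

struct usb_host_endpoint {
    struct usb_endpoint_descriptor desc;
};

struct usb_host_interface {
    unsigned char bNumEndpoints;          /* copied from the interface descriptor */
    struct usb_host_endpoint *endpoint;   /* NULL when bNumEndpoints == 0 */
};

struct usb_device {
    int num_interfaces;                   /* interfaces the device actually exposes */
    struct usb_host_interface **interface;
};

/* Hypothetical interface lookup: NULL when the device lacks that interface,
 * which is the "incorrect number of interfaces" / "missing interfaces" case. */
static struct usb_host_interface *ifnum_to_if(const struct usb_device *dev, int ifnum)
{
    if (ifnum < 0 || ifnum >= dev->num_interfaces)
        return NULL;
    return dev->interface[ifnum];
}

/* Vulnerable shape: indexes the endpoint array without checking that any
 * endpoints exist. With a zero-endpoint descriptor, endpoint is NULL and this
 * line is the NULL pointer dereference the advisory describes. It is only ever
 * called below with a well-formed interface. */
static int probe_unchecked(const struct usb_host_interface *iface, unsigned char *ep_addr)
{
    *ep_addr = iface->endpoint[0].desc.bEndpointAddress;
    return 0;
}

/* Hardened shape: a driver that needs `need` endpoints on interface `ifnum`
 * verifies the interface exists and the endpoint count is sufficient before
 * touching either array. Returns 0 on success, -ENODEV when the descriptor
 * does not describe the hardware the driver expects. */
static int probe_checked(const struct usb_device *dev, int ifnum, int need, unsigned char *ep_addr)
{
    const struct usb_host_interface *iface = ifnum_to_if(dev, ifnum);

    if (iface == NULL)
        return -ENODEV;                   /* interface missing from the device */
    if (iface->bNumEndpoints < need || iface->endpoint == NULL)
        return -ENODEV;                   /* too few (or zero) endpoints */

    *ep_addr = iface->endpoint[0].desc.bEndpointAddress;
    return 0;
}

/* Constructed sample devices (not real descriptors captured from hardware). */
static struct usb_host_endpoint good_eps[2] = { { { 0x81, 0x02 } }, { { 0x02, 0x02 } } };
static struct usb_host_interface good_iface = { 2, good_eps };
static struct usb_host_interface *good_list[1] = { &good_iface };
struct usb_device good_dev = { 1, good_list };          /* one interface, two bulk endpoints */

static struct usb_host_interface zero_ep_iface = { 0, NULL };
static struct usb_host_interface *zero_list[1] = { &zero_ep_iface };
struct usb_device zero_ep_dev = { 1, zero_list };       /* one interface, zero endpoints */

unsigned char probe_ep;   /* endpoint address reported by the last successful probe */

int main(void)
{
    int rc;

    rc = probe_unchecked(&good_iface, &probe_ep);
    printf("unchecked probe, well-formed device: rc=%d ep=0x%02x\n", rc, probe_ep);

    rc = probe_checked(&good_dev, 0, 2, &probe_ep);
    printf("checked probe, well-formed device: rc=%d ep=0x%02x\n", rc, probe_ep);

    rc = probe_checked(&zero_ep_dev, 0, 1, &probe_ep);
    printf("checked probe, zero-endpoint descriptor: rc=%d (%s)\n",
           rc, rc == -ENODEV ? "-ENODEV, device rejected" : "unexpected");

    rc = probe_checked(&good_dev, 1, 1, &probe_ep);
    printf("checked probe, interface 1 absent: rc=%d\n", rc);
    return 0;
}
```

The point of the hardened form is that rejecting the device with -ENODEV at probe time is the correct outcome for a descriptor that does not match what the driver was written for; no later code path should have to discover an empty endpoint array on its own.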
* Kernel crash in ALSA timer arming.
Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.
* Kernel crash in NUMA page migration.
Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.
* Divide-by-zero in the ALSA RME Hammerfall audio driver.
A lack of data validation in the system sample rate code of the RME
Hammerfall audio driver could lead to a division-by-zero and kernel crash.
* Denial-of-service in coredump writing.
Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory. This flaw could be used to
exhaust disk space and trigger a denial-of-service.
* CVE-2015-8830: Denial of service in AIO.
Due to a missing length check, a userspace process could potentially
pass a very large IO control block to the kernel. A malicious user
could use this to cause denial of service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.