[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (DLA 1884-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Sep 5 04:46:05 PDT 2019


Synopsis: DLA 1884-1 can now be patched using Ksplice
CVEs: CVE-2017-18509 CVE-2018-20836 CVE-2019-10207 CVE-2019-10638 CVE-2019-1125 CVE-2019-13631 CVE-2019-14283 CVE-2019-14284 CVE-2019-15214 CVE-2019-15216 CVE-2019-15239 CVE-2019-3900

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, DLA 1884-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
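The two installation paths above depend on one setting, so a fleet check that reads the autoinstall key and reports which hosts still need the manual `uptrack-upgrade -y` is useful. The following POSIX shell script is an added example, not part of the Ksplice advisory or of Uptrack itself; it assumes the `key = value` syntax quoted above, that a missing key means "no", that the last occurrence of the key wins, and that the file has a `[Settings]` section (the section name is assumed). It runs against constructed sample files rather than real hosts.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide from an uptrack.conf whether
# the DLA 1884-1 Ksplice updates will be applied automatically or whether
# the operator must run /usr/sbin/uptrack-upgrade -y.

# autoinstall_setting CONF
# Prints the effective value of the "autoinstall" key in CONF, lower-cased,
# ignoring commented lines, surrounding whitespace and trailing comments.
# Prints "no" when the file is unreadable or the key is absent
# (assumption: Uptrack treats a missing key as disabled).
autoinstall_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo "no"; return 0; }
    # Match "autoinstall = value" at the start of a line; a leading "#"
    # prevents the match, so commented-out settings are ignored.
    # The last matching line wins (assumption).
    val=$(sed -n \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ -z "$val" ]; then
        echo "no"
    else
        echo "$val"
    fi
}

# needs_manual_upgrade CONF
# Returns 0 (true) when the updates will NOT be installed automatically,
# i.e. the operator must run the upgrade command; returns 1 when
# "autoinstall = yes" is set, exactly as the advisory describes.
needs_manual_upgrade() {
    case "$(autoinstall_setting "$1")" in
        yes) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample configurations for demonstration only.
tmpdir=$(mktemp -d)
printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$tmpdir/manual.conf"
printf '[Settings]\nautoinstall = yes   # applied by the Uptrack daemon\n' > "$tmpdir/auto.conf"

for f in "$tmpdir"/*.conf; do
    if needs_manual_upgrade "$f"; then
        echo "$f: autoinstall=$(autoinstall_setting "$f") -> run /usr/sbin/uptrack-upgrade -y"
    else
        echo "$f: autoinstall=yes -> updates will be installed automatically"
    fi
done
rm -rf "$tmpdir"
```

On a real host, point `needs_manual_upgrade` at /etc/uptrack/uptrack.conf; the sed expression deliberately does not strip the `#`-led line, so a commented-out `autoinstall = yes` is correctly reported as requiring manual action.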


DESCRIPTION

* Potential kernel crash in UDF filesystem's truncate() error path.

An incorrectly handled error case in the truncate(2) syscall on a UDF
filesystem can trip a kernel BUG(), leading to a kernel panic.  This
could potentially be exploited to cause a denial-of-service.


* Improved fix to Spectre v1: bounds-check bypass in various ALSA sound drivers.

Several arrays in subsystems of the ALSA sound device driver code are
potentially vulnerable to a Spectre variant 1 speculative execution
attack.


* Out-of-bounds memory access when changing PCM parameters on ALSA device.

When altering PCM parameters for an ALSA sound device, incorrect
ordering of allocations could result in an out-of-bounds memory access,
potentially resulting in memory corruption or a denial-of-service.


* NULL pointer dereference in fair schedule load calculation.

A race condition in the fair scheduler code could lead to a NULL pointer
dereference and possible memory corruption or kernel panic.


* Denial-of-service in Xen ioctl when processing command input.

A failure to validate user input in the Xen ioctl code could result in an
out of bounds memory access, leading to possible memory corruption or a
kernel panic.  This could be used for a denial-of-service attack.


* Memory leak in block bio layer when adding a page fails.

A failure to properly handle an error condition with adding a page in the
block bio layer results in a memory leak.  This could be exploited to cause
a denial-of-service attack.


* Out-of-bounds access when getting a USB string descriptor.

A logic error when getting a USB string descriptor could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when attaching a Velleman VM110/VM140 USB board fails.

A logic error when attaching a Velleman VM110/VM140 USB board fails could
lead to use of an uninitialized semaphore and a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* Memory leak in CIFS symlink query path.

A failure to close a file handle under certain conditions can lead to
a memory leak in the CIFS code path that deals with symlinks.  This
flaw could potentially be exploited by a malicious local user to waste
system resources and degrade performance.


* Invalid memory access when renaming debugfs entries in the generic IEEE 802.11 networking stack.

A missing check when renaming debugfs entries in the generic IEEE 802.11
networking stack could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service to filesystem in CIFS rename code path.

If a path-based rename fails with EBUSY in cifs_do_rename on an SMB2+
mount, the kernel will attempt to fall back to using the SMB protocol,
which will force a session close.  This could be exploited by a
malicious attacker to disrupt service to the filesystem.


* CVE-2019-15216: Use-after-free when removing a USB Yurex device.

A logic error when removing a USB Yurex device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access when connecting a DS2490 USB adapter to the W1 1-wire transport layer.

A logic error when connecting a DS2490 USB adapter to the W1 transport
layer for 1-wire could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Permission bypass when using the IPv6 flowlabel manager.

A logic error in the IPv6 flowlabel manager could let a process with a
recycled PID configure a flowlabel owned by a previous process that had
the same PID.


* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.

Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors.  A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.


* CVE-2019-14284: Denial-of-service in floppy disk formatting.

A division by zero in the setup_format_params function for the floppy
disk driver could result in a kernel crash.  A local user with access to
the floppy disk device could use this flaw to crash the system.


* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.


* Denial-of-service when validating packet against xfrm policy.

A use-after-free bug in the received packet validation path in the xfrm
subsystem could lead the kernel to execute code from arbitrary memory.
This could cause a denial-of-service and possibly be exploited by an
attacker to hijack control flow.


* Potential denial-of-service while processing loopback data in Rose driver.

A failure to properly rate-limit the processing of the ROSE driver's
loopback_queue can lead to CPU lockups when the queue grows large.
This flaw could potentially be exploited by an attacker to cause a
denial-of-service.


* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.


* XSA-300: Denial-of-service in Xen memory ballooning.

A logic error in the Xen memory balloon device driver could result in
exhaustion of resources or crashes of the backend device drivers
resulting in IO stalls or guest failures.  A local privileged user could
use this flaw to cause a denial of service.


* Potential system crash in IPv6 UDP core when UFO is enabled.

A logic error in the udp6_ufo_fragment function can lead to a NULL
pointer dereference, and subsequent kernel panic.  This could
potentially be exploited by a remote attacker to cause a
denial-of-service.


* CVE-2017-18509: Denial-of-service in IPv6 multicast routing path.

A failure to properly verify certain socket properties before performing
operations on the sockets in the IPv6 multicast routing path can cause a
kernel panic.  This flaw could potentially be exploited by a local
attacker to cause a denial-of-service.


* Potential deadlock in IIO core.

A lock ordering issue in the IIO device unregister path can lead to a
deadlock.  This could be exploited by a local attacker with sufficient
privileges, in order to cause a denial-of-service.


* Memory leak while changing DCCP socket SP feature values.

Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory.  This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.


* Out-of-bounds memory access during btrfs image validation.

A failure to properly check the length of a particular string when
validating a btrfs image can lead to an out-of-bounds read.  A local
attacker could potentially craft a special image to exploit this flaw,
which could cause a system to exhibit unexpected behavior.


* Potential use-after-free in Exar NIC driver.

When a DMA mapping operation fails while trying to allocate more mempool
space in the Exar NIC driver, a freed address will be returned from
__vxge_hw_blockpool_malloc instead of the expected NULL.  This can lead
to a use-after-free scenario, which may cause a system to exhibit
unexpected behavior, including a potential denial-of-service.


* CVE-2019-1125: Information leak in kernel entry code when swapping GS.

A local attacker could speculatively access percpu data using a
user-defined GS base and leak information about the running kernel to
facilitate a further attack.


* CVE-2019-10207: Denial-of-service in Bluetooth UART driver.

A logic error in the HCI UART device open path can cause the kernel to
attempt to execute at a bad address, leading to a system panic.  This
flaw could be exploited by a local attacker to cause a
denial-of-service.


* Multiple memory access violations in floppy driver.

A failure to properly check input from userspace can lead to either an
out-of-bounds read or a bad pointer dereference in the floppy driver.
A local attacker with sufficient privileges could exploit these flaws
to cause a system to exhibit unexpected behavior, or to cause a
denial-of-service.


* CVE-2019-15239: Use-after-free in TCP write queue purge path.

A failure to properly zero out pointers to freed memory in the
tcp_write_queue_purge function can lead to a use-after-free scenario.
This could potentially cause a system to exhibit unexpected behavior,
and could lead to a denial-of-service.


* CVE-2019-15214: Use-after-free when connecting ALSA cards.

A race condition when connecting an ALSA sound device could result in
prematurely freeing associated data structures. A malicious device might
exploit this to cause a denial-of-service or memory corruption.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-10638.

CVE-2019-10638 is a flaw in the IP ID generation code that could allow a
remote user to track remote Linux devices.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-3900.

CVE-2019-3900 is a denial-of-service for vhost devices.  Virtual Machine
hosts using vhost devices for networking untrusted guests should reboot
into a newer kernel to mitigate CVE-2019-3900.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
