[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4698)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jul 6 13:46:34 PDT 2020


Synopsis: DSA-4698 can now be patched using Ksplice
CVEs: CVE-2019-19768 CVE-2019-5108 CVE-2020-0543 CVE-2020-10711 CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494 CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668 CVE-2020-12114 CVE-2020-12464 CVE-2020-12653 CVE-2020-12654 CVE-2020-12770 CVE-2020-13143 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8992 CVE-2020-9383

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4698.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2020-11494: Information leak in serial line CAN device communication.

When communicating with a CAN device over serial, a buffer structure is
transmitted without proper sanitization, potentially exposing stack
memory over the network.


* CVE-2020-10711: NULL pointer dereference when using CIPSO network packet labeling.

A logic error when receiving CIPSO network packets could lead to a NULL
pointer dereference. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-8648: Use-after-free in the virtual terminal driver.

A locking error in the virtual terminal driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service or escalate privileges.


* CVE-2020-8428: Use-after-free in filesystem directory handling.

A logic error in filesystem directory handling could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-11609: NULL pointer dereference when initializing STV06XX USB Camera device.

A missing check on USB endpoints when initializing STV06XX USB Camera
device could lead to a NULL pointer dereference. A local attacker could
use this flaw and a malicious USB device to cause a denial-of-service.


* CVE-2020-9383: Information leak in floppy disk driver.

A flaw in the floppy driver could lead to an out-of-bounds read when
assigning the floppy disk controller, resulting in an information leak.


* CVE-2019-5108: Denial-of-service of a wireless access point during roaming of a station.

A logic error in the protocol implementation when a station connects to
an access point during roaming could let an attacker within the internal
network cause a denial-of-service of the access point.


* Use-after-free when writing to a SLIP serial line.

A locking error when writing to a SLIP serial line while the line is
being closed could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.

A missing check when resizing the console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2020-11668: NULL pointer dereference when initializing Xirlink C-It USB camera device.

A missing check on USB endpoints when initializing Xirlink C-It USB
camera device could lead to a NULL pointer dereference. A local attacker
could use this flaw and a malicious USB device to cause a
denial-of-service.


* CVE-2020-12654: Denial-of-service when querying WMM status in mwifiex driver.

If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.


* CVE-2020-11608: NULL pointer dereference when initializing USB GSPCA based webcams.

A missing check on exposed endpoint numbers from USB GSPCA based webcams
could lead to a NULL pointer dereference. A local attacker could use a
malicious USB device to cause a denial-of-service.


* CVE-2020-12464: Use-after-free in USB scatter-gather library.

A use-after-free could occur in usb_sg_cancel() in the USB core
scatter-gather implementation when cancellation of an S-G transfer races
with the transfer's completion, which could result in a system crash.


* Denial-of-service in control plane of VT subsystem.

A NULL pointer dereference in the VT subsystem could result in a kernel
crash when issuing an ioctl. A local user could use this flaw to crash
the system.


* CVE-2020-12653: Denial-of-service when scanning for APs in mwifiex driver.

Failing to validate a user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in the mwifiex
driver. An attacker could exploit this bug to cause a denial-of-service.


* CVE-2020-8992: Deadlock with too big journal size on ext4 filesystem.

Using an overly large journal size on an ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.


* Denial-of-service when receiving IPv4 packets over a SLIP network device.

Missing checks when receiving IPv4 packets over a SLIP network device
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2020-11565: Out-of-bounds access when mounting tmpfs.

A missing check on the mpol mount option when mounting tmpfs could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.

Incorrect input validation could lead to type confusion and out-of-bounds
memory accesses. A local unprivileged user could use this to cause a
denial-of-service or potentially escalate privileges.


* CVE-2019-19768: Use-after-free when reporting an IO trace.

Lack of correct synchronization between releasing a structure used to
store a trace and filling that structure could lead to a use-after-free.
A local user with the ability to enable tracing on the block IO
sub-system could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* CVE-2020-13143: Out-of-bounds read when connecting to UDC.

When connecting via USB in gadget mode, the USB gadgetfs copies input
fields with strcpy, which can result in the copied buffers being smaller
than the originals. Accessing these new buffers can then result in an
out-of-bounds memory access, potentially leaking information or causing
a denial-of-service.


* CVE-2020-12114: Race condition in mountpoint counter causes DoS.

A race condition in synchronization surrounding the reference counter of
a filesystem mount point could allow a malicious user to corrupt the
counter, causing a kernel assertion failure and denial-of-service.


* CVE-2020-10751: Missing validation of netlink messages when sent coupled.

When multiple netlink messages are sent within a single sk_buff
structure, only the first message is correctly validated by SELinux,
allowing later messages to bypass proper validation.


* CVE-2020-10757: Flaw in DAX page mapping allows privilege escalation.

A flaw in the kernel handling for remapping huge pages mishandles pages
mapped for the DAX (direct userspace access) subsystem. A user with
access to DAX-mapped storage could exploit this to escalate their
privileges.


* CVE-2020-12770: Information leak/DoS in SCSI generic userspace write.

When copying data from userspace to a SCSI generic (sg) device, the
associated list entry is not properly removed, potentially causing a
denial-of-service or leaking sensitive kernel information.


* Double-free when opening serial CAN device netdevice.

When opening a serial CAN netdevice, an unexpected error could lead to a
double free, causing memory corruption or a denial-of-service.


* Information leak in corefiles in per-thread info.

When generating a corefile, the per-thread core information is not
properly sanitized, potentially leaking sensitive kernel data into the
filesystem.


* CVE-2020-0543: Side-channel information leak using SRBDS.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers used by
instructions like RDRAND, RDSEED and SGX EGETKEY.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/srbds
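An added example, not part of the advisory or of Ksplice's own tooling: a small POSIX shell function that reads that sysfs file and distinguishes a fully mitigated system from one whose kernel is patched but still lacks the required microcode. The status strings it matches are the ones documented in the kernel's special-register-buffer-data-sampling admin guide; the file path is a parameter so the function can be run against a constructed file as well as the live one.

```shell
#!/bin/sh
# Added example (not Ksplice's code): classify the SRBDS (CVE-2020-0543)
# mitigation status reported by the kernel in sysfs. Useful in a fleet
# check, since a Ksplice-patched kernel still reports "Vulnerable: No
# microcode" until the CPU microcode update has been applied.

SRBDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# srbds_classify [FILE]
#   Prints one of: not-affected, mitigated, needs-microcode, vulnerable,
#   unknown. Returns 0 when no further action is needed, 1 otherwise.
#   FILE defaults to the live sysfs entry.
srbds_classify() {
    file=${1:-$SRBDS_SYSFS}
    if [ ! -r "$file" ]; then
        # Kernel does not expose an SRBDS entry at all (too old, or
        # sysfs not mounted): we cannot tell, so flag it for follow-up.
        echo unknown
        return 1
    fi
    status=$(cat "$file")
    case "$status" in
        "Not affected")
            echo not-affected; return 0 ;;
        "Mitigation: Microcode"|"Mitigation: TSX disabled")
            echo mitigated; return 0 ;;
        "Vulnerable: No microcode")
            # Kernel side is in place but the microcode update the
            # advisory calls for is still missing on this host.
            echo needs-microcode; return 1 ;;
        Vulnerable*)
            echo vulnerable; return 1 ;;
        *)
            # For example "Unknown: Dependent on hypervisor status"
            # inside a guest, where the hypervisor owns the microcode.
            echo unknown; return 1 ;;
    esac
}
```

Calling `srbds_classify` with no argument reports on the running system; the exit status makes it usable directly in a cron or configuration-management check.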

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
