[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (FEDORA-2018-8dc60a4feb)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 1 07:27:16 PST 2018


Synopsis: FEDORA-2018-8dc60a4feb can now be patched using Ksplice
CVEs: CVE-2017-1000410 CVE-2017-18075 CVE-2017-5753 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-8dc60a4feb.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
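As an added example (not part of the Oracle announcement), a POSIX shell helper that reads the autoinstall setting named above from uptrack.conf and only runs the manual upgrade when Uptrack will not do it itself. The configurable path, the section-agnostic parsing and the last-assignment-wins rule are assumptions, not documented uptrack.conf behaviour.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: decide whether this
# host still needs a manual `uptrack-upgrade -y` by reading the autoinstall
# setting the announcement refers to. The config path is a parameter so the
# function can be exercised against a constructed file; on a real host it is
# /etc/uptrack/uptrack.conf. Assumption: section headers such as [Settings]
# are ignored and the last autoinstall assignment in the file wins.

# Print "yes" if autoinstall is enabled in the given uptrack.conf, else "no".
# Tolerates comments (# or ;), blank lines, whitespace around '=', mixed case
# and a trailing comment after the value. A missing or unreadable file is
# reported as "no" so that the caller falls back to a manual upgrade.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }
        NF < 2 { next }
        {
            key = $1
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (tolower(key) != "autoinstall") next
            val = $2
            sub(/[ \t]*[#;].*/, "", val)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            last = tolower(val)
        }
        END { if (last == "yes") print "yes"; else print "no" }
    ' "$conf"
}

# Exit 0 when Uptrack will apply FEDORA-2018-8dc60a4feb on its own, or when
# the manual upgrade succeeds; otherwise propagate uptrack-upgrade's status.
ksplice_ensure_updated() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall_enabled "$conf")" = yes ]; then
        echo "autoinstall enabled in $conf; Uptrack will install the updates itself"
        return 0
    fi
    echo "autoinstall not enabled in $conf; installing updates now"
    /usr/sbin/uptrack-upgrade -y
}
```

Run `ksplice_ensure_updated` as root on the host, or pass an alternative config path as its first argument.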


DESCRIPTION

* Out-of-bounds access when setting an extended attribute.

A failure to correctly validate the length of a security capability
extended attribute provided by userspace can result in an out-of-bounds
memory access. A local user could use this flaw to cause a
denial-of-service or other unspecified consequences.


* Denial-of-service during debugstore mapping in perf subsystem.

A failure to correctly flush the TLB when mapping debugstore memory in the
perf subsystem can result in an assertion failure. A local user with the
ability to use perf could use this flaw to cause a denial-of-service.


* Use-after-free in userfaultfd duplication failure during fork operation.

A failure to correctly handle a failed duplication of a userfaultfd file
descriptor during a fork can result in dangling references to freed
memory which can lead to a use-after-free. A local user could use this
flaw to potentially escalate privileges.


* Use-after-free in BTRFS delayed inode deletion.

A race condition in BTRFS when deleting delayed inodes can result in an
incorrect free which can lead to a use-after-free. A local user with
access to a BTRFS filesystem could use this flaw to potentially escalate
privileges.


* Out-of-bounds access in chacha20 poly1305 decryption.

A failure to validate the digest size when initialising a chacha20
poly1305 decryption operation can result in a buffer overrun, leading
to a kernel crash. A local user could use this flaw to cause a
denial-of-service or other unspecified consequences.


* Denial-of-service during fatal signal processing in thread groups.

A logic error when dealing with fatal signals for thread groups can
result in an assertion failure leading to a kernel crash. A local user
could use this flaw to cause a denial-of-service.


* Denial-of-service in filesystem cache implementation.

A logic error when attempting to free FScache pages can result in a
failure to free pages, which can lead to memory exhaustion. A local user
could use this flaw to cause a denial-of-service.


* CVE-2017-18075: Denial-of-service in freeing of parallel crypto wrapper.

A logic error when freeing a parallel crypto wrapper instance can result
in an incorrect free, leading to a kernel crash or other unspecified
behaviour. A local user could use this flaw to cause a
denial-of-service.


* Improved fix for CVE-2017-5753: Speculative execution in KVM VMCS field-to-offset table.

The KVM VMCS field-to-offset table is vulnerable to a Spectre variant 1
side-channel attack. An unprivileged guest could exploit this flaw to
read arbitrary memory in the host.


* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.

Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.


* NULL pointer dereference when using the Mellanox Technologies Spectrum driver.

A missing check when using the Mellanox Technologies Spectrum driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when using a PCM OSS audio stream.

Logic errors when reading from, writing to or closing a PCM OSS audio
stream could lead to a kernel log flood or deadlocks. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak when unregistering a VLAN device with id 0.

A logic error when unregistering a VLAN device with id 0 could lead to a
memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when handling ICMP Frag in the SCTP driver.

A logic error when handling ICMP Frag in the SCTP driver could lead to a
kernel log flood. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when using corking over IPv6.

A failure to free resources in an error path when using corking over
IPv6 could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* NULL pointer dereference when using the API for cryptographic algorithms.

A missing check when using the API for cryptographic algorithms could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Off-by-one access when adding a view in the DRM driver for the VMware Virtual GPU.

A missing check when adding a view in the DRM driver for the VMware
Virtual GPU could lead to an off-by-one error. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when using the USB monitoring interface.

A locking error when using the USB monitoring interface could lead to a
kernel assertion failure. A local attacker could use this flaw to cause a
denial-of-service.


* Information leak when using the USB/IP driver.

Verbose debugging output in the USB/IP driver could leak kernel
addresses. A local attacker could use this flaw to obtain information
about the kernel and facilitate a further attack.


* Denial-of-service when submitting a command over USB/IP.

A missing check on user input when submitting a command over USB/IP
could lead to kernel memory exhaustion. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when sending commands over USB/IP.

A missing check when sending a command over USB/IP could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.