[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2018-50075276e8)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jul 23 17:03:48 PDT 2018


Synopsis: FEDORA-2018-50075276e8 can now be patched using Ksplice
CVEs: CVE-2018-12896 CVE-2018-13053 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-13405

Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-50075276e8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service with DesignWare USB2 controller driver port bitmap.

Incorrectly applying the port bitmap for a DesignWare High-Speed USB2
Controller device could cause an out-of-bounds write and kernel panic. A
malicious device could exploit this flaw to cause a denial-of-service.


* Information leak in virtual terminal screen buffer allocation.

When creating a virtual terminal device, the memory for the screen
buffer is not properly sanitized, potentially exposing kernel memory to
userspace.


* Denial-of-service due to invalid assertion in netfilter chain.

An invalid assertion when processing an exceptionally long netfilter
chain could cause a denial-of-service.


* CVE-2018-13093: NULL-pointer dereference when reusing inodes in xfs.

If an XFS filesystem becomes corrupted, the local inode cache might
attempt to re-allocate in-use inodes. This can result in a deadlock or
NULL-pointer dereference and denial-of-service.


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.


* Denial-of-service when xfs inode has invalid extent size hints.

A corrupted xfs inode with an invalid extent size hint could trigger a
kernel assertion, resulting in a denial-of-service.


* CVE-2018-13095: Denial-of-service on xfs inode with outsize extent count.

The xfs filesystem fails to properly handle an inode with more extents
than fit in the inode fork. Encountering such a file could cause the xfs
verification code to corrupt memory or cause a denial-of-service.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.


* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.


* CVE-2018-12896: Denial-of-service via POSIX timer overflow.

The POSIX timer overrun value can potentially overflow an integer value
if the timer has a sufficiently long interval and expiry time. A
malicious user could create such a timer to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




