[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3507-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Dec 8 06:12:08 PST 2017
Synopsis: USN-3507-1 can now be patched using Ksplice
CVEs: CVE-2017-1000380 CVE-2017-1000405 CVE-2017-12193 CVE-2017-15951 CVE-2017-16535
Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3507-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
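The two paths above (automatic when "autoinstall = yes", manual otherwise) can be checked from a fleet script. The POSIX sh below is an added example, not Oracle's own tooling; it assumes only the key/value layout the notice quotes for /etc/uptrack/uptrack.conf and tolerates comments, whitespace and case:

```shell
#!/bin/sh
# Added example (not part of the Ksplice notice or Oracle's tools).
# Decides whether a host will pick up the USN-3507-1 Ksplice updates by
# itself or needs a manual "uptrack-upgrade -y". Assumes the setting is
# written as "autoinstall = yes" in /etc/uptrack/uptrack.conf, as the notice
# states; comment lines and surrounding whitespace are ignored.

# uptrack_autoinstall: print "yes" or "no" for the config file given as $1
# (defaults to the real path). Returns 0 when enabled, 1 when disabled,
# unset, or the file is unreadable (treated as "not automatic").
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 1; }
    # Last uncommented "autoinstall = <value>" line wins; value lower-cased.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$value" = "yes" ]; then
        echo "yes"; return 0
    fi
    echo "no"; return 1
}

# plan_update: print the operator action for the config file given as $1.
plan_update() {
    if uptrack_autoinstall "$1" >/dev/null; then
        echo "autoinstall enabled: Ksplice Uptrack will apply the updates itself"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# demo: dry run against constructed sample configs (not real host files).
demo() {
    tmp=$(mktemp)
    printf '# sample\n[Uptrack]\nautoinstall = yes\n' > "$tmp"
    plan_update "$tmp"
    printf '[Uptrack]\n# autoinstall = yes\nautoinstall = no\n' > "$tmp"
    plan_update "$tmp"
    rm -f "$tmp"
}
```

Call `demo` to see both outcomes, or `plan_update` with no argument on a live host to read the real config.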
DESCRIPTION
* Race condition when accessing Page Middle Directory.
A logic error when accessing Page Middle Directory of a virtual memory
mapping could lead to a race condition. A local attacker could use this
flaw to cause a denial-of-service.
* Denial-of-service when sending data from user space to USB devices.
A logic error in the kernel interface used by user-space USB drivers could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.
* CVE-2017-16535: Out-of-bounds memory access when reading USB descriptors.
A missing check when reading USB descriptors could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when stopping USB XHCI driver.
A missing check when stopping XHCI driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when stopping a USB device connected to an XHCI host controller.
A missing check when stopping a USB device connected to an XHCI host
controller could lead to a deadlock or to a memory leak. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when initializing a CAN socket.
A missing error check when initializing a CAN socket could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.
* NULL pointer dereference when revoking a master key of type 'user'.
A missing check when requesting a user key after revoking the associated
master key could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when handling an Nvidia Nouveau interrupt.
A missing check when handling an interrupt in the Nvidia Nouveau driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Invalid memory access when accessing a DiBcom 3000P/M-C tuner device.
An invalid setup of USB DMA when accessing a DiBcom 3000P/M-C tuner device
could lead to invalid memory accesses. A local attacker could use this
flaw to cause a denial-of-service.
* Invalid memory access when initializing master playback in the HD-Audio driver.
A logic error when initializing master playback in the HD-Audio driver
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* NULL pointer dereference when probing bus capabilities in the HD-Audio driver.
A missing check when probing bus capabilities in the HD-Audio driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.
* Out-of-bounds access when receiving short packets in the Broadcom FullMAC WLAN driver.
A missing check of the length of received short packets in the Broadcom
FullMAC WLAN driver could lead to an out-of-bounds access. A remote
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when revoking a master key of type 'user' in RSA verification.
A missing check when requesting a user key after revoking the associated
master key when doing RSA verification could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when revoking a master key of type 'user' in fscrypt driver.
A missing check when requesting a user key after revoking the associated
master key could lead to a NULL pointer dereference in fscrypt driver. A
local attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when revoking a master key of type 'user' in ecryptfs driver.
A missing check when requesting a user key after revoking the associated
master key could lead to a NULL pointer dereference in ecryptfs driver.
A local attacker could use this flaw to cause a denial-of-service.
* Denial-of-service in uninstantiated key configuration.
A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.
* Denial-of-service in pkcs7 cryptographic provider error case.
In rare cases, when processing a pkcs7 cryptographic key, a missing info
field could lead to a NULL pointer dereference and denial-of-service.
* NULL pointer dereference when using direct write with XFS filesystem.
A logic error when using direct write through XFS filesystem driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Memory leak when copying a file using copy-on-write in XFS filesystem.
A missing check when copying a file using copy-on-write in the XFS
filesystem could lead to a memory leak. A local attacker could use this
flaw to cause a denial-of-service.
* Data corruption when using finsert and fcollapse commands with XFS filesystem.
A missing check when using finsert and fcollapse commands with XFS
filesystem could lead to a data corruption on filesystem. A local
attacker could use this flaw to corrupt sensitive data.
* Permission bypass after changing permissions on XFS filesystem.
A missing check of the return value after setting permissions on an
object in the XFS filesystem could lead to wrong permissions being set. A
local attacker could use this flaw to access sensitive data.
* NULL pointer dereferences caused by B+trees manipulation in XFS filesystem.
Logic errors when manipulating B+trees in the XFS driver could lead to
NULL pointer dereferences. A local attacker could use this flaw to cause
a denial-of-service.
* Data corruption when doing concurrent writes on XFS filesystem.
A logic error when doing concurrent writes on XFS filesystem could lead
to data corruption. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service in Ceph I/O capability flushing.
A failure to correctly handle errors when flushing capabilities to disk
can result in a deadlock. A local user with access to a Ceph filesystem
could use this flaw to cause a denial-of-service.
* Denial-of-service in OverlayFS inode allocation.
A failure to check for NULL can result in a NULL pointer dereference
when attempting to allocate an inode. A local user with access to an
OverlayFS filesystem could use this flaw to cause a denial-of-service.
* Out-of-bounds access during Xen Grant device memory unmapping.
A failure to handle an error case when mapping memory in a Xen Grant
device can result in an out-of-bounds access during unmap. A local user
with access to a Xen Grant device could use this flaw to cause undefined
behaviour or potentially escalate privileges.
* Denial-of-service during failure to mount SMBv2 share.
A failure to correctly handle a communication failure when mounting a
Server Message Block 2 share can result in a NULL pointer dereference
causing a kernel crash. A local user could use this flaw to cause a
denial-of-service.
* Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.
A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.
* CVE-2017-12193: Denial-of-service in generic associative array implementation.
A logic error when inserting a new entry into an associative array can
result in a NULL pointer dereference, leading to a kernel crash. A local
user could use this flaw to cause a denial-of-service.
* Out-of-bounds access in SCSI device when creating a request table.
An off-by-one error when processing a list of SCSI requests can result
in an out-of-bounds memory access. A local user could use this flaw to
cause undefined behaviour or potentially escalate privileges.
* Denial-of-service in IPSEC transform policy netlink dump.
A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.
* Improved fix for CVE-2017-1000380: Information leak when reading timer information from ALSA devices.
A race condition when reading timer information from the ALSA driver
results in a use-after-free, which leads to kernel information leaking
into userspace. A local attacker could use this flaw to obtain
information about the running kernel and facilitate an attack.
* Denial-of-service when validating CIFS path.
A validation error combined with a memory leak in an error path could
result in kernel memory exhaustion. A malicious user can exploit this to
cause a denial-of-service.
* Userspace memory corruption when reading key.
An out-of-bounds write in the kernel key management facility results in
user memory corruption. This could result in incorrect control flow and
a denial-of-service in userspace.
* Denial-of-service when parsing ASN.1 key.
An out-of-bounds read in the kernel key management facility when parsing
an ASN.1 key could lead to a kernel crash. An unprivileged attacker can
exploit this vulnerability to cause a denial-of-service.
* Denial-of-service when handling page fault through userfaultfd.
Incorrect error handling during a userfaultfd UFFDIO_COPY ioctl operation
leads to a kernel crash. An attacker can exploit this to cause a
denial-of-service.
* Data corruption when trimming OCFS2 filesystem.
A bug in the implementation of the FITRIM ioctl in OCFS2 could result in
data corruption when trimming the filesystem. The resulting corruption
cannot be repaired using fsck.
* Denial-of-service when terminating a process.
A race condition in the fast mutex subsystem results in a kernel crash
when cleaning up the memory allocated to a process. An unprivileged
local user could exploit this to cause a denial-of-service.
* Denial-of-service due to race condition in workqueue manipulation.
A race condition during concurrent manipulation of a workqueue by a
kernel thread and an interrupt handler can result in a NULL pointer
dereference, leading to a kernel crash.
* Out-of-bounds access in Cyclic Counter Mode block cipher implementation.
Incorrect manipulation of an initialisation vector when performing
cryptographic operations using Cyclic Counter Mode can result in an
out-of-bounds memory access, leading to undefined behaviour or a kernel
crash. A local user could use this flaw to cause a denial-of-service.
* Denial-of-service in AVX2 SHA256 implementation.
An unaligned access in the AVX2 SHA256 implementation can result in a
kernel crash. A local user could use this flaw to cause a denial-of-service.
* Denial-of-service in ASN.1 certificate parsing.
A logic error when parsing an ASN.1 encoded certificate can result in a
NULL pointer dereference. A local user could use this flaw to cause
a denial-of-service.
* Denial-of-service in Ceph RADOS Block Device cloned images.
A logic error when processing cloned Ceph images stored on a RADOS Block
Device can result in a deadlock. A local user with access to a Ceph
filesystem could use this flaw to cause a denial-of-service.
* Denial-of-service in VirtIO block device request queue initialization.
A failure to correctly initialise a SCSI request queue within the VirtIO
block device driver can lead to a NULL pointer dereference when
processing an ioctl command. A local user with access to a VirtIO block
device could use this flaw to cause a denial-of-service.
* Denial-of-service in AVX2 SHA1 implementation.
An unaligned access in the AVX2 SHA1 implementation can result in a
kernel crash. A local user could use this flaw to cause a
denial-of-service.
* CVE-2017-15951: Denial-of-service when requesting a key in negative state.
Missing locking when requesting an already created key in the negative
state could lead to a race condition. A local attacker could use this
flaw to cause a denial-of-service.
* CVE-2017-1000405: Privilege escalation when writing into a Transparent Huge Page.
A logic error in internal Transparent Huge Page handling of the kernel
could let an attacker overwrite read-only data and escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.