[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3487-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Nov 21 11:20:17 PST 2017


Synopsis: USN-3487-1 can now be patched using Ksplice
CVEs: CVE-2017-0786 CVE-2017-12153 CVE-2017-12154 CVE-2017-12188 CVE-2017-12190 CVE-2017-12192 CVE-2017-14156 CVE-2017-14489 CVE-2017-14954 CVE-2017-15265 CVE-2017-15537 CVE-2017-15649 CVE-2017-16526 CVE-2017-16527 CVE-2017-16529 CVE-2017-16530 CVE-2017-16531 CVE-2017-16533 CVE-2017-16534

Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3487-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
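As an added example that is not part of the Ksplice announcement, this POSIX shell snippet reads /etc/uptrack/uptrack.conf to decide whether a host will receive the updates automatically or still needs the manual `uptrack-upgrade -y`. It assumes the file is INI-style (`key = value` lines, `#`/`;` comments); the path, option name and command come from the announcement, the parsing rules and function names are ours.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: decide whether a host still
# needs a manual "uptrack-upgrade -y" by reading /etc/uptrack/uptrack.conf.
# Assumption: the file is INI-style ("key = value", "#"/";" comments); the path,
# option and command are from the announcement, the parsing rules are ours.

# Print the effective lower-cased value of KEY from FILE, ignoring comments,
# surrounding whitespace and letter case; the last occurrence wins.
uptrack_conf_get() {
    key=$1
    file=${2:-/etc/uptrack/uptrack.conf}
    [ -r "$file" ] || return 1
    sed -e 's/[[:space:]]*[#;].*$//' "$file" |
    awk -F= -v k="$key" '
        NF >= 2 {
            name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == tolower(k)) {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = tolower(val); seen = 1
            }
        }
        END { if (seen) print found; else exit 1 }'
}

# Exit 0 when "autoinstall = yes" is in effect, 1 otherwise (an unreadable file
# or a missing key counts as "not enabled", so the safe default is a manual run).
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get autoinstall "$1") || return 1
    [ "$v" = "yes" ]
}

# Print the action an administrator must take: "auto" (Uptrack installs the
# updates itself) or "manual" (run /usr/sbin/uptrack-upgrade -y).
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then echo auto; else echo manual; fi
}

# Stand-alone demo on a constructed config; no real uptrack.conf is needed.
demo_conf=$(mktemp) || exit 1
cat > "$demo_conf" <<'EOF'
[Settings]
# autoinstall = yes      <- commented out, must not count
AutoInstall = No
EOF
printf 'constructed config: %s\n' "$(uptrack_update_action "$demo_conf")"
if [ "$(uptrack_update_action "$demo_conf")" = manual ]; then
    echo "would run: /usr/sbin/uptrack-upgrade -y"
fi
rm -f "$demo_conf"
```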


DESCRIPTION

* Denial-of-service during CIFS connection opening.

A failure to clear memory in an error path can result in the Kernel
accessing invalid memory, leading to a Kernel crash or undefined
behaviour. A local user with access to a CIFS filesystem could use this
flaw to cause a denial-of-service.


* Out-of-bounds memory access during MMC probe.

A race condition during probe of an MMC device can result in an
out-of-bounds memory access leading to a Kernel crash or other undefined
behaviour. A local user with access to an MMC device could use this flaw
to cause a denial-of-service.


* Denial-of-service in SCSI FiberChannel job timeout handling.

A logic error in SCSI FiberChannel job timeout handling can result in a
NULL pointer dereference, leading to a kernel crash.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds of data to be read from a netlink
socket in the SCSI transport layer could lead to a NULL pointer
dereference. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in Deterministic Random Bits Generator cleanup.

A logic error in the Deterministic Random Bits Generator cleanup
handling can result in the Kernel attempting to free an invalid pointer,
leading to a Kernel crash. A local user with access to the crypto
subsystem could use this flaw to cause a denial-of-service.


* Information disclosure during free of a big_key.

A failure to correctly zero memory when freeing a big key in the key
subsystem can result in sensitive information being left in memory. A
local user could use this flaw to facilitate a further attack.


* CVE-2017-12192: Denial-of-service when reading a negative key.

An invalid memory access when reading a negative key from the kernel key
management facility results in a crash. An unprivileged local user can
exploit this to cause a denial-of-service.


* CVE-2017-12153: NULL pointer dereference in the Wireless configuration layer.

A failure to verify the existence of netlink attributes before processing
them could lead to a NULL pointer dereference. A local user with
CAP_NET_ADMIN could use this flaw to cause a denial-of-service.


* Use-after-free in SCSI Generic block device job error case.

An incorrect free in the error path of job creation for a SCSI Generic
block device can result in a use-after-free. A local user with access to
a SCSI Generic block device could use this flaw to potentially escalate
privileges.


* Denial-of-service in Chelsio gigabit ethernet adapter listen error handling.

A failure to correctly clean up after an error in the listen handler of
the cxgb4 driver can result in the access of freed memory, leading to a
kernel crash or undefined behaviour. A local user could use this flaw to
cause a denial-of-service.


* Denial-of-service due to unbalanced reference count during cxgb4 accept.

A failure to decrement a reference count can result in a memory leak
which could lead to kernel memory exhaustion. A local user could use
this flaw to cause a denial-of-service.


* Use-after-free in seccomp filter reference count handling.

A logic error when manipulating reference counts for seccomp filters can
result in unbalanced references, leading to potential memory leaks or
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Guest crash during KVM page fault.

A logic error in KVM page fault handling during a guest RCU critical
section can result in a guest crash.


* CVE-2017-12154: Denial-of-service when using KVM nested virtualization.

A missing flag when setting up nested virtualization using KVM could give
an L2 guest access to the CR8 register. A local attacker could use this
register to disable external interrupts from the L2 guest and cause a
denial-of-service.


* CVE-2017-14954: Information disclosure from waitid.

A logic error in the waitid implementation can result in Kernel memory
being disclosed to userspace. A local user could use this flaw to
facilitate a further attack.


* Denial-of-service in futex reference count manipulation.

A race condition due to improper locking in the futex implementation can
result in undefined behaviour, leading to a Kernel crash or potentially
other consequences. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service during BTRFS relocation removal.

A logic error when freeing a relocation can result in a NULL pointer
dereference, leading to a Kernel crash. A local user with the ability to
rebalance or remove devices from a BTRFS filesystem could use this flaw
to cause a denial-of-service.


* Denial-of-service in BTRFS extent cleanup.

A failure to correctly clean up extents in BTRFS filesystems mounted with
nospace_cache can result in a Kernel crash. A local user with access to
a BTRFS filesystem could use this flaw to cause a denial-of-service.


* Denial-of-service in BTRFS deduplication implementation.

A failure to correctly handle an error case can result in the access of
freed pages, leading to undefined behaviour. A local user could use this
flaw to cause a denial-of-service.


* Denial-of-service due to invalid default subvolume ID.

A failure to validate the specified ID when setting the default
subvolume can result in an unmountable filesystem. A local user with the
ability to set the default subvolume ID of a BTRFS filesystem could use
this flaw to cause a denial-of-service.


* Denial-of-service in Memory Protection Key fault handling.

A logic error in the Memory Protection Keys subsystem can result in
undefined behavior, leading to a Kernel crash or other unspecified
consequence. A local user with access to Memory Protection Keys could
use this flaw to cause a denial-of-service.


* CVE-2017-15537: Information disclosure in FPU restoration after signal.

A failure to correctly handle an error case can result in a warning
being displayed and FPU information from another process being leaked. A
local user could use this flaw to facilitate a further attack.


* CVE-2017-14156: Information leak in the ATI Rage 128 video drivers when copying clock information.

A missing struct initialization when copying clock information could lead
to uninitialized memory being leaked to userspace. This could help an
attacker bypass protections like ASLR or infer memory layouts that would
otherwise be hidden.


* Use-after-free when freeing traffic control classifier actions.

A race condition in the freeing of a traffic control classifier action
can result in the dereference of a freed pointer. A local user could use
this flaw to escalate privileges.


* Out-of-bounds memory access in SCTP event interface.

A failure to validate information from userspace can result in an
out-of-bounds read, resulting in undefined behaviour or a kernel crash.


* Denial-of-service during qdisc classification.

A logic error during packet classification can result in the dereference
of an invalid pointer, resulting in a kernel crash. A local user with the
ability to configure network interfaces could use this flaw to cause a
denial-of-service.


* Denial-of-service during free of BPF map.

Incorrect locking during the free of a BPF map can result in a kernel
crash. A local user could use this flaw to cause a denial-of-service.


* CVE-2017-15649: Use-after-free in AF_PACKET socket fanout.

A logic error when enabling fanout on a socket can result in the socket
being added to a list twice, which can lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or possibly
escalate privileges.


* Use-after-free in IP Virtual Tunnel Interface transmission.

A race condition in the Virtual Tunnel Interface implementation can
result in a use-after-free. A local user could use this flaw to cause a
denial-of-service or possibly escalate privileges.


* Out-of-bounds access in tun interface.

A failure to check bounds correctly when writing to a tun interface can
result in an out-of-bounds memory access. A local user could use this
flaw to cause a denial-of-service.


* Memory corruption in IPv6 to IPv4 socket cloning.

A logic error when transforming an IPv6 socket to an IPv4 socket can
result in releasing memory into the wrong cache. This flaw can result in
memory corruption.


* Denial-of-service in netlink dump implementation.

A failure to handle an error case can result in an invalid pointer
dereference when attempting to dump information via netlink. A local
user could use this flaw to cause a denial-of-service.


* Use-after-free in socket memory accounting.

Incorrect locking surrounding memory accounting when using BPF programs
on sockets can result in a use-after-free. A local user could use this
flaw to potentially escalate privileges.


* Information disclosure in netlink statistics reporting.

A failure to correctly initialise memory can result in leaking of Kernel
stack information to userspace. A local user could use this flaw to
facilitate a further attack.


* CVE-2017-16529: Out-of-bounds access due to corrupted buffer parsing in USB audio.

A failure to validate buffer descriptors from a USB audio device can
result in an out-of-bounds memory access.


* Denial-of-service in USBFS URB submission.

A validation failure when processing URBs submitted from userspace can
result in an integer overflow leading to an unbounded memory allocation.
A local user could use this flaw to cause a denial-of-service.


* CVE-2017-16530: Out-of-bounds access in USB alternate setting enumeration.

A failure to correctly validate USB alternate information from a USB
device can result in an out-of-bounds memory access.


* CVE-2017-16534: Out-of-bounds access in USB CDC header parsing.

A failure to correctly validate a CDC header can result in an
out-of-bounds memory access.


* CVE-2017-16531: Out-of-bounds access in USB configuration parsing.

A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.


* CVE-2017-16526: Denial-of-service in failed launch of UWB daemon.

A failure to handle an error case when launching the UWB management
daemon can result in an invalid pointer dereference leading to a kernel
crash.


* Denial-of-service in page lazy free handling.

A logic error when marking a page as free on a system with swap enabled
can lead to an infinite loop in the Kernel or corruption of data within
the page. A local user could use this flaw to cause a denial-of-service.


* Use-after-free in userfaultfd fork handling.

A logic error when duplicating userfaultfd events in a fork can result
in a use-after-free. A local user could use this flaw to possibly
escalate privileges.


* Denial-of-service in SMACK security attribute retrieval.

A logic error when reading SMACK security attributes from an inode can
result in a memory leak. A local user could use this flaw to exhaust
Kernel memory, resulting in a denial-of-service.


* Denial-of-service in Tascam USB audio device memory allocation.

A failure to suppress memory allocation warning messages can result in
flooding the kernel log buffer with messages. A local user could use
this flaw to cause a denial-of-service.


* Information disclosure in driver_override sysfs interface.

A bounds checking error in the driver_override sysfs node can result in
reading past the end of a buffer, leaking sensitive information from
kernel memory. A local user could use this flaw to facilitate a further
attack.


* Denial-of-service in OverlayFS dentry reference count manipulation.

A failure to correctly handle an error case can result in the
dereference of an invalid pointer, leading to a kernel crash. A local
user could use this flaw to cause a denial-of-service.


* Denial-of-service in OverlayFS index cleanup.

A failure to handle an error case can result in a memory leak which
could lead to exhaustion of system memory. A local user with access to
an OverlayFS filesystem could use this flaw to cause a
denial-of-service.


* Denial-of-service in OverlayFS copy up operation.

Incorrect locking during an OverlayFS copy up operation could result in
a deadlock. A local user with access to an OverlayFS mount could use
this flaw to cause a denial-of-service.


* Out-of-bounds memory access in I2C Human Interface Device buffer allocation.

A logic error when allocating memory for a host to device message can
result in an out-of-bounds memory access. A local user with access to an
I2C HID device could use this flaw to cause undefined behaviour.


* Denial-of-service in BTRFS block I/O memory allocation.

An integer overflow in BTRFS memory allocation can result in an
unbounded allocation of kernel memory. A local user could use this flaw
to cause a denial-of-service.


* Denial-of-service in dm crypt mount.

A failure to free memory when mounting a dm crypt device can result in a
memory leak. A local user could use this flaw to exhaust system memory,
resulting in a denial-of-service.


* Denial-of-service in multicast support for WIFI devices.

A logic error in the iwlwifi driver can allow userspace to trigger a
kernel warning. A local user with the ability to configure network
interfaces could use this flaw to flood the kernel print buffer,
resulting in a denial-of-service.


* CVE-2017-0786: Privilege escalation in Broadcom WIFI driver.

A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.


* Information disclosure in 802.11 packet attribute parsing.

A failure to correctly validate a buffer can result in an out-of-bounds
access leading to disclosure of kernel memory to userspace. A local user
could use this flaw to facilitate a further attack.


* Denial-of-service during release of NFS file layout.

A missing check when freeing NFS filesystem information can result in a
NULL pointer dereference leading to a kernel crash. A local user could
use this flaw to cause a denial-of-service.


* CVE-2017-16533: Out-of-bounds access during parsing of Human Interface Device information.

A failure to validate information supplied by a USB device can result in
an out-of-bounds memory write, leading to undefined behaviour.


* Denial-of-service in crypto subsystem cipher implementation.

A failure to check for zero length input to a cipher in the crypto
subsystem can result in a Kernel crash. A local user could use this flaw
to cause a denial-of-service.


* Denial-of-service in crypto subsystem hash implementation.

A failure to check for zero length input in the hashing implementation
of the crypto subsystem can result in a Kernel crash. A local user could
use this flaw to cause a denial-of-service.


* CVE-2017-12188: Out-of-bounds memory access during KVM page table walk.

A logic error in the page table management of KVM guests can result in
an out-of-bounds memory access. A guest virtual machine could use this
flaw to crash the host or potentially execute malicious code with host
privileges.


* Denial-of-service due to memory allocation failures for killed processes.

A logic error when allocating memory to killed tasks can result in a
subsequent kernel crash. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in FAT filesystem read/write page cleanup.

Incorrect locking when freeing read/write pages in a FAT filesystem can
result in an assertion failure, leading to a Kernel crash. A local user
with access to a FAT filesystem could use this flaw to cause a
denial-of-service.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

A failure to increment a reference count during creation of an ALSA seq
port can result in a use-after-free. A local user could use this flaw to
escalate privileges.


* Use-after-free in Native Instruments USB audio devices.

A failure to correctly free a URB when a Native Instruments USB audio
device probe fails can result in a use-after-free.


* Denial-of-service in Line 6 POD USB device disconnection.

A failure to handle an error case when probing a Line 6 POD USB device
can result in a kernel crash when the device is disconnected.


* Invalid memory access during Line 6 POD USB device probe.

A race condition in the probe of a Line 6 POD USB device can result in
the access of uninitialised memory leading to a Kernel crash.


* Denial-of-service during Line 6 POD USB device probe.

A failure to correctly handle an error case can result in a URB not
being cleaned up, which can later lead to a Kernel crash.


* Out-of-bounds memory access in i915 gamma lookup table.

A logic error in the i915 gamma correction table lookup can result in an
out-of-bounds memory access. A local user could use this flaw to cause
undefined behaviour.


* Denial-of-service in Direct IO page submission.

A missing check when submitting a page for Direct IO can result in a
NULL pointer dereference, leading to a Kernel crash. A local user could
use this flaw to cause a denial-of-service.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* Use-after-free in USB serial console disconnect.

A logic error in the disconnection logic for USB serial devices can lead
to an incorrect free which can result in a use-after-free.


* Use-after-free in USB serial console setup failure.

A failure to handle an error case during USB serial console setup can lead to
a use-after-free.


* Use-after-free when binding and unbinding a USB composite multiple times.

A logic error when binding and unbinding a USB composite multiple times
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-16527: Use-after-free when creating a mixer for a USB Audio device.

A missing free in an error path when creating a mixer for a USB Audio
device could lead to a use-after-free. A local attacker could use a
crafted USB Audio device to cause a denial-of-service.


* Use-after-free when unregistering System Trace Module device.

A logic error when unregistering a System Trace Module device could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Deadlock when using the print ratelimit feature.

A logic error when using the print ratelimit feature could lead to a
deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Deadlock when handling a mac80211 Add Block Acknowledgement request.

A locking error when handling a mac80211 Add Block Acknowledgement
request (ADDBA) could lead to a deadlock. A remote attacker could use
this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.