[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3617-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 4 06:21:01 PDT 2018


Synopsis: USN-3617-1 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-1000407 CVE-2017-13080 CVE-2017-15129 CVE-2017-16532 CVE-2017-16537 CVE-2017-16646 CVE-2017-16649 CVE-2017-16650 CVE-2017-16994 CVE-2017-17448 CVE-2017-17450 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2018-1000026 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344

Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3617-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
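To tell which hosts will pick up USN-3617-1 on their own and which need the manual command, the check below reads uptrack.conf the way the notice describes. This is an added example, not Oracle's tooling; the sample config it writes is constructed for the demonstration and the file path is the one named above.

```shell
#!/bin/sh
# Added example (not part of the Ksplice notice): report whether Ksplice Uptrack
# will install USN-3617-1 automatically on this host or whether an operator must
# run /usr/sbin/uptrack-upgrade -y. The config path is a parameter so the check
# can also be run against a constructed sample file offline.

# Prints "auto" when "autoinstall = yes" is set, "manual" when it is not,
# and "unknown" when the file cannot be read (Uptrack probably not installed).
uptrack_mode() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "unknown"; return 0; }
    # Accept surrounding whitespace and any case; a leading '#' is a comment,
    # so a commented-out "autoinstall = yes" does not count as enabled.
    if grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "auto"
    else
        echo "manual"
    fi
}

# Constructed sample config for the demonstration (not a real host's file).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF

case "$(uptrack_mode "$SAMPLE_CONF")" in
    auto)   echo "autoinstall enabled: USN-3617-1 patches apply automatically" ;;
    manual) echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y" ;;
    *)      echo "uptrack.conf not readable: is Ksplice Uptrack installed?" ;;
esac
rm -f "$SAMPLE_CONF"
```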


DESCRIPTION

* Out-of-bounds access when getting a packet's size with Generic Segmentation Offload.

A logic error when computing a packet's size with Generic Segmentation
Offload could lead to an out-of-bounds access. A remote attacker could
use this flaw to cause a denial-of-service.


* Invalid memory accesses when dumping netlink information.

Logic errors when dumping netlink information could lead to invalid
memory accesses. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when cloning a socket.

A logic error when cloning a socket could lead to an invalid memory
access in case the cloned socket needs to be freed early. A local
attacker could use this flaw to cause a denial-of-service.


* Memory leak when using IEEE 802.1AE MAC-level encryption.

A missing free when encrypting or decrypting MAC addresses with IEEE
802.1AE MAC-level encryption could lead to a memory leak. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when using session ioctl of Layer Two Tunneling Protocol (L2TP).

A missing check when using session ioctl of Layer Two Tunneling Protocol
(L2TP) could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Race condition while setting ACK option on AF netlink socket.

Missing checks when setting ACK option on AF netlink socket could lead
to a race condition and to a kernel warning. A local attacker could use
this flaw to flood the system log and cause a denial-of-service.


* Use-after-free when using redirect in Stream Control Transmission Protocol.

A missing check when using ICMP redirect functionality with Stream
Control Transmission Protocol could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when getting packet rollover stats on a socket.

A locking error when getting packet rollover stats on a socket could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when setting SO_REUSEPORT socket option.

A double allocation when setting SO_REUSEPORT socket option could lead
to a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL pointer dereference in ipv6 flowlabel functionality.

Usage of uninitialized memory when using ipv6 flowlabel functionality
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when registering a distributed switch.

Missing checks when registering a distributed switch could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Information leak when using UNIX socket monitoring interface.

A missing check when using the UNIX socket monitoring interface could
leak information about a socket belonging to another net namespace. A
local attacker could use this flaw to leak information about another net
namespace.


* Double-free when opening a TAP device.

A logic error in the error path when opening a TAP device could lead to a
double free. A local attacker could use this flaw to cause a
denial-of-service.


* Deadlock when using Mellanox Technologies ConnectX-4 and Connect-IB core driver.

A locking error in health code of Mellanox Technologies ConnectX-4 and
Connect-IB core driver could lead to a deadlock. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service when migrating a socket to another one using Stream Control Transmission Protocol.

A logic error when migrating a socket to another one using Stream Control
Transmission Protocol could lead to a memory leak or overflow. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when adding a queuing discipline to a network interface.

A missing check when adding a new queuing discipline to a network
interface with an invalid parent could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when attaching a PPPoX to a tunnel UDP socket in Layer Two Tunneling Protocol.

A logic error when attaching a PPPoX to a tunnel UDP socket in Layer Two
Tunneling Protocol could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak when restoring routes for permanent IPv6 addresses.

A missing reference count increment when restoring routes for
permanent IPv6 addresses could lead to a memory leak. A local attacker
could use this flaw to cause a denial-of-service.


* Use-after-free when probing IPv4 MTU.

A logic error when probing IPv4 MTU could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.

A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force nonce reuse. This could allow the
attacker to eavesdrop on encrypted communications as well as inject and
manipulate data in a WiFi stream.


* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.

A missing check when running USB tests with a USB device exposing
invalid endpoints configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access when using IMS Passenger Control Unit Devices.

A missing check when using IMS Passenger Control Unit Devices could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

A missing variable reinitialization when freeing resources in Reliable
Datagram Sockets driver could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.

An out-of-bounds access in the kvm_mmio tracepoint could result in a
kernel crash.  A malicious guest could use this flaw to crash the
virtualization host.


* Use-after-free while offlining a CPU when Intel Resource Director Technology is enabled.

A logic error when putting a CPU offline in Intel Resource Director
Technology could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash.  An attacker could use this flaw
to cause a host denial-of-service from the guest.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.

A race condition in the net namespace code could lead to a double
free and memory corruption.


* CVE-2017-17450: Unprivileged access to netlink namespaces.

A missing permission check in the netfilter xt_osf code allows an
unprivileged user to create user and net namespaces without the proper
permissions.


* CVE-2017-16994: Information leak when using the mincore system call.

A logic error with huge TLBs when using the mincore system call could
lead to an information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash.  A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.


* CVE-2017-17806: Denial-of-service in HMAC algorithms.

Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm.  A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.


* Memory leak using Host kernel accelerator for virtio net.

An error in handling of SKB when receiving packets over Virtio Network
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* Memory leak when using TAP userspace interface.

A missing free of resources when using TAP userspace interface could
lead to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when using universal TUN/TAP device driver.

A missing free of resources when using universal TUN/TAP device driver
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-17448: Unprivileged access to netlink namespace creation.

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.


* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.

A missing check when registering SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.

Logic errors when using DiBcom DiB0700 USB DVB devices could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when setting secret with Diffie-Hellman cryptographic algorithm.

An extra free when setting secret with Diffie-Hellman cryptographic
algorithm could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service in crypto Diffie-Hellman decoding.

A missing check in the decode key function in the crypto code
could lead to a kernel panic.  A local attacker could exploit
this to cause a denial-of-service.


* Buffer underflow when decoding a key using Diffie-Hellman cryptographic algorithm.

A missing check on user input when decoding a key using Diffie-Hellman
cryptographic algorithm could lead to a buffer underflow. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free in USB user-mode file system umount.

If the g_ffs module is unloaded after an unmount, it could
cause a use-after-free.  A local attacker could exploit this
to cause a denial-of-service.


* NULL pointer dereference in Metro USB open.

A failure to properly stop I/O after a failed open in the Metro USB code
could lead to a NULL pointer dereference.  An attacker could exploit this
to cause a denial-of-service.


* Memory leak when registering a Garmin GPS device.

Missing error handling when registering a Garmin GPS device could lead
to a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Invalid memory access when handling "uncorrected error" in AMD Machine check.

A logic error when handling "uncorrected error" in AMD Machine check
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Divide-by-zero in TCP New Vegas congestion control packet ack.

In rare cases, a logic flaw in the TCP New Vegas congestion control
algorithm could allow a divide-by-zero when acknowledging a packet,
causing a denial-of-service.


* CVE-2017-16649: Divide by zero when binding a network USB device.

A logic error when binding a network USB device could lead to a divide
by zero error. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 27215191


* CVE-2017-16650: Divide by zero error when binding a QMI WWAN USB device.

A missing check when binding a QMI WWAN network USB device could lead to
a divide by zero error. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 27215225


* Denial-of-service when receiving from QMI WWAN device in raw IP mode.

Missing initialization code could cause a kernel oops and
denial-of-service when receiving packets from a QMI WWAN device in raw
IP mode.


* Memory leak in TCP generic segmentation offload with unusual buffers.

When disassembling a TCP generic segmentation offload buffer, some of the
resulting buffers might incorrectly be leaked if their sizes were not as
expected.


* Use-after-free in VLAN event handling due to incorrect reference counting.

Incorrect reference counting of a VLAN information structure could allow
a race condition, potentially allowing the structure to be freed while
still in use and causing memory corruption.


* Denial-of-service in Mellanox mlx5 ethernet page reuse code.

In rare cases, failing to allocate a DMA page could cause the page
structure to be double-freed, corrupting memory or causing a
denial-of-service.


* Information leak via IPv6 SCTP scope ids.

The IPv6 SCTP driver fails to initialize the scope_id field of the ipv6
address in some cases, potentially leaking information from the kernel
stack onto the network.


* Information leak via Trusted Platform Module communications buffer.

When transmitting a TPM command, the length of the buffer is not
properly checked, potentially allowing the buffer to contain
uninitialized data.


* Deadlock in OCFS2 when modifying attributes.

A lock ordering issue when modifying file attributes on the OCFS2
filesystem could in rare cases cause a deadlock and denial-of-service.


* Denial-of-service in page extension lookup code.

When allocating space for memory page extensions, certain edge cases are
not properly checked unless CONFIG_DEBUG_VM is enabled. This could lead
to an unhandled page fault and denial-of-service.


* Information leak via fsync in Coda filesystem.

Calling fsync on the Coda filesystem causes a larger-than-necessary
buffer to be copied to userspace via upcall, potentially leaking kernel
information to userspace.


* CVE-2018-1000026: Denial-of-service when receiving an invalid packet on a bnx2x network card.

Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-17807: Permissions bypass when requesting key on default keyring.

When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.


* Memory leak in Intel XL710 rx descriptor cleanup.

A failure to properly clean up the rx descriptors in the Intel XL710
driver could lead to a memory leak and possible denial-of-service.


* Use-after-free in DCCP/TCP IPv4 packet transmit.

A race condition with the packet options in the DCCP/TCP stack
could lead to a use-after-free, potentially leading to memory corruption
or a kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.