[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3617-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Apr 4 06:21:01 PDT 2018
Synopsis: USN-3617-1 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-1000407 CVE-2017-13080 CVE-2017-15129 CVE-2017-16532 CVE-2017-16537 CVE-2017-16646 CVE-2017-16649 CVE-2017-16650 CVE-2017-16994 CVE-2017-17448 CVE-2017-17450 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2018-1000026 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344
Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3617-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Out-of-bounds access when getting a packet's size with Generic Segmentation Offload.
A logic error when computing a packet's size with Generic Segmentation
Offload could lead to an out-of-bounds access. A remote attacker could
use this flaw to cause a denial-of-service.
* Invalid memory accesses when dumping netlink information.
Logic errors when dumping netlink information could lead to invalid
memory accesses. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access when cloning a socket.
A logic error when cloning a socket could lead to an invalid memory
access in case the cloned socket needs to be freed early. A local
attacker could use this flaw to cause a denial-of-service.
* Memory leak when using IEEE 802.1AE MAC-level encryption.
A missing free when encrypting or decrypting MAC addresses with IEEE
802.1AE MAC-level encryption could lead to a memory leak. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when using session ioctl of Layer Two Tunneling Protocol (L2TP).
A missing check when using session ioctl of Layer Two Tunneling Protocol
(L2TP) could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* Race condition while setting ACK option on AF netlink socket.
Missing checks when setting ACK option on AF netlink socket could lead
to a race condition and to a kernel warning. A local attacker could use
this flaw to flood the system log and cause a denial-of-service.
* Use-after-free when using redirect in Stream Control Transmission Protocol.
A missing check when using ICMP redirect functionality with Stream
Control Transmission Protocol could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when getting packet rollover stats on a socket.
A locking error when getting packet rollover stats on a socket could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leak when setting SO_REUSEPORT socket option.
A double allocation when setting SO_REUSEPORT socket option could lead
to a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* NULL pointer dereference in ipv6 flowlabel functionality.
Usage of uninitialized memory when using ipv6 flowlabel functionality
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* NULL pointer dereference when registering a distributed switch.
Missing checks when registering a distributed switch could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.
* Information leak when using UNIX socket monitoring interface.
A missing check when using UNIX socket monitoring interface could leak
information of a socket from another net namespace. A local attacker
could use this flaw to leak information about another net namespace.
* Double-free when opening a TAP device.
A logic error in error path when opening a TAP device could lead to a
double free. A local attacker could use this flaw to cause a
denial-of-service.
* Deadlock when using Mellanox Technologies ConnectX-4 and Connect-IB core driver.
A locking error in health code of Mellanox Technologies ConnectX-4 and
Connect-IB core driver could lead to a deadlock. A local attacker could
use this flaw to cause a denial-of-service.
* Denial-of-service when migrating a socket to another one using Stream Control Transmission Protocol.
A logic error when migrating a socket to another one using Stream Control
Transmission Protocol could lead to a memory leak or overflow. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when adding a queuing discipline to a network interface.
A missing check when adding a new queuing discipline to a network
interface with an invalid parent could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when attaching a PPPoX to a tunnel UDP socket in Layer Two Tunneling Protocol.
A logic error when attaching a PPPoX to a tunnel UDP socket in Layer Two
Tunneling Protocol could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.
* Memory leak when restoring routes for permanent IPV6 addresses.
A missing reference count incrementation when restoring routes for
permanent IPV6 addresses could lead to a memory leak. A local attacker
could use this flaw to cause a denial-of-service.
* Use-after-free when probing IPV4 MTU.
A logic error when probing IPV4 MTU could lead to a use-after-free. A
local attacker could use this flaw to cause a denial-of-service.
* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.
A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force the reuse of a nonce. This could
allow the attacker to eavesdrop on encrypted communications as well as
inject and manipulate data in a WiFi stream.
* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.
A missing check when running USB tests with a USB device exposing
invalid endpoints configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.
* Out-of-bounds access when using IMS Passenger Control Unit Devices.
A missing check when using IMS Passenger Control Unit Devices could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.
A missing variable reinitialization when freeing resources in Reliable
Datagram Sockets driver could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.
* CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.
An out-of-bounds access in the kvm_mmio tracepoint could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.
* Use-after-free while offlining a CPU when Intel Resource Director Technology is enabled.
A logic error when putting a CPU offline in Intel Resource Director
Technology could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2017-0861: Use-after-free in ALSA sound subsystem.
A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.
* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.
A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash. An attacker could use this flaw
to cause a host denial-of-service from the guest.
* CVE-2018-5344: Use-after-free when opening a loopback device.
A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.
* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
A race condition in the net namespace code could lead to a double
free and memory corruption.
* CVE-2017-17450: Unprivileged access to netlink namespaces.
A missing permission check in the netfilter xt_osf code allows an
unprivileged user to create user and net namespaces without the proper
permissions.
* CVE-2017-16994: Information leak when using mincore system call.
A logic error with huge TLBs when using mincore system call could lead
to an information leak. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.
* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.
Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.
* CVE-2017-17806: Denial-of-service in HMAC algorithms.
Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm. A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.
* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.
A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.
* Memory leak using Host kernel accelerator for virtio net.
An error in handling of SKB when receiving packets over Virtio Network
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.
* Memory leak when using TAP userspace interface.
A missing free of resources when using TAP userspace interface could
lead to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leak when using universal TUN/TAP device driver.
A missing free of resources when using universal TUN/TAP device driver
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2017-17448: Unprivileged access to netlink namespace creation.
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.
* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.
A missing check when registering SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.
Logic errors when using DiBcom DiB0700 USB DVB devices could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when setting secret with Diffie-Hellman cryptographic algorithm.
An extra free when setting secret with Diffie-Hellman cryptographic
algorithm could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.
* Denial-of-service in crypto Diffie-Hellman decoding.
A missing check in the decode key function in the crypto code
could lead to a kernel panic. A local attacker could exploit
this to cause a denial-of-service.
* Buffer underflow when decoding a key using Diffie-Hellman cryptographic algorithm.
A missing check on user input when decoding a key using Diffie-Hellman
cryptographic algorithm could lead to a buffer underflow. A local
attacker could use this flaw to cause a denial-of-service.
* Use-after-free in USB user-mode file system umount.
If the g_ffs module is unloaded after an unmount, it could
cause a use-after-free. A local attacker could exploit this
to cause a denial-of-service.
* NULL pointer dereference in Metro USB open.
A failure to properly stop I/O after a failed open in the Metro USB code
could lead to a NULL pointer dereference. An attacker could exploit this
to cause a denial-of-service.
* Memory leak when registering a Garmin GPS device.
Missing error handling when registering a Garmin GPS device could lead
to a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* Invalid memory access when handling "uncorrected error" in AMD Machine check.
A logic error when handling "uncorrected error" in AMD Machine check
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.
* Divide-by-zero in TCP New Vegas congestion control packet ack.
In rare cases, a logic flaw in the TCP New Vegas congestion control
algorithm could allow a divide-by-zero when acknowledging a packet,
causing a denial-of-service.
* CVE-2017-16649: Divide by zero when binding a network USB device.
A logic error when binding a network USB device could lead to a divide
by zero error. A local attacker could use this flaw to cause a
denial-of-service.
Orabug: 27215191
* CVE-2017-16650: Divide by zero error when binding a QMI WWAN USB device.
A missing check when binding a QMI WWAN network USB device could lead to
a divide by zero error. A local attacker could use this flaw to cause a
denial-of-service.
Orabug: 27215225
* Denial-of-service when receiving from QMI WWAN device in raw IP mode.
Missing initialization code could cause a kernel oops and
denial-of-service when receiving packets from a QMI WWAN device in raw
IP mode.
* Memory leak in TCP generic segmentation offload with unusual buffers.
When disassembling a TCP generic segmentation offload buffer, some of the
resulting buffers might incorrectly be leaked if their sizes were not as
expected.
* Use-after-free in VLAN event handling due to incorrect reference counting.
Incorrect reference counting of a VLAN information structure could allow
a race condition, potentially allowing the structure to be freed while
still in use and causing memory corruption.
* Denial-of-service in Mellanox mlx5 ethernet page reuse code.
In rare cases, failing to allocate a DMA page could cause the page
structure to be double-freed, corrupting memory or causing a
denial-of-service.
* Information leak via IPv6 SCTP scope ids.
The IPv6 SCTP driver fails to initialize the scope_id field of the ipv6
address in some cases, potentially leaking information from the kernel
stack onto the network.
* Information leak via Trusted Platform Module communications buffer.
When transmitting a TPM command, the length of the buffer is not
properly checked, potentially allowing the buffer to contain
uninitialized data.
* Deadlock in OCFS2 when modifying attributes.
A lock ordering issue when modifying file attributes on the OCFS2
filesystem could in rare cases cause a deadlock and denial-of-service.
* Denial-of-service in page extension lookup code.
When allocating space for memory page extensions, certain edge cases are
not properly checked unless CONFIG_DEBUG_VM is enabled. This could lead
to an unhandled page fault and denial-of-service.
* Information leak via fsync in Coda filesystem.
Calling fsync on the Coda filesystem causes a larger-than-necessary
buffer to be copied to userspace via upcall, potentially leaking kernel
information to userspace.
* CVE-2018-1000026: Denial-of-service when receiving an invalid packet on a bnx2x network card.
Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.
* CVE-2017-17807: Permissions bypass when requesting key on default keyring.
When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.
* Memory leak in Intel XL710 rx descriptor cleanup.
A failure to properly clean up the rx descriptors in the Intel XL710
driver could lead to a memory leak and possible denial-of-service.
* Use-after-free in DCCP/TCP IPv4 packet transmit.
A race condition with the packet options in the DCCP/TCP stack
could lead to a use-after-free, potentially leading to memory corruption
or a kernel panic.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.