[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3901-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 4 16:14:20 PDT 2019


Synopsis: USN-3901-1 can now be patched using Ksplice
CVEs: CVE-2018-18397 CVE-2018-19854 CVE-2019-6133

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3901-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in ipip tunnel netlink interface.

A missing check in the ipip driver netlink interface can result in a NULL
pointer dereference, leading to a kernel crash. A local user with the ability
to create network interfaces could use this flaw to cause a denial-of-service.


* CVE-2019-6133: Permission bypass of userspace Policykit protection.

When a non-root user tries to control a systemd unit, Policykit asks
for an administrator password. Once entered, polkit caches this password
for up to five minutes for the corresponding process, identified by the
PID and start_time of the process. A race condition in the fork syscall
could let an attacker spawn a process with the same start_time and the
same PID as the targeted process and thus control a systemd unit.


* CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.

Incorrect string copying in the NETLINK_CRYPTO report could result in
leaking the contents of kernel stack memory to an unprivileged local
user.


* Spurious signals during TTY reopen.

A logic error when locking a TTY when it is reopened can result in unnecessary
signals being sent to userspace processes.


* Kernel panic in IPv6 GRE tunneling driver.

The ip6_gre driver can incorrectly handle network namespaces in the
ip6gre_changelink function, resulting in list corruption, and a
potential future kernel panic.


* NULL pointer dereference in Exynos PCIe controller initialization.

A logic error in the exynos code could cause a NULL pointer dereference
during device probing.  This could be used for a denial-of-service.


* Additional Spectre v1 hardening for ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of the array index after a bounds check in the ZeitNet
ZN1221/ZN1225 driver could lead to an information leak. A local attacker
could use this flaw to leak information about the running system.


* Denial-of-service in DCCP CCID-3 feedback.

An invalid kernel assertion could cause a kernel crash when processing
DCCP CCID-3 packets on an especially fast host or with a malicious
remote user.


* Denial-of-service in DCCP timestamps.

Invalid clock selection could allow a malicious local user to cause
integer overflows when handling DCCP packet reception causing a denial
of service.


* Use-after-free when receiving tpacket with virtio header over a TCP socket.

A logic error when receiving tpacket with virtio header over a TCP
socket could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when setting backend in Host kernel accelerator for virtio net.

A missing check in error path when setting backend in Host kernel
accelerator for virtio net could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.

A missing sanitization of the array index after a bounds check in the Chelsio
Communications T3 10Gb Ethernet driver could lead to an information
leak. A local attacker could use this flaw to leak information about the
running system.


* Denial-of-service when connecting to an access point with Realtek rtlwifi family of devices.

A race condition when connecting to an access point and quickly entering
and leaving power states with Realtek rtlwifi family of devices could
lead to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in ebtables evaluation loop.

A missing check in ebtables evaluation loop could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Buffer overflow in warning messages of Reiser filesystem.

A missing bounds check when printing mount options in warning messages
of Reiser filesystem could lead to a buffer overflow. A local attacker
could use crafted mount options to cause a denial-of-service.


* Use-after-free when sending messages over Transport Layer Security socket.

A logic error when sending messages over Transport Layer Security socket
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when using Kernel automounter version 4.

A missing check on user input when using Kernel automounter version 4
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when using Inter-FE action based on IETF ForCES InterFE LFB.

A logic error when using Inter-FE action based on IETF ForCES InterFE
LFB could lead to a use-after-free and a deadlock. A local attacker
could use this flaw to cause a denial-of-service.


* NULL pointer dereference when initializing Cadence network driver.

A missing variable initialization when initializing Cadence network
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Denial-of-service in Virtio while executing XDP_REDIRECT.

A logic error in the XDP_REDIRECT path in the virtio code could lead to
a memory leak.  This could be exploited to cause a denial-of-service.


* Denial-of-service in KVM KVM_IRQFD ioctl().

Missing synchronization when assigning and deassigning a KVM IRQ eventfd
instance could result in a use-after-free and kernel crash, or
potentially, escalation of privileges.


* Denial-of-service in FAT filesystem option parsing.

Missing error handling when parsing filesystem options for a FAT
filesystem could result in a double free.  A local user with permissions
to mount filesystems could use this flaw to crash the system.


* Denial-of-service in non-hierarchical memory cgroup iteration.

A logic error in the memory cgroup code could lead to kernel memory
corruption and a kernel crash when iterating over cgroups.  This could
be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Information leak in VFIO PCI ioctl.

A missing sanitization of array index in the VFIO PCI ioctl code
could lead to an information leak.  A local attacker could use this flaw
to leak information about the running system.
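The three Spectre v1 entries in this advisory (ZeitNet ZN1221/ZN1225, Chelsio T3 and VFIO PCI) all describe the same missing step: masking an array index after its bounds check so that a mispredicted branch cannot speculatively load from an out-of-range slot. The following is an added example, not code from the advisory or from the kernel, showing that idiom in user-space C; the table, its size and the function names are hypothetical.

```c
/* Added example (not from the Ksplice advisory or the kernel sources):
 * a user-space rendition of "sanitize the array index after the bounds
 * check", the Spectre v1 mitigation the advisory describes for the
 * ZeitNet, Chelsio T3 and VFIO PCI fixes. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8UL
/* Constructed sample: a per-index lookup table such as a driver might keep. */
static const uint32_t table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Branch-free mask: all ones when idx < size, zero otherwise.
 * (size - 1 - idx) wraps to a value with the top bit set exactly when
 * idx >= size, so OR-ing it with idx and taking the top bit yields 1 for
 * out-of-bounds and 0 for in-bounds (valid for size <= 2^63). This mirrors
 * the idea behind the kernel's array_index_mask_nospec() but is not its code. */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    unsigned long oob = (idx | (size - 1UL - idx)) >> (sizeof(unsigned long) * 8 - 1);
    return oob - 1UL;   /* 0 - 1 == ~0UL when in bounds, 1 - 1 == 0 when out */
}

/* "Before": the bounds check is architecturally correct, but while the
 * branch is unresolved the CPU may speculatively execute table[idx] with an
 * out-of-range idx, leaving a cache footprint that depends on secret memory. */
uint32_t lookup_unsanitized(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    return table[idx];
}

/* "After": the index used for the load is masked to zero whenever it is out
 * of range, so even a mispredicted branch reads table[0] at worst. */
uint32_t lookup_sanitized(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    idx &= index_mask_nospec(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    unsigned long probes[] = {0, 3, 7, 8, 1000, ~0UL};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%lu mask=%#lx value=%u\n", probes[i],
               index_mask_nospec(probes[i], TABLE_LEN),
               (unsigned)lookup_sanitized(probes[i]));
    return 0;
}
```

The two lookups return identical results for every input; the difference is only in what the CPU may touch speculatively, which is why such fixes are shipped as hardening rather than as functional changes.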


* Memory corruption with Nouveau Multi-Stream Transport connectors.

Several race conditions in the Nouveau driver code when looping through
MST connectors can lead to memory corruption or kernel panic.  This could
be exploited to cause a denial-of-service.


* Denial-of-service in IPv4 TCP socket close.

A logic error in the TCP abort code results in sockets being freed
twice, leading to possible memory corruption or a kernel panic. This
could be exploited to cause a denial-of-service.


* Denial-of-service in kernel rhashtable destruction.

A logic error in rhashtable could result in some elements not being
properly freed, leading to memory corruption and kernel panic.  This could
be used to cause a denial-of-service.


* NULL pointer dereference in FQ_CODEL net scheduling initialization.

A failure to properly handle an error could lead to a NULL pointer
dereference in the fq_codel initialization code.  This could be exploited
to cause a denial-of-service.


* CVE-2018-18397: Permission bypass when using userfaultfd to write temp or hugetlb filesystem files.

Missing checks in userfaultfd could let a local attacker write into
read-only files residing in a hugetlb or a temp filesystem.


* NULL pointer dereference when running fstrim on Bcache driver.

A missing check when running fstrim on Bcache driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Use-after-free when creating an iSCSI session fails.

A logic error when creating an iSCSI session fails could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
