[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (DLA-1200-1)

[Oracle Ksplice]

Synopsis: DLA-1200-1 can now be patched using Ksplice
CVEs: CVE-2015-9004 CVE-2016-10208 CVE-2016-7097 CVE-2017-1000364 CVE-2017-1000407 CVE-2017-12190 CVE-2017-13080 CVE-2017-14051 CVE-2017-15115 CVE-2017-15265 CVE-2017-15299 CVE-2017-15649 CVE-2017-15868 CVE-2017-16525 CVE-2017-16527 CVE-2017-16529 CVE-2017-16531 CVE-2017-16532 CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537 CVE-2017-16643 CVE-2017-16649 CVE-2017-16939 CVE-2017-7542 CVE-2017-8824 CVE-2017-8831

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, DLA-1200-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved fix for CVE-2017-1000364: allow stack expansion close to userspace guard.

Some userspace applications like the Java Virtual Machine are trying to
implement a stack guard area manually by using a fixed mapping which,
together with the original Ubuntu fix for CVE-2017-1000364, prevents stack
expansion when it shouldn't have.


* Improved fix for CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.

An incorrect data type when parsing IPV6 fragments header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2015-9004: Privileges escalation in the perf subsystem when grouping events.

A logic error when checking if events grouping is allowed in the perf
subsystem allows to form a group on a different CPU than the CPU where the
event was registered.  A local user with the privileges to manager perf
probes could use this flaw to escalate privileges.


* CVE-2017-8824: Privileges escalation when calling connect() system call on a DCCP socket.

A missing free when calling connect() system call on a DCCP socket while it is
in DCCP_LISTEN state could lead to a use-after-free. A local attacker
could use this flaw to escalate privileges.


* CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.

A missing check on user input when using NXP SAA7164 video driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.

A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force reuse a nonce.  This could allow he
attacker to eavesdrop on encrypted communications as well as inject and
manipulate data into a WiFi stream.


* CVE-2017-15115: Use-after-free in SCTP peel off operation inside network namespace.

A logic error when performing an SCTP peel off operation from a network
namespace can result in an incorrect free, leading to a subsequent
use-after-free. A local user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

Failure to increment a reference count error during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.


* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-15649: Use-after-free in socket fanout.

A logic error when enabling fanout on a socket can result in the socket
being added to a list twice, which can lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or possibly
escalate privileges.


* CVE-2017-15868: Privilege escalation in the Bluetooth stack when adding connections.

Multiple missing checks that a socket belongs to the L2CAP layer leads to
type confusion and kernel crash.  A local user with the ability to create a
BNEP (Bluetooth Network Encapsulation Protocol), Humand Interface Device
Protocol (HIDP) or a CAPI Message Transport Protocol (CMTP) connection
could use this flaw to escalate privileges.


* CVE-2017-16525: Use-after-free in USB serial console setup failure.

A failure to handle an error case during USB serial console setup can lead to
a use-after-free.


* CVE-2017-16527: Use-after-free when creating mixer for USB Audio device.

A missing free in error path when creating mixer for USB Audio device
could lead to a use-after-free. A local attacker could use a crafted USB
Audio device to cause a denial-of-service.

Orabug: 27148276


* CVE-2017-16529: Out-of-bounds due to corrupted buffer parsing in USB audio.

A failure to validate buffer descriptors from a USB audio device can
result in an out-of-bounds memory access.


* CVE-2017-16531: Out-of-bounds access in USB configuration parsing.

A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.


* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.

A missing check when running USB tests with a USB device exposing
invalid endpoints configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-16533: Out-of-bounds access during parsing of Human Interface Device information.

A failure to validate information supplied by a USB device can result in
a out-of-bounds memory write, leading to undefined behaviour.


* CVE-2017-16535: Out-of-bounds memory access when reading USB descriptors.

A missing check when reading USB descriptors could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16536: NULL pointer dereference when registering a Conexant cx231xx USB video device.

A missing check when probing a Conexant cx231xx USB video device could
lead to a NULL pointer dereference. A local attacker could use a crafted
USB device to cause a denial-of-service.


* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.

A missing check when registering SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.

A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.


* CVE-2017-16649: Divide by zero when binding a network USB device.

A logic error when binding a network USB device could lead to a divide
by zero error. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a Kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.


* CVE-2016-10208: Denial-of-service when using a crafted ext4 image.

Missing check in ext4 meta block groups validation could lead to an out
of bound access. A Local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash.  An attacker could use this flaw
to cause a host denial-of-service from the guest.


* Improved fix to CVE-2016-7097: Group permission bypass when setting ACLs.

Multiple logic errors when setting POSIX ACLs in various filesystems could
lead to an incorrect set-group-id bit being set or cleared.  A local
unprivileged user could use this flaw to access files otherwise restricted,
potentially allowing a privilege escalation.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.