[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (DSA 3886-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 29 06:19:34 PDT 2017


Synopsis: DSA 3886-1 can now be patched using Ksplice
CVEs: CVE-2017-0605 CVE-2017-1000364 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8924 CVE-2017-9074 CVE-2017-9075 CVE-2017-9242

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, DSA 3886-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-0605: Privilege escalation when using kernel tracing subsystem.

Usage of strcpy() when using kernel tracing subsystem and retrieving
traced process command line could lead to a stack overflow. A local
attacker could use this flaw to execute arbitrary code in the kernel and
escalate privilege.


* CVE-2017-7487: Use-after-free in IPX reference count handling.

A reference count leak in the IPX ioctl handler can result in a
reference count overflow leading to a use-after-free. A local attacker
could use this flaw to crash the kernel or escalate privileges.


* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient memory,
potentially causing memory corruption and a denial-of-service.


* CVE-2017-7895: Remote information leak in kernel NFS server.

Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.


* CVE-2017-9075: Incorrectly copying list headers on socket clone causes denial-of-service.

When cloning sockets, several list headers are incorrectly copied to the
child sockets, which then leads to double-frees when both sockets are
closed, causing a kernel panic and denial-of-service.


* CVE-2017-9074: Information leak via ipv6 fragment header.

The header size of an ipv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* Information leak in USB ARK Micro 3116 serial driver.

A logic error when handling short register-accessor responses can allow the
contents of kernel memory to be leaked to userspace.


* Information leak in USB FTDI serial response parsing.

A logic error when handling short modem-status responses can allow the contents
of kernel memory to be leaked to userspace.


* Kernel panic in Realtek wireless header parsing.

The Realtek wireless driver does not correctly handle truncated wireless frames
which can trigger a NULL pointer dereference and kernel panic.


* Denial of service in Radeon buffer-object caching.

The Radeon graphics driver does not correctly handle swapping out
buffer-objects which can trigger an assertion failure and kernel panic.


* Memory corruption when handling EXT4 small group sizes.

A logic error when handling EXT4 filesystems with small group sizes can trigger
an out-of-bounds read and potentially corrupt kernel memory.


* Denial of service in Digi AccelePort OOB events.

A logic error when parsing truncated OOB events from Digi AccelePort USB
devices can trigger an out-of-bounds read and kernel panic.


* Denial of service in Moschip USB serial driver.

A logic error when attaching to a Moschip USB serial device with no
interrupt-in endpoint can trigger a NULL pointer dereference and kernel panic.


* Memory leak when synchronously closing FUSE files.

Incorrect reference counting when synchronously closing files on FUSE
filesystems can trigger a kernel memory leak and subsequent kernel panic.


* Denial of service when parsing RDMA iWARP parameters.

The kernel RDMA connection manager does not fully validate iWARP parameters
from userspace which can allow a local user to trigger a NULL pointer
dereference and kernel panic.


* Deadlock when setting ALSA timer with small tickrate.

The ALSA subsystem does not define a lower-bound for tickrates which can allow
a local user to cause deadlocks by setting a small tickrate for timers.


* Denial-of-service when using Generic Segmentation Offload on IPv6 socket.

A missing check when using Generic Segmentation Offload on an IPv6 socket
could lead to a memory leak. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2017-9075: Denial-of-service in SCTP IPv6 socket inheritance.

A failure to correctly initialize an SCTP socket during an accept() call
can later result in a double-free. A local, unprivileged attacker could
use this flaw to cause memory corruption or a kernel crash, resulting in
a denial-of-service.


* CVE-2017-9242: Out-of-bounds access in IPv6 packet transmission.

A logic error when aggregating IPv6 packets for transmission can result
in an out-of-bounds memory access. A local unprivileged attacker could
use this flaw to cause a denial-of-service.


* Invalid user stack expansion on VMA overrun.

Under specific conditions, an overrun of a virtual memory area in a
userspace task can cause the stack to be incorrectly expanded leading to
application failures.


* Double-free of IP-over-IB on concurrent transaction.

Failing to reinitialize the work item list for an IP-over-IB transaction
could lead to a use-after-free or list corruption. A local user could use
this flaw to cause a denial-of-service or potentially escalate privileges.


* Data corruption or deadlock when writing to ext4 with journaling enabled.

Encountering an error when writing to a file on an ext4 filesystem with
journaling enabled would incorrectly mark the underlying data buffers as
dirty, in rare cases causing data corruption on disk or a deadlock.


* NULL pointer dereference when requesting master key for encrypted keys.

The error return value when failing to request the master key to decrypt
encrypted keys in the kernel keyring was incorrectly set to NULL and not
handled correctly by consumers, potentially causing a denial-of-service
or other exploitable behavior when the pointer was dereferenced.


* Remote denial-of-service when setting file size+uid/gid over NFS.

The NFS protocol allows simultaneous change of both a file's size and
ownership information. However, filesystems such as XFS and GFS2 do not
allow this, and will cause a kernel assert and denial-of-service if it
is encountered.


* Use-after-free of timer on DCCP network shutdown.

When shutting down a Datagram Congestion Control Protocol connection,
the shutdown code does not correctly cancel outstanding timers,
potentially allowing them to be used after free, causing a
denial-of-service or other exploitable behavior.


* Memory leak in Adaptec RAID DMA init.

Incorrect de-allocation logic in the Adaptec RAID device driver causes
the driver to free memory incorrectly, potentially leaking it.


* Denial-of-service in NFSv4 client when accessing ACLs.

Improper range checking when getting or setting the ACLs could lead to
overflowing an on-stack array of pages. An attacker could use this flaw to
cause a denial-of-service or potentially escalate privileges.


* CVE-2017-1000364: Increase stack guard size to 1 MiB.

A vulnerability in how userspace programs are compiled can cause the
program's stack to grow into the program's heap and corrupt either of
them. Depending on which program is targeted, an attacker can gain
additional privileges.

This update provides a new sysctl variable which can be used to tune
the gap between a program's heap and stack. To change it, use e.g.:

    # set gap to 32 MiB
    echo 33554432 > /proc/sys/vm/heap_stack_gap

This update is a kernel mitigation for what is fundamentally a
userspace problem. As such, there is no guarantee that it will stop
every potential attack vector, but it will stop the ones that are
currently known and make it much more difficult to exploit in general.

Running processes where the stack and heap are already very close may
need to be restarted for the change to take effect. It is therefore
recommended that long-running processes and network daemons are
restarted after applying this update.
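As an added defender-side check that is not part of the Ksplice advisory, the script below parses /proc/<pid>/maps to list running tasks whose heap already sits closer to the stack than the guard, so an administrator can decide which long-running daemons to restart. It reads the gap from /proc/sys/vm/heap_stack_gap when that sysctl exists (assumed to be in bytes, as in the echo above) and otherwise assumes the 1 MiB default; the two maps excerpts are constructed, not captured from a real host.

```python
import os

# Constructed /proc/<pid>/maps excerpts (x86-64 layout), not from a real host.
MAPS_OK = """\
0060c000-00a2d000 rw-p 00000000 00:00 0 [heap]
7ffd2a1c3000-7ffd2a1e4000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_CLOSE = """\
7ffd2a000000-7ffd2a100000 rw-p 00000000 00:00 0 [heap]
7ffd2a1c3000-7ffd2a1e4000 rw-p 00000000 00:00 0 [stack]
"""

GAP_SYSCTL = "/proc/sys/vm/heap_stack_gap"  # added by this update; assumed bytes
DEFAULT_GAP = 1 << 20                        # 1 MiB, the new default guard size

def parse_gap(maps_text):
    """Bytes between end of [heap] and start of [stack]; None if either is absent."""
    heap_end = stack_start = None
    for line in maps_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        if fields[-1] == "[heap]":      # anonymous maps have 5 fields, so [-1] is safe
            heap_end = end
        elif fields[-1] == "[stack]":
            stack_start = start
    if heap_end is None or stack_start is None:
        return None
    return stack_start - heap_end

def configured_gap():
    """Read the live sysctl when present, otherwise assume the 1 MiB default."""
    try:
        with open(GAP_SYSCTL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_GAP

def scan_running(gap_bytes=None):
    """Return [(pid, gap)] for tasks whose gap is already below the guard."""
    gap_bytes = configured_gap() if gap_bytes is None else gap_bytes
    pids = os.listdir("/proc") if os.path.isdir("/proc") else []
    hits = []
    for pid in filter(str.isdigit, pids):
        try:
            with open(f"/proc/{pid}/maps") as f:
                gap = parse_gap(f.read())
        except OSError:
            continue  # task exited or its maps are not readable by this user
        if gap is not None and gap < gap_bytes:
            hits.append((int(pid), gap))
    return hits
```

Run as root to see every task; the heap/stack gap of an unprivileged user's own processes is visible without elevated rights.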


* CVE-2017-8924: Information leak in Digi Edgeport TI callback completion.

An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.