[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (3.2.86-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Mar 9 23:42:23 PST 2017


Synopsis: 3.2.86-1 can now be patched using Ksplice
CVEs: CVE-2016-8632 CVE-2016-9588 CVE-2017-2636 CVE-2017-5669 CVE-2017-5986 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348 CVE-2017-6353

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.86-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
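
As an added example (not part of the Ksplice advisory or Oracle's tooling), the following POSIX shell script wraps the two steps above for fleet use: it reads the autoinstall setting from uptrack.conf, runs uptrack-upgrade only when autoinstall is off, and then confirms that every CVE listed in this advisory appears in the installed-update list. It assumes that uptrack.conf is a plain "key = value" file in which '#' starts a comment, and that `uptrack-show` prints one line per installed update containing the CVE identifier(s) that update addresses; both assumptions are marked in the code.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumptions (not stated on the page):
#  - /etc/uptrack/uptrack.conf is "key = value" text, '#' begins a comment
#  - `uptrack-show` prints the CVE identifier(s) of each installed update

# CVE list copied from the "CVEs:" line of this advisory.
ADVISORY_CVES="CVE-2016-8632 CVE-2016-9588 CVE-2017-2636 CVE-2017-5669 \
CVE-2017-5986 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348 CVE-2017-6353"

# autoinstall_enabled CONF_FILE
# Returns 0 when the last uncommented "autoinstall = ..." line is a true value.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|1|[Tt][Rr][Uu][Ee]) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_cves SHOW_OUTPUT_FILE
# Prints, one per line, each advisory CVE that does not appear in the file.
missing_cves() {
    show_out="$1"
    for cve in $ADVISORY_CVES; do
        grep -q -- "$cve" "$show_out" || echo "$cve"
    done
}

# Live flow: apply if needed, then verify coverage. Exits 1 if any CVE is
# still missing so a config-management run can flag the host.
main() {
    conf=/etc/uptrack/uptrack.conf
    if autoinstall_enabled "$conf"; then
        echo "autoinstall is enabled; Uptrack applies updates on its own"
    else
        echo "autoinstall is off; applying updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
    tmp=$(mktemp)
    /usr/sbin/uptrack-show > "$tmp"
    miss=$(missing_cves "$tmp")
    rm -f "$tmp"
    if [ -n "$miss" ]; then
        echo "WARNING: advisory CVEs not covered by installed updates:" $miss
        return 1
    fi
    echo "all advisory CVEs are covered"
}

# Run the live flow only when invoked as: sh uptrack-check.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

The functions are split from the live flow so the parsing and coverage logic can be exercised against captured files without touching the host; run the script with `--run` on the Wheezy machine itself.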


DESCRIPTION

* CVE-2017-2636: Privilege escalation in HDLC (High-level Data Link Control) TTY line discipline.

A race condition between flushing the transmit queue and concurrently
sending frames in the HDLC TTY line discipline could lead to a double
free.  A local, unprivileged user could use this flaw to elevate
privileges.


* Metadata corruption of uid/gid on ext4 filesystem.

A logic error when removing an inode from an ext4 filesystem could
corrupt metadata by zeroing the high 16 bits of the uid/gid before the
inode deletion had been committed to disk. An attacker could potentially
use this flaw to bypass permission checks on an ext4 filesystem.


* Denial-of-service in reiserfs quota handling on mount.

Incorrect locking when initializing quotas for a reiserfs mount could
lead to a deadlock.  A local user with mount permission could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when probing a Lego Mindstorms infrared device.

A race condition when probing a Lego Mindstorms infrared device could
trigger a NULL pointer dereference and cause a local denial-of-service.


* Permission bypass in NFSv4 during open state recovery.

Incorrect error checking during open state recovery could leave the
client and server with mismatched permissions for an open file. An
attacker could use this flaw to bypass permissions.


* Permission bypass in FUSE filesystem when changing directory mode.

A flaw in the FUSE filesystem could cause stale cached directory modes
to be used after the mode has been changed. A local user could
potentially use this flaw to escalate privileges or access restricted
information.


* Permission bypass in FUSE filesystem when using write/truncate/chown.

A flaw in the FUSE filesystem causes stale directory modes to be used
when checking permissions in the write, truncate and chown operations.
A local user could potentially use this flaw to escalate privileges or
access restricted information.


* Out-of-bounds memory access when setting a key in crypto GCM.

An incorrectly sized array used when setting a GCM key could lead to an
out-of-bounds memory access. A local user with the ability to set a GCM
key could use this flaw to cause a denial-of-service.


* Use-after-free when probing some SCSI devices.

A reference counting error when probing a SCSI device could lead to a
use-after-free. A user with the ability to probe SCSI devices could use
this flaw to cause a denial-of-service.


* Infinite loop in getdents() syscall on UBI filesystem.

Incorrect error handling in the getdents() syscall path for the UBI
filesystem could cause libc callers to loop forever. An attacker could
use this flaw to cause a denial-of-service.


* Memory leak when resizing a virtual terminal.

Incorrect argument validation during virtual terminal resizing could
lead to a memory leak. A local user could use this flaw to exhaust
memory and cause a denial-of-service.


* Denial-of-service when resizing a virtual terminal.

A missing check during virtual terminal resizing could lead to an
invalid memory access. A local user could use this flaw to cause a
denial-of-service.


* Use-after-free when removing a KVM virtual machine.

Incorrect logic when clearing virtual CPU data could cause a
use-after-free. An attacker able to load and unload VMs could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when binding a DCCP IPv6 socket.

A missing callback in the dccp_v6 ops could cause a NULL pointer
dereference when binding a socket. A local user able to bind a DCCP IPv6
socket could use this flaw to cause a denial-of-service.


* Memory leak when using the InfiniBand userspace driver.

Queue pairs were not freed during cleanup when userspace released the
driver, leading to a memory leak. An attacker could use this flaw to
cause a denial-of-service.


* Information leak in mwifiex driver.

Incorrect logging of SSID strings in the mwifiex driver can leak kernel
stack information to userspace. A local attacker could use this flaw to
gain information about the running kernel.


* CVE-2016-9588: Denial-of-service in Intel nested VMX exception handling.

Failure to handle exceptions raised by an L2 guest could result in a
kernel crash.  A malicious guest could use this flaw to crash the
virtualization host.


* CVE-2017-6214: Denial-of-service when splicing from a TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in
the IPv4 subsystem. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-5986: Denial-of-service when using an SCTP socket from concurrent threads.

A BUG_ON() could be triggered when queueing data on a full SCTP socket
while another thread disassociates the first thread from the socket. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-6346: Use-after-free in AF_PACKET fanout.

Invalid locking when processing the PACKET_FANOUT sockopt for AF_PACKET sockets
can trigger a use-after-free condition and kernel panic. A local user could use
this flaw to elevate privileges.


* CVE-2017-6348: Deadlock in Infrared socket teardown.

Invalid locking in the infrared networking subsystem can trigger a deadlock and
kernel panic when tearing down sockets. A local user can use this flaw to
trigger a denial of service.


* Denial-of-service in DM_TABLE_LOAD ioctl of device mapper.

Incorrect error handling in the DM_TABLE_LOAD ioctl could leak a
reference count. A local user with access to this ioctl could use this
flaw to cause a denial-of-service.


* Data loss when passing a command to a megaraid controller.

A bug in the way the SYNCHRONIZE_CACHE command was handled meant that
cached data was not properly flushed to disk in JBOD mode, resulting in
data integrity failures.


* Denial-of-service when mounting a crafted ext4 image as read-only.

A missing check when mounting a crafted ext4 image as read-only could
lead to a kernel panic. An attacker with mount capabilities could use
this flaw to cause a denial-of-service.


* Three-way race condition in rtmutex causes lock corruption.

A race condition between three concurrent threads could cause corruption
of the associated rtmutex, causing the mutex to potentially be granted
to the wrong waiter. This would likely lead to a kernel panic and
denial-of-service.


* CVE-2016-8632: Denial-of-service when using TIPC with a too-short MTU.

Missing checks on the TIPC (Transparent Inter Process Communication)
header could lead to a buffer overflow if the device MTU is too short.
An attacker with the ability to configure the MTU could use this flaw
to cause a denial-of-service.


* CVE-2017-5669: Protection bypass when using the shmat() syscall to map page zero.

A logic error when mapping a page with the shmat() syscall could allow a
user to map page zero and consequently bypass the minimum-address
protection that exists for the mmap() system call.


* CVE-2017-6353: Denial-of-service when peeling off an SCTP socket.

A logic error when peeling off an SCTP socket could lead to a double
free or a deadlock. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-6345: Denial of service in 802.2 LLC packet processing.

A logic error when receiving PDUs on an 802.2 LLC network socket can trigger a
kernel panic and denial of service when freeing memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
