[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (3.2.88-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu May 4 11:17:20 PDT 2017


Synopsis: 3.2.88-1 can now be patched using Ksplice
CVEs: CVE-2016-10200 CVE-2016-9604 CVE-2017-2647 CVE-2017-2671 CVE-2017-5967 CVE-2017-5970 CVE-2017-7184 CVE-2017-7261 CVE-2017-7273 CVE-2017-7294 CVE-2017-7308 CVE-2017-7472 CVE-2017-7616

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.88-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory corruption with ext4 block size greater than 64k.

Using an ext4 filesystem with a block size greater than 64k can cause
memory corruption, potentially causing a denial-of-service.


* Invalid memory access in btrfs multi-delete replay.

Incorrect logic when replaying a delete of directory entries could cause
an out-of-bounds access, potentially causing a denial-of-service or
exposing privileged memory.


* Denial-of-service in EXT4 filesystems with negative sized inodes.

A maliciously formed EXT4 filesystem could trigger an integer overflow
in the virtual filesystem layer, leading to a kernel crash.


* Ceph authorize reply not verified as authentic.

When establishing a Ceph connection, the authorizer reply is not
actually verified as authentic, potentially allowing an attacker to
spoof another connection.


* Denial-of-service caused by use-after-free in fsnotify.

When iterating through a list of inodes to unmount, fsnotify could
potentially free a node while iterating through the list. This could
cause a kernel crash, but usually manifests as an infinite loop, causing
a denial-of-service.


* Race condition in generic block device code causes spurious BUG.

An incorrect condition when attempting to exclusively lock a block
device could cause error checking code to erroneously fire, causing a
BUG and denial-of-service.


* Denial-of-service when adding a new iSCSI target portal group fails.

A redundant kfree in the error path when adding a new portal group could
lead to a double-free. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in traffic control when using any net scheduler.

An incorrect variable initialization when classifying packets in traffic
control could lead to a soft lockup. An attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when closing an interface of the Korina ethernet driver.

Incorrect logic when closing an interface in the Korina ethernet driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when writing data to usb gadgetfs endpoints.

A missing check on the length of a packet written to endpoint 0 could
lead to an out-of-bounds write. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when using special gadgetfs configuration.

A logic error when configuring a new USB gadgetfs device could lead to a
use-after-free. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service when transferring data to a Garmin GPS device.

A missing free after sending data to a Garmin GPS device could lead to a
memory leak. A local attacker could use this flaw to exhaust host
memory and cause a denial-of-service.


* Denial-of-service when using the Edgeport USB serial driver.

Missing checks in the Edgeport USB serial driver could lead to multiple
NULL pointer dereferences. A local attacker could use such a device to
cause a denial-of-service.


* Denial-of-service when using USB Moschip 7720 serial devices.

Logic errors when using USB Moschip 7720 serial devices could lead to a
NULL pointer dereference or a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-7273: Denial-of-service in Cypress USB HID driver.

A missing check in the Cypress USB HID driver when parsing USB descriptors
could lead to an out-of-bounds access. An attacker with physical access
to the machine could use this flaw to cause a denial-of-service.


* Denial-of-service when using Distributed Lock Manager with OCFS2.

A locking error when using Distributed Lock Manager (DLM) with OCFS2
filesystem could lead to a kernel BUG(). An attacker could use this flaw
to cause a denial-of-service.


* Information leak in USB Winchiphead CH341 driver when using TIOCMGET.

A logic error in USB CH341 Serial driver could lead to leaking heap
data to userspace by using TIOCMGET. An attacker could use this flaw
to leak sensitive data and facilitate an exploit.


* Information leak when using I2C_SMBUS ioctl.

A missing variable initialization could lead to a leak of sensitive
kernel information when using the I2C_SMBUS ioctl. An attacker could use
this flaw to leak kernel information and facilitate an exploit.


* Memory leak in SunRPC GSSAPI teardown.

A logic error when handling GSS_PROC_DESTROY messages can allow a remote user
to cause a kernel memory leak when establishing a connection to the kernel NFS
daemon.


* Denial-of-service in the nbd transmit path.

Incorrect logic in the transmit path of the network block device driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service caused by infinite loop when COW-ing huge pages.

A missing flag check could cause an infinite loop if a read-only memory
region backed by huge pages was written to via copy-on-write, causing a
denial-of-service.


* Denial-of-service in CIPSO / IPv4 protocol engine.

A missing length check in the CIPSO protocol implementation results in
an out-of-bounds memory access. An unprivileged local process can exploit
this to read kernel memory or cause a denial-of-service.
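As an added illustration of the kind of length check this item describes (example code, not the kernel's cipso_v4 implementation): a bounds-checked walk over a CIPSO IPv4 option, type 134, whose layout (type, length, 4-byte DOI, then a run of tags each carrying its own type and length byte) is taken from the CIPSO specification. Every embedded length is compared against the bytes actually present before the byte it guards is read, and a zero-length tag is rejected so the walk cannot loop forever. The constant names, return codes and sample options are constructed for this example.

```c
/* Bounds-checked walk over a CIPSO IPv4 option (option type 134).
 * Added example, not kernel code. Layout: type(1) len(1) DOI(4), then
 * tags, each tag = type(1) len(1) payload(len-2). Constant names, return
 * codes and the sample options below are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_CIPSO    134
#define CIPSO_HDR_LEN    6   /* type + len + 4-byte DOI */
#define CIPSO_TAG_HDR    2   /* tag type + tag len */
#define IPV4_OPTS_MAX   40   /* the IPv4 options area is at most 40 bytes */

enum cipso_err { CIPSO_BAD_HDR = -1, CIPSO_BAD_LEN = -2, CIPSO_BAD_TAG = -3 };

/* Returns the number of tags on success, or a negative cipso_err.
 * `avail` is how many bytes are really present; every embedded length
 * is checked against it before the byte it guards is read, so a truncated
 * or oversized option is rejected instead of being read past its end. */
int cipso_validate(const uint8_t *opt, size_t avail)
{
    if (avail < CIPSO_HDR_LEN || opt[0] != IPOPT_CIPSO)
        return CIPSO_BAD_HDR;

    size_t optlen = opt[1];
    if (optlen < CIPSO_HDR_LEN || optlen > avail || optlen > IPV4_OPTS_MAX)
        return CIPSO_BAD_LEN;              /* claims more bytes than exist */

    int tags = 0;
    size_t off = CIPSO_HDR_LEN;
    while (off < optlen) {
        if (optlen - off < CIPSO_TAG_HDR)  /* tag header itself truncated */
            return CIPSO_BAD_TAG;
        size_t taglen = opt[off + 1];
        /* taglen < 2 would never advance `off`: an infinite loop */
        if (taglen < CIPSO_TAG_HDR || taglen > optlen - off)
            return CIPSO_BAD_TAG;
        off += taglen;
        tags++;
    }
    return tags;
}

/* Constructed sample options (DOI = 1). */
static const uint8_t cipso_good[] = {134, 12, 0, 0, 0, 1, 1, 6, 0, 5, 0xff, 0x00};
/* tag claims 20 bytes but only 4 remain in the option */
static const uint8_t cipso_overlong_tag[] = {134, 10, 0, 0, 0, 1, 1, 20, 0, 5};
/* zero-length tag: in bounds, but would never advance the walk */
static const uint8_t cipso_zero_tag[] = {134, 10, 0, 0, 0, 1, 1, 0, 0, 0};

int main(void)
{
    printf("good:         %d\n", cipso_validate(cipso_good, sizeof cipso_good));
    printf("truncated:    %d\n", cipso_validate(cipso_good, 8));
    printf("overlong tag: %d\n", cipso_validate(cipso_overlong_tag, sizeof cipso_overlong_tag));
    printf("zero tag:     %d\n", cipso_validate(cipso_zero_tag, sizeof cipso_zero_tag));
    return 0;
}
```

The `truncated` case passes the same bytes as `good` but tells the validator only 8 of them are present, which is the situation a missing check turns into an out-of-bounds read.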


* Denial-of-service in ALSA sequencer memory management.

A race condition when use of a memory pool is finished can trigger a
use-after-free causing a kernel crash. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when reading USB RTL8150 registers.

Using a DMA buffer on the stack when reading USB RTL8150 registers could
lead to stack corruption on kernels where CONFIG_VMAP_STACK is enabled.
A local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service during ALSA sequencer queue creation.

A logic error when creating an ALSA sequencer queue can lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in IPv4 `ping' implementation.

A missing NULL pointer check in the ping implementation inside the IPv4
subsystem allows an unprivileged local user to crash the kernel and cause
a denial-of-service.


* Denial-of-service in Siano TV receiver driver.

Using a DMA buffer on the stack when passing a USB control message to
the Siano USB TV driver could lead to stack corruption on kernels where
CONFIG_VMAP_STACK is enabled. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when receiving data over a Xilinx ethernet controller.

A missing check when receiving data over a Xilinx ethernet controller
could lead to a buffer overflow. A remote attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service in SCSI Generic driver.

A missing sanity check when writing to a generic SCSI device may lead to
a kernel panic. An unprivileged user with write permission to /dev/sg can
exploit this to cause a denial-of-service.


* NULL pointer dereference in DECnet routing.

Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when outputting a DECnet packet.  A local, unprivileged
user could use this flaw to crash the system.


* Use-after-free in network bridge ioctl().

Missing locking in the bridge ioctl handler for receiving network
interface indices could result in a use-after-free and kernel crash
under specific conditions.


* Denial-of-service due to memory leak in TCP subsystem.

A malicious TCP client could cause the kernel to leak memory via the use
of crafted selective acknowledgements. This could result in stalling the
TCP stack for all connections or exhausting system memory.


* Denial-of-service due to incorrect TCP checksum calculation.

When both MTU probing and TX checksum offload are enabled, incorrect
TCP checksums can be generated, which can cause a TCP connection to
stall, preventing further transmission.


* Use-after-free when using setsockopt() or connect() on an SCTP socket.

A race condition between the connect() and setsockopt() syscalls on an
SCTP socket could lead to a use-after-free. A local user able to use
those syscalls could cause a denial-of-service.


* Denial-of-service when receiving a packet with packet editing enabled.

Missing argument validation when receiving a malformed packet while
packet editing is enabled could lead to a memory overflow. A remote
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when checking DCCP packet validity.

Incorrect logic when checking the validity of a received DCCP packet
header could lead to a use-after-free. A remote attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when using specific options of a raw IPv6 socket.

A missing check when sending data through an IPv6 socket configured with
the IPV6_CHECKSUM and IPV6_DSTOPTS options could lead to a kernel panic.
An attacker could use this flaw to cause a denial-of-service.


* Deadlock when disabling IPv6 network interface.

Incorrect locking in the IPv6 address auto-configuration when disabling a
network interface can trigger a deadlock and kernel panic.


* Invalid memory access in IPv6 tunneling subsystem.

A missing check on socket buffer and use of a stale pointer results in
invalid memory accesses inside the IPv6 tunneling subsystem. This may
lead to undefined behavior in the kernel or denial-of-service.


* Denial-of-service when TCP window scaling is not enabled.

A division-by-zero error occurs when selecting the window size for TCP
over IPv4, resulting in denial-of-service.


* CVE-2017-5970: Denial-of-service in ipv4 options field handling.

Incorrect behaviour when ipv4 options are used can result in a kernel
crash.  A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-2647: Denial-of-service when invoking request_key() syscall.

A missing check in request_key() syscall could lead to a NULL pointer
dereference. A local unprivileged user could use this flaw to cause a
denial-of-service.


* CVE-2017-5967: Information leak when querying timer stats.

A missing check when reading the timer_stats proc entry from a PID
namespace could lead to leakage of system PIDs outside of this namespace.
A local attacker could use this flaw to retrieve information about the
running system and facilitate an attack.


* CVE-2016-9604: Permission bypass when creating key using keyring subsystem.

A missing check when a user creates a key beginning with '.' could lead
to a permission bypass. A local attacker could use this flaw to access
sensitive information.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* CVE-2017-7184: Privilege escalation when using xfrm IP framework.

A missing check when using the xfrm IP framework could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service or to escalate privileges.


* CVE-2017-7261: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using "surface define" ioctl of DRM
driver for VMware Virtual GPU could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-7294: Denial-of-service when defining surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using "create surface" ioctl of DRM
driver for VMware Virtual GPU could lead to an integer overflow. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-7308: Memory corruptions in AF_PACKET when receiving packets.

Lack of bounds checking when receiving a packet, setting ring or setting
socket options in the raw packet driver could lead to a buffer overflow
and overwrite of kernel memory. A remote or a local attacker could use
this flaw to cause a denial-of-service or potentially escalate
privileges.
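As an added example of the bounds checking this item concerns (not the kernel's packet_set_ring() code, though modelled on the kind of checks it makes): a validator for the ring geometry a user supplies through PACKET_RX_RING or PACKET_TX_RING. The frame-size check is done in 64-bit arithmetic so that a large PACKET_RESERVE value cannot wrap the header-plus-reserve sum, and the weak 32-bit form is kept alongside it to show what the wrap lets through. The struct mirrors struct tpacket_req from <linux/if_packet.h>; the function names, error codes, total-size cap and sample requests are constructed for this example.

```c
/* Ring-geometry validation for an AF_PACKET memory-mapped ring.
 * Added example modelled on the sort of checks packet_set_ring() makes;
 * not kernel code. struct ring_req mirrors struct tpacket_req; function
 * names, error codes, the total-size cap and sample requests are constructed. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ            4096u
#define TPACKET_ALIGNMENT    16u   /* frames must be 16-byte aligned */

struct ring_req {
    uint32_t tp_block_size;   /* bytes per block, a multiple of the page size */
    uint32_t tp_block_nr;     /* number of blocks */
    uint32_t tp_frame_size;   /* bytes per frame */
    uint32_t tp_frame_nr;     /* total frames, must equal blocks * frames per block */
};

enum ring_err {
    RING_OK = 0,
    RING_BAD_BLOCK_SIZE = -1, RING_BLOCK_UNALIGNED = -2, RING_FRAME_UNALIGNED = -3,
    RING_FRAME_TOO_SMALL = -4, RING_FRAME_TOO_BIG = -5, RING_FRAME_NR_MISMATCH = -6,
    RING_TOO_LARGE = -7
};

/* Weak form: hdrlen + reserve is added in 32 bits. Unsigned wrap is
 * defined C, but a reserve near UINT32_MAX makes the sum tiny, and a
 * frame too small to hold its own header passes the check. */
int frame_fits_naive(uint32_t frame_size, uint32_t hdrlen, uint32_t reserve)
{
    return frame_size >= hdrlen + reserve;
}

/* Hardened form: widen before adding, so the comparison sees the real sum. */
int frame_fits_safe(uint32_t frame_size, uint32_t hdrlen, uint32_t reserve)
{
    return (uint64_t)frame_size >= (uint64_t)hdrlen + reserve;
}

/* hdrlen: per-frame header the kernel writes for the selected TPACKET
 * version; reserve: headroom requested with PACKET_RESERVE. On success
 * stores the frames per block and returns RING_OK. */
int ring_validate(const struct ring_req *r, uint32_t hdrlen, uint32_t reserve,
                  uint32_t *frames_per_block)
{
    if (r->tp_block_size == 0 || r->tp_block_size > INT32_MAX)
        return RING_BAD_BLOCK_SIZE;
    if (r->tp_block_size % PAGE_SZ)
        return RING_BLOCK_UNALIGNED;
    if (r->tp_frame_size == 0 || (r->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
        return RING_FRAME_UNALIGNED;
    if (!frame_fits_safe(r->tp_frame_size, hdrlen, reserve))
        return RING_FRAME_TOO_SMALL;

    uint32_t fpb = r->tp_block_size / r->tp_frame_size;
    if (fpb == 0)
        return RING_FRAME_TOO_BIG;
    /* both products in 64 bits: a huge tp_block_nr cannot wrap them */
    if ((uint64_t)fpb * r->tp_block_nr != r->tp_frame_nr)
        return RING_FRAME_NR_MISMATCH;
    if ((uint64_t)r->tp_block_size * r->tp_block_nr > UINT32_MAX)
        return RING_TOO_LARGE;           /* assumed cap on total ring bytes */

    *frames_per_block = fpb;
    return RING_OK;
}

/* Convenience wrapper: returns frames per block (> 0) or a negative ring_err. */
int ring_check(uint32_t block_size, uint32_t block_nr, uint32_t frame_size,
               uint32_t frame_nr, uint32_t hdrlen, uint32_t reserve)
{
    struct ring_req r = { block_size, block_nr, frame_size, frame_nr };
    uint32_t fpb = 0;
    int rc = ring_validate(&r, hdrlen, reserve, &fpb);
    return rc == RING_OK ? (int)fpb : rc;
}

int main(void)
{
    /* constructed requests: hdrlen 32 stands in for a TPACKET header size */
    printf("sane ring:        %d\n", ring_check(4096, 2, 2048, 4, 32, 0));
    printf("frame_nr wrong:   %d\n", ring_check(4096, 2, 2048, 5, 32, 0));
    printf("huge reserve:     %d\n", ring_check(4096, 2, 2048, 4, 32, 0xFFFFFFF0u));
    printf("naive 32-bit fit: %d\n", frame_fits_naive(32, 32, 0xFFFFFFF0u));
    printf("safe 64-bit fit:  %d\n", frame_fits_safe(32, 32, 0xFFFFFFF0u));
    return 0;
}
```

With reserve 0xFFFFFFF0 and a 32-byte header the 32-bit sum wraps to 32, so `frame_fits_naive` accepts a 32-byte frame that cannot hold header plus headroom; the widened check rejects it.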


* CVE-2017-7472: Denial-of-service when setting default request-key keyring.

A logic error when a user sets the default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.


* CVE-2017-7616: Information leak when setting memory policy.

A missing check when setting the memory policy through the set_mempolicy()
syscall could lead to a stack data leak. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* Multiple denial-of-services when opening malicious USB devices.

Missing checks in the startup callbacks of multiple USB device drivers
could lead to a NULL pointer dereference when a malicious USB device is
plugged in. An attacker with physical access to the machine could cause a
denial-of-service.


* CVE-2016-10200: Denial-of-service when creating L2TP sockets from concurrent threads.

A missing check when creating an L2TP socket could lead to a use-after-free
if a concurrent thread modifies the socket's flags while it is being
created. An attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when IP encapsulation for L2TP is used.

A bug in the SIOCINQ ioctl handler results in a kernel crash when plain
IP encapsulation for L2TP frames is used. A userspace process capable of
creating L2TP tunnels can exploit this to cause a denial-of-service.


* Denial-of-service due to TCP write queue overflow.

Setting a large default write queue for TCP packets can cause an
overflow in the kernel, leading to stalling of TCP connections followed
by a reset after timeout.


* Privilege escalation in SCTP getsockopt().

Incorrect integer operation when getting SCTP_EVENTS socket option leads
to undefined behavior. An attacker can use this to execute arbitrary code
in kernel mode.


* Data race in virtio network device drivers.

Unprotected reads from shared data structures in the macvtap and tun
device drivers allow a data race, potentially leading to kernel memory
corruption and denial-of-service.


* Denial of service in IO Warrior USB endpoint processing.

The IO Warrior USB device driver does not correctly handle malicious USB
devices with missing endpoints which can trigger a NULL pointer
dereference and kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
