[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (3.2.93-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Sep 26 00:42:35 PDT 2017


Synopsis: 3.2.93-1 can now be patched using Ksplice
CVEs: CVE-2017-1000111 CVE-2017-1000251 CVE-2017-1000365 CVE-2017-1000380 CVE-2017-100363 CVE-2017-10661 CVE-2017-10911 CVE-2017-11176 CVE-2017-11600 CVE-2017-12134 CVE-2017-12153 CVE-2017-12154 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-6951 CVE-2017-7482 CVE-2017-7542 CVE-2017-7889

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.93-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
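As an added example that is not part of the Ksplice announcement, the POSIX shell helper below reads the autoinstall setting from an uptrack.conf-style file and reports whether the manual upgrade command above still needs to be run. The two sample files are constructed here, and their layout (a `key = value` line with `#` comments) is an assumption, not a statement about the real file format.

```shell
#!/bin/sh
# Added example: decide whether a manual `uptrack-upgrade -y` is needed,
# based on the "autoinstall = yes" setting the announcement refers to.
# The config files below are constructed samples; the key/value layout
# is an assumption.
WORK="${TMPDIR:-/tmp}/uptrack-example.$$"
mkdir -p "$WORK"

cat > "$WORK/auto.conf" <<'EOF'
# constructed sample: automatic installs enabled
autoinstall = yes
EOF

cat > "$WORK/manual.conf" <<'EOF'
# constructed sample: key present but disabled
autoinstall = no
EOF

# Print "yes" when the last uncommented autoinstall line says yes
# (case-insensitive, whitespace-tolerant); "no" otherwise or if the
# file is missing or unreadable.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$value" in
        [Yy][Ee][Ss]) echo yes ;;
        *)            echo no ;;
    esac
}

# Print the action an operator should take for the given config file.
next_action() {
    if [ "$(autoinstall_enabled "$1")" = yes ]; then
        echo "auto: Ksplice Uptrack will install the updates on its own"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

next_action "$WORK/auto.conf"
next_action "$WORK/manual.conf"
```

Point the functions at /etc/uptrack/uptrack.conf on a real system; the `tail -n 1` keeps the last occurrence of the key so a later override wins, which is the usual semantics for ini-style files.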


DESCRIPTION

* CVE-2017-6951: Denial-of-service from userspace via dead security keys.

Dead security keys were improperly assigned a type with name "dead",
which allowed them to be accessed by users with the
key_get_type_from_user() syscall, causing a kernel panic and
denial-of-service.


* CVE-2017-7482: Memory corruption when decoding Kerberos 5 ticket.

A boundary condition error when decoding Kerberos 5 tickets using the
RXRPC keys leads to a local buffer overflow. This could lead to memory
corruption and possible privilege escalation.


* CVE-2017-7542: Buffer overflow when parsing IPv6 fragments header.

An incorrect data type when parsing the IPv6 fragments header could lead
to a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-7889: Permissions bypass via /dev/mem file.

The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to
kernel memory locations via an application that opens the /dev/mem file.


* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.


* CVE-2017-10911: Information leak in Xen block-device backend driver.

A data structure allocated on stack in Xen block-device backend driver
may leak sensitive data through padding fields. A malicious unprivileged
guest may be able to obtain sensitive information from the host or other
guests.


* CVE-2017-11176: Use-after-free in message queue notify syscall.

A race condition when closing a message queue file descriptor could
cause the memory for the associated socket to be freed twice, corrupting
memory or causing a denial-of-service.


* CVE-2017-11600: Out-of-bound access in network Transformation user configuration interface.

A missing check on user-controlled input in network Transformation user
configuration interface could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.

Incorrect merging of block IO vectors could result in corruption of data
accesses to/from a block device.  A malicious guest could use this flaw
to crash the host, or potentially, gain privileges in the host.


* CVE-2017-12153: NULL pointer dereference in the Wireless configuration layer.

A failure to verify netlink attributes existence before processing them
could lead to a NULL pointer dereference.  A local user with CAP_NET_ADMIN
could use this flaw to cause a denial-of-service.


* CVE-2017-12154: Permission bypass when nested guest accesses CR8.

Incorrectly configuring the Virtual Machine Control Structures (VMCS) from
the host L0 hypervisor could allow nested L2 guests unrestricted read/write
access to the Task Priority Register (TPR or CR8).  Nested guests could use
this flaw to block interrupts that L0 or L1 are waiting for, potentially
leading to a denial-of-service.


* Improve fix for Permission bypass when checking credentials for fs accesses.

An incorrect backport of the fix can result in a kernel error when
attempting to access another process's pagemap in /proc.


* CVE-2017-14140: ASLR bypass due to insufficient permissions checks in move_pages.

A failure to correctly check permissions when using the move_pages
system call can allow an attacker to map out the address space of a
process which shares the same uid. A local user could use this flaw to
facilitate a further attack.


* CVE-2017-14156: Information leak in the ATI Rage 128 video drivers when copying clock information.

A missing struct initialization when copying clock information could lead
to uninitialized memory being leaked to userspace.  This could help an
attacker bypass protections like ASLR or infer memory layouts that would
otherwise be hidden.


* CVE-2017-14340: Denial-of-service when flushing data on XFS without a realtime device.

Lack of input validation before trying to flush data to a real-time device
on XFS where the device might not be present leads to a NULL pointer
dereference.  A local, unprivileged user can use this flaw to cause a
denial-of-service.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds to be read from a netlink socket in
the SCSI could lead to a NULL pointer dereference.  A local user could use
this flaw to cause a denial-of-service.


* CVE-2017-100363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow.  A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.


* CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.

Incorrectly parsing a Bluetooth L2CAP configuration buffer could allow
it to overwrite data on the stack, potentially allowing a remote
attacker to execute arbitrary code in the kernel.


* CVE-2017-1000365: Privilege escalation when performing exec.

A logic error allows an unprivileged local user to bypass argument and
environmental string size limits when performing an exec syscall. A
local user could use this flaw to bypass guard pages between the stack
and another mapping, leading to potential privilege escalation.


* CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

A missing data initialization and a race condition when reading timer
information of ALSA devices from user space could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.


* Denial of service in Digi Edgeport TI interrupt processing.

A logic error when handling interrupts from Digi Edgeport USB devices can allow
a malicious device to trigger a NULL pointer dereference and kernel panic.


* Information leak in safe-serial USB driver.

The safe-serial USB driver does not correctly validate USB frames which can
allow short USB frames to leak the contents of kernel memory to userspace.


* Denial-of-service when flashing firmware of dvb usb devices.

Wrong usage of an on-stack buffer for DMA transfers could lead to memory
corruption. A local attacker could use this flaw to cause a
denial-of-service.


* Memory corruption in futex requeuing.

A logic error when requeuing a PI futex can trigger a use-after-free condition
and kernel memory corruption when changing the owner of the futex.


* Denial-of-service when using ALSA set_client_pool ioctl.

A flag handling error in set_client_pool ioctl path could lead to a
deadlock. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in AF_UNIX sockets garbage collector.

A logic error in implementation of garbage collector of UNIX sockets
could lead to a kernel BUG(). A local attacker could use this flaw to
cause a denial-of-service.


* Use-after-free in ALSA sequencer buffer resizing.

A race condition when resizing a FIFO in the ALSA sequencer
implementation can lead to a use-after-free. A local attacker with
access to an ALSA sequencer device could use this flaw to crash the
kernel.


* Malicious code injection in VMware virtual GPU fence object.

Fence objects in the VMware virtual GPU system were not properly
type-checked from userspace, potentially allowing a user to inject
malicious code.


* Information leak in VMware virtual GPU capability sysctl.

A missing size check in the VMware virtual GPU vmw_get_cap_3d_ioctl()
call could potentially expose kernel memory to userspace.


* Information leak via SCSI driver capability check.

Incorrectly parsing the length of a SCSI capability buffer returned from
an older device could read off the end of the buffer, potentially
leaking kernel information.


* Denial-of-service due to race condition in ptrace state.

A race condition in the ptrace signal handling can cause memory
corruption in the kernel, causing a kernel panic and denial-of-service.


* Memory corruption when reading Plan9 directories.

A logic error when the Plan9 filesystems reads a directory from a remote server
can trigger memory corruption and a kernel panic.


* Auto-suspending disconnected USB devices causes denial-of-service.

In rare cases, the generic USB driver can attempt to auto-suspend a USB
device not actually connected to the system. This causes a NULL pointer
dereference and denial-of-service.


* Race condition in USB device initialization causes denial-of-service.

Two USB devices calling init_usb_class simultaneously can race and
corrupt kernel memory, potentially causing a crash and
denial-of-service.


* Information leak in multiple debug prints of USB core driver.

Multiple debug prints in USB core driver when transferring USB packets
could leak memory addresses from the running kernel. A local attacker
could use this flaw to get information about running kernel and
facilitate an attack.


* Denial-of-service when mapping end of physical address space.

A missing check when mapping the end of the physical address space, where
the mapping wraps around the end, could lead to a kernel BUG. An attacker
could use this flaw to cause a denial-of-service.


* Information leak when accessing X86 Timer from guest.

A logic error when accessing the Programmable Interval Timer (PIT) from a
guest could leak information about the host's kernel. A local attacker
could use this flaw to leak information about the host's kernel and
facilitate an attack.


* Denial-of-service when using videobuf2 core framework.

A check error when using videobuf2 core framework could lead to an out
of bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when adding a key using the key control subsystem.

A missing check on user input when using add_key syscall of keyctl could
lead to a NULL pointer dereference if the key type is asymmetric,
cifs.idmap, cifs.spnego, or pkcs7_test.  A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when using XFRM to transform network packets.

Multiple errors in XFRM framework could lead to multiple NULL pointer
dereferences or out-of-bound accesses. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when rescheduling timer.

A logic error when rescheduling a process in response to signal with
SI_TIMER signal code leads to kernel memory corruption and eventual
kernel crash. A local user can exploit this vulnerability to cause
denial-of-service.


* Denial-of-service when routing autofs ioctl control command.

A logic error in handling ioctl control command failure leads to a NULL
pointer dereference. An attacker can exploit this to cause
denial-of-service.


* NULL pointer dereference when probing an IO Warrior USB device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing an Intel Wireless WiMAX USB device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a Siemens USB mouse with fingerprint support.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a USS-720 parallel port USB adapter.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a Wireless USB device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a Host Wire Adapter Wireless USB adapter.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing an Intel Wireless Link 1480 USB device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a USB SD Host Controller device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a USB Joystick I-Force.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a C-Media CM109 phone through USB.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a Yealink phone through USB.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a Hanwang Art Master III tablet through USB.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* NULL pointer dereference when probing a KB Gear JamStudio tablet through USB.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.


* Information leak when reading sensors from ASUS motherboards.

A missing error check when reading sensors exposed through the ACPI
Hardware monitoring interface could lead to uninitialized memory being
leaked to userspace.  This could help an attacker bypass protections like
ASLR or infer memory layouts that would otherwise be hidden.


* Information leak when reading virtio ballooning statistics.

Some virtio ballooning statistics were being copied to userspace when the
CONFIG_VM_EVENT_COUNTERS was not enabled, disclosing uninitialized on-stack
memory.  This could help an attacker bypass protections like ASLR or infer
memory layouts that would otherwise be hidden.


* Use-after-free in the Toshiba TC35815 Ethernet driver when releasing queues.

A logic error when releasing transfer queues in the Toshiba TC35815
Ethernet driver leads to a use-after-free.  A local user with the ability
to force the queues to be released could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when probing a Wireless ZyDAS ZD1201 USB device.

A missing check that an endpoint exists before communicating through it
could lead to a NULL pointer dereference.  This flaw can be leveraged with
a malicious USB device to cause a denial-of-service.
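The long run of "missing check that an endpoint exists" items above all share one root cause: a USB driver's probe routine indexed the interface's endpoint array without first checking how many endpoints the device actually advertises in bNumEndpoints, so a device presenting an interface with none drove the driver through a NULL pointer. The added example below is not kernel code and not from the announcement; it models the interface and endpoint descriptors with minimal constructed structs (field names borrowed from the kernel's usb_host_interface and usb_endpoint_descriptor) and shows the defensive check a probe routine should make before using any endpoint, alongside a bounded lookup of the first interrupt-IN endpoint. The helper names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not kernel code): constructed stand-ins for the kernel's
 * endpoint and interface descriptors, keeping only the fields used here. */
#define USB_ENDPOINT_DIR_MASK      0x80  /* bit set: IN endpoint */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     0x02
#define USB_ENDPOINT_XFER_INT      0x03

struct endpoint_desc {
    unsigned char bEndpointAddress;
    unsigned char bmAttributes;
};

struct host_interface {
    unsigned char bNumEndpoints;          /* how many entries `endpoint` really has */
    const struct endpoint_desc *endpoint; /* NULL when the device advertises none */
};

/* The hardened check: a probe routine must confirm the interface carries
 * at least `needed` endpoints before reading endpoint[0], endpoint[1], ...
 * Returns 0 on success or a negative errno, mirroring kernel convention. */
int probe_check_endpoints(const struct host_interface *alt, unsigned needed)
{
    if (alt == NULL)
        return -EINVAL;
    if (alt->bNumEndpoints < needed)
        return -ENODEV;   /* what the fixed drivers return for a malformed device */
    if (alt->endpoint == NULL)
        return -EINVAL;
    return 0;
}

/* Bounded lookup of the first interrupt-IN endpoint. Returns its
 * bEndpointAddress, or -ENODEV / -ENXIO when the interface has no
 * endpoints at all / none of the required kind. */
int find_int_in_endpoint(const struct host_interface *alt)
{
    int rc = probe_check_endpoints(alt, 1);
    if (rc)
        return rc;
    for (unsigned i = 0; i < alt->bNumEndpoints; i++) {
        const struct endpoint_desc *ep = &alt->endpoint[i];
        int is_in  = (ep->bEndpointAddress & USB_ENDPOINT_DIR_MASK) != 0;
        int is_int = (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
        if (is_in && is_int)
            return ep->bEndpointAddress;
    }
    return -ENXIO;
}

/* Constructed descriptors: a well-formed interface, one with only a bulk
 * endpoint, and one that advertises no endpoints (the malformed case). */
static const struct endpoint_desc good_eps[] = { { 0x81, USB_ENDPOINT_XFER_INT } };
static const struct endpoint_desc bulk_eps[] = { { 0x02, USB_ENDPOINT_XFER_BULK } };
const struct host_interface good_iface  = { 1, good_eps };
const struct host_interface bulk_iface  = { 1, bulk_eps };
const struct host_interface empty_iface = { 0, NULL };

int main(void)
{
    printf("good:  %d\n", find_int_in_endpoint(&good_iface));   /* 129 (0x81) */
    printf("bulk:  %d\n", find_int_in_endpoint(&bulk_iface));   /* -ENXIO */
    printf("empty: %d\n", find_int_in_endpoint(&empty_iface));  /* -ENODEV */
    return 0;
}
```

The unchecked version of this logic is simply `alt->endpoint[0]` with no comparison against bNumEndpoints; a device that enumerates an interface with zero endpoints makes that read go through a NULL array pointer, which is the kernel panic each of the items above describes. Refusing the probe with -ENODEV is the mitigation: the device is left unbound, and the host keeps running.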


* Multiple use-after-free in the Conexant cx231xx USB video capture device.

Incorrect error handling when probing or initializing a Conexant cx231xx
USB video capture device could lead to various use-after-free or memory
leaks.  A local user could use these flaws to cause a denial-of-service.


* Out of bounds memory write in the Nebula Electronics uDigiTV USB receiver.

Lack of bounds checking before copying into a kernel buffer could lead to
memory corruptions.  A local attacker could use this flaw to cause a
denial-of-service or potentially escalate privileges.


* Bypass in memory protections when using passthrough WRITE SAME ATA commands.

A missing check to verify the origin of WRITE SAME ATA commands in the ATA
layer could allow a local user to bypass memory protections and potentially
write to otherwise read-only files.  This could be used to elevate
privileges.


* Out of bounds read when converting DOS to Unix times in the CIFS filesystem.

A logic error when converting DOS to Unix times and dates in the CIFS
filesystem could lead to an out of bounds read and potentially disclose
kernel memory.  An attacker could use this flaw to cause a
denial-of-service or potentially facilitate an attack.


* Data corruption on ext4 filesystem when writing through mmap.

A time-of-check-time-of-use race condition in the ext4 filesystem when
submitting pages to be written to persistent storage could cause data
corruptions on concurrent mmap writes.


* Memory corruption in the ASIX AX88796 ethernet driver on failure to register.

An IRQ was being released without having been requested on failure to
initialize an ASIX AX88796 ethernet driver.  A local user with the ability
to bring up associated network devices could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when decoding an integer in the Ceph library.

Failure to properly return an error code when failing to decode an integer
in the Ceph library could lead callers to dereference a NULL pointer.  An
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference on failure to add partitions from a block device.

Failure to properly return an error code when failing to add partitions
from a block device could lead callers to dereference a NULL pointer.  An
attacker could use this flaw to cause a denial-of-service.


* Information leak when passing a segment descriptor to the emulator on Intel KVM.

A failure to zero a segment descriptor to signify it is not present when
passing it to the emulator could leak uninitialized data or cause a guest
crash in the Intel KVM layer.


* Deadlock when handling eXtensible Host Controller Interface interrupts.

Incorrect use of non-interrupt safe locking in the interrupt handler of the
eXtensible Host Controller Interface (xHCI) USB Host driver could lead to a
deadlock.


* Out-of-bounds memory write when compiling an IPSec policy.

Incorrect bounds checking when checking the size of a security context
before compiling an IPSec policy could lead to an out-of-bounds memory
write.  A local user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.

A missing locking when setting options on AF_PACKET socket could lead to
an out-of-bounds access. A local attacker with CAP_NET_RAW capability,
or on a system with unprivileged namespace enabled, could use this flaw
to cause a denial-of-service or execute arbitrary code.


* CVE-2017-14106: Divide-by-zero on TCP disconnect.

A missing initialization of the TCP Maximum Segment Size (MSS) to the
minimum authorized MSS value could lead to a division by zero on TCP
disconnect.  A local user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
