[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (DSA 3434-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 30 23:45:29 PDT 2016


Synopsis: DSA 3434-1 can now be patched using Ksplice
CVEs: CVE-2015-7515 CVE-2016-1237 CVE-2016-1583 CVE-2016-2117 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2187 CVE-2016-3070 CVE-2016-3134 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3156 CVE-2016-3157 CVE-2016-3672 CVE-2016-3951 CVE-2016-3955 CVE-2016-3961 CVE-2016-4470 CVE-2016-4482 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565 CVE-2016-4569 CVE-2016-4578 CVE-2016-4580 CVE-2016-4581 CVE-2016-4913 CVE-2016-4997 CVE-2016-4998 CVE-2016-5243 CVE-2016-5244

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, DSA 3434-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.

On x86-64 Xen PV guests, I/O port access permissions were not enforced
correctly, so user-mode processes that should not be able to access I/O
ports could be granted that access.  This could result in in-guest
privilege escalation, a guest crash (denial-of-service), or in-guest
information leaks.


* SMAP bypass in 32bit compatibility syscall handler.

The 32-bit compatibility syscall entry path did not clear the EFLAGS.AC
(alignment check) flag on entry to kernel mode.  With SMAP enabled, a set
AC flag permits supervisor-mode access to user pages, so kernel code could
read or write user-mode data that SMAP was meant to block.


* CVE-2016-3955: Privilege escalation in USB over IP (usbip) driver.

Missing validation of the length field of a received USB/IP packet could
result in an out-of-bounds write, allowing a malicious USB/IP peer to crash
the system or potentially escalate privileges.


* CVE-2016-3134: Memory corruption when parsing netfilter source chains.

When walking the rule chains of a ruleset supplied from userspace, the
netfilter xtables code did not validate the target and next-entry offsets
of each entry, so a crafted ruleset could make the kernel read and write
outside the entry.  A local user able to load netfilter rules (for example
an unprivileged user inside a container) could use this flaw to corrupt
kernel memory.


* CVE-2016-3156: Denial-of-service when removing a network interface.

Removal of a network interface with a large number of IPv4 addresses may
leave the kernel busy for a long time, with all network operations blocked.
A local, privileged user in a container could use this flaw to block
network access and cause a denial-of-service.


* CVE-2016-2117: Information leak in Atheros ATL2 transmission.

The Atheros ATL2 driver advertised scatter/gather support that the hardware
does not implement.  When asked to transmit a fragmented packet, the driver
sent data beyond the intended buffer, leaking the contents of kernel memory
into packets on the wire, where anyone able to capture the interface's
traffic could read it.


* CVE-2016-4913: Information leak in ISO9660 filename parsing.

Incorrect handling of NUL termination in Rock Ridge NM (alternate name)
entries could result in reading excessive data from a kernel buffer into
user-space.  A local user with permission to mount a maliciously crafted
filesystem could use this flaw to leak the contents of sensitive memory.


* CVE-2016-4581: Denial-of-service in slave mount propagation.

Incorrect handling of mount propagation could result in a NULL pointer
dereference.  A local, unprivileged user could use this flaw to crash
the system.


* CVE-2016-4482: Information leak in USB devfs ioctl.

The USB devfs driver can leak uninitialized padding bytes of an on-stack
structure to userspace when performing a USBDEVFS_CONNECTINFO ioctl.


* CVE-2016-4578, CVE-2016-4569: Information leak in sound timers.

Missing initialization of stack data structures could result in leaking
the contents of kernel stack memory to user-space.  A local user with
access to the sound device could use this flaw to infer the layout of
kernel memory.


* CVE-2016-5243: Information leak in the Transparent Inter Process Communication protocol.

When dumping a link name, the Transparent Inter Process Communication
protocol (TIPC) used strcpy(), which writes the name and its terminator
but nothing past them, so the remainder of the fixed-size name field, up to
58 bytes, was returned to userspace uninitialized.  A local attacker could
use this flaw to gain information about the running kernel and facilitate
an attack.


* CVE-2016-5244: Information leak in the RDS network protocol.

A field of an on-stack structure was never initialized in the RDS network
protocol's information dump, so one byte of kernel stack was leaked to
userspace.  A local attacker could use this flaw to gain information about
the running kernel and facilitate an attack.


* CVE-2015-7515: Denial-of-service in the aiptek USB driver.

A flaw in the aiptek USB tablet driver could lead to an out-of-bounds
memory access when the interface has no endpoints.  An attacker with
physical access could use a specially crafted USB device to cause a
denial-of-service.


* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.

A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.

A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.


* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.

A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-2187: Denial of service in GTCO CallComp/InterWrite USB descriptor parsing.

A logic error in the GTCO CallComp/InterWrite USB driver can allow a
malformed USB descriptor with zero endpoints to trigger a NULL pointer
dereference and kernel panic.


* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.

A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.

A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.


* CVE-2016-3138: Denial of service in CDC ACM USB descriptor parsing.

A logic error in the CDC ACM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.


* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.

A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.
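
The USB descriptor items above (CVE-2015-7515 and CVE-2016-2184 through
CVE-2016-3140) share one shape: the driver's probe() reached for
endpoint[0] of an interface whose descriptor advertised no endpoints, and
the fix is a check on the endpoint count before the dereference.  The
following is an added example, not Ksplice or kernel code: a user-space
walker over constructed configuration-descriptor bytes (an interface
descriptor followed by endpoint descriptors), with the unchecked probe
beside the checked one.  The struct names, the 0xEE stale-memory marker
and the descriptor blobs are this example's own.

```c
/* Added example, not Ksplice or kernel code: walk a USB configuration
 * descriptor the way a driver's probe() sees it, and show the missing
 * check behind the zero-endpoint crashes. Descriptor bytes are constructed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_INTERFACE      0x04
#define USB_DT_ENDPOINT       0x05
#define USB_ENDPOINT_DIR_IN   0x80
#define USB_ENDPOINT_XFER_INT 0x03
#define MAX_EP 4

struct endpoint_desc {
    uint8_t address;     /* bEndpointAddress, bit 7 set = IN */
    uint8_t attributes;  /* bmAttributes, low two bits = transfer type */
};

struct iface {
    uint8_t claimed_endpoints;  /* bNumEndpoints as the device advertises it */
    uint8_t num_endpoints;      /* endpoint descriptors actually present */
    struct endpoint_desc ep[MAX_EP];
};

/* Parse the first interface descriptor and the endpoint descriptors after it.
 * Returns 0, or -EINVAL for a malformed chain. ep[] slots for endpoints that
 * are absent are left untouched, standing in for a driver reaching for
 * endpoint[0] when the USB core never allocated one. */
int parse_interface(const uint8_t *buf, size_t len, struct iface *out)
{
    size_t off = 0;
    int have_iface = 0;

    out->num_endpoints = 0;
    while (off + 2 <= len) {
        uint8_t blen = buf[off], type = buf[off + 1];
        if (blen < 2 || off + blen > len)
            return -EINVAL;               /* bogus bLength or truncated blob */
        if (type == USB_DT_INTERFACE && blen >= 9) {
            if (have_iface)
                break;                    /* next interface: stop here */
            out->claimed_endpoints = buf[off + 4];
            have_iface = 1;
        } else if (type == USB_DT_ENDPOINT && blen >= 7 && have_iface) {
            if (out->num_endpoints == MAX_EP)
                return -EINVAL;
            struct endpoint_desc *e = &out->ep[out->num_endpoints++];
            e->address    = buf[off + 2];
            e->attributes = buf[off + 3];
        }
        off += blen;
    }
    return have_iface ? 0 : -EINVAL;
}

/* Pre-fix shape: takes endpoint[0] on trust. With no endpoints it returns
 * whatever that memory holds; in the kernel it was a NULL dereference. */
int probe_unchecked(const struct iface *itf)
{
    return itf->ep[0].address;
}

/* Fixed shape: refuse an interface without the interrupt-IN endpoint the
 * driver needs. The USB core resets bNumEndpoints to the count it actually
 * parsed, so the parsed count is what to test, not the advertised value. */
int probe_checked(const struct iface *itf)
{
    const struct endpoint_desc *e = &itf->ep[0];

    if (itf->num_endpoints < 1)
        return -ENODEV;
    if (!(e->address & USB_ENDPOINT_DIR_IN) ||
        (e->attributes & 0x03) != USB_ENDPOINT_XFER_INT)
        return -ENODEV;
    return e->address;
}

/* Constructed descriptor blobs: bLength, bDescriptorType, then fields. */
static const uint8_t GOOD_DEV[] = {
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00,
    0x07, USB_DT_ENDPOINT,  0x81, 0x03, 0x08, 0x00, 0x0a,  /* EP1 IN, interrupt */
};
static const uint8_t NO_EP_DEV[] = {
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
};
static const uint8_t BULK_ONLY_DEV[] = {
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00,
    0x07, USB_DT_ENDPOINT,  0x02, 0x02, 0x40, 0x00, 0x00,  /* EP2 OUT, bulk */
};

/* Parse into an iface pre-filled with 0xEE (stale-memory stand-in) and run
 * the chosen probe. Returns the probe result, or the parse error. */
int run_probe(const uint8_t *blob, size_t len, int checked)
{
    struct iface itf;
    int rc;

    memset(&itf, 0xEE, sizeof itf);
    rc = parse_interface(blob, len, &itf);
    if (rc < 0)
        return rc;
    return checked ? probe_checked(&itf) : probe_unchecked(&itf);
}

int main(void)
{
    printf("good device:    checked=%#x unchecked=%#x\n",
           run_probe(GOOD_DEV, sizeof GOOD_DEV, 1), run_probe(GOOD_DEV, sizeof GOOD_DEV, 0));
    printf("zero endpoints: checked=%d unchecked=%#x (0xee is stale memory)\n",
           run_probe(NO_EP_DEV, sizeof NO_EP_DEV, 1), run_probe(NO_EP_DEV, sizeof NO_EP_DEV, 0));
    printf("bulk only:      checked=%d\n", run_probe(BULK_ONLY_DEV, sizeof BULK_ONLY_DEV, 1));
    return 0;
}
```

The unchecked probe happily returns 0xee for the zero-endpoint device,
which is the user-space stand-in for the kernel dereferencing an endpoint
array that was never allocated; the checked probe returns -ENODEV for both
the zero-endpoint and the bulk-only device, which is what the fixed drivers
do.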


* CVE-2016-4485: Information leak in LLC message processing.

The Logical Link Control (LLC) networking code does not fully initialize an
on-stack structure when answering ancillary data requests on an LLC socket,
which leaks the contents of kernel memory to userspace.  A local user could
use this flaw to infer the layout of kernel memory.


* CVE-2016-4486: Information leak in routing netlink interface.

The netlink interface for querying network routing information does not
fully initialize an on-stack structure before copying it to userspace,
which leaks the contents of kernel memory.  A local user could use this
flaw to infer the layout of kernel memory.


* CVE-2016-4580: Kernel stack information leak in X25 facility negotiation.

Missing initialization of a stack data structure could result in leaking
up to 8 bytes of kernel stack information to a local, unprivileged user.
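
The TIPC (CVE-2016-5243), RDS (CVE-2016-5244), sound timer, LLC, rtnetlink
and X.25 items above are all the same class of bug: an object on the kernel
stack is only partly written, then copied out whole with copy_to_user().
The following is an added example, not kernel or Ksplice code, that
reproduces the two root causes in user space, a bounded copy that stops at
the terminator and a struct with one field never assigned, each beside its
fixed form.  The object is pre-filled with 0xAA to stand in for stale stack
contents; the struct layouts, field names and the "broadcast-link" name are
chosen for the demo (the first struct loosely follows TIPC's link_info, with
two 32-bit fields and a 60-byte name).

```c
/* Added example, not kernel or Ksplice code: the "uninitialised kernel
 * memory reaches user space" pattern, reproduced in user space. Objects are
 * pre-filled with 0xAA for stale stack contents; whatever a fill routine
 * does not overwrite is what copy_to_user() would hand out. Layouts are
 * chosen for the demo, loosely following TIPC's link_info. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE    0xAA
#define NAME_LEN 60      /* a TIPC_MAX_LINK_NAME-sized field, for the demo */

struct link_info {       /* TIPC-style object: two ints plus a name */
    uint32_t dest;
    uint32_t up;
    char     str[NAME_LEN];
};

struct msg_info {        /* RDS-style object: one field gets forgotten */
    uint64_t seq;
    uint32_t len;
    uint8_t  flags;      /* followed by 3 bytes of compiler padding */
};

/* Count bytes that still carry the STALE marker, i.e. bytes that would leak. */
size_t stale_bytes(const void *obj, size_t len)
{
    const uint8_t *p = obj;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == STALE);
    return n;
}

/* Pre-fix shape (CVE-2016-5243): strcpy() writes the name and its NUL and
 * nothing past it, so the rest of str[] keeps whatever was on the stack. */
int fill_link_vulnerable(struct link_info *li, const char *name, uint32_t dest, uint32_t up)
{
    if (strlen(name) >= NAME_LEN)
        return -EINVAL;      /* keeps the demo itself memory-safe */
    li->dest = dest;
    li->up = up;
    strcpy(li->str, name);
    return 0;
}

/* Fixed shape: zero the whole object, then do a bounded copy (the kernel fix
 * used nla_strlcpy(); strscpy()/strlcpy() give the same guarantee). */
int fill_link_fixed(struct link_info *li, const char *name, uint32_t dest, uint32_t up)
{
    if (strlen(name) >= NAME_LEN)
        return -EINVAL;
    memset(li, 0, sizeof *li);
    li->dest = dest;
    li->up = up;
    strncpy(li->str, name, NAME_LEN - 1);   /* the memset guarantees the NUL */
    return 0;
}

/* Pre-fix shape (CVE-2016-5244): every field is assigned except one, and the
 * padding after it is never written by anyone. */
void fill_msg_vulnerable(struct msg_info *mi, uint64_t seq, uint32_t len)
{
    mi->seq = seq;
    mi->len = len;           /* flags left as found */
}

/* Fixed shape: memset() covers the forgotten field and the padding. Adding
 * only "mi->flags = 0" would close the reported byte but not the padding. */
void fill_msg_fixed(struct msg_info *mi, uint64_t seq, uint32_t len)
{
    memset(mi, 0, sizeof *mi);
    mi->seq = seq;
    mi->len = len;
}

/* Leaked byte count per variant; 0 means nothing stale reaches user space. */
size_t leak_link(int fixed, const char *name)
{
    struct link_info li;
    memset(&li, STALE, sizeof li);
    if ((fixed ? fill_link_fixed : fill_link_vulnerable)(&li, name, 1, 1) < 0)
        return (size_t)-1;
    return stale_bytes(&li, sizeof li);
}

size_t leak_msg(int fixed)
{
    struct msg_info mi;
    memset(&mi, STALE, sizeof mi);
    (fixed ? fill_msg_fixed : fill_msg_vulnerable)(&mi, 42, 100);
    return stale_bytes(&mi, sizeof mi);
}

int main(void)
{
    const char *name = "broadcast-link";   /* constructed link name */
    printf("link_info: vulnerable leaks %zu bytes, fixed leaks %zu\n",
           leak_link(0, name), leak_link(1, name));
    printf("msg_info:  vulnerable leaks %zu bytes, fixed leaks %zu\n",
           leak_msg(0), leak_msg(1));
    return 0;
}
```

With the 14-character constructed name the vulnerable TIPC-style fill
leaves 45 of the 60 name bytes untouched (60 minus the name and its NUL),
and the vulnerable RDS-style fill leaves the one-byte flags field plus its
three padding bytes.  The memset-first versions leak nothing, which is why
zeroing the whole object is preferred over assigning fields one by one.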


* CVE-2016-4565: Privilege escalation in InfiniBand write() interface.

The InfiniBand user-space interfaces (ucm, umad and uverbs) accept commands
through write(), which can also be driven via splice() from a kernel
buffer.  The drivers trusted the pointers carried in those commands, which
can allow local users to write into kernel memory and escalate privileges.


* CVE-2016-4997, CVE-2016-4998: Privilege escalation in the netfilter xtables code.

Incomplete input validation when processing netfilter xtables entries
supplied from userspace could lead to out-of-bounds memory reads and
writes.  An unprivileged user inside a container could use this flaw to
cause a denial-of-service or elevate privileges.
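
CVE-2016-3134 above and CVE-2016-4997/4998 both come down to the offsets
inside a userspace-supplied ruleset: each rule entry says where its target
starts and where the next entry begins, and a walker that trusts those two
numbers reads and writes outside the entry.  The following is an added
example, not kernel or Ksplice code: a cut-down model of the validation a
ruleset walker needs, run over constructed blobs that are well-formed,
have a target straddling into the next entry, claim an entry longer than
the ruleset, or carry a target whose size field lies.  The struct names
here (entry_hdr, target_hdr) stand in for ipt_entry and xt_entry_target
and are not the kernel's layouts.

```c
/* Added example, not kernel or Ksplice code: a cut-down model of the offset
 * validation behind CVE-2016-3134 and CVE-2016-4997/4998. A ruleset blob is
 * a chain of entries; each header says where its target starts
 * (target_offset) and where the next entry begins (next_offset). The structs
 * stand in for ipt_entry / xt_entry_target, not the kernel's layouts. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct entry_hdr {            /* leading part of an entry */
    uint16_t target_offset;   /* target start, relative to the entry */
    uint16_t next_offset;     /* entry size: header + matches + target */
};

struct target_hdr {           /* the target record */
    uint16_t size;            /* includes this header */
    char     name[6];
};

union blob { uint32_t align; uint8_t b[64]; };   /* 4-byte aligned buffer */

/* Validate one entry's offsets before anything dereferences through them:
 * the entry must lie inside the blob and the target inside the entry.
 * Returns 0 or -EINVAL. This is the kind of check the fixes added. */
int check_entry_offsets(const uint8_t *blob, size_t blob_len, size_t off)
{
    const struct entry_hdr *e;
    const struct target_hdr *t;

    if (off % 4 != 0 || off + sizeof *e > blob_len)
        return -EINVAL;              /* misaligned or header out of bounds */
    e = (const struct entry_hdr *)(blob + off);
    if (e->next_offset < sizeof *e + sizeof *t)
        return -EINVAL;              /* too small to hold a target at all */
    if (e->next_offset > blob_len - off)
        return -EINVAL;              /* entry runs past the blob */
    if (e->target_offset < sizeof *e ||
        (size_t)e->target_offset + sizeof *t > e->next_offset)
        return -EINVAL;              /* target header outside the entry */
    t = (const struct target_hdr *)(blob + off + e->target_offset);
    if (t->size < sizeof *t ||
        (size_t)e->target_offset + t->size > e->next_offset)
        return -EINVAL;              /* target body outside the entry */
    return 0;
}

/* Walk the chain. Returns the entry count, or -EINVAL at the first entry
 * whose offsets would take the walk out of bounds. */
int walk_entries(const uint8_t *blob, size_t blob_len)
{
    size_t off = 0;
    int count = 0;

    while (off < blob_len) {
        int rc = check_entry_offsets(blob, blob_len, off);
        if (rc < 0)
            return rc;
        off += ((const struct entry_hdr *)(blob + off))->next_offset;
        count++;
    }
    return count;
}

/* Builder for constructed blobs: writes a header at `off` and, if it fits
 * inside the entry, a target record. Returns the offset of the next entry. */
size_t put_entry(uint8_t *blob, size_t off, uint16_t target_offset,
                 uint16_t next_offset, uint16_t target_size)
{
    struct entry_hdr e = { target_offset, next_offset };
    struct target_hdr t = { target_size, "ACCPT" };

    memcpy(blob + off, &e, sizeof e);
    if ((size_t)target_offset + sizeof t <= next_offset)
        memcpy(blob + off + target_offset, &t, sizeof t);
    return off + next_offset;
}

int case_valid(void)               /* two well-formed entries */
{
    union blob u = {0};
    size_t end = put_entry(u.b, 0, 4, 12, 8);     /* no matches */
    end = put_entry(u.b, end, 12, 20, 8);          /* 8 bytes of matches */
    return walk_entries(u.b, end);                 /* 2 */
}

int case_target_straddles(void)    /* target header crosses into the next entry */
{
    union blob u = {0};
    return walk_entries(u.b, put_entry(u.b, 0, 8, 12, 8));   /* -EINVAL */
}

int case_next_past_blob(void)      /* next_offset points beyond the ruleset */
{
    union blob u = {0};
    put_entry(u.b, 0, 4, 12, 8);
    ((struct entry_hdr *)u.b)->next_offset = 200;
    return walk_entries(u.b, 12);                  /* -EINVAL */
}

int case_target_size_lies(void)    /* target header fits, claimed size does not */
{
    union blob u = {0};
    return walk_entries(u.b, put_entry(u.b, 0, 4, 12, 64));  /* -EINVAL */
}

int main(void)
{
    printf("valid=%d straddle=%d past_blob=%d size_lies=%d (EINVAL is %d)\n",
           case_valid(), case_target_straddles(), case_next_past_blob(),
           case_target_size_lies(), EINVAL);
    return 0;
}
```

The kernel's real version of this check is xt_check_entry_offsets() in
net/netfilter/x_tables.c; the point carried over here is that every offset
in a userspace-supplied ruleset is validated against both the entry and the
blob before anything dereferences through it, and that the target's own
size field is just another untrusted number.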


* CVE-2016-3672: ASLR bypass on 32-bit processes.

With the stack size limit (RLIMIT_STACK) set to unlimited, the kernel
selected the legacy mmap layout and, for 32-bit processes, placed the mmap
base at a fixed address, disabling ASLR for shared libraries and other
mappings in that process.  Because resource limits are inherited across
exec, a local user could run a setuid/setgid 32-bit program under that
limit and reduce the security of the application.
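
A practitioner's check for this condition, as an added example that is not
Ksplice or kernel code: raise RLIMIT_STACK to unlimited, spawn two fresh
processes that print their own /proc/self/maps, and compare where the
first shared library landed.  The same base twice means mmap randomisation
is off under that limit.  The parser is also exercised on a constructed
maps excerpt so it can be checked offline.  The `cat /proc/self/maps`
command and the sample maps lines are this example's own; since the flaw
only affected 32-bit processes, the command has to be a 32-bit binary for
the check to show anything on an unpatched kernel.

```c
/* Added example, not Ksplice or kernel code: a check for the CVE-2016-3672
 * condition. Raise RLIMIT_STACK to unlimited, spawn two fresh processes and
 * compare where their first shared library landed; the same base twice means
 * mmap randomisation is off under that limit. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Start address of the first mapping whose maps line contains `needle`,
 * or 0 if none. Lines longer than 511 bytes are truncated for matching. */
unsigned long long maps_base(const char *maps, const char *needle)
{
    char line[512];
    const char *p = maps;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (strstr(line, needle))
            return strtoull(line, NULL, 16);    /* "start-end perms ..." */
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Run `cmd`, which must print its own /proc/self/maps, and return where its
 * first ".so" mapping starts. The child inherits our resource limits. */
unsigned long long fresh_process_so_base(const char *cmd)
{
    static char buf[64 * 1024];
    size_t got = 0, n;
    FILE *f = popen(cmd, "r");

    if (!f)
        return 0;
    while (got < sizeof buf - 1 &&
           (n = fread(buf + got, 1, sizeof buf - 1 - got, f)) > 0)
        got += n;
    buf[got] = '\0';
    pclose(f);
    return maps_base(buf, ".so");
}

/* Constructed maps excerpt used to exercise the parser offline. */
static const char SAMPLE_MAPS[] =
    "555555554000-555555556000 r--p 00000000 08:01 1234  /usr/bin/cat\n"
    "7f3a1c000000-7f3a1c1c0000 r--p 00000000 08:01 5678  /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd2b4e0000-7ffd2b501000 rw-p 00000000 00:00 0     [stack]\n";

int main(void)
{
    /* The flaw only affected 32-bit processes: point this at a 32-bit binary
     * (an -m32 build of cat, or any -m32 program that dumps its own maps)
     * to see the fixed base on an unpatched kernel. */
    const char *cmd = "cat /proc/self/maps";
    struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
    unsigned long long a, b;

    printf("parser check: first .so in sample = %#llx\n", maps_base(SAMPLE_MAPS, ".so"));
    if (setrlimit(RLIMIT_STACK, &rl) != 0) {
        perror("setrlimit(RLIMIT_STACK, unlimited)");   /* hard limit lower */
        return 1;
    }
    a = fresh_process_so_base(cmd);
    b = fresh_process_so_base(cmd);
    printf("first .so base under unlimited stack: %#llx then %#llx -> %s\n",
           a, b, (a && a != b) ? "randomised" : "NOT randomised (or no .so found)");
    return 0;
}
```

The setrlimit() call fails when the hard limit is below unlimited, which is
exactly the mitigation an administrator can apply on an unpatched host:
cap the hard stack limit in /etc/security/limits.conf so unprivileged users
cannot select the legacy layout for setuid programs.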


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.


* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs incorrectly tried to use the mmap() file operation of a lower
filesystem that may not support it.  A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.


* CVE-2016-3070: Denial of service when migrating dirty pages.

A NULL pointer dereference could happen when migrating dirty pages from an
AIO ring buffer to another node.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* CVE-2016-4470: Denial-of-service in the keyring subsystem.

Failure to check that a key was properly added to a keyring before removing
it could lead to a kernel crash.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* CVE-2016-1237: Permission bypass in NFS filesystem when setting ACLs.

Missing permission checks when setting the ACLs on a file from an NFS mount
could allow unprivileged users to grant themselves access to a file they
would otherwise not be allowed to access.  This could potentially be used
to escalate privileges.


* CVE-2016-3951: Use-after-free in USB networking bind failure.

A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.