[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (DSA 3886-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 29 06:20:43 PDT 2017


Synopsis: DSA 3886-1 can now be patched using Ksplice
CVEs: CVE-2017-0605 CVE-2017-1000364 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895 CVE-2017-8064 CVE-2017-8924 CVE-2017-9074 CVE-2017-9075 CVE-2017-9242

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, DSA 3886-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-0605: Privilege escalation when using the kernel tracing subsystem.

Use of strcpy() in the kernel tracing subsystem when retrieving a traced
process's command line could lead to a stack overflow. A local attacker
could use this flaw to execute arbitrary code in the kernel and escalate
privileges.


* CVE-2017-7487: Use-after-free in IPX reference count handling.

A reference count leak in the IPX ioctl handler can result in a
reference count overflow leading to a use-after-free. A local attacker
could use this flaw to crash the kernel or escalate privileges.


* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient memory,
potentially causing memory corruption and a denial-of-service.


* CVE-2017-7895: Remote information leak in kernel NFS server.

Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.


* CVE-2017-8064: Kernel stack memory access via USB DVD device name.

An erroneous copy of a USB DVD device name to the stack could overflow,
potentially allowing an attacker to manipulate stack memory, causing a
denial-of-service or privilege escalation.


* CVE-2017-9075: Incorrectly copying list headers on socket clone causes denial-of-service.

When cloning sockets, several list headers are incorrectly copied to the
child sockets, which then leads to double-frees when both sockets are
closed, causing a kernel panic and denial-of-service.


* CVE-2017-8924: Information leak in Digi Edgeport TI callback completion.

An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* CVE-2017-9075: Denial of service when using SCTP protocol with IPv6.

A missing structure initialization could lead to a double free when
creating a new socket. A local unprivileged attacker could use this flaw
to cause a denial-of-service.


* CVE-2017-9242: Denial-of-service when using send syscall of IPv6 socket.

A missing check when sending messages over IPv6 sockets could lead to an
out-of-bounds access. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-1000364: Increase stack guard size to 1 MiB.

A vulnerability in how userspace programs are compiled can cause the
program's stack to grow into the program's heap and corrupt either of
them. Depending on which program is targeted, an attacker can gain
additional privileges.

This update provides a new sysctl variable which can be used to tune
the gap between a program's heap and stack. To change it, use e.g.:

    # set gap to 32 MiB
    echo 33554432 > /proc/sys/vm/heap_stack_gap

This update is a kernel mitigation for what is fundamentally a
userspace problem. As such, there is no guarantee that it will stop
every potential attack vector, but it will stop the ones that are
currently known and make it much more difficult to exploit in general.

Running processes where the stack and heap are already very close may
need to be restarted for the change to take effect. It is therefore
recommended that long-running processes and network daemons are
restarted after applying this update.
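As an added example (not part of the advisory or of Ksplice's own tooling), the following Python script reads the configured gap from the sysctl named above and walks /proc/<pid>/maps to list processes whose stack already sits closer than that gap to the mapping below it, i.e. the restart candidates the previous paragraph describes. It generalizes slightly from the heap/stack wording by measuring the distance to whichever mapping lies nearest below the stack, since that is the region the guard gap separates from the stack; the constructed SAMPLE_MAPS and the "(anonymous)" label are assumptions, not values from the page.

```python
import os
import re

DEFAULT_GAP = 1 << 20                       # 1 MiB, the size this update enforces
GAP_SYSCTL = "/proc/sys/vm/heap_stack_gap"  # sysctl path as given in the advisory
# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)(?:\s+\S+){4}\s*(.*)$")

def stack_gap_below(maps_text):
    """(bytes between the nearest lower mapping and [stack], that mapping's name),
    or None when [stack] or any mapping below it is absent (e.g. a bare thread)."""
    regions = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    stack = next((r for r in regions if r[2] == "[stack]"), None)
    below = [r for r in regions if stack and r[1] <= stack[0]]
    if not below:
        return None
    nearest = max(below, key=lambda r: r[1])   # highest end address under the stack
    return stack[0] - nearest[1], nearest[2] or "(anonymous)"

def configured_gap(path=GAP_SYSCTL):
    """Current gap in bytes; None when the sysctl is absent (kernel lacks this update)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def processes_below_gap(gap, proc="/proc"):
    """Yield (pid, distance, neighbour) for live processes whose stack is closer
    than `gap` bytes to the mapping below it: the restart candidates named above."""
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/maps") as f:
                result = stack_gap_below(f.read())
        except OSError:
            continue  # process exited, or maps unreadable without root
        if result is not None and result[0] < gap:
            yield int(entry), result[0], result[1]

# Constructed sample: [heap] ends 512 KiB below [stack]; [vsyscall] sits above the stack.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example
01000000-02000000 rw-p 00000000 00:00 0 [heap]
02080000-020a1000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""
```

Run as root so every process's maps is readable, e.g. `for pid, d, n in processes_below_gap(configured_gap() or DEFAULT_GAP): print(pid, d, n)`; SAMPLE_MAPS only exercises stack_gap_below offline.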

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
