[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (3.16.43-2)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon May 15 07:11:07 PDT 2017


Synopsis: 3.16.43-2 can now be patched using Ksplice
CVEs: CVE-2016-10044 CVE-2016-10200 CVE-2016-10208 CVE-2016-2188 CVE-2016-6213 CVE-2016-8632 CVE-2016-9604 CVE-2017-2647 CVE-2017-2671 CVE-2017-5967 CVE-2017-7184 CVE-2017-7261 CVE-2017-7273 CVE-2017-7294 CVE-2017-7308 CVE-2017-7472 CVE-2017-7616 CVE-2017-7618

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, 3.16.43-2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
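As an added example (not part of the original announcement), a small POSIX shell helper that reads the autoinstall setting from uptrack.conf and reports whether these updates will be applied automatically or uptrack-upgrade needs to be run by hand. It assumes the file uses simple `key = value` lines with `#` or `;` comments; the sample snippets it parses are constructed for the demonstration, and it only reports the action rather than running it.

```shell
# autoinstall_enabled FILE
# Returns 0 when FILE contains an active "autoinstall = yes" line (case-insensitive,
# any amount of whitespace around '='), 1 otherwise. Commented-out lines and an
# unreadable or missing file count as "not enabled", so the caller errs toward
# recommending a manual upgrade.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Strip comments first so "# autoinstall = yes" is not mistaken for a live setting,
    # then require an exact key/value match on what remains of the line.
    sed 's/[#;].*$//' "$conf" \
        | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# ksplice_action [FILE]
# Prints the action an administrator needs to take for this advisory,
# defaulting to the system config path named in the announcement.
ksplice_action() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if autoinstall_enabled "$conf"; then
        echo "autoinstall: updates will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demonstration on two constructed config snippets written to a temporary file
# (constructed input, not a real system's uptrack.conf).
demo() {
    tmp=$(mktemp)
    printf '# autoinstall = yes\nautoinstall = no\n' > "$tmp"
    ksplice_action "$tmp"
    printf '  AutoInstall   =  YES  \n' > "$tmp"
    ksplice_action "$tmp"
    rm -f "$tmp"
}

demo
```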


DESCRIPTION

* CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent threads.

A missing check when creating an L2TP socket could lead to a use-after-free
if a concurrent thread modifies the socket's flags during creation. An attacker
could use this flaw to cause a denial-of-service.


* CVE-2016-10208: Denial-of-service when mounting an ext4 image with a large metablock group.

A missing check when mounting an ext4 image with a high first metablock
group value could lead to a buffer overflow. A local attacker with mount
capability could use this flaw to cause a denial-of-service.


* CVE-2017-5967: Information leak when querying timer stats.

A missing check when reading the timer_stats proc entry from a PID namespace
could lead to a leakage of system PIDs outside of this namespace. A
local attacker could use this flaw to retrieve information about the running
system and facilitate an attack.


* Metadata corruption of uid/gid on ext4 file system.

A logic error when removing an inode from an ext4 filesystem could
lead to metadata corruption and early zeroing of the high 16 bits of the
uid/gid before the inode deletion had been committed to disk. An
attacker could potentially use this flaw to bypass permission checks
on an ext4 filesystem.


* Use-after-free in device mapper driver when removing dm devices.

A locking error when stopping a device mapper queue could lead to a
use-after-free of a work item. An attacker could use this flaw to cause a
denial-of-service.


* Infinite loop when activating path in device mapper.

An error in a condition check when activating a path in the device mapper
multipathing driver could lead to an infinite loop. An attacker with
permission to use the multipath_prepare ioctl could cause a
denial-of-service.


* Denial-of-service in reiserfs quota handling on mount.

Incorrect locking when initializing quotas for a reiserfs mount could
lead to a deadlock.  A local user with mount permission could use this
flaw to cause a denial-of-service.


* NULL pointer dereference when probing Lego Mindstorms infrared device.

A race condition when probing a Lego Mindstorms infrared device can trigger
a NULL pointer dereference and cause a local denial of service.


* Permission bypass in fuse filesystem when changing directory mode.

A flaw in the fuse filesystem could allow a local user to use
previously cached directory modes when they have been changed.
A local user could potentially use this flaw to escalate privileges
or access restricted information.


* Permission bypass in fuse filesystem when using write/truncate/chown.

A flaw in the fuse filesystem causes stale directory modes to be used
when checking permissions in the write, truncate and chown operations.
A local user could potentially use this flaw to escalate privileges or
access restricted information.


* Out-of-bounds memory access when setting key in crypto gcm.

An error in an array declaration while setting a gcm key could lead to an
out-of-bounds memory access. A local user with the ability to set a gcm key
could use this flaw to cause a denial-of-service.


* NULL pointer dereference in Intel XL710 ethernet driver.

A flaw in the pci error handling of the XL710 ethernet driver could lead to a
NULL pointer dereference. A local user with the capability to load a module and
to trigger pci errors could cause a denial of service.


* Denial of service when validating RAID6 syndromes.

A reference on a DMA buffer is never released when validating RAID6
syndromes, leading to a memory leak.  A local user with the ability to
cause a RAID6 sync could use this flaw to exhaust the memory on the
system and cause a denial-of-service.


* Overflow in Cifs credit handling.

A cifs client can get as much credit as requested from the server,
leading to an integer overflow of the credit counter. An attacker
could use this flaw to cause a denial-of-service.


* Multiple memory leaks in cifs ioctls.

A missing memory free in the copychunk_file and file_clone ioctls of cifs
leads to a memory leak. An attacker could use those ioctls to exhaust
the memory and cause a denial-of-service.


* Race condition in super block handling of filesystems.

Due to a race condition when locking and unlocking the file system, a
BUG_ON could be triggered. An attacker could use this race to cause a
denial-of-service.


* Use-after-free when probing some scsi devices.

An error in refcounting when probing a scsi device could lead to a
use-after-free. A user with the ability to probe scsi devices could
cause a denial-of-service.


* Infinite loop in getdents() syscall from UBI filesystem.

Incorrect error handling in the getdents() syscall path for the UBI
filesystem could lead to an infinite loop in libc. An attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service in DM_TABLE_LOAD ioctl of device mapper.

Incorrect error handling in the DM_TABLE_LOAD ioctl could lead to a
reference count leak. A local user with access to this ioctl could use
this flaw to cause a denial-of-service.


* Data loss when passing command to megaraid controller.

A bug in the way the SYNCHRONIZE_CACHE command was handled resulted in
cached data not being flushed to disk properly in JBOD mode. This
results in a data integrity failure.


* User controlled memory allocation when resizing a virtual terminal.

An error in argument sanitization during Virtual Terminal resizing leads to
a user-controlled memory allocation. A local user could use this flaw to
exhaust memory and cause a denial-of-service.


* Denial-of-service when resizing a virtual terminal.

A missing check during Virtual Terminal resizing could lead to an
invalid memory access. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service when syncing log of BTRFS filesystem.

A locking error when syncing the log of a BTRFS filesystem could lead to a
list corruption. An attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when removing a KVM Virtual Machine.

Incorrect logic while clearing Virtual CPU-related data could cause
a use-after-free. An attacker able to load and unload VMs could use
this flaw to cause a denial-of-service.


* Double-free in GenWQE PCIe Accelerator driver.

Incorrect error handling in the GENWQE_EXECUTE_DDCB ioctl() could
lead to a double-free. A local user with the ability to use this ioctl
could cause a denial-of-service.


* Use of uninitialized memory in Intel Management Engine Interface.

A logic error could lead to an uninitialized memory access while enabling
the Intel MEI phy. A user with the capability to bring up an interface using
this phy could cause a denial-of-service.


* Memory leak when using InfiniBand userspace driver.

A missing free of Queue Pairs during cleanup when userspace releases
the driver could lead to a memory leak. An attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in Infiniband MLX5 debug print.

A missing check during Infiniband MLX5 Queue Pair creation could lead
to a NULL pointer dereference if the logging level is set to debug. An
attacker could use this flaw to cause a denial-of-service.


* Information leak in mwifiex driver.

Incorrect logging of SSID strings in the mwifiex driver can leak kernel
stack information to userspace. A local attacker could use this flaw to
gain information about the running kernel.


* Denial-of-service when mounting a crafted EXT4 image as read-only.

A missing check when mounting a crafted EXT4 image as read-only could
lead to a kernel panic. An attacker with mount capabilities could use
this flaw to cause a denial-of-service.


* Invalid memory access when failing allocation in BATMAN driver.

Failing to check whether memory allocation succeeded in the BATMAN
network driver could cause already-allocated memory to be returned,
potentially exposing kernel memory.


* Three-way race condition in rtmutex causes lock corruption.

A race condition between three concurrent threads could cause corruption
of the associated rtmutex, causing the mutex to potentially be granted
to the wrong waiter. This would likely lead to a kernel panic and
denial-of-service.


* Use-after-free when disconnecting from a PEAK USB/CAN adapter.

A logic error when releasing the network device of a PEAK USB/CAN adapter
leads to a use-after-free.  A local user with the ability to disconnect the
adapter could use this flaw to cause a denial-of-service.


* Race condition when completing queued block device transaction causes corruption.

A missing lock in block device request completion could cause the
completion to race with another request being queued, causing corruption
of the queue and a possible denial-of-service.


* Memory corruption with ext4 block size greater than 64k.

Utilizing an ext4 filesystem with block size greater than 64k can cause
memory corruption, potentially causing a denial-of-service.


* Invalid memory access in btrfs multi-delete replay.

Incorrect logic when replaying a delete of directory entries could cause
an out-of-bounds access, potentially causing a denial-of-service or
exposing privileged memory.


* Double-closing block device while listing devices causes denial-of-service.

If a block device is closed while other block devices are being
enumerated with iterate_bdevs(), a NULL data member can be dereferenced,
causing a crash and denial-of-service.


* Memory corruption in SMB2 client when reacquiring lost locks.

When attempting to reacquire locks lost after a session break, an
incorrectly sized buffer could be used for the lock structure,
corrupting memory and potentially causing a denial-of-service.


* Denial-of-service in EXT4 filesystems with negative sized inodes.

A maliciously formed EXT4 filesystem could trigger an integer overflow
in the virtual filesystem layer, leading to a kernel crash.


* Denial-of-service when setting fan speed using G762 driver.

A logic error when setting the fan speed through sysfs attributes using the
G762 driver could lead to a division-by-zero error. A local attacker could set
a specific value for the fan speed to cause a denial-of-service.


* Ceph authorize reply not verified as authentic.

When establishing a Ceph connection, the authorizer reply is not
actually verified as authentic, potentially allowing an attacker to
spoof another connection.


* Kernel panic when destroying Mellanox 4 queue pairs.

A logic error when destroying Mellanox InfiniBand queue pairs can trigger
an out-of-bounds read and subsequent kernel panic.


* Race condition in generic block device code causes spurious BUG.

An incorrect condition when attempting to exclusively lock a block
device could cause error checking code to erroneously fire, causing a
BUG and denial-of-service.


* Denial-of-service when adding a new iSCSI target portal group fails.

A redundant kfree in the error path when adding a new portal group could
lead to a double-free. An attacker could use this flaw to cause a
denial-of-service.


* Infinite loop on failed read in AST GPU driver.

Failing to detect an error condition on an unsuccessful read in the AST
GPU driver can cause an infinite loop, causing performance degradation
and a potential denial-of-service.


* Permission bypass in close-on-exec file descriptors.

A race condition in setup_new_exec could allow reading a process's file
descriptors via /proc if they were opened with O_CLOEXEC.


* Denial-of-service in traffic control when using any net scheduler.

An incorrect variable initialization during traffic control classification
could lead to a soft lockup. An attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when writing data to usb gadgetfs endpoints.

A missing check on the length of packets written to endpoint 0 could lead
to an out-of-bounds write. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using special gadgetfs configuration.

A logic error when configuring a new usb gadgetfs device could lead to
a use-after-free. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service when opening/disconnecting multiple USB serial devices.

A missing callback registration in multiple USB serial drivers could lead
to a NULL pointer dereference. A local attacker could use open and
disconnect tty operations to cause a denial-of-service.


* Denial-of-service when transferring data to Garmin GPS device.

A missing free after sending data to a Garmin GPS device could lead to a
memory leak. A local attacker could use this flaw to exhaust host
memory and cause a denial-of-service.


* Denial-of-service when using USB Moschip 7720 serial devices.

Logic errors when using USB Moschip 7720 serial devices could lead to a
NULL pointer dereference or a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-7273: Denial-of-service in Cypress USB HID driver.

A missing check in the Cypress USB HID driver when parsing usb descriptors
could lead to an out-of-bounds access. An attacker with physical access
to the machine could use this flaw to cause a denial-of-service.


* Denial-of-service when using Distributed Lock Manager with OCFS2.

A locking error when using Distributed Lock Manager (DLM) with OCFS2
filesystem could lead to a kernel BUG(). An attacker could use this flaw
to cause a denial-of-service.


* Information leak in USB Winchiphead CH341 driver when retrieving modem status.

A logic error in the USB CH341 serial driver could lead to leaking heap
data to userspace by using TIOCMGET. An attacker could use this flaw
to leak sensitive data and facilitate an exploit.


* Information leak when controlling SMBus extensions.

A missing variable initialization could lead to a leak of sensitive kernel
information when using the I2C_SMBUS ioctl. An attacker could use this
flaw to leak kernel information and facilitate an exploit.


* Memory leak in SunRPC GSSAPI teardown.

A logic error when handling GSS_PROC_DESTROY messages can allow a remote user
to cause a kernel memory leak when establishing a connection to the kernel NFS
daemon.


* Kernel panic when probing QLogic Fibre Channel devices.

The kernel QLogic QLA2XXX device driver does not handle NULL pointers correctly
which can trigger a kernel panic.


* Null pointer dereference in Controller Area Network driver.

Probing an attached Controller Area Network driver could cause an unset
function pointer to be called, potentially causing an invalid memory
access and denial-of-service.


* Denial-of-service caused by infinite loop when COW-ing huge pages.

A missing flag check could cause an infinite loop if a read-only huge-page
memory region was written to via copy-on-write, causing a
denial-of-service.


* Denial-of-service in CIPSO / IPv4 protocol engine.

A missing length check in the CIPSO protocol implementation results in an
out-of-bounds memory access. An unprivileged local process can exploit
this to read kernel memory or cause a denial-of-service.


* Denial-of-service in ALSA sequencer memory management.

A race condition when finishing use of a memory pool can trigger a
use-after-free causing a kernel crash. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service during ALSA sequencer queue creation.

A logic error when creating an ALSA sequencer queue can lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in IPv4 `ping' implementation.

A missing null-pointer check in the ping implementation inside the IPv4
subsystem allows an unprivileged local user to crash the kernel and cause
a denial-of-service.


* Denial-of-service in SCSI Generic driver.

A missing sanity check when writing to a generic SCSI device may lead to a
kernel panic. An unprivileged user with write permission to /dev/sg can
exploit this to cause a denial-of-service.


* NULL pointer dereference in DECnet routing.

Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when outputting a DECnet packet.  A local, unprivileged
user could use this flaw to crash the system.


* Use-after-free in network bridge ioctl().

Missing locking in the bridge ioctl handler for receiving network
interface indices could result in a use-after-free and kernel crash
under specific conditions.


* Memory leak when malformed UDP packets are tunneled.

A logic error when handling malformed UDP packets in a tunnel can
trigger a kernel memory leak and eventual kernel panic.


* Denial-of-service due to TCP write queue overflow.

Setting a large default write queue for TCP packets can cause an
overflow in the kernel, leading to stalling of TCP connections followed
by a reset after timeout.


* Denial-of-service due to incorrect TCP checksum calculation.

When both MTU probing and TX offload checksumming are enabled, incorrect
TCP checksums can be generated, which can cause a TCP connection to
stall, preventing further transmission.


* Privilege escalation in SCTP getsockopt().

An incorrect integer operation when getting the SCTP_EVENTS socket option leads
to undefined behavior. An attacker can use this to execute arbitrary code
in kernel mode.


* NULL pointer dereference when binding DCCP IPv6 socket.

A missing callback in the dccp_v6 ops could cause a NULL pointer dereference
when binding a socket. A local user with capabilities to bind a DCCP IPv6
socket could use this flaw to cause a denial-of-service.


* Use-after-free when using setsockopt() or connect() on sctp socket.

A race condition in the connect() and setsockopt() syscalls for an SCTP
socket could lead to a use-after-free. A local user with capabilities to
use those syscalls could cause a denial-of-service.


* Denial-of-service when receiving packet with packet editing enabled.

Missing argument validation when receiving a malformed packet while
packet editing is enabled could lead to a memory overflow. A remote
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when checking DCCP packet validity.

Incorrect logic when checking the validity of a received DCCP packet
header could lead to a use-after-free. A remote attacker could use this
flaw to cause denial of service.


* Denial-of-service when using specific options of raw ipv6 socket.

A missing check when sending data through an IPv6 socket configured with the
IPV6_CHECKSUM and IPV6_DSTOPTS options could lead to a kernel panic. An
attacker could use this flaw to cause a denial-of-service.


* Deadlock when disabling IPv6 network interface.

Incorrect locking in the IPv6 address auto-configuration when disabling a
network interface can trigger a deadlock and kernel panic.


* Invalid memory access in IPv6 tunneling subsystem.

A missing check on socket buffer and use of a stale pointer results in
invalid memory accesses inside the IPv6 tunneling subsystem. This may
lead to undefined behavior in the kernel or denial-of-service.


* Denial-of-service when TCP window scaling is not enabled.

A division-by-zero error occurs when selecting the window size for TCP
over IPv4, resulting in denial-of-service.


* Denial-of-service in IPv6-over-IPv4 tunnel subsystem.

Failure to reset a flag when initializing an IPv6 over IPv4 tunnel fails
results in a double-free causing denial-of-service.


* Kernel BUG when releasing unused pages in the ext4 filesystem.

Failure to clear the dirty bit when releasing unused pages in the ext4
filesystem could cause a kernel BUG assertion to trigger.  A local user
could use this flaw to cause a denial-of-service.


* Out-of-bounds access when using multiple netfilters.

Missing checks when initializing some netfilters could lead to an
out-of-bounds access. A local attacker could use this flaw to facilitate
an attack.


* Integer overflow in generic file read on 32-bit systems.

Lack of input validation in the generic file read syscall could lead to an
integer overflow and infinite loop. An unprivileged user could use
this flaw to cause a denial of service.


* CVE-2016-8632: Denial-of-service when using TIPC and too short MTU.

Missing checks when validating the TIPC (Transparent Inter Process
Communication) header could lead to a buffer overflow if the device MTU is
too short. An attacker with the ability to configure the MTU could use this
flaw to cause a denial-of-service.


* Denial-of-service caused by use-after-free in fsnotify.

When iterating through a list of inodes to unmount, fsnotify could
potentially free a node while iterating through the list. This could
cause a kernel crash, but usually manifests as an infinite loop, causing
a denial-of-service.


* Denial-of-service when closing interface of Korina ethernet driver.

Incorrect logic when closing an interface in the Korina ethernet driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when using mlx4 network interface.

Incorrect logic in the mlx4 ethernet driver could lead to a
use-after-free and a resource leak. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when using the nbd transmit path.

Incorrect logic in the transmit path of the network block device driver could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when sending packet through GRE IPV6 socket.

Missing logic when sending a packet over a GRE (Generic Routing
Encapsulation) socket could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when receiving data over Xilinx ethernet controller.

A missing check when receiving data over Xilinx ethernet controller
could lead to a buffer overflow. A remote attacker could use this flaw
to cause a denial-of-service.


* Data race in virtio network device drivers.

Unprotected reads from shared data structures in the macvtap and tun device
drivers allow data races, potentially leading to kernel memory
corruption and denial-of-service.


* CVE-2016-10208: Denial-of-service when using a crafted ext4 image.

A missing check in ext4 meta block group validation could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in IPv4 when configuring ping group range.

Incorrect locking in the sysctl interface to the IPv4 subsystem led to an
inconsistent lock state which could cause the kernel to get stuck in a
deadlock.


* CVE-2017-7184: Privilege escalation when using xfrm IP framework.

A missing check when using the xfrm IP framework could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a denial of
service or to escalate privileges.


* CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Multiple integer overflows in the AF_PACKET setsockopt implementation can
trigger kernel memory corruption. A local user could use this flaw to elevate
privileges.


* Improved fix for CVE-2016-2188: Denial of service in IO Warrior USB endpoint processing.

The IO Warrior USB device driver does not correctly handle malicious USB
devices with missing endpoints which can trigger a NULL pointer dereference and
kernel panic.


* CVE-2017-2647: Denial-of-service when invoking request_key() syscall.

A missing check in request_key() syscall could lead to a NULL pointer
dereference. A local unprivileged user could use this flaw to cause a
denial-of-service.


* Address space layout randomization bypass in position independent executables.

A weakness in the address space layout randomization (ASLR)
implementation for position independent executables (PIE) could allow an
attacker that could leak a single address from the executable to infer
the addresses of all libraries in the process.  This flaw could then be
used with another exploit to gain reliable code execution.


* CVE-2017-7616: Information leak when setting memory policy.

A missing check when setting memory policy through the set_mempolicy()
syscall could lead to a stack data leak. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* CVE-2017-7472: Denial-of-service when setting default request-key keyring.

A logic error when a user sets the default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* CVE-2017-7261: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using "surface define" ioctl of DRM
driver for VMware Virtual GPU could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-7294: Denial-of-service when defining surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using "create surface" ioctl of DRM
driver for VMware Virtual GPU could lead to an integer overflow. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2016-9604: Permission bypass when creating key using keyring subsystem.

A missing check when a user creates a key beginning with '.' could lead
to a permission bypass. A local attacker could use this flaw to access
sensitive information.


* CVE-2017-7618: Remote denial of service in asynchronous hash functions.

In certain cases, a remote attacker could trigger an edge condition in the
kernel's CRC and cryptographic hash function facilities. This could cause
the kernel to crash or lock up.


* Denial-of-service when IP encapsulation for L2TP is used.

A bug in the SIOCINQ ioctl handler results in a kernel crash when plain IP
encapsulation for L2TP frames is used. A userspace process capable of
creating L2TP tunnels can exploit this to cause a denial-of-service.


* CVE-2016-10044: Permission bypass when setting up an async io filesystem.

A missing restriction on execute access when setting up an async io
filesystem could allow a local attacker to bypass SELinux restrictions,
leading to a permission bypass.


* CVE-2016-6213: Denial-of-service when bind mounting filesystems.

A missing limit could cause an overflow of the mount table. A user with
mount permissions could cause a denial-of-service by bind mounting many
filesystems and overflowing the mount table.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.