[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (DSA-4187-1)

Allan Xavier allan.x.xavier at oracle.com
Thu May 10 10:35:08 PDT 2018


Synopsis: DSA-4187-1 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-12190 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526
CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
CVE-2017-18203 CVE-2017-18216 CVE-2017-18241 CVE-2017-5753 CVE-2018-1000004
CVE-2018-1000028 CVE-2018-1000199 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092
CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995
CVE-2018-8781 CVE-2018-8822

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-4187-1.

Ksplice will not be providing zero-downtime updates for CVE-2017-18232 and
CVE-2015-9016.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
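
As an added example, not part of this announcement and not Oracle's Ksplice tooling, the following POSIX shell script answers the two operational questions this section raises: whether a host has autoinstall turned on in /etc/uptrack/uptrack.conf, and which of the CVEs listed in the header are still absent from the host's installed Ksplice updates. The config parsing relies only on the "autoinstall = yes" key/value line quoted above; the output format of uptrack-show, the sample config and the sample update listing (with placeholder update IDs) are constructed and are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Ksplice announcement or from Oracle.
# Answers two questions for a Debian 8.0 host receiving DSA-4187-1 via Ksplice:
#   1. Will the updates install on their own?  (autoinstall in uptrack.conf)
#   2. Which advisory CVEs are still missing from the installed updates?

# CVE identifiers exactly as listed in the announcement header.
ADVISORY_CVES="CVE-2017-0861 CVE-2017-12190 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526
CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
CVE-2017-18203 CVE-2017-18216 CVE-2017-18241 CVE-2017-5753 CVE-2018-1000004
CVE-2018-1000028 CVE-2018-1000199 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092
CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995
CVE-2018-8781 CVE-2018-8822"

# Return 0 when the uptrack.conf given as $1 enables automatic installation.
# Only the "autoinstall = yes" key/value line quoted in the announcement is
# relied on; tolerating comments (# or ;), surrounding whitespace, mixed case
# and a repeated key (last one wins) is this example's own assumption about
# the file format. Returns 2 when the file cannot be read.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# Print, one per line, the advisory CVEs that do not occur in the file $1
# (intended to be saved output of `uptrack-show`). Assumption: each installed
# update's description names its CVE. The trailing regex keeps CVE-2018-1066
# from matching a longer identifier such as CVE-2018-10660.
missing_cves() {
    installed="$1"
    for cve in $ADVISORY_CVES; do
        grep -qE "$cve"'([^0-9]|$)' "$installed" || printf '%s\n' "$cve"
    done
}

# Constructed sample inputs (placeholders, not captured from a real host).
SAMPLE_CONF='# constructed sample of /etc/uptrack/uptrack.conf
autoinstall = no'

SAMPLE_SHOW='Installed updates:
[PLACEHOLDER-ID-1] CVE-2017-16526: Denial-of-service in failed launch of UWB daemon.
[PLACEHOLDER-ID-2] Improved fix for CVE-2017-12190: Denial-of-service in block I/O page merging.
[PLACEHOLDER-ID-3] CVE-2018-1066: Denial-of-service in CIFS session negotiation.'

# Write the samples into a fresh directory and print its path.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONF" > "$dir/uptrack.conf"
    printf '%s\n' "$SAMPLE_SHOW" > "$dir/uptrack-show.txt"
    printf '%s\n' "$dir"
}

# Human-readable report for the uptrack.conf and uptrack-show.txt in directory $1.
report() {
    if uptrack_autoinstall_enabled "$1/uptrack.conf"; then
        echo "autoinstall: on (updates will apply without action)"
    else
        echo "autoinstall: off (run: /usr/sbin/uptrack-upgrade -y)"
    fi
    echo "advisory CVEs not yet present in installed updates:"
    missing_cves "$1/uptrack-show.txt" | sed 's/^/  /'
}

# Stand-alone run against the constructed samples. On a real host, point
# report at a directory holding a copy of /etc/uptrack/uptrack.conf and the
# saved output of uptrack-show instead.
sample_dir=$(write_samples)
report "$sample_dir"
rm -rf "$sample_dir"
```

Against the constructed samples the report says autoinstall is off and lists 29 of the 32 advisory CVEs as missing; the value comparison is case-insensitive and the last autoinstall line wins, so a commented-out default above an active setting is handled.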


DESCRIPTION

* CVE-2017-16526: Denial-of-service in failed launch of UWB daemon.

A failure to handle an error case when launching the UWB management
daemon can result in an invalid pointer dereference leading to a kernel
crash.


* Improved fix for CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-18203: Denial-of-service during device mapper destruction.

A race condition between creation and destruction of device mapper
objects can result in an assertion failure, leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.


* CVE-2017-18017: Use-after-free when processing TCP packets in netfilter TCPMSS
target.

A missing check when using the TCPMSS target for TCP could lead to a
use-after-free. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable
Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable
Datagram Sockets driver.

A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2018-1000028: Permission bypass when using rootsquash with NFS.

A logic error when using the rootsquash feature of NFS could lead to a
permission bypass. A remote attacker could use this flaw to access
sensitive information stored on a shared filesystem.


* CVE-2018-6927: Integer overflow when requeuing a futex.

A missing check when calling the futex system call with the "requeue"
option could lead to an integer overflow. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2018-7492: NULL pointer dereference when setting options for RDS over
Infiniband socket.

A missing check when setting RDS_GET_MR option for RDS over Infiniband
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-1068: Privilege escalation in bridging interface.

Lack of userspace parameter sanitization in the 32-bit syscall interface
for bridging allows a user with limited privilege to write into kernel
memory. This flaw could be exploited to escalate privilege.


* CVE-2018-5803: Denial-of-service when receiving a forged packet over an SCTP socket.

A missing check when receiving a forged packet with custom properties
over an SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing the ALSA sequence pool leads to a
use-after-free and out-of-bounds memory access. An attacker can exploit
this to cause a denial-of-service.


* CVE-2018-7757: Memory leak when reading invalid_dword_count attribute of SAS
Domain Transport driver.

A missing free when reading invalid_dword_count attribute of SAS Domain
Transport driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.

Logic errors in multiple V4L2 ioctls could lead to execution at
user-space-defined addresses. A local attacker could use this flaw to
escalate privileges.


* CVE-2017-13220: Privilege escalation in Bluetooth Human Interface Device Protocol.

A failure to validate a Bluetooth socket in the Human Interface Device
Protocol can result in the dereference of an invalid pointer. A local
user could use this flaw to escalate privileges.


* CVE-2017-16911: Information disclosure in USB over IP HCI status report.

A failure to correctly sanitize information reported by the Kernel about
USB over IP HCI device can result in a sensitive memory address being
disclosed to userspace. A local, unprivileged user could use this flaw
to facilitate a further attack.


* CVE-2017-18216: NULL pointer dereference while deleting OCFS2 node.

A race condition when deleting OCFS2 node could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-18241: NULL pointer dereference when using flush command of F2FS
filesystem.

A logic error when mounting an F2FS filesystem with the noflush_merge
option could lead to a NULL pointer dereference when the flush command is
called. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1000199: Denial-of-service in hardware breakpoints.

Incorrect validation of a ptrace hardware breakpoint could result in
corrupted kernel state. A local, unprivileged user could use this flaw
to crash the system or, potentially, escalate privileges.


* CVE-2018-1092: NULL pointer dereference when using unallocated root directory
on ext4 filesystem.

A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.


* CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.

An overly verbose printk when registering the ACPI Smart Battery System
driver leaks kernel addresses. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.

A logic error in HugeTLB file system when using remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-7995: Denial-of-service when accessing CPU MCE sysfs entries.

A race condition when accessing CPU Machine Check sysfs entries could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video
driver.

A missing check on user input when mapping memory in USB Display Link
video driver could lead to an integer overflow. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-8822: Denial-of-service in NCP filesystem server during mmap.

A failure to verify bounds in the NCP filesystem on the server side
could lead to memory corruption and a kernel panic. This could be
exploited to cause a denial-of-service.


* CVE-2017-16912, CVE-2017-16913: Denial-of-service in USBIP command validation.

A validation error when parsing information from a USB over IP packet
can result in an out-of-bounds memory access leading to a kernel crash.
A remote USB over IP client could use this flaw to cause a
denial-of-service.


* CVE-2017-16914: Denial-of-service in USB over IP NULL transfer buffer handling.

A failure to correctly validate a NULL transfer buffer in the USB over
IP subsystem can result in a NULL pointer dereference, leading to a
Kernel crash. A local user with access to a USB over IP device could use
this flaw to cause a denial-of-service.


* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctl.

A race condition when using MIDI sequencer ioctl could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-1066: Denial-of-service in CIFS session negotiation.

A logic error in the CIFS session negotiation implementation can result
in a NULL pointer dereference leading to a Kernel crash. A remote CIFS
server could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2017-5753: Bounds-check bypass in 80211 transmission
parameter parsing.

A missing use of the indirect calls protection macro in the nl80211
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in KVM subsystem.

A missing use of the indirect calls protection macro in KVM could lead
to speculative execution. A local attacker could use this flaw to leak
information about the running system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.