[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (3.16.64-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Apr 1 12:53:52 PDT 2019


Synopsis: 3.16.64-1 can now be patched using Ksplice
CVEs: CVE-2016-10150 CVE-2016-10741 CVE-2017-13168 CVE-2017-13305 CVE-2017-5753 CVE-2017-5967 CVE-2017-9725 CVE-2018-12896 CVE-2018-13053 CVE-2018-16862 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-19985 CVE-2018-20511 CVE-2018-5848 CVE-2018-5953 CVE-2019-3701 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, 3.16.64-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can allow
userspace to corrupt kernel memory. A local user with access to an sg
device could use this flaw to cause undefined behaviour or a kernel
crash, leading to a denial-of-service.


* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.


* CVE-2018-17972: Information leak in /proc kernel stack dumps.

A failure to restrict access to /proc/<pid>/stack and
/proc/<pid>/task/*/stack to root could allow an unprivileged user to
obtain the kernel stack contents of another process.


* CVE-2017-13305: Information leak in encrypted keys subsystem.

Providing the encrypted keys subsystem with a shorter-than-expected
master key description could cause the key validation routine to read
beyond the end of the buffer, potentially exposing kernel memory.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to an integer overflow and
undefined behaviour. A local user could use this flaw to cause memory
corruption and potentially escalate privileges.


* CVE-2018-16862: Potential memory corruption in inode truncation path.

A logic error in the memory manager's inode truncation path can lead to
an inode not being properly cleaned up.  If another file is created with
the same inode, it is possible to read old leftover data, instead of
the expected data, when attempting to read the new file.  This could
cause a system to exhibit unexpected behavior.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* CVE-2018-18690: XFS filesystem failure during extended attribute replacement.

Incorrect handling of extended attribute replacement on an XFS
filesystem could result in a filesystem shutdown.  A local, unprivileged
user could use this flaw to trigger a denial of service.


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.


* CVE-2016-10741: Denial-of-service during I/O on memory-mapped XFS block.

Mixing direct I/O and memory-mapped I/O on the same XFS block can crash
the kernel. A malicious local user could exploit this to cause a
denial-of-service.


* CVE-2017-9725: Memory corruption in contiguous memory allocation.

A type conversion error when allocating contiguous memory for Direct
Memory Access can result in memory corruption outside of the allocated
memory. A local user could use this flaw to cause undefined behavior or
a kernel crash.


* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in the hso_probe function can lead to an
out-of-bounds memory access. This could cause a system to exhibit
unexpected behavior.


* CVE-2019-7221: Use-after-free in nested KVM preemption timer.

A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.


* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.


* CVE-2019-9213: Bypass of mmap_min_addr restriction.

An incorrect capability check in the mmap memory expansion implementation can
result in applications being able to bypass the minimum mmap address
restriction. A local user on a system without SMAP enabled could use this flaw
to exploit kernel NULL pointer dereferences.


* CVE-2016-10150: Use-after-free in KVM device creation.

Incorrect ordering when creating a KVM device can result in a
use-after-free. A local user could use this flaw to cause an assertion
failure in the kernel.


* CVE-2018-12896: Denial-of-service via POSIX timer overflow.

The POSIX timer overrun count can overflow an integer if the timer has a
sufficiently long interval and expiry time. A malicious local user could
create such a timer to cause a denial-of-service.


* CVE-2018-5953: Information leak in software IO TLB driver.

Overly verbose log messages in the software IO TLB driver leak
information about the running kernel. A local attacker could use this
flaw to facilitate a further attack.


* CVE-2018-20511: Information leak when using Appletalk-IP driver.

A missing initialization of on-stack data passed from kernelspace to
userspace in the AppleTalk-IP driver's ioctl handler could lead to an
information leak. A local attacker could use this flaw to facilitate a
further attack.


* CVE-2019-3701: Denial-of-service in CAN controller.

Missing sanity checking in the Controller Area Network driver can allow
a malicious user to write arbitrary bits into the CAN device's I/O
memory, resulting in a system crash and denial-of-service.


* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.


* CVE-2019-6974: Use-after-free in KVM device creation.

A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.


* CVE-2018-19824: Use-after-free when connecting ALSA USB sound device.

A use-after-free when connecting an ALSA USB sound device could result
in memory corruption, potentially allowing a malicious user to escalate
privileges.


* CVE-2017-5967: Information leak when reading /proc/timer_list and /proc/timer_stats.

Overly verbose output when reading /proc/timer_list and
/proc/timer_stats could leak PIDs as seen from the initial PID
namespace. An attacker inside a PID namespace could use this flaw to
learn its real (global) PID.


* Improved fix for Spectre v1: Speculative execution in array accesses.

The previous fix for CVE-2017-5753 did not correctly disable a compiler
optimization, leaving some array accesses not correctly protected
against speculative execution attacks.


* Improved fix for Spectre v1: Bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of an array index after a bounds check in the
ZeitNet ZN1221/ZN1225 driver could lead to an information leak. A local
attacker could use this flaw to leak information about the running
system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in ATM LAN emulation.

A missing sanitization of an array index after a bounds check in the ATM
LAN emulation driver could allow speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.

A missing sanitization of an array index after a bounds check in the
Chelsio Communications T3 10Gb Ethernet driver could lead to an
information leak. A local attacker could use this flaw to leak
information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in ext4 multiblocks allocation routines.

A missing sanitization of an array index after a bounds check in the
ext4 multiblock allocation routines could allow speculative
out-of-bounds access. A local attacker could use this flaw to leak
information about the running system.


* Improved fix for Spectre v1: Information leak in filesystem quota control code.

A missing sanitization of an array index in filesystem quota control code can
lead to kernel memory being leaked to userspace.  A local attacker could exploit
this flaw to leak information about the running system.


* Improved fix for Spectre v1: Information leak in NCT6775 driver.

A missing sanitization of array index in the NCT6775 driver could lead to an
information leak.  A local attacker could use this flaw to leak information
about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in Honeywell HMC6352 compass driver.

A missing sanitization of an array index after a bounds check in the
Honeywell HMC6352 compass driver could allow speculative out-of-bounds
access. A local attacker could use this flaw to leak information about
the running system.


* Improved fix for Spectre v1: Bounds-check bypass in Virtual terminal driver.

A missing sanitization of an array index after a bounds check in the
virtual terminal driver could allow speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: bounds-check bypass in Infiniband driver.

A missing sanitization of an array index after a bounds check in the
Infiniband driver could allow speculative out-of-bounds access. A local
attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: bounds-check bypass in PTP clock driver.

A missing sanitization of an array index after a bounds check in the PTP
clock driver could allow speculative out-of-bounds access. A local
attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: bounds-check bypass in Human Input Device driver.

Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Input Device driver. A local user
could use this flaw to facilitate a further attack on the system.


* Improved fix for Spectre v1: Bounds-check bypass in asynchronous I/O subsystem.

A missing sanitization of an array index after a bounds check in the
asynchronous I/O subsystem could lead to an information leak. A local
attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable
to a Spectre variant 1 speculative execution attack.


* Improved fix for Spectre v1: Bounds-check bypass in scheduler userspace interface.

A missing sanitization of an array index after a bounds check in the
scheduler userspace interface could allow speculative out-of-bounds
access. A local attacker could use this flaw to leak information about
the running system.


* Improved fix for Spectre v1: Bounds-check bypass in getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a
Spectre variant 1 speculative execution attack.


* Improved fix for Spectre v1: Bounds-check bypass when using USB Gadget mass storage.

A missing sanitization of an array index after a bounds check in the USB
Gadget mass storage driver could allow speculative out-of-bounds access.
A local attacker could use this flaw to leak information about the
running system.


* Improved fix for Spectre v1: Bounds-check bypass in perf events.

A missing sanitization of an array index after a bounds check during
perf event retrieval could allow speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in DRM driver's ioctl handler.

A value that is indirectly controlled by userspace is used to index a
buffer in drm_ioctl.  A local attacker could use a Spectre-style attack
to exploit this flaw and cause unexpected behavior, or a
denial-of-service.
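
The "Improved fix for Spectre v1" entries above all describe the same
missing step: after a bounds check on a user-controlled index, the index
itself must be sanitized so that a speculatively executed out-of-bounds
path cannot touch memory past the array. The following is an added
example written for this page; it is not code from the advisory or from
the Linux kernel sources. It re-implements the pattern behind the
kernel's array_index_mask_nospec()/array_index_nospec() helpers in
user-space C against a constructed lookup table, and places the
branch-only bounds check next to the branch-plus-mask form. The table
contents and the names lookup_unsafe/lookup_nospec are assumptions made
for the illustration.

```c
/*
 * Added example (not from the Ksplice advisory or the Linux kernel):
 * user-space re-implementation of the Spectre v1 array index
 * sanitization pattern. Names mirror the kernel helpers for
 * recognisability; the code is a stand-alone illustration.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Constructed lookup table standing in for a kernel array indexed by a
 * value that userspace controls (an ioctl argument, a resource id, ...). */
#define TABLE_SIZE 8U
static const int table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/*
 * Branch-free mask: ~0UL when index < size, 0 when index >= size.
 * Done with arithmetic rather than a conditional branch, so it still
 * holds while the CPU speculates past a mispredicted bounds check.
 * Requires size <= LONG_MAX.
 */
static inline unsigned long
array_index_mask_nospec(unsigned long index, unsigned long size)
{
	/* index < size: both operands of | are < size, so the sign bit of
	 * the OR is clear; ~ sets it; the arithmetic right shift smears it
	 * into an all-ones mask. index >= size: (size - 1 - index) wraps to
	 * a value with the sign bit set, ~ clears it, the shift yields 0. */
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp an already-checked index: a speculatively taken out-of-bounds
 * path reads element 0 instead of memory past the array. */
static inline unsigned long
array_index_nospec(unsigned long index, unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/*
 * Shape before the improved fix: the bounds check is only a branch.
 * Architecturally correct, but a mispredicted branch lets the CPU
 * transiently load table[index] for index >= TABLE_SIZE, and the cache
 * footprint of that load can be measured from userspace.
 */
int lookup_unsafe(unsigned long index)
{
	if (index >= TABLE_SIZE)
		return -1;
	return table[index];	/* transient out-of-bounds read under speculation */
}

/* Hardened shape: same check, plus index sanitization. */
int lookup_nospec(unsigned long index)
{
	if (index >= TABLE_SIZE)
		return -1;
	index = array_index_nospec(index, TABLE_SIZE);
	return table[index];	/* 0..TABLE_SIZE-1 even on the transient path */
}

int main(void)
{
	unsigned long probe[] = { 0, 3, 7, 8, 9, ULONG_MAX };
	size_t i;

	for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
		printf("index %lu: mask 0x%lx, sanitized %lu, unsafe %d, nospec %d\n",
		       probe[i],
		       array_index_mask_nospec(probe[i], TABLE_SIZE),
		       array_index_nospec(probe[i], TABLE_SIZE),
		       lookup_unsafe(probe[i]), lookup_nospec(probe[i]));
	return 0;
}
```

Both lookups return the same architectural results; the difference is
only visible on the transient path. The arithmetic mask is also only as
good as the instructions the compiler emits for it: a compiler that
turns the mask back into a conditional branch reopens the speculation
window, which is why the kernel's x86 version uses inline assembly
(cmp/sbb) rather than the generic C form, and why the first Spectre v1
entry above is about a compiler optimization that was not correctly
disabled.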

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
