[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (4.9.65-3)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Dec 11 13:05:52 PST 2017


Synopsis: 4.9.65-3 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2017-0786 CVE-2017-1000405 CVE-2017-12188 CVE-2017-12190 CVE-2017-12192 CVE-2017-12193 CVE-2017-13080 CVE-2017-14991 CVE-2017-15115 CVE-2017-15265 CVE-2017-15299 CVE-2017-15537 CVE-2017-15649 CVE-2017-15951 CVE-2017-16525 CVE-2017-16526 CVE-2017-16527 CVE-2017-16528 CVE-2017-16529 CVE-2017-16530 CVE-2017-16531 CVE-2017-16532 CVE-2017-16533 CVE-2017-16534 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537 CVE-2017-16643 CVE-2017-16645 CVE-2017-16646 CVE-2017-16647 CVE-2017-16649 CVE-2017-16650 CVE-2017-16939 CVE-2017-16994

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, 4.9.65-3.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2016-7097: Permission bypass in Orange filesystem when setting POSIX ACLs.

A logic error when setting POSIX ACLs in the Orange filesystem causes
the set-group-ID to not be cleared.  A local, unprivileged user could
use this flaw to escalate privileges.


* CVE-2017-14991: Information leak in SCSI Generic Support driver.

Failing to initialize a buffer when performing an ioctl call on /dev/sg0
results in stale kernel data being leaked to userspace. This allows local
users to obtain sensitive information about kernel heap memory.


* CVE-2017-12192: Denial-of-service when reading a negative key.

An invalid memory access when reading a negative key from the kernel key
management facility results in a crash. An unprivileged local user can
exploit this to cause a denial-of-service.


* CVE-2017-15537: Information disclosure in FPU restoration after signal.

A failure to correctly handle an error case can result in a warning
being displayed and FPU information from another process being leaked. A
local user could use this flaw to facilitate a further attack.


* CVE-2017-16529: Out-of-bounds access due to corrupted buffer parsing in USB audio.

A failure to validate buffer descriptors from a USB audio device can
result in an out-of-bounds memory access.


* CVE-2017-16530: Out-of-bounds access in USB alternate setting enumeration.

A failure to correctly validate USB alternate information from a USB
device can result in an out-of-bounds memory access.


* CVE-2017-16534: Out-of-bounds access in USB CDC header parsing.

A failure to correctly validate a CDC header can result in an
out-of-bounds memory access.


* CVE-2017-16531: Out-of-bounds access in USB configuration parsing.

A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.


* CVE-2017-16526: Denial-of-service in failed launch of UWB daemon.

A failure to handle an error case when launching the UWB management
daemon can result in an invalid pointer dereference leading to a kernel
crash.


* CVE-2017-15649: Privileges escalation using PACKET_FANOUT socket option.

A locking error when using the PACKET_FANOUT option could lead to a race
condition. A local attacker could use this flaw with a crafted fanout
system call to escalate privileges.


* CVE-2017-16533: Out-of-bounds access during parsing of Human Interface Device information.

A failure to validate information supplied by a USB device can result in
an out-of-bounds memory write, leading to undefined behaviour.


* CVE-2017-16527: Use-after-free when creating mixer for USB Audio device.

A missing free in an error path when creating a mixer for a USB audio
device could lead to a use-after-free. A local attacker could use a
crafted USB audio device to cause a denial-of-service.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

A failure to increment a reference count during creation of an ALSA seq
port can result in a use-after-free. A local user could use this flaw to
escalate privileges.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-16535: Out-of-bounds memory access when reading USB descriptors.

A missing check when reading USB descriptors could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-15951: Denial-of-service when requesting a key in negative state.

Missing locking when requesting an already created key in the negative
state could lead to a race condition. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2017-12193: Denial-of-service in generic associative array implementation.

A logic error when inserting a new entry into an associative array can
result in a NULL pointer dereference, leading to a kernel crash. A local
user could use this flaw to cause a denial-of-service.


* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.

A missing check when running USB tests with a USB device exposing an
invalid endpoint configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-16528: Use-after-free when unbinding a MIDI sequencer device.

A failure to cancel pending work queue items when unbinding a MIDI
sequencer device could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-15115: Use-after-free in SCTP peel off operation inside network namespace.

A logic error when performing an SCTP peel off operation from a network
namespace can result in an incorrect free, leading to a subsequent
use-after-free. A local user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* CVE-2017-16994: Information leak when using mincore system call.

A logic error in huge TLB handling when using the mincore system call
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and facilitate an attack.


* CVE-2017-0786: Privilege escalation in Broadcom WIFI driver.

A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.


* CVE-2017-16525: Use-after-free in USB serial console setup failure.

A failure to handle an error case during USB serial console setup can lead to
a use-after-free.


* CVE-2017-12188: Out-of-bounds memory access during KVM page table walk.

A logic error in the page table management of KVM guests can result in
an out-of-bounds memory access. A guest virtual machine could use this
flaw to crash the host or potentially execute malicious code with host
privileges.


* CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.

A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.


* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.


* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.

A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force nonce reuse. This could allow the
attacker to eavesdrop on encrypted communications as well as inject and
manipulate data in a WiFi stream.


* CVE-2017-16645: Out-of-bounds access when using IMS Passenger Control Unit Devices.

A missing check when using IMS Passenger Control Unit Devices could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.

A missing check when registering SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.

Logic errors when using DiBcom DiB0700 USB DVB devices could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16649: Divide by zero when binding a network USB device.

A logic error when binding a network USB device could lead to a divide
by zero error. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16650: Divide by zero error when binding a QMI WWAN USB device.

A missing check when binding a QMI WWAN network USB device could lead to
a divide by zero error. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16647: NULL pointer dereference when suspending an ASIX AX88xxx Based USB 2.0 Ethernet Adapter.

A missing check when suspending an ASIX AX88xxx Based USB 2.0 Ethernet
Adapter could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-16536: NULL pointer dereference when registering a Conexant cx231xx USB video device.

A missing check when probing a Conexant cx231xx USB video device could
lead to a NULL pointer dereference. A local attacker could use a crafted
USB device to cause a denial-of-service.


* CVE-2017-1000405: Privilege escalation when writing into a Transparent Huge Page.

A logic error in internal Transparent Huge Page handling of the kernel
could let an attacker overwrite read-only data and escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.