[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4073-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Sun Dec 24 13:33:27 PST 2017


Synopsis: DSA-4073-1 can now be patched using Ksplice
CVEs: CVE-2017-1000407 CVE-2017-1000410 CVE-2017-16538 CVE-2017-16644 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864 CVE-2017-8824

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4073-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-8824: Privilege escalation when calling connect() on a DCCP socket.

dccp_disconnect() does not free and reset the socket's CCID objects when
connect() is called on a DCCP socket in the DCCP_LISTEN state, which could
lead to a use-after-free. A local attacker could use this flaw to escalate
privileges.


* CVE-2017-16538: Denial-of-service in DVB-USB subsystem.

A missing warm-start check and incorrect attach timing in the DVB-USB
driver allows a user with physical access and a crafted USB device to
cause a denial of service (general protection fault and system crash) or
possibly have unspecified other impact.


* CVE-2017-17448: Missing capability check in netfilter connection tracking helper configuration.

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does
not itself require the CAP_NET_ADMIN capability for its new, get and del
operations; the only check is the one nfnetlink performs against the net
namespace that owns the netlink socket. Because the nfnl_cthelper_list
data structure is shared across all net namespaces, a local user who
creates a user namespace (and so holds CAP_NET_ADMIN in it) can list, add
and delete connection tracking helpers system-wide, bypassing the intended
access restrictions.


* CVE-2017-17449: Missing namespace check in netlink monitoring.

Netlink message monitoring via an nlmon interface was not restricted to
the net namespace the interface belongs to. A local user with
CAP_NET_ADMIN in a user namespace could create an nlmon interface and
sniff Netlink traffic from the entire system.


* CVE-2017-17450: Missing capability check in netfilter xt_osf fingerprint management.

A missing CAP_NET_ADMIN check in the netfilter xt_osf code, whose passive
OS fingerprint list is shared across all net namespaces, allows an
unprivileged user who creates user and net namespaces to add and remove
entries from the system-wide fingerprint list.
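The three netlink issues above share a precondition: the capability check
that nfnetlink and the nlmon tap rely on is satisfied by CAP_NET_ADMIN held
in a user namespace, which a process obtains simply by creating one, while
the objects being manipulated are global to the system. The C program below
is an added illustration of that precondition, written for this page and not
part of the advisory or of the kernel fixes. It parses the CapEff line of
/proc/self/status (the parser is exercised on constructed sample text,
not captured output), and when run it calls unshare(CLONE_NEWUSER |
CLONE_NEWNET) and shows that CAP_NET_ADMIN becomes effective afterwards. The
kernel-side fix, checking the capability against the initial namespace, is
not modelled here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability number of CAP_NET_ADMIN (see linux/capability.h). */
#define CAP_NET_ADMIN_BIT 12

/* Parse a /proc/<pid>/status text and report whether capability `cap` is in
 * the effective set. CapEff is a hexadecimal bit mask, one bit per capability. */
static bool cap_effective(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return false;
    uint64_t mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (mask >> cap) & 1u;
}

/* Read the calling process's own status file into buf. */
static bool read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return false;
    size_t n = fread(buf, 1, len - 1, f);
    buf[n] = '\0';
    fclose(f);
    return true;
}

/* Constructed excerpts (not captured from a real system) of what an
 * unprivileged process sees before and after unshare(CLONE_NEWUSER): a 4.9
 * kernel grants the full set, 0x3fffffffff, inside the new user namespace. */
static const char status_before[] =
    "Name:\tsh\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
static const char status_after[] =
    "Name:\tsh\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n";

int main(void)
{
    char buf[4096];

    printf("constructed samples, CAP_NET_ADMIN before/after: %d/%d\n",
           cap_effective(status_before, CAP_NET_ADMIN_BIT),
           cap_effective(status_after, CAP_NET_ADMIN_BIT));

    if (read_self_status(buf, sizeof buf))
        printf("this process before unshare: CAP_NET_ADMIN effective = %d\n",
               cap_effective(buf, CAP_NET_ADMIN_BIT));

    /* A new user namespace, owning a new net namespace; the caller holds a
     * full capability set in it even before any uid_map is written. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) {
        perror("unshare");
        return 1;
    }

    if (read_self_status(buf, sizeof buf))
        printf("this process after unshare:  CAP_NET_ADMIN effective = %d\n",
               cap_effective(buf, CAP_NET_ADMIN_BIT));
    return 0;
}
```

Note that Debian's stretch kernel ships with kernel.unprivileged_userns_clone
set to 0 by default, so the unshare() call above fails with EPERM for an
unprivileged user unless an administrator has enabled that sysctl; where it
is enabled, or on kernels without that knob, the capability appears as
shown and the unpatched nfnetlink and nlmon checks are satisfied.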


* CVE-2017-17558: Buffer overrun in USB core via unchecked bNumInterfaces.

The USB core did not limit the bNumInterfaces field of a USB configuration
descriptor to the maximum number of interfaces it allocates for, so a
malicious device could induce an out-of-bounds access when the
configuration is torn down, potentially causing a denial-of-service. A
user with physical access and a crafted device could use this flaw to
crash the system.


* CVE-2017-17807: Permissions bypass when requesting a key on the default keyring.

When request_key() is called with no destination keyring specified, the
requested key is constructed and linked into the caller's default
request-key keyring without checking that the caller has write permission
on that keyring.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash.  An attacker could use this flaw
to cause a host denial-of-service from the guest.


* CVE-2017-17862: Denial-of-service in BPF verifier.

The BPF verifier skipped instructions it considered unreachable, although
the JIT compilers still process them, so an invalid instruction hidden in
dead code could result in a denial-of-service when the program is JIT
compiled.  A local, unprivileged user could use this flaw to crash the
system.


* CVE-2017-17863: Privilege escalation in BPF verification.

Incorrect modeling of pointer arithmetic with the stack pointer could
result in an out-of-bounds access.  A local, unprivileged user could use
this flaw to execute arbitrary code and escalate privileges.


* CVE-2017-16995: Privilege escalation in BPF 32-bit immediate handling.

The BPF verifier sign-extended the immediate of 32-bit moves
(BPF_MOV32_IMM) when recording a register's known value, while the
interpreter and JIT zero-extend it.  A register could therefore be tracked
as holding a value it never holds at runtime, letting a crafted program
pass verification with paths the verifier never examined.  A local,
unprivileged user could use this flaw to execute arbitrary code and
escalate privileges.
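To make the mismatch concrete, the following C program is an added
example written for this page; it is not kernel code and not part of the
advisory. It pairs a deliberately simplified model of the verifier's
constant tracking (MOV32_IMM, JNE_IMM, EXIT and a stand-in UNSAFE_OP are the
only instructions, and UNSAFE_OP represents anything the verifier must
reject, such as an out-of-bounds map access) with the runtime semantics of
the same instructions. The sample program is constructed: with the pre-fix
sign extension the verifier believes the conditional jump never fires and
accepts the program without ever examining the instruction after the exit,
while at runtime the jump is taken and the unverified instruction executes.
Widening the immediate as an unsigned 32-bit value, as the fix does, makes
the verifier follow the jump and reject the program.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tiny subset of the BPF instruction set, enough to model the bug class. */
enum op { MOV32_IMM, JNE_IMM, UNSAFE_OP, EXIT };

struct insn {
    enum op op;
    int dst;        /* destination register index */
    int32_t imm;    /* signed 32-bit immediate, as in struct bpf_insn */
    int off;        /* jump offset, relative to the next instruction */
};

#define NREGS 2

/* Runtime semantics (interpreter / JIT): a 32-bit ALU move zero-extends the
 * immediate into the 64-bit register; the 64-bit JMP class compares against
 * the sign-extended immediate. Returns r0 and reports whether UNSAFE_OP ran. */
static uint64_t run(const struct insn *prog, int n, bool *ran_unsafe)
{
    uint64_t r[NREGS] = {0};
    *ran_unsafe = false;
    for (int pc = 0; pc >= 0 && pc < n; ) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case MOV32_IMM: r[i->dst] = (uint32_t)i->imm; pc++; break;
        case JNE_IMM:   pc += 1 + ((r[i->dst] != (uint64_t)(int64_t)i->imm) ? i->off : 0); break;
        case UNSAFE_OP: *ran_unsafe = true; pc++; break;
        case EXIT:      return r[0];
        }
    }
    return r[0];
}

/* The verifier's view: a per-register "known constant" abstraction. A branch
 * whose outcome is known is followed one way only; the other target is never
 * examined. `fixed` selects the corrected widening of the immediate. */
struct track { bool known; uint64_t val; };
struct state { struct track r[NREGS]; };

static bool explore(const struct insn *prog, int n, int pc, struct state st,
                    bool fixed, int budget)
{
    while (pc >= 0 && pc < n && budget-- > 0) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case MOV32_IMM:
            st.r[i->dst].known = true;
            /* The bug: pre-fix, the s32 immediate was sign-extended to 64 bits
             * here, although the runtime zero-extends it. */
            st.r[i->dst].val = fixed ? (uint64_t)(uint32_t)i->imm
                                     : (uint64_t)(int64_t)i->imm;
            pc++;
            break;
        case JNE_IMM: {
            uint64_t k = (uint64_t)(int64_t)i->imm;
            if (!st.r[i->dst].known)   /* unknown value: both paths must be safe */
                return explore(prog, n, pc + 1, st, fixed, budget) &&
                       explore(prog, n, pc + 1 + i->off, st, fixed, budget);
            pc += 1 + ((st.r[i->dst].val != k) ? i->off : 0);
            break;
        }
        case UNSAFE_OP: return false;   /* verifier rejects the program */
        case EXIT:      return true;
        }
    }
    return false;   /* fell off the end or exhausted the budget: reject */
}

static bool verify(const struct insn *prog, int n, bool fixed)
{
    struct state st = {{{false, 0}, {false, 0}}};
    return explore(prog, n, 0, st, fixed, 16 * n);
}

/* Constructed sample program: r1 = 0xffffffff looks like -1 to the pre-fix
 * verifier, so it believes the JNE at index 1 always falls through to the
 * exit at index 3 and never looks at index 4. */
static const struct insn sample[] = {
    { MOV32_IMM, 1, -1, 0 },   /* r1 = (u32)-1 = 0xffffffff at runtime */
    { JNE_IMM,   1, -1, 2 },   /* if r1 != (s64)-1 goto +2 */
    { MOV32_IMM, 0,  0, 0 },   /* r0 = 0 */
    { EXIT,      0,  0, 0 },
    { UNSAFE_OP, 0,  0, 0 },   /* unverified pre-fix, executed at runtime */
    { EXIT,      0,  0, 0 },
};
#define SAMPLE_LEN ((int)(sizeof(sample) / sizeof(sample[0])))

static bool sample_runtime_executes_unverified(void)
{
    bool ran_unsafe = false;
    run(sample, SAMPLE_LEN, &ran_unsafe);
    return ran_unsafe;
}

int main(void)
{
    printf("pre-fix verifier accepts sample: %s\n", verify(sample, SAMPLE_LEN, false) ? "yes" : "no");
    printf("fixed verifier accepts sample:   %s\n", verify(sample, SAMPLE_LEN, true) ? "yes" : "no");
    printf("runtime reaches the unverified instruction: %s\n",
           sample_runtime_executes_unverified() ? "yes" : "no");
    return 0;
}
```

The general hazard is the same one behind CVE-2017-17862 above: anything the
verifier never examined but the interpreter or JIT still processes is
outside the safety argument, whether it got there through a mis-tracked
value or through branch pruning.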


* CVE-2017-17864: Information leak in BPF conditional verification.

Incorrect state-equality checks in the BPF verifier, which could treat a
pointer and an unknown scalar value as equivalent register states when
comparing program paths, could allow a local, unprivileged user to leak
kernel addresses.


* CVE-2017-16644: Denial-of-service in Hauppauge HD PVR driver.

Incorrect error handling during device probe for a Hauppauge HD PVR
device could result in a kernel crash.  A user with physical access to
the system and a malicious device could use this flaw to crash the
system.


* CVE-2017-17712: Information leak in raw IPv4 socket sendmsg().

A race condition between raw_sendmsg() and a concurrent change of the
IP_HDRINCL socket option on an IPv4 raw socket could leave stack memory
uninitialized and allow a local user to leak the contents of kernel memory.


* CVE-2017-17805: Denial-of-service in Salsa20 cipher.

Incorrect handling of zero-length input in the Salsa20 implementation
could result in an invalid pointer dereference and kernel crash.  A local,
unprivileged user could use this flaw to crash the system, or potentially,
escalate privileges.


* CVE-2017-17806: Denial-of-service in HMAC algorithms.

The HMAC implementation did not verify that the underlying hash algorithm
is unkeyed, so requesting an HMAC over a hash that itself takes a key
could result in buffer overflows or other undefined behaviour.  A local,
unprivileged user could use this flaw to crash the system, or potentially,
escalate privileges.


* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.

Incorrect handling of short EFS elements when parsing L2CAP configuration
messages could allow a remote Bluetooth peer to leak the contents of
kernel stack memory.


* CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.

An out-of-bounds access in the kvm_mmio tracepoint could result in a
kernel crash.  A malicious guest could use this flaw to crash the
virtualization host.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




