[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-3981-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Sep 26 04:58:42 PDT 2017


Synopsis: DSA-3981-1 can now be patched using Ksplice
CVEs: CVE-2017-1000111 CVE-2017-1000112 CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000371 CVE-2017-1000380 CVE-2017-11600 CVE-2017-12134 CVE-2017-12153 CVE-2017-12154 CVE-2017-14051 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-14497 CVE-2017-7518 CVE-2017-7558

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-3981-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-7518: Privilege escalation in the KVM instruction emulation subsystem.

An implementation error in KVM's emulation of the syscall instruction
(the single-step debug exception, #DB, is not handled correctly after the
emulated instruction) leads to a kernel exception being raised in user
space. A user or process inside a guest could use this flaw to
potentially escalate privileges inside that guest.


* CVE-2017-1000371: Privilege escalation when executing an ELF shared object file.

A logic error when loading a shared object (ET_DYN) ELF file, such as a
position-independent executable, could facilitate an exploit leading to
privilege escalation.


* CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

A missing data initialization and a race condition when reading timer
information for ALSA devices from user space could lead to an information
leak. A local attacker could use this flaw to obtain information about
the running kernel and facilitate a further attack.


* CVE-2017-11600: Out-of-bounds access in the network transformation (xfrm) user configuration interface.

A missing check on user-controlled input in the network transformation
(xfrm) user configuration interface could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-1000111: Privilege escalation when setting options on an AF_PACKET socket.

Missing locking when setting options on an AF_PACKET socket could lead to
an out-of-bounds access. A local attacker with the CAP_NET_RAW capability,
or on a system with unprivileged user namespaces enabled, could use this
flaw to cause a denial-of-service or execute arbitrary code.


* CVE-2017-1000112: Privilege escalation using the UDP Fragmentation Offload (UFO) code.

Multiple missing checks on header lengths when UDP Fragmentation Offload
(UFO) is used while sending packets could lead to out-of-bounds accesses.
A local attacker with the CAP_NET_RAW capability, or on a system with
unprivileged user namespaces enabled, could use this flaw to cause a
denial-of-service or execute arbitrary code.
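
The two AF_PACKET/UFO entries above share one precondition: the attacker
needs CAP_NET_RAW, which an unprivileged user gets for free inside a user
namespace when the kernel allows creating them. The following shell script
is an added example, not part of this advisory or of Ksplice, that checks
that precondition on a host before the update lands. It assumes the
Debian kernel's kernel.unprivileged_userns_clone sysctl (present on
stretch's 4.9 kernel, default 0) and the upstream user.max_user_namespaces
sysctl; the ROOT prefix and the function names are assumptions for
illustration so the logic can be exercised against a constructed /proc
tree.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Ksplice): decide whether an
# unprivileged local user can obtain CAP_NET_RAW through a user namespace,
# which is the precondition for reaching the AF_PACKET setsockopt and UFO
# paths behind CVE-2017-1000111 and CVE-2017-1000112 without root.
#
# Assumptions: the Debian kernel's kernel.unprivileged_userns_clone sysctl
# (stretch's 4.9 kernel, default 0) and the upstream user.max_user_namespaces
# sysctl.  ROOT is an optional prefix so the logic can be exercised against a
# constructed /proc tree; pass "/" or nothing on a live system.

# userns_exposure [ROOT] -> prints exposed|restricted|unknown, returns 0|1|2
userns_exposure() {
    root="${1:-}"
    root="${root%/}"
    clone_file="$root/proc/sys/kernel/unprivileged_userns_clone"
    max_file="$root/proc/sys/user/max_user_namespaces"
    clone=unset
    max=unset
    if [ -r "$clone_file" ]; then read -r clone < "$clone_file"; fi
    if [ -r "$max_file" ]; then read -r max < "$max_file"; fi

    case "$clone:$max" in
        0:*|*:0)
            # Either switch is off: unshare(CLONE_NEWUSER) fails for non-root.
            echo restricted; return 1 ;;
        unset:unset)
            # Neither sysctl exists: cannot tell from /proc alone.
            echo unknown; return 2 ;;
        *)
            echo exposed; return 0 ;;
    esac
}

# Live confirmation: actually try to create a user+network namespace, which
# is exactly what an exploit for these CVEs would do first.  Needs the
# util-linux unshare(1) binary; only meaningful on the real system.
userns_live_probe() {
    if unshare -U -n true 2>/dev/null; then
        echo exposed; return 0
    fi
    echo restricted; return 1
}

# Report on the running system when executed directly.  A non-zero status
# is the result, not an error, so do not let it abort the script.
userns_exposure "${1:-/}" || true
```

"restricted" means the attacker needs CAP_NET_RAW by some other route
(a setuid helper, a container runtime granting it); "exposed" means any
local shell can reach the vulnerable code, so the Ksplice update should
go on immediately rather than at the next maintenance window.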


* CVE-2017-7558: Information disclosure in SCTP diagnostic reporting.

Incorrect sanitisation of information in the SCTP diagnostic information
reporting can result in uninitialised memory being provided to
userspace.  A local user could use this flaw to facilitate a further
attack on the kernel.


* CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.

Incorrect merging of block IO vectors could result in corruption of data
accesses to/from a block device.  A malicious guest could use this flaw
to crash the host, or potentially, gain privileges in the host.


* CVE-2017-12153: NULL pointer dereference in the Wireless configuration layer.

A failure to verify netlink attributes existence before processing them
could lead to a NULL pointer dereference.  A local user with CAP_NET_ADMIN
could use this flaw to cause a denial-of-service.


* CVE-2017-12154: Denial-of-service when using KVM nested virtualization.

A missing flag when setting up nested virtualization with KVM could give
an L2 guest direct access to the CR8 (task priority) register. A local
attacker in the L2 guest could use this register to mask external
interrupts and cause a denial-of-service.


* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* CVE-2017-14140: ASLR bypass due to insufficient permission checks in move_pages.

A failure to correctly check permissions when using the move_pages
system call can allow an attacker to map out the address space of another
process running under the same uid. A local user could use this flaw to
facilitate a further attack.


* CVE-2017-14156: Information leak in the ATI Rage 128 video driver when copying clock information.

A missing struct initialization when copying clock information could lead
to uninitialized memory being leaked to userspace.  This could help an
attacker bypass protections like ASLR or infer memory layouts that would
otherwise be hidden.


* CVE-2017-14340: Denial-of-service when flushing data on XFS without a realtime device.

Lack of input validation before trying to flush data to a realtime device
on XFS, where that device might not be present, leads to a NULL pointer
dereference. A local, unprivileged user can use this flaw to cause a
denial-of-service.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds of data read from a netlink socket
in the SCSI transport layer could lead to a NULL pointer dereference. A
local user could use this flaw to cause a denial-of-service.


* CVE-2017-1000251: Stack buffer overflow in Bluetooth L2CAP configuration parsing.

Incorrect parsing of a Bluetooth L2CAP configuration buffer could allow
it to overwrite data on the kernel stack, potentially allowing a remote
attacker within Bluetooth radio range to execute arbitrary code in the
kernel.
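
This is the only remotely reachable entry in the list, and it only
matters on hosts where the Bluetooth stack is actually present. The
shell script below is an added example, not part of this advisory or of
Ksplice, for triaging that before the update is applied. It assumes the
/proc/modules line format (module name first) and that a built-in stack
(CONFIG_BT=y) shows up under /sys/module/bluetooth; the ROOT prefix and
the function names are assumptions for illustration so the check can run
against a constructed tree.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Ksplice): report whether the
# kernel Bluetooth stack, which contains the L2CAP parser affected by
# CVE-2017-1000251, is present on this host, and which adapters it drives.
# No stack: the entry is moot here.  Stack plus a powered adapter: the kernel
# is reachable from any device in radio range until the update is applied.
#
# Assumptions: /proc/modules lists loaded modules one per line with the name
# first; a built-in stack (CONFIG_BT=y) is visible as /sys/module/bluetooth.
# ROOT is an optional prefix so the logic can run against a constructed tree.

# bt_stack_loaded [ROOT] -> prints loaded|absent, returns 0|1
bt_stack_loaded() {
    root="${1:-}"
    root="${root%/}"
    # Anchor on "bluetooth " so bluetooth_6lowpan or btusb alone do not match.
    if [ -r "$root/proc/modules" ] && grep -q '^bluetooth ' "$root/proc/modules"; then
        echo loaded; return 0
    fi
    if [ -d "$root/sys/module/bluetooth" ]; then
        echo loaded; return 0
    fi
    echo absent; return 1
}

# bt_adapters [ROOT] -> prints the hci* adapter names registered with the stack,
# one per line (nothing printed means no radio is attached).
bt_adapters() {
    root="${1:-}"
    root="${root%/}"
    for dev in "$root"/sys/class/bluetooth/hci*; do
        [ -e "$dev" ] && echo "${dev##*/}"
    done
}

# Report on the running system when executed directly.  A non-zero status
# is the result, not an error, so do not let it abort the script.
bt_stack_loaded "${1:-/}" || true
bt_adapters "${1:-/}"
```

On a server that reports "absent", blacklisting the module is a
reasonable belt-and-braces step; on a laptop that reports "loaded" with
an hci0 adapter, the Ksplice update is the only fix short of powering the
radio off.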


* CVE-2017-14497: Buffer overflow when setting options on an AF_PACKET socket.

A missing check when setting options on an AF_PACKET socket could lead to
a buffer overflow driven by user-controlled input. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-1000252: Denial-of-service when receiving out-of-bounds KVM guest interrupts.

A kernel assertion triggered when receiving out-of-bounds guest interrupts
in KVM could lead to a kernel hang. A local attacker in a guest VM could
use this flaw to cause a denial-of-service.


* CVE-2017-14106: Divide-by-zero on TCP disconnect.

A missing initialization of the TCP Maximum Segment Size (MSS) to the
minimum allowed MSS value could lead to a division by zero on TCP
disconnect. A local user could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
