[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4120)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Mar 8 04:05:57 PST 2018


Synopsis: DSA-4120 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-11472 CVE-2017-13166 CVE-2017-15129 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18075 CVE-2017-5753 CVE-2018-1000028 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344 CVE-2018-5750

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4120.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
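As an added example, not code from the Ksplice announcement: a POSIX shell script that checks whether autoinstall is enabled in /etc/uptrack/uptrack.conf and whether the installed Ksplice updates listed by uptrack-show cover every CVE in this advisory. The one-update-per-line format of uptrack-show output is an assumption, and the sample output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: check whether a host
# has the autoinstall setting enabled and whether its installed Ksplice
# updates cover every CVE in this advisory (DSA-4120).
# Assumption: `uptrack-show` lists one installed update per line with the
# CVE ids in the description; that format is not verified against a live host.
# CVE list copied from the advisory header above.
DSA4120_CVES="CVE-2017-0861 CVE-2017-11472 CVE-2017-13166 CVE-2017-15129
CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18075
CVE-2017-5753 CVE-2018-1000028 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344
CVE-2018-5750"

# Print the CVEs from the list $2 that do not appear anywhere in the text $1.
missing_cves() {
    shown=$1; missing=""
    for cve in $2; do
        # -w matches whole ids, so CVE-2018-533 is not satisfied by CVE-2018-5332
        if ! printf '%s\n' "$shown" | grep -qFw -e "$cve"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Succeed if the given uptrack.conf has an active "autoinstall = yes" line
# (comment lines and surrounding whitespace are tolerated).
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Constructed sample of uptrack-show output (not captured from a real host).
SAMPLE_SHOW='Installed updates:
[abcd1234] CVE-2017-16912, CVE-2017-16913: Denial-of-service in USBIP command validation.
[efgh5678] CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.'

if [ "${1:-}" = "--live" ]; then
    SHOW=$(uptrack-show 2>/dev/null)
    autoinstall_enabled /etc/uptrack/uptrack.conf && echo "autoinstall is enabled" \
        || echo "autoinstall is not enabled; run: /usr/sbin/uptrack-upgrade -y"
else
    SHOW=$SAMPLE_SHOW
fi

MISSING=$(missing_cves "$SHOW" "$DSA4120_CVES")
if [ -n "$MISSING" ]; then
    echo "DSA-4120 CVEs not covered by installed Ksplice updates: $MISSING"
else
    echo "All DSA-4120 CVEs are covered by installed Ksplice updates."
fi
```

Run with `--live` on a Ksplice host to query the real uptrack-show output; without it the script reports against the constructed sample.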


DESCRIPTION

* CVE-2017-16912, CVE-2017-16913: Denial-of-service in USBIP command validation.

A validation error when parsing information from a USB over IP packet
can result in an out-of-bounds memory access leading to a Kernel crash.
A remote USB over IP client could use this flaw to cause a
denial-of-service.


* CVE-2017-16914: Denial-of-service in USB over IP NULL transfer buffer handling.

A failure to correctly validate a NULL transfer buffer in the USB over
IP subsystem can result in a NULL pointer dereference, leading to a
Kernel crash. A local user with access to a USB over IP device could use
this flaw to cause a denial-of-service.


* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.

A race condition in the net namespace code could lead to a double
free and memory corruption.


* CVE-2017-18075: Denial-of-service in freeing of parallel crypto wrapper.

A logic error when freeing a parallel crypto wrapper instance can result
in an incorrect free, leading to a Kernel crash or other unspecified
behaviour. A local user could use this flaw to cause a
denial-of-service.


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

A missing variable reinitialization when freeing resources in Reliable
Datagram Sockets driver could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-16911: Information disclosure in USB over IP HCI status report.

A failure to correctly sanitize information reported by the Kernel about
a USB over IP HCI device can result in a sensitive memory address being
disclosed to userspace. A local, unprivileged user could use this flaw
to facilitate a further attack.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2018-1000028: Permission bypass when using rootsquash with NFS.

A logic error when using the rootsquash feature of NFS could lead to a
permission bypass. A remote attacker could use this flaw to access
sensitive information stored on a shared filesystem.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-11472: Information leak when handling invalid ACPI operations.

A logic error when handling invalid ACPI operations could lead to a
kernel stack dump and leak information. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* Improved fix for CVE-2017-5753: Speculative execution in KVM VMCS field-to-offset table.

The KVM VMCS field-to-offset table is vulnerable to a Spectre variant 1
side-channel attack. An unprivileged guest could exploit this flaw to
read arbitrary memory in the host.


* CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.

An overly verbose printk when registering the ACPI Smart Battery System
driver leaks kernel addresses. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* NULL pointer dereference in ipv6 route additions and deletions.

A failure to properly register and unregister ipv6 routes could lead to
a NULL pointer dereference and kernel crash. An attacker could exploit
this to cause a denial-of-service.


* Missing unlock in xfs inode reclaim causes potential stall.

In rare cases, an error path when freeing unused inodes failed to unlock
a read-copy-update lock before returning. This could potentially cause a
system stall.


* Double-free in SCTP message send.

When sending an SCTP message, a flawed state transition could cause the
socket's association structure to be freed twice, potentially corrupting
memory or causing a denial-of-service.


* Memory leak when listening to Transparent Inter Process Communication socket.

A missing free in an error path when listening to a Transparent Inter
Process Communication (TIPC) socket could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* NULL pointer dereference when setting options for an RDS over InfiniBand socket.

A missing check when setting the RDS_GET_MR option on an RDS over
InfiniBand socket could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free while removing a packet socket from a fanout group.

A logic error while removing a packet socket from a fanout group could
lead to a race condition. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when binding a packet on a socket while a notification is raised.

A race condition when binding a packet on a socket while a notification
is raised on this socket could lead to a kernel assert. A local attacker
could use this flaw to cause a denial-of-service.


* Invalid memory access when inserting a request socket into the TCP inet hashtable.

A logic error when inserting a request socket into the TCP inet hashtable
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Divide by zero error when using an IP bearer with the TIPC protocol.

A logic error when using an IP bearer with the TIPC protocol could lead to
a divide by zero error. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in netfilter rule removal.

A logic error in the netfilter code could result in a use-after-free
and possible kernel panic when removing a rule from a table.


* Permissions bypass in XenStore via invalid transaction id.

XenStore transaction ids are not correctly validated on every request.
This could potentially allow one XenStore user to intercept data from
another.


* Kernel panic in NFS4 server during unlock.

A typo in the NFS4 code could lead to a panic on the server side
with an "unable to handle kernel page request" while doing an unlock.


* Kernel panic in USB xhci removal.

A missing check in the USB xhci code could cause a kernel panic
if remove is called shortly after a probe. A malicious user could
exploit this to cause a denial-of-service.


* Memory leak in Kvaser USB CAN vehicle bus error paths.

Missing cleanup in error paths when transferring data to the USB bus
could cause the request buffer to be leaked, causing performance
degradation and an eventual denial-of-service.


* Denial-of-service in various USB CAN drivers.

Incorrect logic when disconnecting several USB CAN vehicle bus devices
could send the driver into an infinite loop, stalling the CPU and
causing a denial-of-service.


* Data corruption in SCSI non-coherent DMA mode when flushing cache.

The generic SCSI backend does not properly guarantee the alignment of
its DMA buffers, potentially allowing them to become corrupted if the
associated memory cache becomes invalidated, causing a possible
denial-of-service.


* Information leak in Abstract Syntax Notation One decoder.

When decoding an Abstract Syntax Notation One structure, indefinite-sized
items were not properly bounds-checked. This could allow a specially
crafted ASN.1 message to reveal kernel memory.


* Memory leak in Abstract Syntax Notation One decoder.

When decoding Abstract Syntax Notation One structures, certain
operations failed to free their associated memory. This could allow a
user to deliberately leak kernel memory, causing a potential
denial-of-service.


* Out-of-bound stack write in ALSA sound device descriptor.

When reading the AudioControl Interface Descriptor for an ALSA sound
device, an iClockSource value of 0 could cause the driver to improperly
write memory out of bounds in the stack, potentially causing a
denial-of-service.


* Invalid memory access when accessing a DiBcom 3000P/M-C tuner device.

An invalid setup of USB DMA when accessing a DiBcom 3000P/M-C tuner device
could lead to invalid memory accesses. A local attacker could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in Broadcom bnx2x PTP device time counter.

Accessing a PTP device with its associated bnx2x interface down causes
an invalid access of the device's time counter structure, causing a
kernel crash and denial-of-service.


* Potential buffer overrun in Broadcom bnx2x driver multicast.

The Broadcom bnx2x network driver does not properly check the number of
multicast addresses it broadcasts to, potentially allowing a buffer
overflow and corruption of associated memory.


* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.

Logic errors in multiple V4L2 ioctls could lead to execution at
arbitrary addresses supplied from user space. A local attacker could use
this flaw to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
