[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4308-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Oct 5 09:44:48 PDT 2018


Synopsis: DSA-4308-1 can now be patched using Ksplice
CVEs: CVE-2018-10902 CVE-2018-10938 CVE-2018-13099 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-17182 CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363 CVE-2018-9516

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4308-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error in a floppy disk driver ioctl handler could leak a kernel
address to userspace.  A local attacker could use this flaw to learn the
address of the running kernel and defeat KASLR, facilitating a further attack.


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption.  This could be exploited to cause a denial-of-service.


* CVE-2018-14734: Use-after-free in Infiniband leave_multicast function.

A race condition in the infiniband code could allow the leave_multicast
function to use a structure that was allocated but subsequently freed in
the process_join function, leading to memory corruption and possible system
crash.


* CVE-2018-10938: Remote denial-of-service in IPv4 options handling.

A flaw in IPv4 CIPSO option handling could cause an infinite loop,
allowing a remote attacker to trigger a denial of service with crafted
packets in some configurations.
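The infinite-loop class described above, as an added example that is not
code from the advisory or from the kernel: a stand-alone walker over an
IPv4 options block, written in the general shape such TLV walkers take,
with the zero-length-option mistake beside a hardened version.  The option
codes follow RFC 791 (END, NOOP) and RFC 2108 (CIPSO); the buffer layout,
the step cap and the sample option blocks are constructed for illustration
and are assumptions, not the kernel's data structures.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type codes: END and NOOP from RFC 791, CIPSO from RFC 2108. */
#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_CIPSO 134

/* Cap so the flawed walker returns instead of hanging in this demo;
 * a real packet receive path has no such guard. */
#define MAX_STEPS 1000

/* Flawed walker: the classic TLV mistake.  A zero option length makes
 * "pos += taglen" a no-op, so the loop never advances, and CIPSO is
 * returned before its length is validated.
 * Returns the offset of the CIPSO option, -1 if absent, or -2 if the
 * loop hit MAX_STEPS (i.e. it would spin forever on a real path). */
int find_cipso_flawed(const uint8_t *opt, int optlen)
{
    int pos = 0, steps = 0;
    while (optlen > 0) {
        int taglen;
        if (++steps > MAX_STEPS)
            return -2;
        switch (opt[pos]) {
        case IPOPT_CIPSO:
            return pos;          /* length never checked */
        case IPOPT_END:
            return -1;
        case IPOPT_NOOP:
            taglen = 1;
            break;
        default:
            taglen = opt[pos + 1];   /* attacker-controlled; may be 0 */
        }
        optlen -= taglen;
        pos += taglen;
    }
    return -1;
}

/* Hardened walker: require type and length bytes to be present, reject a
 * zero length (no progress) and a length past the end of the block, and
 * only accept CIPSO after its length has passed those checks. */
int find_cipso_hardened(const uint8_t *opt, int optlen)
{
    int pos = 0;
    while (optlen > 1) {
        int taglen;
        switch (opt[pos]) {
        case IPOPT_END:
            return -1;
        case IPOPT_NOOP:
            taglen = 1;
            break;
        default:
            taglen = opt[pos + 1];
        }
        if (taglen == 0 || taglen > optlen)
            return -1;           /* malformed: stop, never spin */
        if (opt[pos] == IPOPT_CIPSO)
            return pos;
        optlen -= taglen;
        pos += taglen;
    }
    return -1;
}

/* Constructed sample option blocks (not captured traffic). */
static const uint8_t sample_benign[]   = {1, 1, 134, 6, 0, 0, 0, 1};  /* NOOP NOOP CIPSO(len 6) */
static const uint8_t sample_zero_len[] = {1, 130, 0, 0};              /* NOOP, option 130 with length 0 */
static const uint8_t sample_overlong[] = {134, 40, 0, 0};             /* CIPSO claiming 40 bytes in a 4-byte block */

int main(void)
{
    printf("benign:   flawed=%d hardened=%d\n",
           find_cipso_flawed(sample_benign, sizeof sample_benign),
           find_cipso_hardened(sample_benign, sizeof sample_benign));
    printf("zero-len: flawed=%d hardened=%d\n",
           find_cipso_flawed(sample_zero_len, sizeof sample_zero_len),
           find_cipso_hardened(sample_zero_len, sizeof sample_zero_len));
    printf("overlong: flawed=%d hardened=%d\n",
           find_cipso_flawed(sample_overlong, sizeof sample_overlong),
           find_cipso_hardened(sample_overlong, sizeof sample_overlong));
    return 0;
}
```

The zero-length block is the case that matters for a remote denial of
service: the flawed loop makes no progress and, without the demo's step
cap, would spin in softirq context for every such packet.  The overlong
block shows the second half of the hardening, rejecting an option whose
declared length runs past the end of the options area rather than handing
it to the CIPSO parser.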


* CVE-2018-16276: Privilege escalation in USB Yurex read handler.

A logic error in the USB Yurex read handler could cause the driver to
write past the end of the buffer supplied by the reading process,
corrupting that process's memory and potentially allowing escalation of
privileges within userspace.


* CVE-2018-16658: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-14678: Privilege escalation in Xen PV guests.

Incorrect register accounting during paravirtualized failsafe callbacks
could result in the use of uninitialized memory and a kernel crash or
potentially escalation of privileges in a paravirtualized guest.


* CVE-2018-6554: Denial-of-service in IRDA socket binding.

Repeated calls to bind() on an IRDA socket could cause a memory leak
resulting in a denial of service by a local, unprivileged user.


* CVE-2018-6555: Privilege escalation in IRDA setsockopt().

Missing liveness checks could result in a use-after-free when performing
setsockopt() on an IRDA socket.  A local, unprivileged user could use
this flaw to corrupt kernel memory and potentially escalate privileges.


* CVE-2018-9363: Remote code execution in Bluetooth HIDP driver.

An integer overflow in the Bluetooth HIDP driver could result in a
buffer overflow and memory corruption.  A remote attacker could use this
flaw to trigger a denial of service or potentially gain code execution.


* CVE-2018-14633: Information leak in iSCSI CHAP authentication.

A stack buffer overflow in the iSCSI CHAP authentication MD5 computation
could result in an out-of-bounds access, causing a denial of service or
potentially leaking sensitive data to an unauthenticated remote user.


* CVE-2018-9516: Denial-of-service in Bluetooth HIDP debug events.

Missing bounds checks in the Bluetooth HIDP debugfs functions could
result in an out of bounds access and kernel crash, triggerable by a
privileged user.


* CVE-2018-13099: Use-after-free in F2FS inline inodes.

Missing error checking for F2FS inline inodes could result in a
use-after-free and kernel crash.  A user with the ability to mount
filesystems could use a maliciously crafted filesystem image to crash
the system or potentially escalate privileges.


* NULL pointer dereference in BTRFS relocation cleanup.

A missing NULL pointer check could result in a kernel crash when
mounting a corrupted filesystem.  A user with the ability to mount
filesystems could use this flaw to crash the system with a maliciously
crafted image.


* CVE-2018-14617: Denial-of-service in HFS+ filesystem mounting.

A logic error when mounting an HFS+ filesystem could result in a NULL
pointer dereference and kernel crash.  A local user with the ability to
mount filesystems could use this flaw to crash the system with a
maliciously crafted filesystem image.


* CVE-2018-15572: Information leak in context switches (SpectreRSB).

Missing RSB fills on some CPU families during context switch could allow
leaking of information between processes with a Spectre v2 attack.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-15594

CVE-2018-15594 is a Spectre v2 leak in paravirt kernels.  This impacts
Xen and KVM VM guest kernels where retpoline is used as the Spectre v2
mitigation.  Enabling IBRS for Spectre v2 mitigation or upgrading to a
newer kernel mitigates CVE-2018-15594.


* CVE-2018-17182: Privilege escalation in VMA cache flushing.

A failure to correctly invalidate the per-thread VMA cache when its
sequence number overflows can result in a use-after-free.  An
unprivileged local user could use this flaw to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.