[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (4.9.144-3)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Feb 28 00:37:35 PST 2019


Synopsis: 4.9.144-3 can now be patched using Ksplice
CVEs: CVE-2017-18249 CVE-2017-5715 CVE-2018-1129 CVE-2018-12896 CVE-2018-13053 CVE-2018-13096 CVE-2018-13097 CVE-2018-13100 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612 CVE-2018-14614 CVE-2018-14633 CVE-2018-16862 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19407 CVE-2018-3639 CVE-2018-5848

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, 4.9.144-3.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Invalid memory access when getting user queue pairs in VMware VMCI driver.

A logic error when getting user queue pairs in VMware VMCI driver could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service when handling packets over IPv6 over Low power Wireless Personal Area Network.

A logic error when handling packets over IPv6 over Low power Wireless
Personal Area Network could lead to a kernel assert. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.
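The missing check that entry describes, as an added illustration: this is not the kernel's code and not the Ksplice patch, but a userspace reimplementation of a saturating 64-bit nanosecond add with the semantics of the kernel's ktime_add_safe(), shown beside the unchecked add that wraps. The type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a signed 64-bit nanosecond timestamp, as ktime_t is. */
typedef int64_t ktime_ns;
#define KTIME_NS_MAX INT64_MAX

/*
 * Unchecked add: the pattern the entry describes. Done on the unsigned
 * representation so the wraparound is well-defined in this example rather
 * than undefined behaviour; the result is still wrong (a negative or
 * far-past deadline) when now + delta does not fit in 64 bits.
 */
static ktime_ns deadline_unchecked(ktime_ns now, ktime_ns delta)
{
    return (ktime_ns)((uint64_t)now + (uint64_t)delta);
}

/*
 * Checked add: detect signed overflow and saturate to KTIME_NS_MAX, so a
 * huge caller-supplied delta yields "sleep until the end of time" instead
 * of a wrapped, already-expired deadline. Same outcome as ktime_add_safe().
 */
static ktime_ns deadline_saturating(ktime_ns now, ktime_ns delta)
{
    ktime_ns res;

    if (__builtin_add_overflow(now, delta, &res))
        return KTIME_NS_MAX;
    return res;
}

int main(void)
{
    /* Constructed inputs: a timestamp near the end of the range plus a small delta. */
    ktime_ns now = KTIME_NS_MAX - 10;
    ktime_ns delta = 100;

    printf("unchecked:  %lld\n", (long long)deadline_unchecked(now, delta));
    printf("saturating: %lld\n", (long long)deadline_saturating(now, delta));
    return 0;
}
```

The unchecked variant prints a negative deadline for these inputs; the saturating variant clamps to INT64_MAX, which is the behaviour the upstream fix restores.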


* Use-after-free when registering error detection and correction driver for Intel i7 processors.

Wrong error handling when registering the error detection and correction
driver for Intel i7 processors could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free when claiming USB interface.

A logic error in error path when claiming USB interface could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when configuring USB host.

A missing check when configuring USB host could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in Intel Omni-Path HFI SDMA request.

A failure to properly validate user input in the Intel hfi code
could result in a NULL pointer dereference.  This could be exploited
to cause a denial-of-service.


* CVE-2018-14633: Stack buffer overflow in iSCSI target CHAP authentication.

A missing length check when processing a CHAP authentication request in
the iSCSI target code could lead to a stack buffer overflow. A remote
attacker able to connect to the iSCSI target could use this flaw to crash
the system or potentially gain unauthorized access to data exported by the
target.


* NULL pointer dereference when setting ring parameters of e1000 network interface.

A logic error when setting ring parameters of e1000 network interface
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when setting ring parameters of e1000 network interface.

A missing free of resources when setting ring parameters of e1000
network interface could lead to a memory leak. A local attacker could
use this flaw to exhaust kernel memory and cause a denial-of-service.


* NULL pointer dereference when passing Fast Transition Information Element to the WLAN driver.

A missing check when passing Fast Transition Information Element to the
WLAN driver could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.

Incorrect locking when initializing an OCFS2 DLM lock resource could
result in memory corruption and a kernel crash.


* Kernel crash during device mapper cache resize operation.

A failure to reload dm-cache information during a resize operation can
result in a kernel crash.


* Deadlock in CPU hotplug cgroup migration.

A logic error can result in a terminating process causing a deadlock if
it is migrated between cpuset cgroups whilst it is being terminated.


* Use-after-free in ath10k command tracing.

A race condition in the ath10k driver can result in a tracepoint handler
accessing memory which has already been freed.


* Denial-of-service during Flash-Friendly filesystem mount.

A logic error in the f2fs mount code could lead to an invalid memory
access and possible kernel panic.  This could be exploited to cause
a denial-of-service.


* Use-after-free during RDMA Userspace Connection Manager close.

A race condition between closing a userspace RDMA connection and an IP
resolution call can result in a use-after-free. A local user with access
to RDMA could use this flaw to cause a kernel crash or potentially
escalate privileges.


* NULL pointer dereference during UBIFS mount.

A missing NULL pointer check when reading the device name in a UBIFS
filesystem can result in a NULL pointer dereference, leading to a kernel
crash.


* Kernel crash during ath10k scan operation.

A logic error when calculating the size of a scan message in the ath10k
driver can result in an out-of-bounds write, leading to memory
corruption and a kernel crash.


* Kernel crash in ebtables target validation.

A failure to validate information from userspace can result in an
out-of-bounds memory access leading to a kernel crash.


* Kernel crash during HD audio device initialisation.

A race condition during initialisation of an HD audio device can result
in an interrupt being delivered before the driver is ready to receive
it, leading to a kernel crash.


* Kernel crash in ACPI i2c transaction execution.

A failure to correctly set the length of an i2c transaction can result
in the kernel reading an invalid value, leading to a kernel crash.


* Denial-of-service in IPv4 and IPv6 tunnel packet transmission.

An incorrect assumption in the IPv4 and IPv6 tunnel implementations can
result in attempting to access uninitialized memory, leading to undefined
behavior. A local user with access to an IP tunnel could use this flaw
to cause a denial of service.


* Use-after-free in IP ancillary message reception.

Reading a stale IP header value in the ancillary message path can result
in a use-after-free.


* Use-after-free in IPv6 raw socket header sending.

A failure in the ipv6 error handling code could lead to a
use-after-free and possible kernel panic.  This could be
exploited to cause a denial-of-service.


* Denial-of-service in netlink IPv4 netlabel management.

An incorrect assumption about the format of a netlink netlabel request
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to configure netlabels could use this flaw
to cause a kernel crash.


* Kernel crash during SMSC75xx unbinding.

A failure to cancel delayed work in the SMSC75xx USB network driver can result
in a NULL pointer dereference after the driver has been unbound.


* Deadlock during enslave of network interface to team device.

Attaching the same network interface to a team device can result in a double
lock, leading to a deadlock. A local user with the ability to configure network
interfaces could use this flaw to cause a denial-of-service.


* Out-of-bounds write in AF9035 DVB tuner i2c implementation.

A logic error when transferring a small number of bytes via an i2c
interface to an AF9035 DVB tuner can result in an integer underflow,
leading to an out-of-bounds memory write. A local user with access to an
AF9035 DVB tuner could use this flaw to cause a denial-of-service.


* Invalid memory access in B.A.T.M.A.N. Advanced sysfs access.

Logic errors in the batman-adv code could result in an invalid memory
access and possible memory corruption or kernel panic.  This could be
exploited to cause a denial-of-service.


* Invalid memory access in IBM vSCSI target string handling.

Logic errors in the ibm vscsi code could result in invalid memory
accesses, which could be exploited for a denial-of-service attack.


* Kernel crash during USB serial gadget TTY close.

A race condition when closing a TTY session for a USB serial device
gadget can result in a NULL pointer dereference, leading to a kernel
crash.


* Invalid memory access in Intel Omni-Path HFI Service Level handling.

A failure to validate user input in the service level handling code
for the Intel hfi could cause an out-of-bounds array access, leading
to possible memory corruption or kernel crash. This could be used to
cause a denial-of-service.


* CVE-2018-17972: Information leak in kernel stack dumps in /proc.

A missing permissions check in the proc code could allow an unprivileged
user to access the kernel stack memory space.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* Invalid memory access when reopening a TTY device.

A race condition when reopening a TTY device could lead to an invalid
memory access. A local attacker could use this flaw to cause a
denial-of-service.


* Undefined behavior in XFRM selector.

A failure to properly validate user input in the xfrm selector can
lead to undefined and invalid behavior.


* Denial-of-service in XFRM user templates with IP_XFRM_POLICY.

A failure to validate user input in the xfrm code could lead to
a invalid memory read and possible kernel panic.  This could be
exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds check bypass on nl80211 with TXRATE_HT.

A missing use of the array_index_nospec() bounds-clipping macro in the
nl80211 code with NL80211_TXRATE_HT set could allow a user-controlled index
to be used speculatively past its bounds check. A local attacker could use
this flaw to leak information about the running system.


* Denial-of-service in Bluetooth device unpair.

A race condition in the Bluetooth code could cause an invalid memory
access and subsequent kernel crashing if unpair_device gets called
at the same time that a device pairing is in progress.


* Invalid memory access in CHELSIO T3 ioctl.

A failure to completely verify user-supplied memory in the cxgb3 code
could allow a malicious user to modify memory used in the driver, leading
to undefined behavior.


* Use-after-free when sending command over MLX5 driver.

Redundant free when sending command over Mellanox Technologies
ConnectX-4 and Connect-IB (MLX5) driver could lead to a use-after-free.
A local attacker could use this flaw to cause a denial-of-service.


* Divide by zero error when using Mellanox Technologies ConnectX-4 Ethernet driver.

A missing check when using Mellanox Technologies ConnectX-4 driver could
lead to a divide by zero error. A local attacker could use this flaw to
cause a denial-of-service.


* Deadlock when using Mellanox Technologies ConnectX-4 and Connect-IB core driver.

A locking error in health code of Mellanox Technologies ConnectX-4 and
Connect-IB core driver could lead to a deadlock. A local attacker could
use this flaw to cause a denial-of-service.


* Reference leak in RDS endpoint setup.

Missing reference count releases when setting up an Infiniband RDS
endpoint could result in later RDS socket failures.


* Denial-of-service while copying a large file on an OCFS2 filesystem.

A locking error while copying a large file on an OCFS2 filesystem while
changing file attributes could lead to a deadlock. A local attacker could
use this flaw to cause a denial-of-service.


* NULL pointer dereference when accepting or peeling off an SCTP socket.

A logic error when accepting or peeling off an SCTP socket could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak when using IEEE 802.1AE MAC-level encryption.

A missing free when encrypting or decrypting frames with IEEE 802.1AE
(MACsec) MAC-level encryption could lead to a memory leak. A local
attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* Denial-of-service when removing USB3 device.

A double-free bug when removing USB3 devices leads to a NULL pointer
dereference. This can be triggered in the device's "safely remove"
feature path and lead to a denial-of-service.


* NULL pointer dereference during Elastic Network Adapter bringup.

A race condition during the initialization of the ENA network driver can
result in a kernel crash.


* Denial-of-service in IPv6 netfilter with IPv6 defragmentation.

A logic error in the netfilter code could result in a kernel crash
with ipv6 packets.  This could be used for a denial-of-service.


* Use-after-free in IPv6 multicast check.

A race condition in the ipv6 code could lead to a use-after-free
condition while checking the packet.  This could be used for a
denial-of-service attack.


* Invalid memory access in ethtool ioctl.

A failure to properly check user-supplied memory in the ethtool code
could allow a malicious user to modify memory that is used by the kernel,
leading to undefined behavior.


* Use-after-free in SCTP ID association lookup.

A race condition in the sctp code could result in a use-after-free
condition.  This could be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds check bypass in Vhost ioctl.

A missing use of the array_index_nospec() bounds-clipping macro in the
vhost ioctl code could allow a user-controlled index to be used
speculatively past its bounds check. A local attacker could use this flaw
to leak information about the running system.


* Privilege escalation in ethtool ethcmd.

A failure to properly check user input in the ethtool code could allow
a malicious user to change memory in use by the ethtool code in order
to execute commands they lack the privilege for.


* Uninitialized memory access in Rtnetlink forwarding database configuration.

A failure to properly check the device type in rtnetlink could cause the
rtnetlink code to attempt to configure an invalid device, making it
use uninitialized memory.  This could be exploited by a malicious user.


* Denial-of-service when resetting an AHCI SATA controller.

A missing check of the return code when resetting an AHCI SATA controller
could lead to an invalid memory access. A local attacker could use this
flaw to cause a denial-of-service.


* Improved fix for Spectre v1: bounds-check bypass in PTP clock driver.

A missing use of the array_index_nospec() bounds-clipping macro in the PTP
clock driver could allow a user-controlled index to be used speculatively
past its bounds check. A local attacker could use this flaw to leak
information about the running system.


* Improved fix for Spectre v1: bounds-check bypass in Infiniband driver.

A missing use of the array_index_nospec() bounds-clipping macro in the
Infiniband driver could allow a user-controlled index to be used
speculatively past its bounds check. A local attacker could use this flaw
to leak information about the running system.


* Use-after-free when mounting a JFFS2 filesystem with an invalid mount option.

A missing free of resources when mounting a JFFS2 filesystem with an
invalid mount option could lead to a use-after-free. A local attacker
could use this flaw to cause a denial-of-service.


* Denial-of-service when using an ioctl of LSI Logic MegaRAID SAS RAID Module.

A missing check when using FIRMWARE32 ioctl of LSI Logic MegaRAID SAS
RAID Module could lead to an invalid memory access. A local attacker
could use this flaw to cause a denial-of-service.


* Stack corruption in Infiniband ICMP send control buffer management.

A failure to clear a control buffer when sending an ICMP packet over Infiniband
can result in stack corruption.


* Use-after-free in VMWare Virtual Machine Communication Interface wildcards.

A validation failure when adding VMCI resources can result in a duplicate entry
leading to refcount errors which can result in a use-after-free. A local user
with the ability to configure VMCI could use this flaw to cause a kernel crash
or potentially escalate privileges.


* Out-of-bounds access in iwlwifi rate management.

A failure to handle an error case can result in an out-of-bounds memory access,
leading to undefined behavior or a kernel crash.


* Use-after-free in the journaling layer for block devices.

A locking error in the journaling layer for block devices could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when mounting a GFS2 filesystem.

A missing check on user input when mounting a GFS2 filesystem could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Improved fix for Spectre v1: bounds-check bypass in Human Interface Device driver.

Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Interface Device (HID) driver. A local
user could use this flaw to facilitate a further attack on the system.


* Out-of-bounds access in LRW crypto driver.

A logic error in LRW crypto driver could lead to an overflow and an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Reserved page accounting imbalance with hugetlbfs mappings.

Incorrect handling of dirty hugetlbfs pages could result in a reserved
page count underflow when dropping filesystem caches under specific
conditions.


* Denial-of-service when closing NFSD transport layer.

A logic error when closing NFSD transport layer could lead to a kernel
panic. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in a print in lockd driver.

A logic error in a print in lockd driver could lead to an out-of-bounds
access. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when using ioctl of Multiple devices driver.

A logic error when using ioctl of Multiple devices driver could lead to
an invalid memory access. A local attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service in V4L2 Test Pattern Generator.

A type error when displaying test patterns in V4L2 can result in an
out-of-bounds memory access, leading to a kernel crash. A local user could use
this flaw to cause a denial-of-service.


* Out-of-bounds access in TVP5150 V4L2 driver menu query.

A logic error when creating menu items in the TVP5150 V4L2 driver can result in
an out-of-bounds memory access, leading to a kernel crash or other undefined
behavior.


* Out-of-bounds access when using a crafted CRAMFS filesystem.

A logic error when reading block offsets in a CRAMFS filesystem could
lead to an out-of-bounds access. A local attacker could use a crafted
CRAMFS filesystem to cause a denial-of-service.


* Denial-of-service when walking up a BTRFS tree.

A logic error when walking up a BTRFS tree could lead to a kernel assert.
A local attacker could use this flaw and a crafted BTRFS filesystem to
cause a denial-of-service.


* Denial-of-service when allocating BTRFS tree.

A missing check when allocating BTRFS tree could cause a deadlock. A
local attacker could use this flaw with a crafted BTRFS filesystem to
cause a denial-of-service.


* Kernel crash during IO error handling in BTRFS shutdown.

A logic error when encountering an IO error during unmount of a BTRFS
filesystem can result in a NULL pointer dereference, leading to a kernel crash.


* Denial-of-service when using caching on BTRFS filesystem.

A logic error when using caching on BTRFS filesystem could lead to a
kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference on compressing in BTRFS filesystem.

A logic error when compressing in BTRFS filesystem could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in TTY driver lookup.

Incorrect string validation could result in a NULL pointer dereference
and kernel crash when looking for a polling console driver.


* Use-after-free in Plan9 network protocol statistics cleanup.

Failure to reinitialize pointers on Plan9 statistics cleanup could
result in a use-after-free and kernel crash.


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.


* Use-after-free in FUSE filesystem device reads and writes.

A race condition when performing reads and writes to a FUSE filesystem
device could result in a use-after-free and kernel crash.


* Task hang in FUSE filesystem request completion.

Incorrect synchronization could result in failure to wake up a task on
FUSE filesystem request completion leading to application hangs.


* Denial-of-service when querying ethernet statistics.

Failure to validate the stat type when performing a query on an e1000
network adapter leads to a NULL pointer dereference. A local user could
exploit this to cause a denial-of-service.


* Information leak when getting information about QLogic BR-series Converged Network adapter.

A logic error when getting information about QLogic BR-series Converged
Network adapter could lead to an information leak. A local
attacker could use this flaw to leak information about running kernel
and facilitate an attack.


* Use-after-free in Ceph dentry splicing.

Incorrect reference counting could result in a use-after-free and kernel
crash when splicing a Ceph dentry to an inode.


* Use-after-free in OCFS2 metadata corruption cleanup.

Incorrect reference counting could result in a use-after-free of a block
buffer head.


* Kernel crash in TTY baud rate setting.

Missing bounds checking in the TTY baud rate setting code could result
in an out-of-bounds access and kernel crash or information leak.


* Kernel crash in BTRFS copy-on-write failure.

Incorrect cleanup during copy-on-write failure for a BTRFS filesystem
could result in triggering a kernel assertion and crash.


* BTRFS file corruption during block cloning.

Failure to clone the final block of a file could result in data
corruption of the cloned file under specific conditions.


* Denial-of-service in EXT4 buffer management.

Multiple buffer leaks in the EXT4 filesystem could result in resource
leaks and a denial of service.


* Information disclosure via bind mount manipulation.

A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.


* Information leak via bind mount manipulation.

A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.


* Use-after-free in FUSE asynchronous direct IO.

A use-after-free when performing FUSE asynchronous direct IO operations
could result in a kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* Resource leak in FUSE filesystem notification response.

Missing error handling could result in a resource leak and unkillable
tasks under specific conditions during connection reset.


* Kernel crash in HugeTLB copying during unsharing.

A race condition when changing the protections of a HugeTLB page and
forking the process could result in triggering a kernel assertion and
crash.


* Potential denial-of-service in Broadcom TG3 ethernet driver.

In extremely high-traffic scenarios, the Broadcom TG3 ethernet driver
might cause a lockup in the associated device's layer-1 chip,
potentially resulting in a denial of network service.


* NULL dereference while cloning files on CIFS.

There is a potential NULL dereference while cloning a range of bytes for
copy-on-write on a CIFS filesystem.  This could potentially be exploited
by a local attacker to cause a denial-of-service.


* Memory leak in GFS2 filesystem bitmap buffers.

Missing resource frees for a GFS2 filesystem could result in a memory
leak.  A local user with privileges to mount a filesystem could use this
flaw to exhaust system memory.


* BTRFS filesystem corruption in transaction aborts.

Missing locking when destroying a pinned extent could result in
filesystem corruption during transaction aborts.


* NULL dereference while loading userspace I/O driver.

The userspace I/O driver can potentially attempt to access an
uninitialized pointer while the module is loading.  This leads
to a NULL dereference and subsequent kernel panic.  This flaw
could potentially be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Information leak in SGI GRU driver.

An unsanitized user-controlled value is used as an index to a buffer
in SGI's Global Reference Unit driver.  This could be exploited to leak
information about the running system.
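The mitigation the Spectre v1 entries above (nl80211, vhost, PTP, Infiniband, HID and this SGI GRU fix) all add, as an added illustration rather than the kernel's code or the Ksplice patch: a userspace reimplementation of the generic array_index_mask_nospec() / array_index_nospec() from the kernel's include/linux/nospec.h, with the unhardened lookup pattern beside its hardened form. The lookup table and the lookup function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Added example: same arithmetic as the kernel's generic
 * array_index_mask_nospec(). Returns ~0UL when index < size and 0
 * otherwise, with no branch, so the mask is correct even while the CPU is
 * speculating down the wrong side of a mispredicted bounds check.
 * Relies on arithmetic right shift of a negative long, as the kernel does.
 */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clip index to [0, size): unchanged when in bounds, 0 when out of bounds. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed table standing in for a kernel array indexed by a user-supplied value. */
static const uint32_t table[4] = { 0x11, 0x22, 0x33, 0x44 };
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/*
 * The pattern the entries describe: the check is correct architecturally,
 * but the load may execute speculatively with idx >= TABLE_LEN and leave a
 * cache footprint that depends on out-of-bounds memory.
 * Returns the element, or -1 when idx is rejected.
 */
static long lookup_unhardened(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return -1;
    return table[idx];                 /* speculative OOB read possible here */
}

/* Hardened form: the index fed to the load is clipped to the array even under speculation. */
static long lookup_hardened(unsigned long idx)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx = array_index_nospec(idx, TABLE_LEN);
    return table[idx];
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 4, ~0UL };
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("idx=%lu mask=%#lx clipped=%lu hardened=%ld\n",
               probes[i], array_index_mask_nospec(probes[i], TABLE_LEN),
               array_index_nospec(probes[i], TABLE_LEN), lookup_hardened(probes[i]));
    return 0;
}
```

The mask is built from the same index and size the bounds check used, so the clipped index is in range on both the architectural and the speculative path; that is why upstream fixes of this class consist of one added array_index_nospec() call after an otherwise correct check.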


* Information leak in uhid character device driver.

Under certain circumstances, the uhid character device driver will
allow kernel memory to be copied from a user specified location.  This
flaw could be exploited to leak information about the running system.


* Memory corruption when failing readdir on 9Pfs.

When failing a readdir on the Plan 9 Filesystem Protocol, the stat
structure might be improperly freed twice, resulting in memory
corruption or a potential denial-of-service.


* Use-after-free when disconnecting sctp connection with outstanding data.

If an sctp connection is shut down with data still remaining to be sent,
in rare cases the structures holding this data can be accessed after
they are freed, resulting in potential memory corruption or a
denial-of-service.


* Use-after-free in link-layer with non-TCP/DCCP traffic.

When receiving data from a non-TCP or DCCP protocol, a race condition
might occur between processing data received on the link and freeing it.
This results in a use-after-free, and potential memory corruption or
denial-of-service.


* Denial-of-service when accessing arvif list in Atheros 802.11ac wireless cards driver.

A locking error when accessing arvif list in Atheros 802.11ac wireless
cards driver could lead to a kernel panic. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when dequeuing skb in Marvell WiFi-Ex driver.

A logic error when dequeuing skb in Marvell WiFi-Ex driver could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds accesses in Universal Flash Storage Controller driver.

Multiple errors in Universal Flash Storage Controller driver could lead
to out-of-bounds accesses or NULL pointer dereferences. A local attacker
could use this flaw to cause a denial-of-service.


* Potential information leak via lingering terminal buffer.

In several cases, data in terminal buffers is not cleared after use.
This data would be a valuable target for malicious users.


* Denial-of-service in tmpfs page release path.

When a hugepage backed tmpfs filesystem is under heavy load, a kernel
assertion can fail while attempting to free backing pages, due to a
race with a hugepage split operation.  A malicious local attacker could
exploit this flaw to cause a denial-of-service.


* Unsafe locking in hugepage split path.

The hugepage split path attempts to take a lock that is not IRQ-safe,
without disabling interrupts.  This can lead to unexpected behavior,
including a potential deadlock.


* Use-after-free when disconnecting a Empia EM28xx USB device.

A logic error when disconnecting a Empia EM28xx USB device could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Packet loss due to incorrect flagging in networking core.

A failure to clear a flag on forwarded packets in the networking core
can lead to the packets being blocked unexpectedly.  This could cause
unexpected behavior.


* Use-after-free in RapidIO Ethernet over messaging driver.

A logic error in RapidIO Ethernet over messaging driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Shadow page table corruption during emulated writes.

A race condition while writing to KVM's shadow page tables can lead
to guest PTEs and shadow PTEs being out of sync.  This can cause
unexpected behavior, including improper memory accesses.


* Improved fix for CVE-2017-5715: Information leak due to missing IBPB calls in SVM.

A potential Spectre v2 attack vector exists in the KVM code that
supports SVM-enabled processors, due to a failure to call
indirect_branch_prediction_barrier when freeing vcpus.  This can be
exploited by a local attacker to leak information about the running
system.


* CVE-2018-19407: Denial-of-service in KVM IOAPIC scan.

A missing safety check in KVM's IOAPIC scan path can cause the kernel
to attempt access certain objects that have not been initialized.  This
can cause unexpected behavior, including a potential system crash.


* Buffer overflow in btrfs_control_ioctl.

A failure to check that a user-supplied string is NULL-terminated can
lead to a buffer overflow in the btrfs ioctl handler.  This could lead
to unexpected behavior, including a potential denial-of-service.


* Shift overflow during AC97-SPSA control write.

A logic error in the AC97 driver's snd_ac97_put_spsa routine can cause
a bitwise shift exponent to be calculated incorrectly, resulting in a
shift operation that overflows beyond the 32 bits allocated to store
the result.  This could result in unexpected behavior on some systems.


* Use-after-free in sound driver control interface.

A race condition exists in the sound driver core when processes
concurrently add and remove user control elements.  This race can result
in a use-after-free, which can cause unexpected behavior, including a
potential system crash.


* Use-after-free when setting extended attributes for EXT2 filesystems.

A refcount error when setting extended attributes for EXT2 filesystems
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* NULL dereference in DRM open path.

Improper handling of an error condition while attempting to open the
/dev/drm device file can lead to a NULL dereference and subsequent
kernel panic.  This could potentially be used by a local attacker to
cause a denial-of-service.


* Information leak when getting attributes in Chelsio Communications FCoE driver.

Multiple logic errors when getting attributes in the Chelsio Communications
FCoE driver could lead to an information leak. A local attacker could
use this flaw to leak information about the running kernel and facilitate
a further attack.


* Race condition when creating vcpu on SVM causes guest failure.

Missing synchronization when creating the vcpu for an SVM guest could
result in a race condition, preventing the proper creation of a memory
region and causing a disruption in guest machine creation.


* Use-after-free when dumping free space in BTRFS filesystem.

A locking issue when dumping free space in BTRFS filesystem could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-16862: Potential memory corruption in inode truncation path.

A logic error in the memory manager's inode truncation path can lead to
an inode not being properly cleaned up.  If another file is created with
the same inode, it is possible to read old leftover data, instead of
the expected data, when attempting to read the new file.  This could
cause a system to exhibit unexpected behavior.


* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak for eBPF.

A malicious eBPF program could mount a speculative store bypass attack and
leak kernel memory if the eBPF verifier's hardening is not applied and the
SSBD mitigation is not enabled while the program runs.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to an integer overflow and
undefined behaviour. A local user could use this flaw to cause memory
corruption and potentially escalate privileges.


* CVE-2018-14611: Use-after-free when reading invalid BTRFS chunk.

A failure to validate the type of a BTRFS chunk can result in a
use-after-free. A local user with the ability to mount a crafted BTRFS
filesystem could use this flaw to potentially escalate privileges.


* CVE-2018-14610: Denial-of-service due to invalid BTRFS chunk block mappings.

A failure to validate chunk and block mappings during mount of a BTRFS
filesystem can result in a kernel crash. A local user with the ability
to mount a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* CVE-2018-18690: XFS filesystem failure during extended attribute replacement.

Incorrect handling of extended attribute replacement on an XFS
filesystem could result in a filesystem shutdown. A local, unprivileged
user could use this flaw to trigger a denial-of-service.


* CVE-2018-12896: Denial-of-service via POSIX timer overflow.

The POSIX timer overrun value can overflow an integer if the timer has a
sufficiently long interval and expiry time. A malicious user could
create such a timer to cause a denial-of-service.


* CVE-2018-1129: Signature check bypass of cephx message.

An incorrect computation of the message signature in the cephx
authentication protocol could let an attacker bypass the signature check
and alter the message payload. Note that existing ceph clients will not
be protected against this CVE until they are restarted.


* CVE-2018-14612: NULL pointer dereference when using btrfs image with missing group items.

A missing check when using a crafted btrfs image with an unbalanced
number of chunks and groups could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-18249: Denial-of-service when handling node ids in F2FS filesystem.

A race condition in the way node ids are handled in the F2FS filesystem
could be used by a local attacker to cause a denial-of-service.


* CVE-2018-13097: Out-of-bounds access in superblock of F2FS filesystem.

A missing check in the code handling the superblock of the F2FS
filesystem could lead to an out-of-bounds access or a divide-by-zero
error. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-14614: Out-of-bounds access when removing dirty segment in F2FS filesystem.

A logic error when removing a dirty segment in the F2FS filesystem could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when uninitializing framebuffer for bochs driver.

A logic error when uninitializing the framebuffer in the bochs driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* Invalid memory access when doing an incremental send in BTRFS driver.

A logic error when doing an incremental send in the BTRFS driver could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.


* Use-after-free in perf subsystem when iterating children siblings.

A race condition in the perf subsystem when iterating over children
siblings could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Use-after-free when unloading USB/IP virtual USB device controller driver.

A logic error when unloading the USB/IP virtual USB device controller
driver could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Multiple memory leaks in QLogic QED driver.

Several logic errors in the QLogic QED driver can lead to memory leaks.
These flaws could potentially be exploited to waste system resources
and degrade performance.


* Denial-of-service when using platform CAN driver.

A missing check when using the platform CAN driver could lead to a
kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when building SIT entries in F2FS filesystem.

A missing check when building SIT entries in the F2FS filesystem could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2018-13096: Out-of-bounds access when mounting F2FS image.

A logic error when mounting a specially crafted F2FS image with an
abnormal bitmap size could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2018-13100: Denial-of-service when mounting a crafted F2FS image with an invalid secs_per_zone.

A missing check when mounting a crafted F2FS image with an invalid
secs_per_zone could lead to a divide-by-zero error. A local attacker
could use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
