[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (4.12.8-300.fc26)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Aug 25 11:15:58 PDT 2017


Synopsis: 4.12.8-300.fc26 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2017-1000112 CVE-2017-12134

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, 4.12.8-300.fc26.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
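The two install paths above depend on a single setting in /etc/uptrack/uptrack.conf. The script below is an added example, not Oracle's tooling or part of this advisory: it reads the autoinstall key from the configuration file (ignoring commented-out lines and a missing file), reports whether the host will pick up the 4.12.8-300.fc26 updates on its own or needs a manual uptrack-upgrade, and checks the running kernel against the version this advisory covers. The function names and the UPTRACK_CONF override are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether this Fedora 26 host
# needs a manual "uptrack-upgrade -y" or will autoinstall the updates.

# Print "auto" if autoinstall is enabled in the given uptrack.conf,
# "manual" otherwise (including when the file is missing or the key
# only appears in a comment). The path argument exists so the function
# can be exercised against a constructed config file.
uptrack_mode() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    # Drop comment lines, extract the value of "autoinstall = ...",
    # and keep the last occurrence in case the key is set twice.
    val=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
          | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
          | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) echo auto ;;
        *)            echo manual ;;
    esac
}

# Return 0 when the supplied kernel release string is the one this
# advisory covers, 1 otherwise. Pass "$(uname -r)" in real use.
kernel_is_advisory_target() {
    [ "$1" = "4.12.8-300.fc26" ]
}

# Produce the one-line action for an administrator, given a config path
# and a kernel release string.
advise() {
    conf="$1"
    krel="$2"
    if ! kernel_is_advisory_target "$krel"; then
        echo "kernel $krel is not 4.12.8-300.fc26; this advisory does not apply"
        return 0
    fi
    if [ "$(uptrack_mode "$conf")" = auto ]; then
        echo "autoinstall = yes: Ksplice updates will be installed automatically"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y as root"
    fi
}

# Usage on a live host (UPTRACK_CONF override is an assumption of this example):
advise "${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}" "$(uname -r)"
```

Because Ksplice applies the fixes to the running kernel, the version check is deliberately against `uname -r` rather than the installed kernel package: a host that has the new RPM installed but has not rebooted is still running an older kernel and is outside the scope of this advisory.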


DESCRIPTION

* Improved fix for CVE-2017-1000112: Privilege escalation using the UDP Fragmentation Offload (UFO) code.

Multiple missing checks on header length when using the UDP Fragmentation
Offload (UFO) protocol while sending packets could lead to out-of-bounds
accesses. A local attacker with the CAP_NET_RAW capability, or on a system
with unprivileged user namespaces enabled, could use this flaw to cause a
denial-of-service or execute arbitrary code.


* CVE-2017-12134, XSA-229: Privilege escalation in Xen block IO requests.

Incorrect merging of block IO vectors could result in corruption of data
accesses to/from a block device. A malicious guest could use this flaw
to crash the host, or potentially, gain privileges in the host.


* Array underflow when using SCSI procfs entries.

A missing check when writing into the SCSI procfs entry /proc/scsi/scsi
could lead to an array underflow. A local attacker could use this flaw
to cause a denial-of-service.


* Out-of-bounds access when sending QoS station command to Intel Wireless driver.

A logic error when sending a QoS station command to the Intel Wireless WiFi
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when registering Broadcom FullMAC WLAN driver over SDIO.

A redundant allocation when registering a Broadcom FullMAC WLAN device
over the SDIO bus could lead to a memory leak. A local attacker could
register this driver multiple times to cause a denial-of-service.


* Privilege escalation using raw capture ioctl from TI Davinci V4L2 driver.

Logic errors in the raw capture ioctl of the TI Davinci V4L2 driver could
lead to privilege escalation through a user-controlled memory pointer. A
local attacker could use this flaw to escalate privileges.


* Denial-of-service when using Generic Target Core Mod from userspace.

A missing initialization of stack data when queueing a command from
userspace to the Generic Target Core Mod could lead to a kernel assert or
a memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* Data corruption using ext4 resize command.

A missing cast when using the ext4 resize command could lead to data
corruption on the filesystem.


* Privilege escalation when changing a file access control in ext4.

Incorrect error handling when changing file access control on an ext4
filesystem could lead to privilege escalation by not setting the correct
access control. A local attacker could use this flaw to escalate
privileges.


* Permissions bypass using setxattr syscall on OCFS2 filesystem.

A logic error when inheriting the access control list from a parent
directory after setting an extended attribute on an OCFS2 filesystem could
lead to a permission bypass. A local attacker could use this flaw to
access sensitive information.


* CVE-2016-7097: Permissions bypass using setxattr syscall on ext4 filesystem.

A logic error when inheriting the access control list from a parent
directory after setting an extended attribute on an ext4 filesystem could
lead to a permission bypass. A local attacker could use this flaw to
access sensitive information.


* Array overflow when sending an INIT ACK command over SCTP.

An error in array initialization when sending a SCTP_CMD_GEN_INIT_ACK
(INIT ACK) command over SCTP could lead to an array overflow. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when using TCP syncookie over IPV4 or IPV6.

A missing initialization when using TCP syncookies over IPV4 or IPV6 could
lead to the use of uninitialized memory. A local attacker could use this
flaw to cause a denial-of-service.


* Out-of-bounds access when passing network interface name.

A missing check on a user-provided network interface name could lead to
out-of-bounds accesses. A local attacker could use this flaw to cause a
denial-of-service.


* Array overflow when setting MAC address on a routing netlink socket interface.

A logic error when setting the MAC address on a routing netlink socket
interface could lead to an array overflow. A local attacker could use
this flaw to cause a denial-of-service.


* Information leak when sending packet over MosChip MCS7780 IrDA-USB dongle.

Use of an on-stack buffer for a USB transfer when sending a packet over a
MosChip MCS7780 IrDA-USB dongle could leak stack information. A local
attacker could use this flaw to leak information about the running kernel
and facilitate an attack.


* Out-of-bounds access when using Netfilter connection tracking on Open vSwitch socket.

A missing check when configuring Netfilter connection tracking on an Open
vSwitch socket could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Use-after-free when setting socket option on Packet family socket.

A missing check when setting a socket option on a Packet family socket could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Multiple memory leaks when using DCCP Protocol over IPV4 or IPV6.

Missing checks when using the DCCP protocol over IPV4 or IPV6 could lead to
memory leaks. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when sending command over MLX5 driver.

A redundant free when sending a command over the Mellanox Technologies
ConnectX-4 and Connect-IB (MLX5) driver could lead to a use-after-free.
A local attacker could use this flaw to cause a denial-of-service.


* Memory leak when sending command over MLX5 driver.

A missing free when sending a command over the Mellanox Technologies
ConnectX-4 and Connect-IB (MLX5) driver could lead to a memory leak. A
local attacker could use this flaw to cause a denial-of-service.


* Memory leak when sending command over MLX5 driver.

A missing free when sending a command over the Mellanox Technologies
ConnectX-4 and Connect-IB (MLX5) driver could lead to a memory leak. A
local attacker could use this flaw to cause a denial-of-service.


* Uninitialized memory access when sending packets over IPV6 SCTP socket.

A missing check when sending packets over an IPV6 SCTP socket could lead to
an uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak when receiving packets over UDP6 socket.

A missing free when receiving packets over a UDP6 socket could lead to a
memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when unregistering an unconfigured network interface.

A missing check when unregistering a network interface with no
configured IP address could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Divide by zero when using Fastopen TCP socket option.

A missing check when using the TCP Fastopen socket option could lead to a
divide by zero. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when using TCP_FASTOPEN_CONNECT option on TCP socket.

A missing check when using the TCP_FASTOPEN_CONNECT option on a TCP socket
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when disconnecting USB WWAN LTE/3G devices.

A missing check on disconnect when using USB WWAN LTE/3G devices could
lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* List corruption when setting shared memory attributes.

A logic error when setting shared memory attributes while shared memory
pages are being shrunk could lead to list corruption. A local
attacker could use this flaw to cause a denial-of-service.


* Memory leak when discarding block I/O on XFS filesystem.

A missing reference release when discarding block I/O on an XFS filesystem
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak when sending text command to iSCSI Target Mode Stack driver.

A missing free when sending a text command to the iSCSI Target Mode Stack
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* Memory leak when using NFS Flexfiles client.

A missing free when using the NFS Flexfiles client could lead to a memory
leak. A local attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access when setting palette/gamma unit in Intel I915 GPU driver.

A logic error when setting the palette/gamma unit in the Intel I915 GPU driver
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service when using network scheduler with iptables.

Missing initializations when using the network scheduler with iptables could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.