[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (FEDORA-2017-ba6b6e71f7)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Dec 22 11:42:34 PST 2017


Synopsis: FEDORA-2017-ba6b6e71f7 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-1000407 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-8824

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2017-ba6b6e71f7.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
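The two paths above (automatic installation when "autoinstall = yes" is set, otherwise a manual uptrack-upgrade run) can be decided from the configuration file alone. The following POSIX shell helper is an added example, not Oracle's or the Ksplice project's code: it reads the key/value lines of /etc/uptrack/uptrack.conf (the path named in this advisory), skipping comment lines and section headers, and reports which action an operator needs to take. The function names, the "no-uptrack-config" marker and the sample configurations in the demo are this example's own inventions; only the file path, the "autoinstall = yes" setting and the "/usr/sbin/uptrack-upgrade -y" command come from the advisory.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a Ksplice Uptrack host will
# pick this update up automatically or needs "uptrack-upgrade -y" run by hand.

# Default path is the one this advisory names; override via UPTRACK_CONF.
UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# uptrack_setting KEY CONF
# Print the first value of KEY found in CONF, accepting both "key = value" and
# "key=value", ignoring '#'/';' comment lines and "[Section]" headers.
# Prints nothing when the key is absent; returns 1 when CONF is unreadable.
uptrack_setting() {
    key="$1"
    conf="$2"
    [ -r "$conf" ] || return 1
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/   { next }                 # section header
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")           # drop "key ="
            sub(/[ \t]+$/, "")                 # drop trailing blanks
            print; exit
        }
    ' "$conf"
}

# uptrack_autoinstall_enabled CONF
# Succeeds only when the file carries "autoinstall = yes" (compared
# case-insensitively; the advisory shows the lowercase form).
uptrack_autoinstall_enabled() {
    val=$(uptrack_setting autoinstall "$1" | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# ksplice_update_action [CONF]
# Prints "automatic", "manual: run /usr/sbin/uptrack-upgrade -y", or a
# "no-uptrack-config:" marker (exit 2) when the configuration cannot be read.
ksplice_update_action() {
    conf="${1:-$UPTRACK_CONF}"
    if [ ! -r "$conf" ]; then
        echo "no-uptrack-config: cannot read $conf"
        return 2
    fi
    if uptrack_autoinstall_enabled "$conf"; then
        echo "automatic"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demo on constructed configuration files (run with --demo). The contents
# below are made up for this example; a commented-out line must not count.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '[Settings]\n# autoinstall = no\nautoinstall = yes\n' > "$tmp/auto.conf"
    printf '[Settings]\nautoinstall = no\n' > "$tmp/manual.conf"
    echo "auto.conf   -> $(ksplice_update_action "$tmp/auto.conf")"
    echo "manual.conf -> $(ksplice_update_action "$tmp/manual.conf")"
    rm -rf "$tmp"
fi
```

Run it as `sh ksplice_action.sh --demo` to see both outcomes on the constructed files, or call `ksplice_update_action` with no argument on a real host to read the live /etc/uptrack/uptrack.conf. A missing or unreadable configuration is reported separately from "manual" so that a fleet-wide check does not silently treat hosts without Uptrack as hosts that merely need the upgrade command.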


DESCRIPTION

* Buffer overrun in serial device bus error handling.

Missing validation of buffers received from serial device bus drivers
could cause reads outside the intended bounds when an unexpected value was
received. A local, unprivileged user could use this flaw to cause a
denial-of-service or gain information about the running kernel.


* NULL pointer dereference in serial device bus hangup.

When hanging up a terminal device in the serdev serial device bus
driver, a missing reference count could allow a data race and a
NULL pointer dereference, resulting in a denial-of-service.


* Memory leak in Kvaser USB CAN vehicle bus error paths.

Missing cleanup in error paths when transferring data to the USB bus
could cause the request buffer to be leaked, causing performance
degradation and an eventual denial-of-service.


* Denial-of-service in various USB CAN drivers.

Incorrect logic when disconnecting several USB CAN vehicle bus devices
could send the driver into an infinite loop, stalling the CPU and
causing a denial-of-service.


* Data corruption in SCSI non-coherent DMA mode when flushing cache.

The generic SCSI backend does not properly guarantee the alignment of
its DMA buffers, potentially allowing them to become corrupted if the
associated memory cache becomes invalidated, causing a possible
denial-of-service.


* Information leak in Abstract Syntax Notation One decoder.

When decoding an Abstract Syntax Notation One structure, indefinite-sized
items were not properly bounds-checked. This could allow a specially
crafted ASN.1 message to reveal kernel memory.


* Memory leak in Abstract Syntax Notation One decoder.

When decoding Abstract Syntax Notation One structures, certain
operations failed to free their associated memory. This could allow a
user to deliberately leak kernel memory, causing a potential
denial-of-service.


* Permissions bypass when requesting key on default keyring.

When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* Out-of-bound stack write in ALSA sound device descriptor.

When reading the AudioControl Interface Descriptor for an ALSA sound
device, an iClockSource value of 0 could cause the driver to improperly
write memory out of bounds in the stack, potentially causing a
denial-of-service.


* Invalid memory access when accessing DiBcom 3000P/M-C Tuner device.

An invalid setup of USB DMA when accessing the DiBcom 3000P/M-C tuner
device could lead to invalid memory accesses. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash. An attacker could use this flaw
to cause a host denial-of-service from the guest.


* Memory leak in Redpine Signals wireless card driver.

When communicating with a Redpine Signals wireless card, in cases where
the read or write length is invalid, the driver allocates memory and does
not release it, which could eventually lead to a denial-of-service.


* Missing unlock in xfs inode reclaim causes potential stall.

In rare cases, an error path when freeing unused inodes failed to unlock
a read-copy-update lock before returning. This could potentially cause a
system stall.


* Double-free in SCTP message send.

When sending an SCTP message, a flawed state transition could cause the
socket's association structure to be freed twice, potentially corrupting
memory or causing a denial-of-service.


* Information leak in Transport Layer Security AEAD request.

When allocating memory for an Authenticated Encryption with Associated
Data request, the Transport Layer Security code fails to initialize the
unused parts of the buffer, potentially exposing kernel memory.


* CVE-2017-8824: Privilege escalation when calling the connect() system call on a DCCP socket.

A missing free when calling the connect() system call on a DCCP socket
while it is in the DCCP_LISTEN state could lead to a use-after-free. A
local attacker could use this flaw to escalate privileges.


* CVE-2017-17558: Buffer overrun in USB core via integer overflow.

Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.


* CVE-2017-17450: Unprivileged access to netlink namespaces.

A missing permission check in the netfilter xt_osf code allows an
unprivileged user to create user and net namespaces without the proper
permissions.


* CVE-2017-17448: Unprivileged access to netlink namespace creation.

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.


* CVE-2017-17449: Missing permission check in netlink monitoring.

Netlink monitoring is not correctly restricted to the local namespace.
Nlmon can currently be used to sniff packets on the entire system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
