[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (FEDORA-2017-c110ac0eb1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Oct 30 06:32:05 PDT 2017


Synopsis: FEDORA-2017-c110ac0eb1 can now be patched using Ksplice
CVEs: CVE-2017-0786 CVE-2017-12188 CVE-2017-12190 CVE-2017-15265 CVE-2017-5123

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2017-c110ac0eb1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
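As an added example (not part of the Ksplice announcement and not Oracle's own tooling), the following shell script reads the autoinstall setting from /etc/uptrack/uptrack.conf and runs the upgrade command above only on hosts where Ksplice will not install the update on its own. Only the configuration path and the uptrack-upgrade command come from the announcement; the INI-style parsing rules and the --check/--apply flags are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the Ksplice announcement: decide whether this
# host needs a manual "uptrack-upgrade -y" by reading the autoinstall
# setting from uptrack.conf. Only the file path and the two commands come
# from the announcement; the parsing rules below are assumptions about the
# file's INI-style layout.

# autoinstall_enabled [CONF]
# Return 0 when an uncommented "autoinstall = yes" line is present in CONF
# (default /etc/uptrack/uptrack.conf), 1 otherwise. Leading whitespace,
# spaces around "=", mixed case in the value and trailing "# comments" are
# tolerated; if the key appears more than once the last occurrence wins.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# uptrack_action [CONF]
# Print "autoinstall" when Ksplice will pick the update up on its own and
# "manual" when uptrack-upgrade has to be run; handy for inventory scripts.
uptrack_action() {
    if autoinstall_enabled "$1"; then
        echo autoinstall
    else
        echo manual
    fi
}

# apply_if_needed [CONF]
# Run the upgrade command from the announcement only when autoinstall is
# off. Requires root, since uptrack-upgrade loads kernel updates.
apply_if_needed() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall = yes: Ksplice will install FEDORA-2017-c110ac0eb1 itself"
        return 0
    fi
    if [ -x /usr/sbin/uptrack-upgrade ]; then
        /usr/sbin/uptrack-upgrade -y
    else
        echo "uptrack-upgrade not found: is Ksplice Uptrack installed?" >&2
        return 1
    fi
}

# Only act when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    --apply) apply_if_needed "${2:-}" ;;
    --check) uptrack_action "${2:-}" ;;
esac
```

Run it as "sh ksplice-check.sh --check" from inventory tooling to see which hosts still need the manual step, or "sh ksplice-check.sh --apply" as root on those hosts. An unreadable or missing configuration file is treated as "manual", which errs on the side of applying the update.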


DESCRIPTION

* Out-of-bounds memory access in SCTP event interface.

A failure to validate information from userspace can result in an
out-of-bounds read, resulting in undefined behaviour or a kernel crash.


* Denial-of-service during free of BPF map.

Incorrect locking during the free of a BPF map can result in a kernel
crash. A local user could use this flaw to cause a denial-of-service.


* Denial-of-service during qdisc classification.

A logic error during packet classification can result in dereference of
an invalid pointer, resulting in a kernel crash. A local user with the
ability to configure network interfaces could use this flaw to cause a
denial-of-service.


* Use-after-free in socket fanout.

A logic error when enabling fanout on a socket can result in the socket
being added to a list twice, which can lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or possibly
escalate privileges.


* Use-after-free in IP Virtual Tunnel Interface transmission.

A race condition in the Virtual Tunnel Interface implementation can
result in a use-after-free. A local user could use this flaw to cause a
denial-of-service or possibly escalate privileges.


* Out-of-bounds access in tun interface.

A failure to check bounds correctly when writing to a tun interface can
result in an out-of-bounds memory access. A local user could use this
flaw to cause a denial-of-service.


* Memory corruption in IPv6 to IPv4 socket cloning.

A logic error when transforming an IPv6 socket to an IPv4 socket can
result in releasing memory into the wrong cache. This flaw can result in
memory corruption.


* Denial-of-service in netlink dump implementation.

A failure to handle an error case can result in an invalid pointer
dereference when attempting to dump information via netlink. A local
user could use this flaw to cause a denial-of-service.


* Use-after-free in socket memory accounting.

Incorrect locking surrounding memory accounting when using BPF programs
on sockets can result in a use-after-free. A local user could use this
flaw to potentially escalate privileges.


* Information disclosure in netlink statistics reporting.

A failure to correctly initialise memory can result in leaking of kernel
stack information to userspace. A local user could use this flaw to
facilitate a further attack.


* Use-after-free in userfaultfd fork handling.

A logic error when duplicating userfaultfd events in a fork can result
in a use-after-free. A local user could use this flaw to possibly
escalate privileges.


* Denial-of-service in Tascam USB audio device memory allocation.

A failure to suppress memory allocation warning messages can result in
flooding the kernel log buffer with messages. A local user could use
this flaw to cause a denial-of-service.


* Information disclosure in driver_override sysfs interface.

A bounds checking error in the driver_override sysfs node can result in
reading past the end of a buffer, leaking sensitive information from
kernel memory. A local user could use this flaw to facilitate a further
attack.


* Out-of-bounds due to corrupted buffer parsing in USB audio.

A failure to validate buffer descriptors from a USB audio device can
result in an out-of-bounds memory access.


* Denial-of-service in USBFS URB submission.

A validation failure when processing URBs submitted from userspace can
result in an integer overflow leading to an unbounded memory allocation.
A local user could use this flaw to cause a denial-of-service.


* Out-of-bounds access in USB alternate setting enumeration.

A failure to correctly validate USB alternate information from a USB
device can result in an out-of-bounds memory access.


* Out-of-bounds access in USB CDC header parsing.

A failure to correctly validate a CDC header can result in an
out-of-bounds memory access.


* Out-of-bounds access in USB configuration parsing.

A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.


* Denial-of-service in failed launch of UWB daemon.

A failure to handle an error case when launching the UWB management
daemon can result in an invalid pointer dereference leading to a kernel
crash.


* Denial-of-service in OverlayFS dentry reference count manipulation.

A failure to correctly handle an error case can result in the
dereference of an invalid pointer, leading to a kernel crash. A local
user could use this flaw to cause a denial-of-service.


* Denial-of-service in OverlayFS index cleanup.

A failure to handle an error case can result in a memory leak which
could lead to exhaustion of system memory. A local user with access to
an OverlayFS filesystem could use this flaw to cause a
denial-of-service.


* Denial-of-service in OverlayFS copy up operation.

Incorrect locking during an OverlayFS copy up operation could result in
a deadlock. A local user with access to an OverlayFS mount could use
this flaw to cause a denial-of-service.


* Denial-of-service in BTRFS block I/O memory allocation.

An integer overflow in BTRFS memory allocation can result in an
unbounded allocation of kernel memory. A local user could use this flaw
to cause a denial-of-service.


* Denial-of-service in dm crypt mount.

A failure to free memory when mounting a dm crypt device can result in a
memory leak. A local user could use this flaw to exhaust system memory,
resulting in a denial-of-service.


* Denial-of-service in multicast support for WIFI devices.

A logic error in the iwlwifi driver can allow userspace to trigger a
kernel warning. A local user with the ability to configure network
interfaces could use this flaw to flood the kernel print buffer,
resulting in a denial-of-service.


* CVE-2017-0786: Privilege escalation in Broadcom WIFI driver.

A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.


* Information disclosure in 802.11 packet attribute parsing.

A failure to correctly validate a buffer can result in an out-of-bounds
access leading to disclosure of kernel memory to userspace. A local user
could use this flaw to facilitate a further attack.


* Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-5123: Privilege escalation in waitid system call.

A flaw in the validation of a memory address can result in userspace
being able to write to arbitrary kernel memory. A local user could use
this flaw to escalate privileges.


* Denial-of-service during release of NFS file layout.

A missing check when freeing NFS filesystem information can result in a
NULL pointer dereference leading to a kernel crash. A local user could
use this flaw to cause a denial-of-service.


* Out-of-bounds access during parsing of Human Interface Device information.

A failure to validate information supplied by a USB device can result in
an out-of-bounds memory write, leading to undefined behaviour.


* Denial-of-service in crypto subsystem cipher implementation.

A failure to check for zero length input to a cipher in the crypto
subsystem can result in a kernel crash. A local user could use this flaw
to cause a denial-of-service.


* Denial-of-service in crypto subsystem hash implementation.

A failure to check for zero length input in the hashing implementation
of the crypto subsystem can result in a kernel crash. A local user could
use this flaw to cause a denial-of-service.


* Denial-of-service due to memory allocation failures for killed processes.

A logic error when allocating memory to killed tasks can result in a
subsequent kernel crash. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in FAT filesystem read/write page cleanup.

Incorrect locking when freeing read/write pages in a FAT filesystem can
result in an assertion failure, leading to a kernel crash. A local user
with access to a FAT filesystem could use this flaw to cause a
denial-of-service.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

A failure to increment a reference count during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.


* Use-after-free in Native Instruments USB audio devices.

A failure to correctly free a URB when a Native Instruments USB audio
device probe fails can result in a use-after-free.


* Denial-of-service in Line 6 POD USB device disconnection.

A failure to handle an error case when probing a Line 6 POD USB device
can result in a kernel crash when the device is disconnected.


* Invalid memory access during Line 6 POD USB device probe.

A race condition in the probe of a Line 6 POD USB device can result in
the access of uninitialised memory leading to a kernel crash.


* Denial-of-service during Line 6 POD USB device probe.

A failure to correctly handle an error case can result in a URB not
being cleaned up, which can later lead to a kernel crash.


* Out-of-bounds memory access in i915 gamma lookup table.

A logic error in the i915 gamma correction table lookup can result in an
out-of-bounds memory access. A local user could use this flaw to cause
undefined behaviour.


* Denial-of-service in Direct IO page submission.

A missing check when submitting a page for Direct IO can result in a
NULL pointer dereference, leading to a kernel crash. A local user could
use this flaw to cause a denial-of-service.


* Use-after-free in USB serial console disconnect.

A logic error in the disconnection logic for USB serial devices can lead
to an incorrect free which can result in a use-after-free.


* Use-after-free in USB serial console setup failure.

A failure to handle an error case during USB serial console setup can lead to
a use-after-free.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-12188: Out-of-bounds memory access during KVM page table walk.

A logic error in the page table management of KVM guests can result in
an out-of-bounds memory access. A guest virtual machine could use this
flaw to crash the host or potentially execute malicious code with host
privileges.


* Out-of-bounds memory access in I2C Human Interface Device buffer allocation.

A logic error when allocating memory for a host to device message can
result in an out-of-bounds memory access. A local user with access to an
I2C HID device could use this flaw to cause undefined behaviour.


* Denial-of-service in SMACK security attribute retrieval.

A logic error when reading SMACK security attributes from an inode can
result in a memory leak. A local user could use this flaw to exhaust
kernel memory, resulting in a denial-of-service.


* Denial-of-service in page lazy free handling.

A logic error when marking a page as free on a system with swap enabled
can lead to an infinite loop in the kernel or corruption of data within
the page. A local user could use this flaw to cause a denial-of-service.


* Use-after-free when freeing traffic control classifier actions.

A race condition in the freeing of a traffic control classifier action
can result in the dereference of a freed pointer. A local user could use
this flaw to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
