[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (USN-3422-1)

[Oracle Ksplice]

Synopsis: USN-3422-1 can now be patched using Ksplice
CVEs: CVE-2016-10044 CVE-2016-10200 CVE-2016-7097 CVE-2016-8650 CVE-2016-9083 CVE-2016-9191 CVE-2016-9604 CVE-2016-9754 CVE-2017-1000251 CVE-2017-5970 CVE-2017-6214 CVE-2017-6346 CVE-2017-6951 CVE-2017-7187 CVE-2017-7472 CVE-2017-7541

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3422-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-7541: Buffer overflow in Broadcom IEEE802.11n embedded FullMAC WLAN driver.

A logic error in Broadcom IEEE802.11n embedded FullMAC WLAN driver could
lead to buffer overflow when user send a crafted NL80211_CMD_FRAME
packet via netlink. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-7187: Denial-of-service in SCSI driver ioctl handler.

The ioctl handler function in SCSI driver allows local users to cause a
denial of service (stack-based buffer overflow) or possibly have
unspecified other impact via a large command size in an SG_NEXT_CMD_LEN
ioctl call, leading to out-of-bounds write access in the sg_write
function.


* CVE-2017-7472: Denial-of-service when setting default request-key keyring.

A logic error when a user set default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.


* CVE-2017-6951: Denial-of-service from userspace via dead security keys.

Dead security keys were improperly assigned a type with name "dead",
which allowed them to be accessed by users with the
key_get_type_from_user() syscall, causing a kernel panic and
denial-of-service.


* CVE-2017-6214: Denial-of-service when splicing from TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in
IPv4 subsystem. This can be exploited by an remote attacker to cause
denial-of-service.


* CVE-2017-6346: Use-after-free in AF_PACKET fanout.

Invalid locking when processing the PACKET_FANOUT sockopt for AF_PACKET sockets
can trigger a use-after-free condition and kernel panic. A local user could use
this flaw to elevate privileges.


* CVE-2017-5970: Denial-of-service in ipv4 options field handling.

Incorrect behaviour when ipv4 options are used can result in a kernel
crash.  A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2016-8650: NULL pointer dereference in the key management subsystem.

A missing check in the Multiprecision maths library used to implement
RSA digital signature verification could lead to a NULL pointer
dereference. A local user could use this flaw to cause a denial-of-service.


* CVE-2016-9191: Denial-of-service when using sysctl concurrently.

A refcounting error in sysctl handling could lead to an infinite loop if
unregister_sysctl_table() is called concurrently with sysctl actions
from userspace. An attacker could use this flaw to cause a
denial-of-service.


* CVE-2016-9604: Permission bypass when creating key using keyring subsystem.

A missing check when an user create a key beginning with '.' could lead
to a permission bypass. A local attacker could use this flaw to access
sensitive information.


* CVE-2016-9083: Integer overflow in PCI VFIO bus driver.

An error in user-supplied arguments sanitizing of VFIO_DEVICE_SET_IRQS
ioctl could lead to an integer overflow. A local user with capability to
use this ioctl could cause a denial-of-service.


* CVE-2016-10200: Denial-of-service when creating L2TP sockets using concurrent thread.

A missing check when creating L2TP socket could lead to a use-after-free
if a concurrent thread modify socket's flag while creating it. An attacker
could use this flaw to cause a denial-of-service.


* CVE-2016-9754: Overflow in trace ring buffer on resize.

Incorrectly computing the needed memory when resizing the trace ring
buffer could allow a local user to escalate privileges by triggering a
buffer overflow.


* CVE-2016-7097: Permission bypass in Overlay filesystem when setting POSIX ACLs.

A logic error when setting POSIX ACLs in the Overlay filesystem causes
the set-group-ID to not be cleared.  A local, unprivileged user could
use this flaw to escalate privileges.


* CVE-2016-10044: Permission bypass when setting up an async io filesystem.

Missing limitation on execution access when setting up an async io
filesystem could allow a local attacker to bypass SELinux restrictions
and leads to permission bypass.


* CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.

Incorrectly parsing a Bluetooth L2CAP configuration buffer could allow
it to overwrite data on the stack, potentially allowing a remote
attacker to execute arbitrary code in the kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.