[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (USN-3754-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Dec 7 04:27:09 PST 2018


Synopsis: USN-3754-1 can now be patched using Ksplice
CVEs: CVE-2016-10208 CVE-2017-11472 CVE-2017-14991 CVE-2017-15649 CVE-2017-16526 CVE-2017-16527 CVE-2017-16529 CVE-2017-16531 CVE-2017-16532 CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537 CVE-2017-16538 CVE-2017-16643 CVE-2017-16644 CVE-2017-16645 CVE-2017-16650 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-17558 CVE-2017-2583 CVE-2017-2584 CVE-2017-2671 CVE-2017-5549 CVE-2017-5753 CVE-2017-5897 CVE-2017-6345 CVE-2017-6348 CVE-2017-7518 CVE-2017-7645 CVE-2017-8831 CVE-2017-9984 CVE-2018-1000204 CVE-2018-10021 CVE-2018-10087 CVE-2018-10124 CVE-2018-10323 CVE-2018-10675 CVE-2018-10877 CVE-2018-10881 CVE-2018-1092 CVE-2018-1093 CVE-2018-10940 CVE-2018-12233 CVE-2018-13094 CVE-2018-13405 CVE-2018-13406 CVE-2018-18255

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3754-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-10087: Denial-of-service when calling wait4() with a pid of INT_MIN.

kernel_wait4() turns a negative pid argument into a process-group ID by
negating it, without first rejecting INT_MIN. Negating INT_MIN overflows a
signed integer (undefined behaviour in C), and on some architecture and
compiler combinations a local attacker could use this to cause a
denial-of-service.


* CVE-2017-2584: Denial-of-service when emulating sgdt/sidt instructions.

A missing check in KVM when emulating the sgdt and sidt x86 instructions
could disclose kernel memory or cause a use-after-free. A user inside a
KVM guest could use this flaw to cause a denial-of-service.


* CVE-2017-14991: Information leak in SCSI Generic Support driver.

Failing to initialize a buffer when handling an ioctl on a SCSI generic
device such as /dev/sg0 results in stale kernel data being copied to
userspace. A local user with access to the device could use this to read
sensitive kernel heap memory.


* CVE-2017-16526: Denial-of-service in failed launch of UWB daemon.

A failure to check the error return when starting the UWB management
daemon thread (uwbd) can result in an invalid pointer dereference, leading
to a kernel crash. A local attacker with a crafted USB device could use
this flaw to cause a denial-of-service.


* CVE-2017-15649: Use-after-free in AF_PACKET socket fanout.

A logic error when enabling fanout on a socket can result in the socket
being added to a list twice, which can lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or possibly
escalate privileges.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* CVE-2017-16529: Out-of-bounds access when parsing corrupted buffer descriptors in USB audio.

A failure to validate buffer descriptors supplied by a USB audio device can
result in an out-of-bounds memory access. A local attacker with a crafted
USB device could use this flaw to cause a denial-of-service.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

A regular file created in an SGID directory inherits the directory's group,
and the kernel did not clear a requested setgid bit from the new file's
mode even when the creating user is not a member of that group. A local
user with write access to an SGID directory owned by a privileged group
could create a setgid, group-executable file there and gain that group's
privileges by running it.


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When shrinking an xfs inode for a file whose extended attributes are
corrupted, the missing attribute buffer can be dereferenced as a NULL
pointer, resulting in a denial-of-service. A local attacker could trigger
this with a crafted XFS image.


* CVE-2018-10940: Information leak when checking if CD-ROM media changed.

The range check on the slot index passed to the CDROM_MEDIA_CHANGED ioctl
is bypassed by an integer truncation, allowing an out-of-bounds read. A
local attacker with access to a CD-ROM device could use this flaw to leak
kernel memory and facilitate a further attack.


* CVE-2018-18255: Integer overflow when setting allocated CPU time for perf events.

A missing check on user input when setting allocated CPU time for perf
events could lead to an integer overflow. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-16650: Divide by zero error when binding a QMI WWAN USB device.

A missing check for a zero maximum packet size when binding a QMI WWAN
network USB device could lead to a divide by zero error. A local attacker
with a crafted USB device could use this flaw to cause a denial-of-service.


* CVE-2017-16536: NULL pointer dereference when registering a Conexant cx231xx USB video device.

A missing check when probing a Conexant cx231xx USB video device could
lead to a NULL pointer dereference. A local attacker could use a crafted
USB device to cause a denial-of-service.


* CVE-2017-16535: Out-of-bounds memory access when reading USB descriptors.

A missing check when reading USB descriptors could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-16914: Denial-of-service in USB over IP NULL transfer buffer handling.

A failure to correctly validate a NULL transfer buffer in the USB over
IP subsystem can result in a NULL pointer dereference, leading to a
kernel crash. A local user with access to a USB over IP device could use
this flaw to cause a denial-of-service.


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs. A physically present
malicious user could use this flaw to cause a denial of service.


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.


* CVE-2017-9984: Denial-of-service when reading DSP messages in Turtle Beach MultiSound drivers.

A logic error when receiving messages from DSP in Turtle Beach
MultiSound drivers could lead to out-of-bounds accesses. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to correctly allocate sufficient
memory, potentially causing memory corruption and a denial-of-service.


* CVE-2017-6345: Denial of service in 802.2 LLC packet processing.

A logic error when receiving PDUs on an 802.2 LLC network socket can trigger a
kernel panic and denial of service when freeing memory.


* CVE-2017-5897: Denial-of-service in IPv6 GRE tunnel error handling.

A logic error in IPv6 GRE error handling could lead to an out-of-bounds
access. A remote attacker could use this flaw by forging a specific IPv6
packet to cause a denial-of-service.


* CVE-2017-17558: Buffer overrun in USB core via integer overflow.

Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.


* CVE-2017-6348: Deadlock in Infrared socket teardown.

Invalid locking in the infrared networking subsystem can trigger a deadlock and
kernel panic when tearing down sockets. A local user can use this flaw to
trigger a denial of service.


* CVE-2018-10124: Denial-of-service when calling kill() with a pid of INT_MIN.

kill_something_info() turns a pid argument below -1 into a process-group
ID by negating it, without first rejecting INT_MIN. Negating INT_MIN
overflows a signed integer (undefined behaviour in C), and on some
architecture and compiler combinations a local attacker could use this to
cause a denial-of-service.

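CVE-2018-10087 (wait4) and CVE-2018-10124 (kill) share one root cause, so a single model covers both. The block below is an added example, not code from the advisory or from the kernel: it reproduces the negative-pid-to-process-group translation both syscalls perform, once without the INT_MIN check and once with the check the upstream fixes added (both fixes return -ESRCH for INT_MIN). The names pid_target and translate_pid_* are this example's own; the negation is done through unsigned arithmetic so that the demonstration itself stays well defined while reproducing the two's-complement wrap-around that the kernel's plain `-pid` produces in practice.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* What a wait4()/kill() pid argument selects. Names are this example's own. */
enum pid_target_kind { TARGET_ANY, TARGET_OWN_PGRP, TARGET_PID, TARGET_PGRP };

struct pid_target {
    enum pid_target_kind kind;
    int id;   /* process id or process-group id; 0 when not applicable */
};

/* Pre-fix logic: no INT_MIN check before negating a negative pid. For
 * INT_MIN the wrap-around leaves the "process-group id" equal to INT_MIN,
 * i.e. still negative. */
static struct pid_target translate_pid_vulnerable(int pid)
{
    struct pid_target t = { TARGET_ANY, 0 };

    if (pid == -1) {
        t.kind = TARGET_ANY;          /* any child / every process */
    } else if (pid == 0) {
        t.kind = TARGET_OWN_PGRP;     /* caller's own process group */
    } else if (pid > 0) {
        t.kind = TARGET_PID;
        t.id = pid;
    } else {
        t.kind = TARGET_PGRP;
        t.id = (int)(0u - (unsigned int)pid);   /* -pid, wraps for INT_MIN */
    }
    return t;
}

/* Hardened logic: reject INT_MIN up front with -ESRCH, as the upstream
 * fixes for both syscalls do. Returns 0 on success. */
static int translate_pid_fixed(int pid, struct pid_target *out)
{
    if (pid == INT_MIN)
        return -ESRCH;
    *out = translate_pid_vulnerable(pid);   /* safe now: pid > INT_MIN */
    return 0;
}

/* A translated target is sane only if its id is positive whenever an id is
 * required. The vulnerable path violates this for INT_MIN, which is what
 * the downstream pid lookups trip over. */
static bool pid_target_is_sane(const struct pid_target *t)
{
    if (t->kind == TARGET_PID || t->kind == TARGET_PGRP)
        return t->id > 0;
    return t->id == 0;
}

/* Probes used by the demonstration below. */
static int vulnerable_pgrp_of(int pid)
{
    return translate_pid_vulnerable(pid).id;
}

static bool vulnerable_is_sane(int pid)
{
    struct pid_target t = translate_pid_vulnerable(pid);
    return pid_target_is_sane(&t);
}

static int fixed_rc_of(int pid)
{
    struct pid_target t;
    return translate_pid_fixed(pid, &t);
}

int main(void)
{
    const int probes[] = { 1234, -1, 0, -42, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct pid_target t = translate_pid_vulnerable(probes[i]);
        printf("pid=%11d  vulnerable: kind=%d id=%11d sane=%d  fixed rc=%d\n",
               probes[i], t.kind, t.id, pid_target_is_sane(&t),
               fixed_rc_of(probes[i]));
    }
    return 0;
}
```

The same pattern (negating a user-supplied signed value to reuse it as an index or identifier) is worth grepping for in any syscall or ioctl handler: the check has to come before the negation, not after.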

* CVE-2017-16531: Out-of-bounds access in USB configuration parsing.

A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.


* CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.

A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.


* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.

A missing check when registering SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.

A missing check when running USB tests with a USB device exposing
invalid endpoints configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-5549: Information leak when using USB KL5KUSB105 serial driver.

An incorrect check of the return value when reading the line state in the
KL5KUSB105 USB serial driver causes the contents of an uninitialized
buffer to be written to the kernel log. A local user who can read the log
could use this flaw to gain information about the running kernel and
facilitate a further attack.


* CVE-2017-16645: Out-of-bounds access when using IMS Passenger Control Unit Devices.

A missing check when using IMS Passenger Control Unit Devices could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-16538: Denial-of-service in DVB-USB subsystem.

A missing warm-start check and incorrect attach timing allows local
users to cause a denial of service (general protection fault and system
crash) or possibly have unspecified other impact via a crafted USB
device.


* CVE-2017-16533: Out-of-bounds access during parsing of Human Interface Device information.

A failure to validate information supplied by a USB device can result in
an out-of-bounds memory write, leading to undefined behaviour.


* CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.

A double fetch of a message header from the device's command bus in the
NXP SAA7164 video driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting.

A reference count error in the get_mempolicy() system call implementation
can result in a use-after-free. A local user could use this flaw to
escalate privileges.


* CVE-2018-12233: Out-of-bounds access using extended attributes with JFS filesystem.

An incorrect size for buffer allocation could lead to an out-of-bounds
access when changing attributes on a JFS file from user space. An
unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.

A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.


* CVE-2018-1092: NULL pointer dereference when using unallocated root directory on ext4 filesystem.

A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks with ext4 filesystem.

A missing data zeroing when using indirect blocks with ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10877: Out-of-bounds access when using corrupted ext4 filesystem with abnormal extent tree.

A missing check when using corrupted ext4 filesystem with abnormal
extent tree could lead to an out-of-bounds access. A local attacker
could use this flaw with a crafted ext4 image to cause a
denial-of-service.


* CVE-2018-13406: Denial-of-service due to overflow in VBE2+ video driver.

Failing to validate the number of colour-map entries passed to the uvesafb
(VBE 2.0+) framebuffer driver could result in an integer overflow in the
allocation size, an undersized allocation and a denial-of-service.


* CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem.

A logic error when converting extents-format to B+tree in XFS filesystem
could lead to a NULL pointer dereference. A local attacker could use
this flaw with a crafted XFS image to cause a denial-of-service.


* CVE-2016-10208: Denial-of-service when using a crafted ext4 image.

A missing check in ext4 meta block group validation could lead to an
out-of-bounds access. A local attacker could use this flaw with a crafted
ext4 image to cause a denial-of-service.


* Improved fix for CVE-2017-5753: Speculative execution in array accesses.

The current fix for CVE-2017-5753 does not prevent the compiler from
optimizing away the index sanitization on some array accesses, leaving
them unprotected against speculative execution attacks.


* Improved fix for Spectre v1: Bounds-check bypass in userspace interaction.

A missing sanitization of the user-supplied address after the bounds check
in get_user() could lead to a speculative information leak. A local
attacker could use this flaw to leak information about the running system.


* Improved fix for CVE-2017-5753: Bounds-check bypass in nl80211 transmission parameter parsing.

A missing use of the array index sanitization macro (array_index_nospec)
when parsing transmission queue parameters in nl80211 could allow a
speculative out-of-bounds read. A local attacker could use this flaw to
leak information about the running system.

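The three Spectre v1 entries above all rely on the same defence: after the architectural bounds check, the index is clamped to zero without a branch, so a speculatively executed load cannot reach past the array even if the branch was mispredicted. The block below is an added example in user space, not code from the advisory or from the kernel, although the mask formula is the kernel's generic array_index_mask_nospec() formula. The queue_param table (standing in for a per-queue parameter array such as the nl80211 txq parameters) and the two lookup functions are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* All ones when index < size, all zeros otherwise, computed without a
 * branch. The top bit of (index | (size - 1 - index)) is set exactly when
 * index is out of range: either index itself has the top bit set, or
 * size - 1 - index wrapped below zero. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* Stop the compiler from proving the mask redundant and dropping it; it
     * does not reason about speculation. The kernel uses OPTIMIZER_HIDE_VAR
     * for the same purpose. */
    __asm__ __volatile__("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp an out-of-range index to zero, branchlessly. */
static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed table: four per-queue parameters indexed by a user-chosen id. */
#define NUM_QUEUES 4
static const unsigned int queue_param[NUM_QUEUES] = { 15, 31, 63, 1023 };

/* Architecturally correct, but the CPU may predict the bounds check as
 * passing and speculatively load queue_param[idx] for an out-of-range idx,
 * leaving a cache footprint that depends on memory after the array. */
static int lookup_vulnerable(unsigned long idx)
{
    if (idx >= NUM_QUEUES)
        return -1;
    return (int)queue_param[idx];
}

/* Same check followed by the clamp: on the mispredicted path the load uses
 * index 0, so nothing outside the array is touched. */
static int lookup_hardened(unsigned long idx)
{
    if (idx >= NUM_QUEUES)
        return -1;
    idx = array_index_nospec(idx, NUM_QUEUES);
    return (int)queue_param[idx];
}

int main(void)
{
    const unsigned long probes[] = { 0, 3, 4, 1000, ULONG_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%20lu mask=%#018lx clamped=%lu vulnerable=%d hardened=%d\n",
               probes[i],
               array_index_mask_nospec(probes[i], NUM_QUEUES),
               array_index_nospec(probes[i], NUM_QUEUES),
               lookup_vulnerable(probes[i]), lookup_hardened(probes[i]));
    return 0;
}
```

The two lookups return the same values for every input; the difference is only visible to a microarchitectural side channel, which is why the fix has to be verified by inspecting the generated code (the mask must survive into the binary) rather than by a functional test.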

* CVE-2017-7518: Privilege escalation in KVM emulation subsystem.

An implementation error in the syscall instruction emulation in KVM
leads to a debug exception being raised in guest userspace with incorrect
state. A user or process inside the guest could use this flaw to
potentially escalate privileges inside the guest.


* CVE-2017-2583: Denial-of-service due to incorrect segments configuration within VMs.

A logic error leads to an incorrect configuration of segment selector
within a Virtual Machine. An attacker could use this incorrect
configuration to cause a denial-of-service of the VM.


* CVE-2017-16912, CVE-2017-16913: Denial-of-service in USBIP command validation.

A validation error when parsing information from a USB over IP packet
can result in an out-of-bounds memory access leading to a kernel crash.
A remote USB over IP client could use this flaw to cause a
denial-of-service.


* CVE-2017-16911: Information disclosure in USB over IP HCI status report.

A failure to correctly sanitize information reported by the kernel about
a USB over IP HCI device can result in a sensitive memory address being
disclosed to userspace. A local, unprivileged user could use this flaw
to facilitate a further attack.


* CVE-2017-11472: Kernel information leak in ACPI operand cache.

Failing to flush the ACPI operand cache could print a kernel stack dump
in the log, revealing kernel addresses to an unprivileged user.


* CVE-2017-16644: Denial-of-service in Hauppauge HD PVR driver.

Incorrect error handling during device probe for a Hauppauge HD PVR
device could result in a kernel crash. A user with physical access to
the system and a malicious device could use this flaw to crash the
system.


* CVE-2017-16527: Use-after-free when creating mixer for USB Audio device.

A missing free in error path when creating mixer for USB Audio device
could lead to a use-after-free. A local attacker could use a crafted USB
Audio device to cause a denial-of-service.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.