[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (USN-3849-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Dec 31 07:12:13 PST 2018


Synopsis: USN-3849-1 can now be patched using Ksplice
CVEs: CVE-2017-2647 CVE-2017-5753 CVE-2018-10902 CVE-2018-12896 CVE-2018-14734 CVE-2018-16276 CVE-2018-18386 CVE-2018-18690 CVE-2018-18710

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3849-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-2647: Denial-of-service when invoking the request_key() syscall.

A missing check in the request_key() syscall could lead to a NULL pointer
dereference. A local unprivileged user could use this flaw to cause a
denial-of-service.


* CVE-2018-14734: Use-after-free in InfiniBand leave_multicast function.

A race condition in the InfiniBand code could allow the leave_multicast
function to use a structure that was allocated but subsequently freed in
the process_join function, leading to memory corruption and a possible
system crash.


* CVE-2018-18690: XFS filesystem failure during extended attribute replacement.

Incorrect handling of extended attribute replacement on an XFS
filesystem could result in a filesystem shutdown.  A local, unprivileged
user could use this flaw to trigger a denial of service.


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.


* Improved fix for CVE-2017-5753: Speculative execution in array accesses.

The existing fix for CVE-2017-5753 does not correctly disable a compiler
optimization, which leaves some array accesses unprotected against
speculative execution (bounds-check bypass) attacks.


* Improved fix for Spectre v1: Bounds-check bypass in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable
to a Spectre variant 1 speculative execution attack.


* Improved fix for CVE-2017-5753: Bounds-check bypass in ATM LAN emulation.

A missing sanitization of an array index after its bounds check in the ATM
LAN emulation driver could allow a speculative out-of-bounds access. A local
attacker could use this flaw to leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of an array index after its bounds check in the
ZeitNet ZN1221/ZN1225 driver could lead to an information leak. A local
attacker could use this flaw to leak information about the running system.


* Updated fix for CVE-2017-5753: Spectre attack on getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a
Spectre variant 1 speculative execution attack.


* Improved fix for CVE-2017-5753: Bounds-check bypass in USB HID devices.

Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Interface Device driver. A local user
could use this flaw to facilitate a further attack on the system.


* Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.

A missing sanitization of an array index after its bounds check in the
Chelsio Communications T3 10Gb Ethernet driver could lead to an
information leak. A local attacker could use this flaw to leak information
about the running system.


* Improved fix for Spectre v1: Information leak in filesystem quota control code.

A missing sanitization of an array index in filesystem quota control code can
lead to kernel memory being leaked to userspace.  A local attacker could exploit
this flaw to leak information about the running system.


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption.  This could be exploited to cause a denial-of-service.


* CVE-2018-16276: Privilege escalation in USB Yurex read handler.

A logic error in the USB Yurex read handler code could allow the driver
to write userspace memory outside the bounds of the buffer supplied by
the caller, potentially corrupting the calling process's memory and
enabling privilege escalation within userspace.


* CVE-2018-12896: Denial-of-service via POSIX timer overrun overflow.

The POSIX timer overrun count can overflow an integer if the timer has a
sufficiently long interval and expiry time. A malicious local user could
create such a timer to cause a denial-of-service.


* CVE-2018-18386: Denial-of-service in pseudo terminal management.

A type confusion error in the pseudo terminal driver can result in a terminal
blocking any further input. A local user could use this flaw to prevent use of
a pseudo terminal, leading to a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in socketcall syscall.

A missing sanitization of an array index after its bounds check in the
socketcall syscall could allow a speculative out-of-bounds access. A local
attacker could use this flaw to leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass during netlink creation.

A missing sanitization of an array index after its bounds check during
netlink socket creation could allow a speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in ext4 multiblock allocation routines.

A missing sanitization of an array index after its bounds check in the
ext4 multiblock allocation routines could allow a speculative out-of-bounds
access. A local attacker could use this flaw to leak information about the
running system.


* Improved fix for Spectre v1: Bounds-check bypass in perf events.

A missing sanitization of an array index after its bounds check during
perf event retrieval could allow a speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass during AHCI LED control.

A missing sanitization of an array index after its bounds check during
AHCI LED configuration could allow a speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.


* Improved fix for Spectre v1: Bounds-check bypass in Honeywell HMC6352 compass driver.

A missing sanitization of an array index after its bounds check in the
Honeywell HMC6352 compass driver could allow a speculative out-of-bounds
access. A local attacker could use this flaw to leak information about the
running system.


* Improved fix for Spectre v1: Bounds-check bypass in virtual terminal driver.

A missing sanitization of an array index after its bounds check in the
virtual terminal driver could allow a speculative out-of-bounds access. A
local attacker could use this flaw to leak information about the running
system.
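The Spectre v1 entries above all describe the same defect: an array index that
userspace controls is bounds-checked with a conditional branch, but the index
itself is not sanitized, so a mispredicted branch can speculatively read past
the end of the array and leave a cache footprint that depends on out-of-bounds
kernel memory. The following is an added userspace illustration, not Ksplice or
kernel code. The lookup table, its size and the indices are constructed; the
mask arithmetic is the same as the kernel's generic array_index_mask_nospec(),
while the kernel's x86 build uses a cmp/sbb inline-asm variant so the compiler
cannot turn the mask back into a branch (the problem the "improved fix for
CVE-2017-5753" entry above refers to). Speculation cannot be observed from this
program; it shows the vulnerable and hardened shapes and that the architectural
result is identical.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Constructed table standing in for a kernel array indexed by a value taken
 * from userspace (an ioctl argument, a socketcall number, a quota type, ...). */
#define TABLE_SIZE 8UL
static const int table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Branchless mask: all ones when index < size, all zeros otherwise.
 * (index | (size - 1 - index)) has its top bit clear only when both terms are
 * non-negative, i.e. 0 <= index <= size - 1. Complementing and doing an
 * arithmetic right shift by (BITS_PER_LONG - 1) smears that bit across the
 * word. Relies on arithmetic right shift of a negative long, as the kernel does. */
unsigned long mask_nospec(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1 - index)) >> (BITS_PER_LONG - 1));
}

/* The shape the "improved fix" warns about: architecturally identical, but the
 * compiler is free to lower the conditional into a branch, which re-creates
 * exactly the predictable branch the mask was meant to remove. */
unsigned long mask_naive(unsigned long index, unsigned long size)
{
    return index < size ? ~0UL : 0UL;
}

/* Clamp index to [0, size) without a branch. An out-of-range index becomes 0,
 * so even a mispredicted bounds check can only read element 0. */
unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & mask_nospec(index, size);
}

/* Vulnerable shape: the bounds check is a conditional branch; the CPU may
 * predict "in range" and speculatively load table[idx] for idx >= TABLE_SIZE. */
int lookup_vulnerable(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    return table[idx];                  /* speculatively out of bounds */
}

/* Hardened shape: same check, but the index actually used is sanitized. */
int lookup_hardened(unsigned long idx)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx = index_nospec(idx, TABLE_SIZE);
    return table[idx];                  /* never out of bounds, even speculatively */
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 7, 8, 9, ULONG_MAX };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long idx = probes[i];
        printf("idx=%lu mask=%#lx sanitized=%lu vulnerable=%d hardened=%d\n",
               idx, mask_nospec(idx, TABLE_SIZE), index_nospec(idx, TABLE_SIZE),
               lookup_vulnerable(idx), lookup_hardened(idx));
    }
    return 0;
}
```

The point to check in a real fix is the instruction stream, not the C: the
sanitized index must reach the load through a data dependency (and/or/shift),
not through a branch the predictor can learn, and the mask must be applied after
the bounds check so that the architectural result is unchanged.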

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
