[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (3.13.0-142.191)

[Oracle Ksplice]

Synopsis: 3.13.0-142.191 can now be patched using Ksplice
CVEs: CVE-2017-0750 CVE-2017-0861 CVE-2017-1000407 CVE-2017-12153 CVE-2017-12190 CVE-2017-12192 CVE-2017-14051 CVE-2017-14140 CVE-2017-14156 CVE-2017-14489 CVE-2017-15102 CVE-2017-15115 CVE-2017-15274 CVE-2017-15868 CVE-2017-16525 CVE-2017-17450 CVE-2017-17806 CVE-2017-18017 CVE-2017-5669 CVE-2017-7542 CVE-2017-7889 CVE-2017-8824 CVE-2018-5333 CVE-2018-5344

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-142.191.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-8824: Privileges escalation when calling connect() system call on a DCCP socket.

A missing free when calling connect() system call on a DCCP socket while it is
in DCCP_LISTEN state could lead to a use-after-free. A local attacker
could use this flaw to escalate privileges.


* CVE-2017-7889: Permissions bypass via /dev/mem file.

The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to
kernel memory locations via an application that opens the /dev/mem file.


* CVE-2017-0750: Privilege escalation when mounting f2fs filesystem.

Failure to validate filesystem image before mounting results in kernel
memory corruption. An attacker can exploit this to execute arbitrary
code in kernel context.


* CVE-2017-5669: Privilege bypass when using shmat() syscall to map page zero.

A logic error when mapping a page using shmat() syscall could allow a
user to map page zero and consequently bypass a protection mechanism
that exists for the mmap() system call.


* CVE-2017-14156: Information leak in the ATI Rage 128 video drivers when copying clock information.

A missing struct initialization when copying clock information could lead
to uninitialized memory being leaked to userspace.  This could help an
attacker bypass protections like ASLR or infer memory layouts that would
otherwise be hidden.


* CVE-2017-12192: Denial-of-service when reading negative key.

Invalid memory access when reading key negative from kernel key management
facility results in a crash. An unprivileged local user can exploit this
to cause denial-of-service.


* CVE-2017-15102: NULL pointer dereference when probing Lego Mindstorms infrared device.

A race condition when probing Lego Mindstorms infrared device can trigger
a NULL pointer dereference and cause a local denial of service.


* Improved fix for CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.

An incorrect data type when parsing IPV6 fragments header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-16525: Use-after-free in USB serial console setup failure.

A failure to handle an error case during USB serial console setup can lead to
a use-after-free.


* CVE-2017-12153: NULL pointer dereference in the Wireless configuration layer.

A failure to verify netlink attributes existence before processing them
could lead to a NULL pointer dereference.  A local user with CAP_NET_ADMIN
could use this flaw to cause a denial-of-service.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds to be read from a netlink socket in
the SCSI could lead to a NULL pointer dereference.  A local user could use
this flaw to cause a denial-of-service.


* CVE-2017-15115: Use-after-free in SCTP peel off operation inside network namespace.

A logic error when performing an SCTP peel off operation from a network
namespace can result in an incorrect free, leading to a subsequent
use-after-free. A local user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.


* CVE-2017-14140: ASLR bypass due to insufficient permissions checks in move_pages.

A failure to correctly check permissions when using the move_pages
system call can allow an attacker to map out the address space of a
process which shares the same uid. A local user could use this flaw to
facilitate a further attack.


* CVE-2017-15274: Denial-of-service when adding a key using the key control subsystem.

A missing check on user input when using add_key syscall of keyctl could
lead to a NULL pointer dereference if the key type is asymmetric,
cifs.idmap, cifs.spnego, or pkcs7_test.  A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-15868: Privilege escalation in the Bluetooth stack when adding connections.

Multiple missing checks that a socket belongs to the L2CAP layer leads to
type confusion and kernel crash.  A local user with the ability to create a
BNEP (Bluetooth Network Encapsulation Protocol), Human Interface Device
Protocol (HIDP) or a CAPI Message Transport Protocol (CMTP) connection
could use this flaw to escalate privileges.


* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash.  An attacker could use this flaw
to cause a host denial-of-service from the guest.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2017-17450: Permission bypass with Passive OS Fingerprinting match module.

A missing permission check when using Passive OS Fingerprinting match
module allows an unprivileged user to modify the global OS fingerprint
list without the proper permissions.


* CVE-2017-18017: Use-after-free when using TCPMSS Netfilter.

A missing check in the netfilter TCP MSS code could lead to a
use-after-free condition.  A remote attacker could exploit this
to cause a denial of service.


* CVE-2017-17806: Denial-of-service in HMAC algorithms.

Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm.  A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.