[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (USN-3070-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Aug 29 15:23:00 PDT 2016
Synopsis: USN-3070-1 can now be patched using Ksplice
CVEs: CVE-2016-1237 CVE-2016-5244 CVE-2016-5400 CVE-2016-5696 CVE-2016-5728 CVE-2016-5829 CVE-2016-6197
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3070-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
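As an added example that is not part of this advisory, the following POSIX shell snippet reads the autoinstall setting mentioned above from uptrack.conf and runs the manual upgrade only on hosts where the updates will not arrive automatically. It assumes uptrack.conf is INI-style ("key = value" lines, '#' or ';' comments); the helper names are ours.

```sh
#!/bin/sh
# Added example (not Oracle's code): decide whether a host still needs a
# manual `uptrack-upgrade -y` for USN-3070-1 by reading the autoinstall
# setting in /etc/uptrack/uptrack.conf. Assumes INI-style "key = value"
# lines with '#' or ';' comments.

# Print the value of KEY (case-insensitive) from CONF; the last definition
# wins, comments and surrounding whitespace are ignored. Returns 1 if the
# file is unreadable or the key is absent.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/[#;].*$//' "$conf" \
      | awk -F= -v k="$key" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1)
            if (tolower($1) == tolower(k)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); found = 1
            } }
          END { if (found) { print v; exit 0 } exit 1 }'
}

# Returns 0 when "autoinstall = yes" is set (case-insensitive), 1 otherwise.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get "${1:-/etc/uptrack/uptrack.conf}" autoinstall) || return 1
    case "$v" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Apply the updates only where Uptrack will not do it on its own.
apply_if_needed() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates will be installed automatically"
    else
        echo "autoinstall disabled: running uptrack-upgrade"
        /usr/sbin/uptrack-upgrade -y
    fi
}
```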
DESCRIPTION
* CVE-2016-5244: Information leak in the RDS network protocol.
Lack of on-stack struct initialization in the RDS network protocol leads to
one byte of kernel stack being leaked to userspace. A local attacker could
use this flaw to gain information about the running kernel and facilitate
an attack.
* CVE-2016-5728: Memory corruption in virtio MIC driver.
A race condition in the virtio MIC host driver can allow a malicious
guest to cause memory corruption in the host when adding a new guest MIC
device.
* CVE-2016-5400: Memory leak in AirSpy SDR device initialization.
A logic error when failing to initialize an AirSpy USB SDR device can
trigger a kernel memory leak and subsequent kernel panic. A local user
with USB access can use this flaw to cause a denial of service.
* Use after free in 802.11 mesh networking station cleanup.
A race condition when destroying 802.11 mesh network station information
can trigger a use after free and kernel panic.
* Deadlock when establishing new InfiniBand connection.
Incorrect locking in the InfiniBand connection manager can trigger a
deadlock and kernel panic when a new connection has been established.
* Permission bypass when mounting filesystem in user namespace.
A logic error when mounting a filesystem can allow a read-only
filesystem to be mounted read-write in a user namespace allowing an
unprivileged user to write data outside their namespace.
* Memory leak in NFS atomic file opening.
Incorrect reference counting in the kernel NFS client when an error is
encountered opening a file atomically can trigger a memory leak and
kernel panic.
* Memory leak when releasing IPv6 routes.
A logic error when an IPv6 route is released can lead to a kernel memory
leak and subsequent kernel panic. A remote attacker may be able to
trigger this issue by creating and destroying many routes.
* Kernel panic when removing ELO USB touchscreen device.
A logic error when removing an ELO USB 4000/4500 touchscreen device can
trigger a use after free condition and kernel panic.
* CVE-2016-5829: Memory corruption in unknown USB HID devices.
The USB HID driver does not validate USB data when an unknown HID device
is encountered which can allow a malicious USB device to trigger kernel
memory corruption and gain execution.
* Kernel panic with trace points with non-constant formats.
An invalid optimization can trigger a NULL pointer dereference and
kernel panic when a trace point contains a non-constant format string.
* Memory leak in industrial IO device polling.
Memory is incorrectly freed when attaching a polling function to an
industrial device fails which can trigger a kernel memory leak and
kernel panic.
* Information leak in virtual terminal key mapping.
A logic error when mapping raw scan codes to keys in the virtual
terminal driver can trigger an out-of-bounds read which can leak the
contents of kernel memory to userspace.
* Use after free when closing dummy soundcard.
Incorrect reference counting when closing a dummy soundcard with a
high-resolution timer backend can trigger a use after free condition and
kernel panic.
* Memory corruption when removing Echoaudio ALSA devices.
A logic error when allocating memory for Echoaudio ALSA devices can
trigger kernel memory corruption and kernel panic.
* Use after free when closing ALSA digital audio stream.
A logic error when closing an ALSA digital audio stream with channel
mapping controls can trigger a use after free and kernel panic.
* Denial of service in OverlayFS directory removal.
A race condition can allow a malicious user to remove an upper directory
while it is being hidden in the lower directory which can trigger a
kernel panic.
* Memory corruption in CIFS NTLM authentication.
Incorrect memory management in the kernel SMB server can allow a remote
user to cause kernel memory corruption by providing an over-sized
NTLMSSP message.
* CVE-2016-1237: Permission bypass in NFS filesystem when setting ACLs.
Missing permission checks when setting the ACLs on a file from an NFS mount
could allow unprivileged users to grant themselves access to an otherwise
not allowed file. This could potentially be used to escalate privileges.
* CVE-2016-6197: Denial-of-service in OverlayFS.
Incorrect handling of hard links could result in a kernel panic when a
rename operation targets a hardlink. This flaw could be used by a local
user to cause a denial of service.
* Denial of service in Emulex LightPulse device reset.
A logic error when resetting an Emulex LightPulse Fibre Channel device
can trigger a NULL pointer dereference and kernel panic.
* Permission bypass when updating attributes on overlayfs files.
A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.
* CVE-2016-5696: Session hijacking in TCP connections.
A logic error in the core TCP subsystem can allow attackers to easily
guess secret information and inject arbitrary packets into a TCP stream.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.