[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3161-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Dec 22 01:15:54 PST 2016
Synopsis: USN-3161-1 can now be patched using Ksplice
CVEs: CVE-2015-8964 CVE-2016-6213 CVE-2016-8630 CVE-2016-8645 CVE-2016-9178 CVE-2016-9555
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3161-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
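As an added check (not part of this advisory or of Oracle's Ksplice tooling), the following POSIX shell script reports whether a host already carries a Ksplice update for each CVE listed above and whether autoinstall is turned on in /etc/uptrack/uptrack.conf. It assumes that uptrack-show prints one "[update-id] description" line per installed update; the sample uptrack-show output and uptrack.conf contents embedded in the script are constructed so that it runs offline, and it falls back to them whenever uptrack-show is not installed.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory: check a Xenial host for the
# USN-3161-1 CVE fixes in its installed Ksplice updates and for autoinstall.
# The "[update-id] description" line format of uptrack-show is an assumption.

ADVISORY_CVES='CVE-2015-8964 CVE-2016-6213 CVE-2016-8630 CVE-2016-8645 CVE-2016-9178 CVE-2016-9555'

# Constructed sample of uptrack-show output: only three of the six CVEs applied.
SAMPLE_UPTRACK_SHOW='Installed updates:
[a1b2c3d4] CVE-2016-8630: NULL pointer dereference in KVM instruction decoding.
[e5f6a7b8] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
[c9d0e1f2] CVE-2015-8964: Use-after-free in tty line discipline configuration.

Effective kernel version is 4.4.0-57.78'

# Constructed sample of /etc/uptrack/uptrack.conf with autoinstall turned off.
SAMPLE_CONF='[Uptrack]
# Set to yes to install updates automatically.
autoinstall = no
install_on_reboot = yes'

# missing_cves CVES UPTRACK_SHOW_OUTPUT
# Print, one per line, the CVEs from CVES that do not appear in the output.
# grep -w keeps CVE-2016-863 from matching CVE-2016-8630.
missing_cves() {
    for cve in $1; do
        printf '%s\n' "$2" | grep -qw -- "$cve" || printf '%s\n' "$cve"
    done
}

# autoinstall_enabled CONF_TEXT
# Succeed only when an uncommented "autoinstall = yes" line is present.
autoinstall_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# report CVES UPTRACK_SHOW_OUTPUT CONF_TEXT
# Print the status and return 0 when every CVE is covered, 1 otherwise.
report() {
    missing=$(missing_cves "$1" "$2")
    if autoinstall_enabled "$3"; then
        echo "autoinstall = yes: Uptrack applies new updates on its own"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y if anything is missing"
    fi
    if [ -z "$missing" ]; then
        echo "all USN-3161-1 CVEs are covered by installed Ksplice updates"
        return 0
    fi
    echo "no Ksplice update installed for:"
    printf '  %s\n' $missing
    return 1
}

# Use the live system when Uptrack is present, otherwise the constructed samples.
if command -v uptrack-show >/dev/null 2>&1 && [ -r /etc/uptrack/uptrack.conf ]; then
    report "$ADVISORY_CVES" "$(uptrack-show 2>/dev/null)" "$(cat /etc/uptrack/uptrack.conf)" \
        || echo "remediation needed"
else
    report "$ADVISORY_CVES" "$SAMPLE_UPTRACK_SHOW" "$SAMPLE_CONF" || echo "remediation needed"
fi
```

On a real host the non-zero return of report is the signal worth wiring into monitoring; the CVE list is matched by whole word so a CVE id that is a prefix of another cannot produce a false positive, and only an uncommented autoinstall line counts, so a commented-out example in uptrack.conf is not mistaken for the setting.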
DESCRIPTION
* Denial-of-service in V4L2 buffer dequeuing.
A NULL pointer dereference in the buffer dequeuing logic for DVB devices
could result in a kernel crash, triggerable by a local user with access
to a DVB device.
* Use-after-free in error path when mounting file systems.
Incorrect error handling when mounting a filesystem could lead to a
use-after-free. A local user with mount permissions could use this flaw
to cause a denial-of-service.
* Denial-of-service when syncing the log of a BTRFS filesystem.
A locking error when syncing the BTRFS log could lead to list
corruption. An attacker could use this flaw to cause a
denial-of-service.
* Infinite loop in getdents() syscall on a UBIFS filesystem.
Incorrect error handling in the getdents() syscall path for UBIFS
could lead to an infinite loop in libc. An attacker could use this
flaw to cause a denial-of-service.
* Denial-of-service when resizing a virtual terminal.
A missing check during virtual terminal resizing could lead to an
invalid memory access. A local user could use this flaw to cause a
denial-of-service.
* Memory leak when resizing a virtual terminal.
An error in argument sanitization during virtual terminal resizing could
lead to a memory leak. A local user could use this flaw to exhaust
memory and cause a denial-of-service.
* NULL pointer dereference when destroying a device mapper device.
A logic error in the DM_DEV_REMOVE and DM_REMOVE_ALL ioctl paths could lead
to a NULL pointer dereference. A local user with the capabilities to
use those ioctls could cause a denial-of-service.
* Use-after-free when removing a KVM virtual machine.
Incorrect logic while clearing virtual CPU data could cause a
use-after-free. An attacker able to create and destroy VMs could use
this flaw to cause a denial-of-service.
* Data corruption during copy-up in Overlay Filesystem.
A missing cache flush after a copy-up in Overlayfs could lead to data
corruption if the system crashes.
* Buffer overflow in the FireWire network driver.
A logic error in the checks on incoming packets could lead to an rx
buffer overflow. A remote attacker could use this flaw to cause a
denial-of-service.
* Data loss when passing a command to a MegaRAID controller.
A bug in the handling of the SYNCHRONIZE_CACHE command meant that
cached data was not properly flushed to disk in JBOD mode, resulting in
a loss of data integrity.
* CVE-2016-8630: NULL pointer dereference in KVM instruction decoding.
A missing check during instruction decoding could lead to a NULL pointer
dereference. An attacker inside a guest virtual machine could execute
instructions with specific properties to cause a denial-of-service of
the host.
* Use-after-free in TCP stack when IPv6 is used.
Incorrect data handling in the TCP stack could result in a use-after-free
when IPv6 is in use. An attacker could exploit this to execute arbitrary
code in kernel mode.
* Denial-of-service in IPv4 subsystem.
Incorrect locking in the sysctl interface of the IPv4 subsystem led to
an inconsistent lock state that could leave the kernel stuck in a
deadlock.
* Privilege escalation in SCTP getsockopt().
An incorrect integer operation when getting the SCTP_EVENTS socket option
leads to undefined behavior. An attacker could use this to execute
arbitrary code in kernel mode.
* CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
A missing bounds check in one of the SCTP state functions could cause
memory beyond the allocated buffer to be used. This could lead to memory
corruption and other undefined behavior.
* Memory exhaustion in procfs sound info.
Missing argument sanitization in the write() callback of the sound
procfs info entries could lead to an allocation whose size is user
controlled. An attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.
* Use of uninitialized memory in the Intel Management Engine Interface.
A logic error could lead to an uninitialized memory access while enabling
the Intel MEI phy. A user with the capability to bring up an interface
using this phy could cause a denial-of-service.
* Memory corruption when sending messages over a TCP socket.
An incorrect check on the max_skb_frags sysctl value when sending TCP
messages could lead to memory corruption. An attacker could use this
flaw to cause a denial-of-service.
* NULL pointer dereference when binding a DCCP IPv6 socket.
A missing callback in the dccp_v6 protocol operations could cause a NULL
pointer dereference when binding a socket. A local user able to bind a
DCCP IPv6 socket could use this flaw to cause a denial-of-service.
* Use-after-free when using setsockopt() or connect() on an SCTP socket.
A race condition between the connect() and setsockopt() syscalls on an
SCTP socket could lead to a use-after-free. A local user able to issue
those syscalls could cause a denial-of-service.
* Denial-of-service when mounting a crafted EXT4 image as read-only.
A missing check when mounting a crafted EXT4 image as read-only could
lead to a kernel panic. An attacker with mount capabilities could use
this flaw to cause a denial-of-service.
* Memory leak when using the InfiniBand userspace driver.
A missing free of queue pairs during cleanup when userspace releases
the driver could lead to a memory leak. An attacker could use this
flaw to cause a denial-of-service.
* Data leak in the TIOCMGET ioctl for the CP210X UART-to-USB bridge.
Incorrect error handling in the TIOCMGET ioctl of the CP210X driver could
leak 8 bits of kernel stack memory to userspace. An attacker could
use this flaw to learn information about the running kernel and
facilitate a further attack.
* CVE-2016-8645: Denial-of-service during TCP packet reception.
When collapsing multiple socket buffers into one, a bug in the code
could result in kernel panic. A remote attacker could trigger this by
sending specially crafted packets and cause a denial-of-service.
* Denial-of-service due to TCP write queue overflow.
Setting a large default write queue for TCP packets can cause an
overflow in the kernel, leading to stalling of TCP connections followed
by a reset after timeout.
* Denial-of-service due to incorrect TCP checksum calculation.
When both MTU probing and TX checksum offload are enabled, incorrect
TCP checksums can be generated, which can cause a TCP connection to
stall and prevent further transmission.
* CVE-2015-8964: Use-after-free in tty line discipline configuration.
Incorrect initialization in the tty subsystem can cause a tty driver to
access previously freed memory. A local attacker could use this to
obtain sensitive information from the kernel.
* Denial-of-service due to memory leak in TCP subsystem.
A malicious TCP client could cause the kernel to leak memory via the use
of crafted selective acknowledgements. This could result in stalling the
TCP stack for all connections or exhausting system memory.
* CVE-2016-9178: Information disclosure in get_user.
Due to incorrect initialisation of inline assembly, a local user could
obtain sensitive information from the kernel stack.
* Denial-of-service during routing table query.
A local user could cause a deadlock in the kernel by issuing a query
for the current IPv4 or IPv6 routing table.
* Memory leak during GENEVE device creation.
Incorrect error handling during GENEVE device creation can cause a
memory leak.
* Memory leak during GENEVE device deletion.
Incorrect configuration of GENEVE devices can cause kernel memory to be
leaked when they are deleted.
* NULL pointer dereference during tg3 probe.
Incorrect error handling in the tg3 driver can cause a NULL pointer
dereference during the driver probe.
* CVE-2016-6213: Denial-of-service when bind mounting filesystems.
A missing limit could cause an overflow of the mount table. A user with
mount permissions could cause a denial-of-service by bind mounting many
filesystems and overflowing the mount table.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.