[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (USN-3016-1)
Jamie Iles
jamie.iles at oracle.com
Wed Jun 29 01:36:47 PDT 2016
Synopsis: USN-3016-1 can now be patched using Ksplice
CVEs: CVE-2016-3134 CVE-2016-4482 CVE-2016-4569 CVE-2016-4578 CVE-2016-4580 CVE-2016-4913 CVE-2016-4951 CVE-2016-4997 CVE-2016-4998
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3016-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* NULL pointer dereference in DECnet routing.
Missing NULL pointer checks could result in a NULL pointer dereference
and kernel crash when outputting a DECnet packet. A local, unprivileged
user could use this flaw to crash the system.
* Information leak in mclist netlink attribute.
The netlink interface for querying the mclist attribute does not
initialize memory which leaks the contents of kernel memory to
userspace. A local user could use this flaw to infer the layout of
kernel memory.
* Data corruption in openvswitch ipv6 checksum recalculation.
Incorrect flag check prior to recalculating ipv6 checksums in
openvswitch may result in the recalculation being skipped.
* NULL pointer dereference in Berkeley Packet Filter performance counters.
Incorrect validation of a BPF program could allow an unprivileged, local
user to trigger a NULL pointer dereference and kernel crash under
specific conditions.
* Use-after-free in network bridge ioctl().
Missing locking in the bridge ioctl handler for receiving network
interface indices could result in a use-after-free and kernel crash
under specific conditions.
* CVE-2016-4580: Kernel stack information leak in X25 facility negotiation.
Missing initialization of a stack data structure could result in leaking
up to 8 bytes of kernel stack information to a local, unprivileged user.
* Denial-of-service in compressed memory allocator scanning.
An integer overflow in compactable page calculation for the compressed
memory allocator could result in excessive compaction, and heavy
resource utilization.
* CVE-2016-4913: Information leak in ISO9660 filename parsing.
Incorrect handling of NUL termination bytes could result in reading
excessive data from a kernel buffer into user-space. A local user with
permissions to mount a maliciously crafted filesystem could use this
flaw to leak the contents of sensitive memory.
* Denial-of-service in Video4Linux buffer dequeuing.
A NULL pointer dereference in the buffer dequeuing logic for DVB devices
could result in a kernel crash, triggerable by a local user with access
to a DVB device.
* CVE-2016-4578, CVE-2016-4569: Information leak in sound timers.
Missing initialization of stack data structures could result in leaking
the contents of kernel stack memory to user-space. A local user with
access to the sound device could use this flaw to infer the layout of
kernel memory.
* CVE-2016-4951: NULL pointer dereference in TIPC nested attribute parsing.
A missing NULL pointer check could result in a NULL pointer dereference
when parsing nested attributes for a published socket.
* CVE-2016-4482: Information leak in USB devfs ioctl.
The USB devfs driver can leak the contents of the kernel stack to
userspace when performing a USBDEVFS_CONNECTINFO operation.
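The three kernel stack information leaks above (X.25 facility negotiation, the sound timers and the USB devfs ioctl) are all the same bug class: a handler fills in some fields of a stack-allocated structure and then copies the whole object to userspace, so unset fields and struct padding carry stale stack bytes out with it. The C program below is an added illustration of that class and of the usual fix, not code from the kernel or from Ksplice's patch; `struct reply`, its layout (12 bytes with 3 bytes of padding on a typical 64-bit ABI) and both handler functions are constructed for the example, and a memory pre-filled with a sentinel byte stands in for old stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reply structure of the kind an ioctl handler fills in and
 * copies to userspace. Assumed layout (typical 64-bit ABI): 3 bytes of
 * padding after `kind`, 12 bytes total. */
struct reply {
    uint8_t  kind;
    uint32_t value;
    uint32_t flags;   /* only meaningful for some `kind` values */
};

/* Union so the same bytes can be inspected as a raw byte array. */
union reply_bytes {
    struct reply r;
    unsigned char raw[sizeof(struct reply)];
};

#define STALE 0xAA   /* sentinel standing in for old stack contents */

/* Bug-class model: assigns only the fields it cares about. Padding and
 * `flags` keep whatever the stack held before, and would be copied out. */
static void fill_reply_leaky(struct reply *r, uint32_t v) {
    r->kind = 0;
    r->value = v;
}

/* Hardened form: clear the whole object before filling it so that neither
 * padding nor unset fields carry stale data to userspace. */
static void fill_reply_zeroed(struct reply *r, uint32_t v) {
    memset(r, 0, sizeof *r);
    r->kind = 0;
    r->value = v;
}

/* Runs `fill` on memory pre-filled with STALE and returns how many bytes of
 * the object still hold the sentinel afterwards, i.e. how many bytes would
 * leak if the object were copied to userspace as a whole. */
int count_stale_bytes(void (*fill)(struct reply *, uint32_t)) {
    union reply_bytes u;
    memset(u.raw, STALE, sizeof u.raw);
    fill(&u.r, 0x11223344u);           /* no byte of this value equals STALE */
    int stale = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STALE)
            stale++;
    return stale;
}

int stale_bytes_leaky(void)  { return count_stale_bytes(fill_reply_leaky); }
int stale_bytes_zeroed(void) { return count_stale_bytes(fill_reply_zeroed); }

int main(void) {
    printf("leaky handler : %d of %zu bytes stale\n",
           stale_bytes_leaky(), sizeof(struct reply));
    printf("zeroed handler: %d of %zu bytes stale\n",
           stale_bytes_zeroed(), sizeof(struct reply));
    return 0;
}
```

On a typical 64-bit build the leaky handler leaves 7 stale bytes (3 padding, 4 in `flags`) and the zeroed handler leaves none. The point for reviewers is that assigning every named field is not enough: padding is only guaranteed clean when the object is cleared as a whole (or declared with an empty initializer and the compiler is trusted to zero padding, which the C standard does not require), which is why kernel fixes for this class add a `memset` before the fields are filled in.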
* Privilege escalation when opening performance events.
A race condition between perf_event_open and execve can allow an
unprivileged user to trace a privileged process, potentially allowing an
unprivileged user to escalate privileges.
* Filesystem corruption in EXT4 extent moving.
A missing update of the buffer head could result in filesystem
corruption when moving extent data.
* Use after free in Bluetooth VHCI device opening.
The kernel Bluetooth driver does not correctly handle opening VHCI
devices, used for emulating HCI devices, which can trigger a use after
free and kernel panic.
* Memory leak in Bluetooth VHCI device opening.
The kernel Bluetooth driver does not handle closing a VHCI device before
packets are delivered to userspace which leads to a kernel memory leak
and subsequent denial of service.
* Privilege escalation when probing Keyspan USB Serial devices.
A logic error when failing to probe a Keyspan USB Serial device can
trigger a use-after-free and possible privilege escalation.
* Privilege escalation when probing Quatech USB Serial devices.
A logic error when failing to probe a Quatech USB Serial device can
trigger a use-after-free and possible privilege escalation.
* Kernel panic when setting baud-rate on generic PCI serial devices.
Setting the baud-rate of a generic PCI serial device can trigger a
divide-by-zero error and subsequent kernel panic. A local user could
use this flaw to trigger a denial of service.
* Kernel panic when sending SCSI commands to InfiniBand devices.
A logic error can trigger an assertion failure when sending SCSI
commands to an InfiniBand RDMA device with debugging enabled.
* Kernel panic when detaching Thunderbolt devices.
A logic error in the Thunderbolt kernel driver can trigger a double-free
and kernel panic when a Thunderbolt device is detaching while being
probed.
* Use after free when loading Atheros 10k WiFi driver.
A race condition between initializing an Atheros 10k device and
receiving frames can trigger a use after free and kernel panic.
* Kernel panic when initializing Realtek 8xxx WiFi device.
Invalid locking when resetting the transmit/receive ring-buffers for
Realtek 8xxx devices can trigger an assertion failure and a kernel panic.
* Kernel panic when resuming Xen VM from suspend.
A logic error when resuming a Xen VM from suspend can trigger an
assertion failure and kernel panic when moving IRQs that have been
disabled.
* Denial of service with corrupt orphan list on ext4 filesystem.
The kernel ext4 filesystem driver does not correctly handle corrupt orphan
inode lists, which can trigger an infinite loop and kernel deadlock.
* Kernel panic when adding orphaned inodes on ext4 filesystem.
A logic error when adding orphaned inodes on ext4 filesystems can
trigger memory corruption and kernel panic.
* Use after free when xfs inode writeback fails.
Incorrect locking when flushing inodes on an xfs filesystem can trigger
a use after free and kernel panic.
* Kernel panic when DMA enabled on DAS1800 devices.
A logic error in the DAS1800 data acquisition device driver can trigger
a NULL pointer dereference and kernel panic when DMA is enabled on a
device.
* Privilege escalation when probing Moxa USB Serial devices.
A logic error when failing to probe a Moxa USB Serial device can trigger
a use-after-free and possible privilege escalation.
* Kernel panic when probing Maxim MAX8997 haptic devices.
A logic error when probing Maxim MAX8997 haptic devices can trigger a
NULL pointer dereference and kernel panic when probing a device.
* Memory corruption in Radeon display drivers with multiple displays.
Incorrect memory management can lead to kernel memory corruption when
querying info about a Radeon display device with multiple displays.
* CVE-2016-3134, CVE-2016-4997, CVE-2016-4998: Memory corruption in SO_SET_REPLACE netfilter interface.
The netfilter subsystem does not correctly validate IPT_SO_SET_REPLACE
data from userspace which can allow local users with CAP_NET_ADMIN
privileges to trigger kernel memory corruption and possibly gain
elevated privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.