[Ksplice][Ubuntu-16.04-Updates] New updates available via Ksplice (USN-2965-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Sat May 7 06:40:43 PDT 2016
Synopsis: USN-2965-1 can now be patched using Ksplice
CVEs: CVE-2015-7833 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188 CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3156 CVE-2016-3157 CVE-2016-3672 CVE-2016-3689 CVE-2016-3951 CVE-2016-3955 CVE-2016-4557
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2965-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 16.04 Xenial
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
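As an added check for administrators rolling this out (example script, not part of the advisory or of Oracle's Ksplice tooling), the script below reads the autoinstall setting from an uptrack.conf-style file to decide whether the manual command above is needed, and compares the advisory's CVE list against a listing of applied updates; the config layout and the `uptrack-show`-style listing format are constructed assumptions.

```shell
# Added example: decide whether `uptrack-upgrade -y` must be run by hand, and
# report which USN-2965-1 CVEs are not yet mentioned in an update listing.
# The config layout and the update-listing format are constructed assumptions.

# Print "yes" if the config file enables autoinstall, otherwise "no".
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    sed -e 's/#.*//' "$conf" \
      | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
      && echo yes || echo no
}

# CVEs fixed by USN-2965-1, as listed in the advisory.
USN_2965_1_CVES="CVE-2015-7833 CVE-2016-2184 CVE-2016-2185 CVE-2016-2186 CVE-2016-2188
CVE-2016-3136 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3156 CVE-2016-3157
CVE-2016-3672 CVE-2016-3689 CVE-2016-3951 CVE-2016-3955 CVE-2016-4557"

# Print, one per line, the advisory CVEs not mentioned in the update listing
# held in file $1. Empty output means every listed CVE is covered.
missing_cves() {
    for cve in $USN_2965_1_CVES; do
        grep -q -- "$cve" "$1" || echo "$cve"
    done
}

# Constructed sample inputs for demonstration (ids are placeholders).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '[Settings]\n# automatic updates\nautoinstall = yes\n' > "$tmp/auto.conf"
printf '[Settings]\nautoinstall = no\n' > "$tmp/manual.conf"
cat > "$tmp/show.txt" <<'EOF'
Installed updates:
[xxxxxxxx] CVE-2016-4557: Privilege escalation in Berkeley Packet Filter.
[yyyyyyyy] CVE-2016-3672: ASLR bypass on 32-bit processes.
EOF

main() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if [ "$(uptrack_autoinstall_enabled "$conf")" = yes ]; then
        echo "autoinstall enabled; Ksplice applies USN-2965-1 automatically"
    else
        echo "autoinstall off; apply with: /usr/sbin/uptrack-upgrade -y"
    fi
    missing=$(missing_cves "$tmp/show.txt")
    [ -z "$missing" ] && echo "all USN-2965-1 CVEs covered" || echo "missing: $missing"
}
main "$@"
```

On a real host, feed `missing_cves` a file captured from the actual update listing rather than the constructed sample.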
DESCRIPTION
* CVE-2016-3951: Use-after-free in USB networking bind failure.
A race condition between probing a USB network device and error handling
could result in a use-after-free condition and kernel crash.
* CVE-2016-3951: Use-after-free in USB networking device probe failure.
Incorrect error handling when registering a USB networking device could
result in a use-after-free condition and kernel crash.
* Denial-of-service in KVM VCPU creation.
Incorrect error handling could result in an integer overflow, allowing a
user with permission to create virtual CPUs to trigger a kernel
assertion and crash the system.
* Denial-of-service in KVM invvpid and invept instruction emulation.
Incorrect handling of invalid invvpid and invept instructions could
result in a kernel hang. A local user could use this flaw to crash the
system.
* CVE-2016-3157: Xen I/O port access privilege escalation in x86-64.
User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.
* Permissions bypass in nvdimm ioctls().
Incorrect handling of ioctl() numbers could result in allowing write
operations to a dimmctl or ndctl device that was opened in read-only
mode.
* Denial-of-service in device mapper snapshot devices.
Creating a device mapper snapshot device where the copy-on-write and
origin devices used the same device would result in a NULL pointer
dereference and kernel crash.
* NULL pointer dereference in request-based device mapper devices.
Incorrect ordering in request queuing could result in a NULL pointer
dereference and kernel crash under specific conditions.
* CVE-2016-3138: Denial of service in CDC ACM USB descriptor parsing.
A logic error in the CDC ACM USB driver can allow a malformed USB
descriptor with an incorrect number of interfaces to trigger a NULL
pointer dereference and kernel panic.
* CVE-2016-2188: Denial of service in IO Warrior USB descriptor parsing.
A logic error in the IO Warrior USB driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference and
kernel panic.
* Denial of service in generic USB interface management.
A malformed USB descriptor can trigger a NULL pointer dereference and
kernel panic when the generic USB driver claims interfaces.
* CVE-2016-3136: Denial of service in MCT Serial USB descriptor parsing.
A logic error in the MCT Single Port Serial driver can allow a malformed
USB descriptor with missing ports to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.
A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.
* CVE-2016-3137: Denial of service in USB Cypress M8 descriptor parsing.
A logic error in the Cypress M8 device driver can allow a malformed USB
descriptor with missing endpoints to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-2186: Denial of service in Griffin PowerMate USB descriptor parsing.
A logic error in the Griffin PowerMate USB driver can allow a malformed
USB descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-2184: Denial of service in ALSA USB audio descriptor parsing.
A logic error in the ALSA USB audio driver can allow a malformed USB
descriptor with zero endpoints to trigger a NULL pointer dereference
and kernel panic.
* Kernel stack information leak in cryptographic key wrapping.
Incorrect clearing of a kernel stack buffer could result in leaking
kernel stack contents to user-space. A local user could use this flaw
to gain privileged kernel information.
* Kernel stack corruption in Intel Management Engine Interface transfers.
Performing transfers before the MEI device was enabled could result in
stack corruption during link reset and a subsequent kernel crash.
* Heap overflow in I2C USB HID reporting.
Missing bounds checks could result in a heap overflow when setting or
sending a report. A local user with access to the device could use this
flaw to crash the system or potentially, escalate privileges.
* NULL pointer dereference in TTY line discipline reception.
A missing NULL pointer check could result in a NULL pointer dereference
when receiving a buffer under specific conditions.
* Use-after-free in Infra-red terminal opening.
Use of a stale pointer when opening an IrTTY device could result in a
use-after-free condition and subsequent kernel crash. A local user with
access to the IrTTY device could use this flaw to crash the system.
* Journalling filesystem corruption on unmount under memory pressure.
Unmounting a filesystem under memory pressure could result in journal
corruption on a subsequent remount.
* NULL pointer dereference in Infiniband SCSI RDMA Protocol Target.
Missing SRP targets could result in a NULL pointer dereference and
subsequent kernel crash under specific conditions.
* Kernel crash in block cache device initialization.
A race between initializing a block cache device and the writeback
thread could result in triggering a kernel assertion and crashing the
system.
* NULL pointer dereference in block cache registration failure.
Allocation failures whilst creating a block cache device could result in
a NULL pointer dereference and kernel crash when the system was under
memory pressure.
* Heap buffer overflow in Bluetooth Add Advertising command handler.
Missing bounds checks could result in a heap buffer overflow when
performing an Add Advertising operation. A local user with permissions
to perform Bluetooth management operations could use this flaw to
escalate privileges or crash the system.
* Denial-of-service in pipe splicing with no pages.
Splicing from a pipe with no pages could result in a NULL pointer
dereference and kernel crash. Under specific conditions a local user
could use this flaw to crash the system.
* Kernel crash in disk quota initialization.
Missing array initialization could result in dereferencing an invalid
pointer and a kernel crash when initializing a quota for an inode and
experiencing an error.
* Denial-of-service in coredump writing.
Under specific conditions, the kernel could write corefiles for SUID
processes into a user-controlled directory. This flaw could be used to
exhaust disk space and trigger a denial-of-service.
* Kernel crash in IP-over-Infiniband multicast group joining.
A race condition when joining an IP-over-Infiniband multicast group
could result in a NULL pointer dereference and kernel crash.
* Denial-of-service in NFS server buffer decoding.
Integer overflows in the NFS buffer decoding operations could result in
out-of-bounds accesses and a kernel crash. A malicious client could use
this flaw to crash the system.
* Denial-of-service in NFS secinfo+readdir operations.
Incorrect locking could allow a malicious client to deadlock the system
with unexpected compound operations.
* Use-after-free in writeback operations.
Incorrect reference counting could result in a use-after-free during
writeback operations. Under specific conditions this could result in a
kernel crash.
* CVE-2016-3689: Denial of service in IMS PCU USB descriptor parsing.
A logic error in the IMS PCU USB driver can allow a malformed USB
descriptor with missing interfaces to trigger a NULL pointer dereference
and kernel panic.
* CVE-2016-2185: Denial of service in ATI/Philips USB RF remote descriptor parsing.
A logic error in the ATI/Philips USB RF remote driver can allow a
malformed USB descriptor to trigger a NULL pointer dereference and
kernel panic.
* Kernel hang in OCFS2 Distributed Lock Manager convert and recovery operations.
A race condition between convert and recovery operations could result in
a system hang under specific conditions.
* Kernel crash in OCFS2 Distributed Lock Manager during master loss.
A race condition when the DLM master went down could result in
triggering a kernel assertion and crashing the system under specific
conditions.
* Use-after-free in Maxim MAX1111 ADC channel read.
Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash. A local, privileged user could
use this flaw to crash the system.
* Kernel crash in ALSA timer arming.
Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.
* Kernel crash in NUMA page migration.
Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.
* Denial-of-service in PPP interface creation failure.
Imbalanced locking when PPP interface creation failed could result in a
permanently held lock and failure to create future interfaces.
* CVE-2016-3156: Denial-of-service when removing a network interface.
Removal of a network interface with lots of IPv4 addresses may lead to the
kernel hanging for a long time, with all network operation blocked. A
local, privileged user in a container could use this flaw to block network
access and cause a denial-of-service.
* Denial-of-service in recvmmsg() error handling.
Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call. A local, unprivileged user could use this flaw
to trigger a denial-of-service.
* Use-after-free in PPP ioctl() handling.
Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash. A local user with access to the
PPP device could use this flaw to crash the system.
* NULL pointer dereference in the CDC USB Ethernet driver.
A lack of NULL pointer check in the Communication Device Class (CDC) USB
Ethernet driver when checking the RNDIS descriptor leads to a Kernel panic.
An attacker with physical access could plug in such a rogue device to cause
a denial-of-service.
* Denial-of-service in 802.11 interface stopping.
Missing locking could result in memory corruption and dereferencing an
invalid pointer. A local, privileged user could use this flaw to crash
the system.
* BTRFS filesystem data loss during fsync() after rename and inode creation.
Renaming a file on a BTRFS filesystem followed by creation of a new
inode with the same name could result in data loss if the filesystem is
uncleanly mounted.
* Kernel crash in Wacom Bamboo ONE driver.
Incorrect handling of Bamboo ONE devices during registration could
result in a NULL pointer dereference when processing events for the
device.
* CVE-2015-7833: Kernel crash when probing USBVision device driver.
Missing input validation when probing for USBVision devices could in
certain circumstances cause the kernel to access invalid memory. A
malicious user with physical access to the machine could use this to
cause denial of service or worse.
* CVE-2016-3672: ASLR bypass on 32-bit processes.
Enabling an unlimited stack size would completely disable ASLR for
processes with the limit applied. A local user could use this flaw to
reduce the security of a setuid/setgid application.
* CVE-2016-3955: Privilege escalation in IP over USB driver.
Missing user supplied input validation could result in an out-of-bounds
write allowing a local user to crash the system or potentially escalate
privileges.
* Denial-of-service in USB stack during device unplug.
Incorrect handling of USB devices during unplug could result in memory
corruption and a kernel crash. A user with physical access to the
system could use this flaw to crash the system.
* NULL pointer dereference in Transparent Inter Process Communication (TIPC) transmission.
A race condition in the transmission on TIPC sockets for a congested
channel could result in a NULL pointer dereference and kernel crash. A
local, unprivileged user could use this flaw to crash the system.
* Trust bypass in PKCS#7 trust validation.
An uninitialized variable could result in trusting a PKCS#7 SignedInfo
block when the verification had actually failed.
* Infinite loop when calculating the IP checksum on destination link failure.
Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.
* Use-after-free when decrypting a packet after the netdevice was unregistered.
Asynchronous decryption of packets on the netdevice receive queue was not
properly taking a reference on the netdevice, potentially leading to a
use-after-free if the netdevice is unregistered after queueing such packets
for decryption.
* Kernel BUG when sending a UDP message over IPv6 longer than the MTU.
Failure to account for the space needed for the extension headers when
sending a UDP message over IPv6 when the packet is longer than the MTU
leads to a kernel BUG. A local, unprivileged user could use this flaw to
cause a denial-of-service.
* Invalid pointer dereference in the MultiProtocol Label Switching router.
A missing check when looking up the network device to route packets to when
sending a packet through the MultiProtocol Label Switching stack could lead
to an invalid pointer dereference and kernel panic. A local, unprivileged
user could use this flaw to cause a denial-of-service.
* Use-after-free in the perf subsystem on error in the perf_event_open syscall.
A double-free condition can be triggered in the perf_event_open() syscall
on error opening the event file, leading to a use-after-free and kernel
panic. A local user with CAP_SYS_ADMIN, or an unprivileged user when the
perf_event paranoid setting is permissive, could use this flaw to cause a
denial-of-service.
* CVE-2016-4557: Privilege escalation in Berkeley Packet Filter.
A use-after-free in the Berkeley Packet Filter could allow a local,
unprivileged user to crash the system or escalate privileges with a
carefully crafted BPF program.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.