[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3405-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Aug 30 03:37:58 PDT 2017
Synopsis: USN-3405-1 can now be patched using Ksplice
CVEs: CVE-2015-7837 CVE-2017-1000112 CVE-2017-1000371 CVE-2017-7495 CVE-2017-7541
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3405-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
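The two installation paths above (automatic via "autoinstall = yes", or a manual uptrack-upgrade run) can be folded into one idempotent script for fleet-wide use. The following is an added example, not part of the Ksplice announcement or of Oracle's tooling: it parses the autoinstall setting out of uptrack.conf (the path is a parameter so the function can be exercised on a constructed file) and only invokes /usr/sbin/uptrack-upgrade -y where autoinstall is off. The DRY_RUN variable and the section-less sample config are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the Ksplice announcement): decide whether a host
# still needs a manual "uptrack-upgrade -y" by reading the autoinstall setting
# from uptrack.conf. Assumes the "autoinstall = yes" key/value line documented
# in the announcement; the config path is a parameter for testability.

# Print "yes" if autoinstall is enabled in the given uptrack.conf, else "no".
# An unreadable or missing file is treated as "no" so the manual path is taken.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo no; return 0; }
    # Drop comments ("#" or ";" to end of line), then match
    # "autoinstall = yes" with optional whitespace and a case-insensitive value.
    if sed 's/[#;].*$//' "$conf" \
        | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# Run the manual upgrade only where autoinstall is off.
# DRY_RUN=1 (assumed variable for this example) prints the command instead.
apply_ksplice_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall "$conf")" = yes ]; then
        echo "autoinstall enabled in $conf; Uptrack will apply USN-3405-1 itself"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: /usr/sbin/uptrack-upgrade -y"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Constructed sample config for a stand-alone run; a real host reads
# /etc/uptrack/uptrack.conf instead.
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
# constructed uptrack.conf for the example
autoinstall = yes
EOF
apply_ksplice_updates "$sample_conf"
rm -f "$sample_conf"
```

On a real host, drop the constructed sample and call apply_ksplice_updates with no argument; it then reads /etc/uptrack/uptrack.conf and either reports that Uptrack will handle the update or runs the documented upgrade command.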
DESCRIPTION
* Double free when sharing USB device over IP.
A logic error when releasing USB over IP packets could lead to a
double free. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when requesting master key for encrypted keys.
The error return value when failing to request the master key to decrypt
encrypted keys in the kernel keyring was incorrectly set to NULL and not
handled correctly by consumers, potentially causing a denial-of-service
or other exploitable behavior when the pointer was dereferenced.
* Out of bound access when setting RDMA Infiniband port.
A missing check on user input when setting the port number supplied by
Infiniband user verbs commands could lead to an out-of-bounds access in
kernel memory. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free in message queue notify syscall.
A race condition when closing a message queue file descriptor could
cause the memory for the associated socket to be freed twice, corrupting
memory or causing a denial-of-service.
* Denial-of-service when disconnecting a TCP connection over IPv4.
A missing release of resources when disconnecting a TCP connection over
IPv4 could lead to a reference count leak. A local attacker could use
this flaw to cause a denial-of-service.
* Memory leak when using Generic Receive Offload technology.
A missing free when using Generic Receive Offload network technology
could lead to an invalid reference count and thus a memory leak. A local
attacker could use this flaw to cause a denial-of-service.
* Reference leak when using Reliable Datagram Sockets.
A logic error when establishing a TCP connection using Reliable Datagram
Sockets could lead to a reference leak. An attacker could use this flaw
to cause a denial-of-service.
* CVE-2017-7541: Buffer overflow in Broadcom IEEE802.11n embedded FullMAC WLAN driver.
A logic error in Broadcom IEEE802.11n embedded FullMAC WLAN driver could
lead to a buffer overflow when a user sends a crafted NL80211_CMD_FRAME
packet via netlink. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2017-1000371: Privilege escalation when executing a shared object file.
A logic error when loading an ELF shared object file could
facilitate an exploit leading to privilege escalation.
* CVE-2017-1000371: Privilege escalation when executing a program.
A missing limit on stack usage when passing many arguments to a program
could facilitate an exploit leading to privilege escalation.
* Out of bound access when using AVX2 instructions for SHA1.
An error when using AVX2 instructions on x86 with SHA1 could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when sending packets over a socket with Segmentation Offload enabled.
A logic error when sending packets over a socket with Segmentation
Offload enabled could lead to kernel warnings. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2017-7495: Information leak when ext4 ordered data mode is used.
A logic error when flushing data to be written to an ext4 filesystem
could lead to information leak. A local attacker could use this flaw to
read any other files and escalate privileges.
* Improved fix for CVE-2017-1000112: Privilege escalation using the UDP Fragmentation Offload (UFO) code.
Multiple missing checks on header lengths when using UDP Fragmentation
Offload (UFO) protocol while sending packets could lead to out-of-bounds
accesses. A local attacker with CAP_NET_RAW capability, or on a system
with unprivileged namespace enabled, could use this flaw to cause a
denial-of-service or execute arbitrary code.
* Use-after-free during qdisc creation failure.
A failure to correctly handle a failure case during qdisc creation can
result in a use-after-free. A local attacker with the ability to
configure network interfaces could use this flaw to escalate
privileges.
* Uninitialized memory accesses when using PMKID services of cfg80211.
Missing check on user inputs when using PMKID services could lead to an
uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.
* Denial-of-service in IPSEC key request parsing.
Incorrect parsing of an IPSEC key request structure can result in
out-of-bounds memory access. A local user could use this flaw to cause
undefined behaviour or a kernel crash, resulting in a denial-of-service.
* Denial-of-service in NFC target activation.
A failure to validate NFC attributes can result in a NULL pointer
dereference when activating an NFC target. A local user with access to
an NFC device could use this flaw to cause a kernel crash, resulting in
a denial-of-service.
* Information disclosure in NFC socket connect.
A failure to validate userspace information can result in kernel stack
information being leaked to userspace. A local user could use this flaw
to facilitate a further attack on the kernel.
* Denial-of-service in NFC socket bind.
A failure to validate userspace information can result in the kernel
accessing uninitialized memory. A local user could use this flaw to
cause undefined behaviour, potentially resulting in a kernel crash,
leading to a denial-of-service.
* Denial-of-service in NFS dentry invalidation.
A logic error in dentry invalidation on NFS filesystems can result in
dentries being incorrectly invalidated. A local user with access to a
filesystem mounted on top of an NFS filesystem can use this flaw to
unmount the filesystem, leading to a denial-of-service.
* Denial-of-service in UDF filesystem truncation operation.
A logic error can result in a deadlock during a truncation operation on
a file in a UDF filesystem. A local user with access to a UDF filesystem
could use this flaw to cause a denial-of-service.
* CVE-2015-7837: Secure boot bypass via kexec.
A logic error in kexec can result in a newly booted kernel not inheriting
secure boot protections. A privileged user could use this flaw
to bypass secure boot restrictions.
* Improved fix for denial-of-service when creating connection tracking entry.
A missing initialization when creating a connection tracking entry using
Synproxy socket could lead to kernel crashes. A local attacker could use
this flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.