[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3509-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Dec 8 06:12:10 PST 2017


Synopsis: USN-3509-1 can now be patched using Ksplice
CVEs: CVE-2017-1000380 CVE-2017-1000405 CVE-2017-12193 CVE-2017-16643 CVE-2017-16939

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3509-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
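A small helper for the two install paths above, added here as an example and not part of the Ksplice announcement: it checks whether autoinstall is enabled in uptrack.conf (ignoring comments, whitespace and case) and only runs uptrack-upgrade -y when it is not. It assumes uptrack.conf uses "key = value" lines and that the uptrack-show command shipped with Ksplice Uptrack is available to list installed updates.

```shell
#!/bin/sh
# Added example (not part of the Ksplice announcement): decide whether the
# USN-3509-1 Ksplice updates need a manual "uptrack-upgrade -y" on this host.
# Assumptions: uptrack.conf uses "key = value" lines, and the uptrack-show
# command from Ksplice Uptrack is available to list installed updates.

# Return 0 if the given uptrack.conf enables automatic installation.
# Ignores comment lines, surrounding whitespace and letter case, so
# "AutoInstall=YES" and "  autoinstall = yes" both count; a commented-out
# value ("# autoinstall = yes") does not.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Ei '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
        "$conf" >/dev/null
}

# Apply the updates if autoinstall is off, then list what Uptrack has
# installed so the CVE IDs from the notice can be checked in the output.
apply_ksplice_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if autoinstall_enabled "$conf"; then
        echo "autoinstall = yes in $conf; Uptrack will apply updates itself"
    else
        echo "autoinstall not enabled; applying updates now"
        /usr/sbin/uptrack-upgrade -y
    fi
    # Assumed: uptrack-show prints the currently installed Ksplice updates.
    /usr/sbin/uptrack-show
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_ksplice_updates "${2:-/etc/uptrack/uptrack.conf}"
fi
```

Run it as root with `--apply` to act on the live system; without that flag it only defines the functions, so the config check can be exercised against a copied uptrack.conf first.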


DESCRIPTION

* Denial-of-service in Ceph I/O capability flushing.

A failure to correctly handle errors when flushing capabilities to disk
can result in a deadlock. A local user with access to a Ceph filesystem
could use this flaw to cause a Denial-of-service.


* Denial-of-service when stopping a USB device connected to an XHCI host controller.

A missing check when stopping a USB device connected to an XHCI host
controller could lead to a deadlock or to a memory leak. A local
attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access during Xen Grant device memory unmapping.

A failure to handle an error case when mapping memory in a Xen Grant
device can result in an out-of-bounds access during unmap. A local user
with access to a Xen Grant device could use this flaw to cause undefined
behaviour or potentially escalate privileges.


* CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.

A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.


* CVE-2017-12193: Denial-of-service in generic associative array implementation.

A logic error when inserting a new entry into an associative array can
result in a NULL pointer dereference, leading to a Kernel crash. A local
user could use this flaw to cause a denial-of-service.


* Out-of-bounds access in SCSI device when creating a request table.

An off-by-one error when processing a list of SCSI requests can result
in an out-of-bounds memory access. A local user could use this flaw to
cause undefined behaviour or potentially escalate privileges.


* NULL pointer dereference when revoking a master key of type 'user' in ecryptfs driver.

A missing check when requesting a user key after revoking the associated
master key could lead to a NULL pointer dereference in ecryptfs driver.
A local attacker could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

A race condition when reading timer information from the ALSA driver
results in a use-after-free, which leaks kernel information into
userspace. A local attacker could use this flaw to get information about
the running kernel and facilitate an attack.


* Denial-of-service when validating a CIFS path.

A validation error combined with a memory leak in the error path could
result in kernel memory exhaustion. A malicious user can exploit this to
cause a denial-of-service.


* Denial-of-service when parsing an ASN.1 key.

An out-of-bounds read in the kernel key management facility when parsing
an ASN.1 key could lead to a kernel crash. An unprivileged attacker can
exploit this vulnerability to cause a denial-of-service.


* Data corruption when trimming OCFS2 filesystem.

A bug in the implementation of the FITRIM ioctl in OCFS2 could result in
data corruption when trimming the filesystem. The resulting corruption
cannot be fixed using fsck.


* Double-free of IP-over-IB on concurrent transactions.

Failing to reinitialize the work item list for an IP-over-IB transaction
could lead to a use-after-free or list corruption. A local user could use
this flaw to cause a denial-of-service or potentially escalate privileges.


* Denial-of-service due to race condition in workqueue manipulation.

A race condition during concurrent manipulation of a workqueue by a
kernel thread and an interrupt handler can result in a NULL pointer
dereference, leading to a Kernel crash.


* Denial-of-service in AVX2 SHA1 implementation.

An unaligned access in the AVX2 SHA1 implementation can result in a
Kernel crash. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in ASN.1 certificate parsing.

A logic error when parsing an ASN.1 encoded certificate can result in a
NULL pointer dereference. A local user could use this flaw to cause
a denial-of-service.


* Out-of-bounds memory access in OSS emulation.

A logic error in the ALSA emulation of an OSS sequencer can result in an
out-of-bounds memory access when processing events, leading to undefined
behaviour or a Kernel crash. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service in Ceph RADOS Block Device cloned images.

A logic error when processing cloned Ceph images stored on a RADOS Block
Device can result in a deadlock. A local user with access to a Ceph
filesystem could use this flaw to cause a denial-of-service.


* NULL pointer dereferences caused by B+tree manipulation in the XFS filesystem.

Logic errors when manipulating B+trees in the XFS driver could lead to NULL
pointer dereferences. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free in Industrial Input/Output trigger driver error handling.

Incorrect reference count manipulation in the Industrial Input/Output
trigger subsystem can result in the incorrect freeing of memory, leading
to a potential use-after-free.


* Uninitialized memory access during IPSec Authentication Header processing.

A failure to handle an error case when performing a cryptographic hash
operation on an IPSec Authentication Header can result in the use of
uninitialized memory, leading to undefined behaviour.


* Denial-of-service in netfilter table loopback packet processing.

A logic error in netfilter when processing packets on a loopback device
can result in repeated triggering of a warning which could flood the
kernel message buffer. A local user with the ability to administer
netfilter tables could use this flaw to cause a denial-of-service.


* Information disclosure of key material from Kernel key subsystem.

A failure to clear memory when freeing keys in the Kernel key subsystem
could result in disclosure of key material. A local user could use this
flaw to facilitate a further attack on the system.


* Userspace memory corruption when reading a key.

An out-of-bounds write in the kernel key management facility results in
user memory corruption. This could result in incorrect control flow and
a denial-of-service in userspace.


* NULL pointer dereference in ipv6 route additions and deletions.

A failure to properly register and unregister ipv6 routes could lead to
a NULL pointer dereference and kernel crash. An attacker could exploit
this to cause a denial-of-service.


* Out-of-bounds memory access in Ceph crush mapping.

A validation failure when processing crush buckets in a Ceph filesystem
can result in an out-of-bounds memory access, resulting in a Kernel
crash. A local user with the ability to administer a Ceph filesystem
could use this flaw to cause a denial-of-service.


* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a Kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.


* CVE-2017-1000405: Privilege escalation when writing into a Transparent Huge Page.

A logic error in internal Transparent Huge Page handling of the kernel
could let an attacker overwrite read-only data and escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
