[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3312-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Jun 12 20:10:15 PDT 2017
Synopsis: USN-3312-1 can now be patched using Ksplice
CVEs: CVE-2016-7913 CVE-2016-8632 CVE-2016-9083 CVE-2016-9604 CVE-2017-0605 CVE-2017-2596 CVE-2017-2671 CVE-2017-6001 CVE-2017-6951 CVE-2017-7472 CVE-2017-7618 CVE-2017-7889 CVE-2017-7895 CVE-2017-8064 CVE-2017-8067
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3312-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
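As an added example (not part of the Ksplice announcement), a POSIX shell check that reads the autoinstall setting the way the note describes and reports whether a manual uptrack-upgrade run is still needed on a host. The config path is passed as an argument so the check can run against the constructed sample files below; on a real system it would be /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement.
# Reads the "autoinstall" setting from an uptrack.conf-style file and
# reports whether the USN-3312-1 updates apply automatically or whether
# "/usr/sbin/uptrack-upgrade -y" still has to be run by hand.

# Print "yes" if the last uncommented "autoinstall = ..." line says yes,
# "no" otherwise (missing file, missing key, commented-out key, other value).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    # Strip "#" / ";" comments, then match "autoinstall = <value>" with
    # optional spaces and keep only the value; the last matching line wins.
    value=$(sed -n -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$value" = "yes" ]; then echo yes; else echo no; fi
}

# Print the action an administrator has to take for the given config file.
uptrack_next_action() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = yes ]; then
        echo "autoinstall is on: updates install automatically, nothing to do"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real uptrack.conf files) to exercise the check.
sample_dir=$(mktemp -d)
printf '# constructed sample\nautoinstall = yes\n' > "$sample_dir/auto.conf"
printf '# constructed sample\n#autoinstall = yes\nautoinstall = no\n' > "$sample_dir/manual.conf"

uptrack_next_action "$sample_dir/auto.conf"
uptrack_next_action "$sample_dir/manual.conf"
uptrack_next_action "$sample_dir/missing.conf"
```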
DESCRIPTION
* Reference leak in iSCSI session shutdown causes denial-of-service.
Incorrect reference logic in iSCSI session shutdown could cause a leak
of a memory record, potentially causing a kernel panic and
denial-of-service.
* Information leak via SCSI driver capability check.
Incorrectly parsing the length of a SCSI capability buffer returned from
an older device could read off the end of the buffer, potentially
leaking kernel information.
* Denial-of-service in non-volatile memory fault handling.
Incorrect lock logic in libnvdimm could cause a lock order reversal
while handling a memory fault on non-volatile memory, potentially
causing a kernel hang and denial-of-service.
* CVE-2017-2596: Memory leak in KVM VMXON emulated instruction.
When processing a VMXON instruction for a guest machine, the reference
count of the emulated VMXON memory region could be over-incremented,
resulting in a leak of the region and eventual denial-of-service.
* Denial-of-service in zram unaligned page compression.
Incorrectly copying memory from a non page-aligned boundary in the zram
driver could corrupt kernel memory, causing a kernel panic and
denial-of-service.
* CVE-2017-7618: Remote denial of service in asynchronous hash functions.
In certain cases, a remote attacker could trigger an edge condition in the
kernel's CRC and cryptographic hash function facilities. This could cause
the kernel to crash or lock up.
* CVE-2017-8064: Kernel stack memory access via USB DVD device name.
An erroneous copy of a USB DVD device name to the stack could overflow,
potentially allowing an attacker to manipulate stack memory, causing a
denial-of-service or privilege escalation.
* CVE-2017-7889: Permissions bypass via /dev/mem file.
The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to
kernel memory locations via an application that opens the /dev/mem file.
* CVE-2017-8067: Denial-of-service via console driver memory mapping.
An incorrect usage of mapped memory from the stack in the virtio-console
driver could allow an attacker to alter kernel stack memory, causing a
privilege escalation or denial-of-service.
* Denial-of-service when doing DMA transfer on Pegasus USB device.
Incorrect use of a DMA buffer on the stack could lead to stack
corruption, since CONFIG_VMAP_STACK is enabled. A local attacker could
use this flaw to cause a denial-of-service.
* Denial-of-service when reading USB RTL8150 registers.
Incorrect use of a DMA buffer on the stack could lead to stack
corruption, since CONFIG_VMAP_STACK is enabled. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2016-9604: Permission bypass when creating key using keyring subsystem.
A missing check when a user creates a key whose name begins with '.' could lead
to a permission bypass. A local attacker could use this flaw to access
sensitive information.
* CVE-2017-6951: Denial-of-service from userspace via dead security keys.
Dead security keys were improperly assigned a type with name "dead",
which allowed them to be accessed by users with the
key_get_type_from_user() syscall, causing a kernel panic and
denial-of-service.
* CVE-2017-7472: Denial-of-service when setting default request-key keyring.
A logic error when a user sets the default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.
* Denial-of-service in block device teardown.
A race condition in the block device teardown code could allow an
attacker to cause a NULL pointer dereference, resulting in a
denial-of-service.
* Information leak in netfilter batch netlink message processing.
The netfilter netlink interface does not correctly handle batch messages
with invalid lengths which can cause the contents of kernel memory to be
leaked to userspace. A local user with CAP_NET_ADMIN could potentially
escalate privileges.
* CVE-2016-8632: Denial-of-service when using TIPC with too short an MTU.
Missing validation of the TIPC (Transparent Inter Process
Communication) header could lead to a buffer overflow if the device MTU is
too short. An attacker with the ability to configure the MTU could use this
flaw to cause a denial-of-service.
* CVE-2016-9083: Integer overflow in PCI VFIO bus driver.
An error in sanitizing user-supplied arguments to the VFIO_DEVICE_SET_IRQS
ioctl could lead to an integer overflow. A local user with the capability to
use this ioctl could cause a denial-of-service.
* CVE-2017-2671: Use-after-free in ping implementation.
A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.
* Kernel hang with Xen under nested virtualization.
Incorrect handling of event interrupts in Xen can result in a kernel
hang on platforms with an unreliable TSC, such as QEMU.
* Denial of service in IP neighbour probing.
A missing pointer check can trigger a NULL pointer dereference and kernel panic
when an interface needs to solicit information from a neighbour.
* Denial of service when listening on SCTP socket.
A logic error in the SCTP subsystem can trigger a kernel panic and denial of
service when attempting to listen on a non-listening socket.
* Memory leak when disconnecting TCP socket.
Incorrect reference counting when closing a TCP socket can allow a local
attacker to trigger kernel memory corruption and potentially gain elevated
privileges.
* Denial of service when removing IPv6 multicast interfaces.
The IPv6 subsystem does not correctly handle IPv6 interfaces with multicast
routing support which can cause interfaces to be removed twice and trigger a
kernel assertion.
* Memory leak when destroying MAC-VLAN devices.
Incorrect reference counting when destroying a MAC-VLAN device can cause a
kernel memory leak and subsequent kernel panic.
* Memory corruption when calculating nexthop of IPv6 tunnel.
A logic error when passing IPv4 traffic through an IPv6 tunnel can trigger an
out-of-bounds write and kernel memory corruption.
* Memory corruption when reading Plan9 directories.
A logic error when the Plan9 filesystem reads a directory from a remote server
can trigger memory corruption and a kernel panic.
* Remote denial-of-service via overly sized NFS2/3 RPC call.
If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient memory
correctly, potentially causing memory corruption and a denial-of-service.
* Data race when canceling timer file descriptors causes denial-of-service.
Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.
* CVE-2017-7895: Remote information leak in kernel NFS server.
Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.
* Information leak via multiple disk (RAID/LVM) device ioctl.
Failing to initialize an unused data field in multiple device ioctls
could allow kernel stack information to be exposed to userspace.
* Denial-of-service when flashing firmware of DVB USB devices.
Incorrect use of an on-stack buffer for DMA transfers could lead to memory
corruption. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2017-6001: Use-after-free in the perf subsystem on concurrent perf_event_open.
Incorrect locking in the perf subsystem could lead to a use-after-free on
concurrent perf_event_open(). A local unprivileged user could use this
flaw to potentially elevate privileges depending on the perf_event_paranoid
setting.
* Memory corruption in crypto subsystem test manager.
Logic flaws in the tests for the crypto subsystem can result in
out-of-bounds memory access. A local attacker could use these flaws to
crash the kernel.
* Data loss when calculating the checksum in the ext4 filesystem.
A logic error when calculating the checksum for an inode in an ext4
filesystem leads to valid inodes being identified as corrupted, which
can cause inadvertent data loss.
* Denial-of-service when sending TIPC packet over IPv6.
Failure to allocate enough memory to send a TIPC packet over IPv6 can
lead to kernel panic. A remote attacker could leverage this flaw to
cause a denial-of-service.
* CVE-2016-7913: Use-after-free when configuring xc2028 tuner driver.
A use-after-free vulnerability in the xc2028 tuner driver allows local
users to gain privileges or cause a denial-of-service by omitting the
firmware name from a certain data structure.
* Denial-of-service when expanding ext4 inode.
When expanding an ext4 filesystem inode that contains extra attributes,
failure to validate the attributes leads to kernel panic. A local user
with the ability to mount filesystems could leverage this flaw to
cause a denial-of-service.
* Denial-of-service when reading from RAID1 array.
An off-by-one error when reading from a RAID1 device leads to an infinite
loop and memory exhaustion. This can be exploited to cause a
denial-of-service.
* CVE-2017-0605: Privilege escalation when using kernel tracing subsystem.
Use of strcpy() in the kernel tracing subsystem when retrieving a
traced process's command line could lead to a stack overflow. A local
attacker could use this flaw to execute arbitrary code in the kernel and
escalate privileges.
* Denial-of-service when cloning IPv6 route.
Missing flag validation when configuring an IPv6 route allows a local
process to create a malformed route. A malicious user can exploit this
to trigger a NULL pointer dereference and cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.