[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3234-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Mar 16 10:31:21 PDT 2017
Synopsis: USN-3234-1 can now be patched using Ksplice
CVEs: CVE-2016-10208 CVE-2016-8405 CVE-2017-2618 CVE-2017-5547 CVE-2017-5548 CVE-2017-5551
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3234-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
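To tell which of the two paths above applies to a given host, the following POSIX shell script (an added example, not part of the Ksplice announcement or the Uptrack tooling) reads the autoinstall setting from /etc/uptrack/uptrack.conf and reports whether the manual uptrack-upgrade run is needed. It assumes only the "autoinstall = yes" line quoted above; the function names, the handling of comments and whitespace, and the default path argument are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a host will pick up this USN automatically
# through Uptrack or needs a manual "uptrack-upgrade -y".
# Assumed: uptrack.conf is an INI-style file containing "autoinstall = yes"
# as quoted in the advisory; comment syntax ('#' or ';') is an assumption.

# uptrack_autoinstall_enabled [CONF]
#   Returns 0 if the last uncommented "autoinstall" setting in CONF is "yes"
#   (case-insensitive, whitespace around "=" ignored), 1 otherwise or if the
#   file is unreadable. Defaults to /etc/uptrack/uptrack.conf.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Strip comments and surrounding whitespace, keep only autoinstall lines,
    # take the last one (later settings override earlier ones), lower-case it.
    value=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" \
        | grep -i '^autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
        | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# ksplice_update_action [CONF]
#   Prints the action an administrator should take for USN-3234-1 on this host.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: USN-3234-1 patches will be applied by Uptrack automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y to apply USN-3234-1 patches"
    fi
}
```

Run it with no argument on a Ksplice host to check the live configuration, or pass a path to inspect a copied uptrack.conf from another system.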
DESCRIPTION
* Kernel panic when destroying Mellanox 4 queue pairs.
A logic error when destroying Mellanox InfiniBand queue pairs can trigger
an out-of-bounds read and a subsequent kernel panic.
* CVE-2017-5551: Permission bypass in Overlay filesystem when setting POSIX ACLs.
The initial fix for CVE-2016-7097 did not handle overlay filesystems on
tmpfs mounts, which could allow local, unprivileged users to escalate
privileges.
* Memory leak in SunRPC GSSAPI teardown.
A logic error when handling GSS_PROC_DESTROY messages can allow a remote user
to cause a kernel memory leak when establishing a connection to the kernel NFS
daemon.
* Use after free when aborting FUSE connection.
A race condition when aborting a FUSE connection can trigger a use after free
and kernel panic. A local, privileged user can trigger this issue to cause a
denial of service.
* CVE-2017-5547: Kernel panic in Corsair HID device driver.
The Corsair HID driver performs DMA on memory incorrectly, which can trigger
memory corruption and a kernel panic.
* CVE-2017-5548: Kernel panic in ATUSB IEEE 802.15.4 transceiver.
The kernel IEEE 802.15.4 driver for ATUSB devices performs DMA on memory
incorrectly, which can trigger memory corruption and a kernel panic.
* Kernel panic when probing QLogic Fibre Channel devices.
The kernel QLogic QLA2XXX device driver does not handle NULL pointers
correctly, which can trigger a kernel panic.
* Kernel panic in SunRPC RDMA transport.
The RDMA transport for SunRPC messages does not correctly free resources on
error paths, which can cause memory to be released more than once and
trigger a kernel panic.
* CVE-2016-8405: Information leak via frame buffer color map.
An out-of-bounds read when copying frame buffer color maps to userspace
could potentially expose kernel memory to an unprivileged userspace
application.
* Use-after-free in memory-policy causes kernel memory corruption.
A race condition when allocating memory pages could cause a memory
policy structure to be accessed while being freed, potentially causing
memory corruption and a denial-of-service.
* Null pointer dereference in Controller Area Network driver.
Probing an attached Controller Area Network driver could cause an unset
function pointer to be called, potentially causing an invalid memory
access and denial-of-service.
* Missing mode after NFSv4 SETATTR creates file with default permissions.
When creating a file over NFSv4 with O_EXCL, the file permissions bits
might not be sent, resulting in a file created with the server's default
permissions.
* Memory leak in Mellanox switch packet transmission.
Incorrect reference counting in the Mellanox switch driver when transmitting
packets can cause a kernel memory leak and a subsequent kernel panic.
* Denial of service in AX.25 socket disconnection.
A logic error in the AX.25 networking subsystem can trigger a NULL pointer
dereference and kernel panic when closing a connection.
* Deadlock when disabling IPv6 network interface.
Incorrect locking in the IPv6 address auto-configuration when disabling a
network interface can trigger a deadlock and kernel panic.
* Deadlock in UNIX domain socket binding.
Incorrect locking when binding a UNIX domain socket and splicing to a pipe can
trigger a kernel deadlock and denial of service.
* CVE-2016-10208: Denial-of-service when mounting ext4 image with large metablock group.
A missing check when mounting an ext4 image with a high first metablock
group value could lead to a buffer overflow. A local attacker with mount
capability could use this flaw to cause a denial-of-service.
* Denial-of-service when accessing valid_zones sysfs entry.
A logic error when reading the valid_zones sysfs entry on a system with more
than 64GB of memory could lead to a kernel panic. A local attacker could
use this flaw to cause a denial-of-service.
* Memory leak in AppArmor label merge.
When routinely merging AppArmor labels, the newly created label would be
created with an erroneously high reference count, leaking the label and
over time causing degraded system performance and a potential
denial-of-service.
* Memory leak in AppArmor labels if unused.
If an AppArmor label was created but never used, its reference count
would not be properly decremented and the memory would be leaked,
causing performance degradations and an eventual denial-of-service.
* Denial-of-service when mounting AppArmor filesystem fails.
Incorrect logic in the error path when mounting the AppArmor filesystem
failed causes a kernel oops and denial-of-service.
* Memory leak in AppArmor namespace when removing profiles.
Missing reference decrements would cause a leak of the AppArmor namespace
when removing profiles from a policy, causing performance degradation
and an eventual denial-of-service.
* Flock permission erroneously granted through AppArmor file cache.
If a file present in the AppArmor permissions cache was queried for the
flock permission, it would be granted instead of correctly audited.
* Deadlock in block multi-queue allocations causes denial-of-service.
Incorrectly specified memory page flags when initializing a block
multi-queue could cause the memory manager to attempt to reclaim the
memory it was currently allocating, causing a deadlock and
denial-of-service.
* CVE-2017-2618: Information leak in SELinux attribute handling.
An off-by-one error in SELinux attribute handling can cause sensitive
information to be leaked from the kernel. A local attacker could use
this flaw to facilitate an exploit.
* Denial-of-service during ALSA sequencer queue creation.
A logic error when creating an ALSA sequencer queue can lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service in ALSA sequencer memory management.
A race condition when a memory pool is released after use can trigger a
use-after-free, causing a kernel crash. A local attacker could use this
flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.