[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3485-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Nov 22 14:40:20 PST 2017
Synopsis: USN-3485-1 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2017-0786 CVE-2017-12190 CVE-2017-15265
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3485-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
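As an added example (not part of the Ksplice announcement), the following POSIX shell script decides which of the two paths above applies to a host: it reads the effective "autoinstall" value from an uptrack.conf and, only when that is not "yes", reports the manual uptrack-upgrade command. The key name and file path come from the announcement; the parsing rules (comment lines ignored, last assignment wins, value compared case-insensitively) and the dry-run behaviour are assumptions.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling. Checks whether Ksplice Uptrack
# will apply updates on its own or whether "uptrack-upgrade -y" must be run.

# Print the effective value of KEY in FILE: comments ("# ...") and surrounding
# whitespace are stripped and the last uncommented assignment wins (assumed).
conf_value() {
    key=$1; file=$2
    [ -r "$file" ] || return 1
    sed -n -e 's/[[:space:]]*#.*$//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# True when the file carries "autoinstall = yes" (case-insensitive value).
autoinstall_enabled() {
    v=$(conf_value autoinstall "$1" | tr '[:upper:]' '[:lower:]')
    [ "$v" = "yes" ]
}

# "auto" if Uptrack installs the updates itself, "manual" otherwise
# (an unreadable or missing config is treated as manual).
update_action() {
    if autoinstall_enabled "$1"; then echo auto; else echo manual; fi
}

# Report what the announcement asks for on this host. The upgrade command is
# only printed, not executed, unless UPTRACK_APPLY=1 is set (assumed knob).
apply_updates() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    case $(update_action "$conf") in
        auto)   echo "autoinstall enabled in $conf; no action needed" ;;
        manual)
            if [ "${UPTRACK_APPLY:-0}" = 1 ]; then
                /usr/sbin/uptrack-upgrade -y
            else
                echo "would run: /usr/sbin/uptrack-upgrade -y"
            fi ;;
    esac
}

# Constructed sample config for a stand-alone run (not a real host's file).
tmp=$(mktemp)
printf '%s\n' '# Ksplice Uptrack config (constructed sample)' \
              'autoinstall = no' \
              'autoinstall = yes   # enabled later in the file' > "$tmp"
update_action "$tmp"   # prints: auto
rm -f "$tmp"
```

Run `apply_updates` with no argument to check the real /etc/uptrack/uptrack.conf on a host.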
DESCRIPTION
* Out-of-bounds access due to corrupted buffer parsing in USB audio.
A failure to validate buffer descriptors from a USB audio device can
result in an out-of-bounds memory access.
* Denial-of-service in SMACK security attribute retrieval.
A logic error when reading SMACK security attributes from an inode can
result in a memory leak. A local user could use this flaw to exhaust
kernel memory, resulting in a denial-of-service.
* Denial-of-service in Tascam USB audio device memory allocation.
A failure to suppress memory allocation warning messages can result in
flooding the kernel log buffer with messages. A local user could use
this flaw to cause a denial-of-service.
* Information disclosure in driver_override sysfs interface.
A bounds checking error in the driver_override sysfs node can result in
reading past the end of a buffer, leaking sensitive information from
kernel memory. A local user could use this flaw to facilitate a further
attack.
* Out-of-bounds memory access in I2C Human Interface Device buffer allocation.
A logic error when allocating memory for a host to device message can
result in an out-of-bounds memory access. A local user with access to an
I2C HID device could use this flaw to cause undefined behaviour.
* Out-of-bounds access in USB alternate setting enumeration.
A failure to correctly validate USB alternate information from a USB
device can result in an out-of-bounds memory access.
* Out-of-bounds access in USB CDC header parsing.
A failure to correctly validate a CDC header can result in an
out-of-bounds memory access.
* Out-of-bounds access in USB configuration parsing.
A failure to correctly validate a USB interface association description
can result in an out-of-bounds memory access.
* Denial-of-service in failed launch of UWB daemon.
A failure to handle an error case when launching the UWB management
daemon can result in an invalid pointer dereference leading to a kernel
crash.
* Data corruption on ext4 filesystem when writing through mmap.
A time-of-check-time-of-use race condition in the ext4 filesystem when
submitting pages to be written to persistent storage could cause data
corruptions on concurrent mmap writes.
* CVE-2016-7097: Permissions bypass using setxattr syscall on ext4 filesystem.
A logic error when inheriting an access control list from a parent
directory after setting an extended attribute on an ext4 filesystem could
lead to a permission bypass. A local attacker could use this flaw to
access sensitive information.
* Information disclosure in 802.11 packet attribute parsing.
A failure to correctly validate a buffer can result in an out-of-bounds
access leading to disclosure of kernel memory to userspace. A local user
could use this flaw to facilitate a further attack.
* Denial-of-service in multicast support for WIFI devices.
A logic error in the iwlwifi driver can allow a kernel warning to be
triggered from userspace. A local user with the ability to configure
network interfaces could use this flaw to flood the kernel print buffer,
resulting in a denial-of-service.
* Out-of-bounds access during parsing of Human Interface Device information.
A failure to validate information supplied by a USB device can result in
an out-of-bounds memory write, leading to undefined behaviour.
* Denial-of-service in crypto subsystem hash implementation.
A failure to check for zero-length input in the hashing implementation
of the crypto subsystem can result in a kernel crash. A local user could
use this flaw to cause a denial-of-service.
* CVE-2017-15265: Use-after-free in ALSA seq port creation.
A failure to increment a reference count during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.
* Use-after-free in Native Instruments USB audio devices.
A failure to correctly free a URB when a Native Instruments USB audio
device probe fails can result in a use-after-free.
* Denial-of-service during Line 6 POD USB device probe.
A failure to correctly handle an error case can result in a URB not
being cleaned up, which can later lead to a kernel crash.
* Denial-of-service in Direct IO page submission.
A missing check when submitting a page for Direct IO can result in a
NULL pointer dereference, leading to a kernel crash. A local user could
use this flaw to cause a denial-of-service.
* Use-after-free in USB serial console setup failure.
A failure to handle an error case during USB serial console setup can lead to
a use-after-free.
* Out-of-bounds memory access in SCTP event interface.
A failure to validate information from userspace can result in an
out-of-bounds read, resulting in undefined behaviour or a kernel crash.
* Use-after-free in AF_PACKET socket fanout.
A logic error when enabling fanout on a socket can result in the socket
being added to a list twice, which can lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or possibly
escalate privileges.
* Use-after-free in IP Virtual Tunnel Interface transmission.
A race condition in the Virtual Tunnel Interface implementation can
result in a use-after-free. A local user could use this flaw to cause a
denial-of-service or possibly escalate privileges.
* Out-of-bounds access in tun interface.
A failure to check bounds correctly when writing to a tun interface can
result in an out-of-bounds memory access. A local user could use this
flaw to cause a denial-of-service.
* Memory corruption in IPv6 to IPv4 socket cloning.
A logic error when transforming an IPv6 socket to an IPv4 socket can
result in releasing memory into the wrong cache. This flaw can result in
memory corruption.
* Denial-of-service in uninstantiated key configuration.
A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.
* Data loss when setting f2fs encryption policy.
Missing validation when processing the F2FS_IOC_SET_ENCRYPTION_POLICY
ioctl can allow a user to set the encryption policy on a read-only
filesystem which can potentially cause data loss.
* CVE-2017-0786: Privilege escalation in Broadcom WIFI driver.
A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.
* CVE-2017-12190: Denial-of-service in block I/O page merging.
A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.
* Out-of-bounds write in generic USB device capability buffer.
When calling usb_get_bos_descriptor(), the capability header structure
is not properly bounds-checked before being written. This could
potentially allow a malicious device to overwrite kernel memory.
* Use-after-free in System Trace Module device teardown.
When unregistering a System Trace Module device, the device structure
would be prematurely freed, allowing a potential invalid memory access
and denial-of-service.
* Information leak via GUID partition table size overflow.
The size of GUID partition tables is not properly checked, allowing an
out-of-bounds access when reading partition information, potentially
causing a denial-of-service or exposing kernel memory.
* Denial-of-service due to bad synchronization in some netfilter operations.
Incorrect usage of the read-copy-update kernel API in netfilter could
allow an invalid pointer access, causing a kernel panic and
denial-of-service.
* Encrypted ext4 filesystem allows file rename without key.
The ext4 filesystem erroneously allows renames of encrypted files
without the key. This could potentially allow overwriting encrypted data
via a file rename.
* Denial-of-service in pkcs7 cryptographic provider error case.
In rare cases, when processing a pkcs7 cryptographic key, a missing info
field could lead to a NULL pointer dereference and denial-of-service.
* Memory leak in SCSI generic block device job creation.
Failing to initialize a job in the SCSI generic block device driver
could leak memory, eventually resulting in a denial-of-service.
* Use-after-free in USB generic gadget driver when re-binding.
If a USB gadget device driver has an empty manufacturer ID string,
re-binding the driver might cause an invalid memory access of the ID
string's generated replacement, causing a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.