[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3469-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Oct 31 14:15:20 PDT 2017


Synopsis: USN-3469-1 can now be patched using Ksplice
CVEs: CVE-2017-1000252 CVE-2017-10911 CVE-2017-12153 CVE-2017-12154 CVE-2017-14051 CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-14991 CVE-2017-7542 CVE-2017-9984

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3469-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
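As an added example, not part of this advisory or of the Ksplice tooling, the following POSIX shell script checks whether a host has autoinstall enabled in its uptrack.conf and reports which of the CVEs listed above are not yet mentioned in a saved installed-updates listing. It assumes the "key = value" syntax shown above and that the listing (for example the output of uptrack-show saved to a file) names updates by CVE id, which is an assumption about that output's format.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory or Oracle): verify a host's
# readiness for USN-3469-1. Assumptions: the config uses "key = value" lines
# like /etc/uptrack/uptrack.conf, and the listing file contains text in
# which installed updates mention their CVE ids (assumed format).

# CVE ids covered by USN-3469-1, taken from the advisory header.
USN_3469_1_CVES="CVE-2017-1000252 CVE-2017-10911 CVE-2017-12153 CVE-2017-12154 \
CVE-2017-14051 CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-14991 \
CVE-2017-7542 CVE-2017-9984"

# autoinstall_enabled CONFIG_FILE
# Returns 0 when "autoinstall = yes" is set, ignoring comment lines,
# surrounding whitespace and letter case; returns 1 otherwise.
# The last uncommented assignment wins, as a later line overrides an earlier one.
autoinstall_enabled() {
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "yes" ]
}

# missing_cves LISTING_FILE
# Prints, one per line, each advisory CVE id that does not appear as a whole
# word in LISTING_FILE (e.g. a file saved with `uptrack-show > listing`).
missing_cves() {
    for cve in $USN_3469_1_CVES; do
        grep -q -w "$cve" "$1" || echo "$cve"
    done
}

# Typical use on a host (uptrack-show and uptrack-upgrade need root):
#   uptrack-show > /tmp/uptrack-listing
#   missing_cves /tmp/uptrack-listing
#   autoinstall_enabled /etc/uptrack/uptrack.conf || /usr/sbin/uptrack-upgrade -y
```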


DESCRIPTION

* Double-free when registering a new driver on any bus.

A logic error in the error path when adding a new driver to a bus could
lead to a double-free. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when using Atheros 802.11ac wireless cards.

A logic error when initializing Atheros 802.11ac wireless cards could
lead to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service when registering a new Realtek WiFi adapter.

A logic error in the error path when registering a new Realtek WiFi
adapter over PCI could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Double-free when registering a Distributed Lock Manager filesystem.

A logic error in the error path when registering a Distributed Lock
Manager filesystem could lead to a double-free. A local attacker could
use this flaw to cause a denial-of-service.


* Buffer overflow when getting scan results from a Marvell WiFi-Ex adapter.

A logic error when getting scan results from a Marvell WiFi-Ex adapter
could lead to a buffer overflow. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-9984: Denial-of-service when reading DSP messages in Turtle Beach MultiSound drivers.

A logic error when receiving messages from the DSP in Turtle Beach
MultiSound drivers could lead to out-of-bounds accesses. A local
attacker could use this flaw to cause a denial-of-service.


* Use-after-free when writing back to Network File System.

A logic error when writing back data to NFS could lead to multiple
use-after-frees. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-14340: Denial-of-service when flushing data on XFS without a realtime device.

A lack of input validation before trying to flush data to a real-time
device on XFS, where the device might not be present, leads to a NULL
pointer dereference. A local, unprivileged user can use this flaw to
cause a denial-of-service.


* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds of data to be read from a netlink
socket in the SCSI transport layer could lead to a NULL pointer
dereference. A local user could use this flaw to cause a
denial-of-service.


* Denial-of-service when reading a negative key.

An invalid memory access when reading a negative key from the kernel key
management facility results in a crash. An unprivileged local user can
exploit this to cause a denial-of-service.


* CVE-2017-12153: NULL pointer dereference in the Wireless configuration layer.

A failure to verify the existence of netlink attributes before processing
them could lead to a NULL pointer dereference. A local user with
CAP_NET_ADMIN could use this flaw to cause a denial-of-service.


* Use-after-free in SCSI Generic block device job error case.

An incorrect free during the error path of job creation for a SCSI
Generic block device can potentially result in a use-after-free. A local
user with access to a SCSI Generic block device could use this flaw to
potentially escalate privileges.


* CVE-2017-1000252: Denial-of-service when receiving out-of-bounds guest interrupts in KVM.

A kernel assert when receiving out-of-bounds guest interrupts in KVM
could lead to a kernel hang. A local attacker in a guest VM could use
this flaw to cause a denial-of-service.


* CVE-2017-12154: Denial-of-service when using KVM nested virtualization.

A missing flag when setting up nested virtualization using KVM could
give an L2 guest access to the CR8 register. A local attacker could use
this register to disable external interrupts from the L2 guest and cause
a denial-of-service.


* Denial-of-service during BTRFS relocation removal.

A logic error when freeing a relocation can result in a NULL pointer
dereference, leading to a kernel crash. A local user with the ability to
rebalance or remove devices from a BTRFS filesystem could use this flaw
to cause a denial-of-service.


* Denial-of-service in BTRFS deduplication implementation.

A failure to correctly handle an error case can result in the access of
freed pages, leading to undefined behaviour. A local user could use this
flaw to cause a denial-of-service.


* Denial-of-service due to invalid default subvolume ID.

A failure to validate the specified ID when setting the default
subvolume can result in an unmountable filesystem. A local user with the
ability to set the default subvolume ID of a BTRFS filesystem could use
this flaw to cause a denial-of-service.


* Information disclosure in FPU restoration after signal.

A failure to correctly handle an error case can result in a warning
being displayed and FPU information from another process being leaked. A
local user could use this flaw to facilitate a further attack.


* CVE-2017-14156: Information leak in the ATI Rage 128 video drivers when copying clock information.

A missing struct initialization when copying clock information could lead
to uninitialized memory being leaked to userspace.  This could help an
attacker bypass protections like ASLR or infer memory layouts that would
otherwise be hidden.


* CVE-2017-10911: Information leak in Xen block-device backend driver.

A data structure allocated on the stack in the Xen block-device backend
driver may leak sensitive data through its padding fields. A malicious
unprivileged guest may be able to obtain sensitive information from the
host or other guests.


* Denial-of-service in r8152 driver.

An uninitialized list could cause a NULL pointer dereference while
polling.  An attacker could exploit this to cause a denial-of-service.


* Denial-of-service when reading from bcache sysfs.

A buffer overflow when reading the bcache writeback rate from sysfs
leads to a kernel crash. A malicious local user can exploit this to
cause a denial-of-service.


* Memory corruption in USB Video Class driver.

Failing to validate the buffer size when mapping a V4L2 control through
an extension unit results in a heap overflow. A malicious local user can
exploit this to corrupt kernel memory.


* CVE-2017-14991: Information leak in SCSI Generic Support driver.

Failing to initialize a buffer when performing an ioctl call on /dev/sg0
results in stale kernel data being leaked into userspace. This allows
local users to obtain sensitive information about kernel heap memory.


* Improved fix for CVE-2017-7542: Buffer overflow when parsing the IPv6 fragment header.

An incorrect data type when parsing the IPv6 fragment header could lead
to a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
