[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3420-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Sep 22 12:55:51 PDT 2017


Synopsis: USN-3420-1 can now be patched using Ksplice
CVEs: CVE-2017-1000251 CVE-2017-1000371 CVE-2017-10663 CVE-2017-7542

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3420-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
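As an added example (not part of the Oracle announcement and not Uptrack's own tooling), the POSIX shell helper below reads the "autoinstall" setting the notice refers to and tells an operator whether the manual uptrack-upgrade step is still needed on a host. It assumes /etc/uptrack/uptrack.conf is INI-style "key = value" text with "#" comments; the UPTRACK_CONF override, the function names and any sample config files are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Ksplice announcement or from Oracle's
# Uptrack tooling. It reads the "autoinstall" setting the notice refers to
# and says whether the manual "uptrack-upgrade -y" step is still required.
# Assumption: uptrack.conf is INI-style "key = value" text with "#" comments.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# uptrack_conf_get KEY FILE
# Print the effective value of KEY (last occurrence wins) with comments and
# surrounding whitespace stripped. Prints nothing if KEY is absent; returns 1
# if FILE cannot be read.
uptrack_conf_get() {
    key="$1"
    conf="$2"
    [ -r "$conf" ] || return 1
    awk -F= -v k="$key" '
        # drop trailing comments, then trim the key on the left of "="
        { sub(/#.*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k {
            v = $2
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }' "$conf"
}

# autoinstall_enabled [FILE]
# Exit 0 only when autoinstall is literally "yes" (case-insensitive). A
# missing key, an empty value or an unreadable file all count as disabled,
# so the conservative answer is "run the upgrade by hand".
autoinstall_enabled() {
    v="$(uptrack_conf_get autoinstall "${1:-$UPTRACK_CONF}" | tr 'A-Z' 'a-z')"
    [ "$v" = "yes" ]
}

# ksplice_action [FILE]
# One-line operator guidance for this notice based on the config state.
ksplice_action() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall=yes: USN-3420-1 updates will be installed automatically"
    else
        echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

ksplice_action "$@"
```

Run it with no arguments to check the real /etc/uptrack/uptrack.conf, or pass a path to inspect a copy pulled from another host; anything other than an explicit "yes" is treated as "not enabled" so that a typo or a commented-out line never hides a host that still needs the manual upgrade.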


DESCRIPTION

* Memory leak when using the Trusted Platform Module chip driver.

A missing initialization when using the Trusted Platform Module (TPM)
chip driver could lead to a memory leak. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* Array underflow when using SCSI procfs entries.

A missing check when writing to the SCSI procfs entry /proc/scsi/scsi
could lead to an array underflow. A local attacker could use this flaw
to cause a denial-of-service.


* Data corruption when using the ext4 resize command.

A missing cast when using the ext4 resize command could lead to data
corruption on the filesystem.


* Privilege escalation using the raw capture ioctl of the TI Davinci V4L2 driver.

Logic errors in the raw capture ioctl of the TI Davinci V4L2 driver could
lead to privilege escalation through a user-controlled memory pointer. A
local attacker could use this flaw to escalate privileges.


* Denial-of-service when using TCP syncookies over IPv4 or IPv6.

A missing initialization when using TCP syncookies over IPv4 or IPv6 could
lead to the use of uninitialized memory. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2017-7542: Buffer overflow when parsing the IPv6 fragment header.

An incorrect data type when parsing the IPv6 fragment header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* Array overflow when setting a MAC address through the routing netlink socket interface.

A logic error when setting a MAC address through the routing netlink
socket interface could lead to an array overflow. A local attacker could
use this flaw to cause a denial-of-service.


* Information leak when sending a packet over a MosChip MCS7780 IrDA-USB dongle.

Use of an on-stack buffer for a USB transfer when sending a packet over a
MosChip MCS7780 IrDA-USB dongle could leak stack contents. A local
attacker could use this flaw to leak information about the running kernel
and facilitate further attacks.


* Out-of-bounds access when using Netfilter connection tracking on an Open vSwitch socket.

A missing check when configuring Netfilter connection tracking on an Open
vSwitch socket could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Use-after-free when setting a socket option on a packet-family socket.

A missing check when setting a socket option on a packet-family socket
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Multiple memory leaks when using the DCCP protocol over IPv4 or IPv6.

Missing checks when using the DCCP protocol over IPv4 or IPv6 could lead
to memory leaks. A local attacker could use these flaws to cause a
denial-of-service.


* Uninitialized memory access when sending packets over an IPv6 SCTP socket.

A missing check when sending packets over an IPv6 SCTP socket could lead
to an uninitialized memory access. A local attacker could use this flaw
to cause a denial-of-service.


* Memory leak when sending a command through the MLX5 driver.

A missing free when sending a command through the Mellanox Technologies
ConnectX-4 and Connect-IB (MLX5) driver could lead to a memory leak. A
local attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in qla2xxx I/O read/write.

A race condition in the qla2xxx SCSI driver can result in memory
corruption leading to a kernel crash.


* Divide by zero when using the TCP Fast Open socket option.

A missing check when using the TCP Fast Open socket option could lead to
a divide by zero. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when using the TCP_FASTOPEN_CONNECT option on a TCP socket.

A missing check when using the TCP_FASTOPEN_CONNECT option on a TCP
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* Memory leak when sending a text command to the iSCSI Target Mode Stack driver.

A missing free when sending a text command to the iSCSI Target Mode Stack
driver could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* Memory leak when using the NFS Flexfiles client.

A missing free when using the NFS Flexfiles client could lead to a
memory leak. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in IPsec cryptography subsystem.

A NULL pointer dereference when decrypting an IPsec packet with an
extended sequence number results in a kernel crash. A malicious user can
exploit this to cause a denial-of-service.


* Out-of-bounds memory access in the IPsec configuration subsystem.

A type confusion during XFRM (IPsec configuration and monitoring
framework) policy lookup results in an out-of-bounds memory access. A
malicious local user could exploit this for privilege escalation.


* Information leak in the page allocator.

Some kernel debug messages inadvertently print kernel addresses. This
may allow an attacker to learn the kernel memory layout and use that
information to enhance other attacks.


* Denial-of-service in the iSCSI Extension for RDMA subsystem.

A NULL pointer dereference in the iSCSI Extension for RDMA (iSER)
subsystem results in a kernel crash. A malicious local user can exploit
this to cause a denial-of-service.


* CVE-2017-10663: Privilege escalation when mounting an F2FS image.

Missing sanity checks in the Flash-Friendly File System (F2FS) allow
out-of-bounds write operations. This could enable a malicious user to
escalate privileges when a crafted F2FS image is mounted.


* Information leak when performing a netdevice ioctl.

A missing NUL terminator allows an out-of-bounds read when performing
the SIOCGIFNAME ioctl. This could allow an attacker to inspect kernel
memory.


* Denial-of-service when querying a TIGON3 network device.

A race condition in the TIGON3 driver leads to a double free when
querying network interface statistics. This allows an attacker to cause
a denial-of-service.


* Denial-of-service in the Marvell WiFi-Ex driver.

A NULL pointer dereference when scanning for a WiFi BSS or IBSS results
in a kernel crash. This could be exploited to cause a denial-of-service.


* Data loss in the Non-Volatile Memory Device (NVDIMM) driver.

A failure to handle errors properly results in a failed write being
reported as successful. This may lead to silent data loss.


* Denial-of-service in the ALSA System-on-Chip front-end.

A logic error in the ALSA System-on-Chip (ASoC) PCM front-end could
result in a use-after-free. An attacker can exploit this to cause a
denial-of-service.


* CVE-2017-1000251: Privilege escalation in the Bluetooth subsystem.

A stack overflow vulnerability when processing L2CAP configuration
responses in the native Bluetooth stack (BlueZ) allows a remote attacker
to execute arbitrary code with escalated privileges.


* Improved fix to CVE-2017-1000371: Privilege escalation when executing a program.

The original vendor fix for CVE-2017-1000371 broke key assumptions
about memory layout that some applications made. This could result in
applications failing to start or operate correctly.


* Denial-of-service during I/O on a memory-mapped XFS block.

Mixing direct I/O and memory-mapped I/O on an XFS block can crash the
kernel. A malicious local user can exploit this to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
