[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3631-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu May 3 09:27:12 PDT 2018
Synopsis: USN-3631-1 can now be patched using Ksplice
CVEs: CVE-2017-13166 CVE-2017-16538 CVE-2017-5715 CVE-2018-1000004 CVE-2018-5750 CVE-2018-7566
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3631-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
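The two installation paths above, as an added example that is not part of the Ksplice announcement: a POSIX shell helper that reads the autoinstall setting from uptrack.conf (path overridable through the assumed UPTRACK_CONF variable) and only runs uptrack-upgrade when the setting is off and the assumed UPTRACK_APPLY=yes is given, so a plain run is a read-only status check.

```shell
#!/bin/sh
# Added example, not Oracle's code: decide whether uptrack-upgrade must be
# run by hand, based on "autoinstall = yes" in /etc/uptrack/uptrack.conf.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"   # assumed override

# uptrack_autoinstall_enabled CONF
# Returns 0 when CONF has an uncommented "autoinstall = yes" line
# (case-insensitive, whitespace around '=' ignored); 1 otherwise,
# including when the file is missing or unreadable. The last
# occurrence of the key wins, as in typical key=value parsing.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# plan_update CONF
# Prints the action the notice prescribes for this configuration.
plan_update() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: USN-3631-1 patches will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Only touch the system when explicitly asked (UPTRACK_APPLY=yes is an
# assumed knob); otherwise just report which path applies.
if [ "${UPTRACK_APPLY:-no}" = "yes" ] \
   && ! uptrack_autoinstall_enabled "$UPTRACK_CONF"; then
    /usr/sbin/uptrack-upgrade -y
else
    plan_update "$UPTRACK_CONF"
fi
```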
DESCRIPTION
* Improved fix for Spectre v2: Speculative execution when making indirect calls during emulation.
A missing use of the indirect-call protection macro during emulation could
lead to speculative execution. A local attacker could use this flaw to
leak information about the running system.
* Divide by zero errors when running an eBPF program.
A missing check when running an eBPF program could lead to a divide by
zero error. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctl.
A race condition when using MIDI sequencer ioctl could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access when using AES cipher algorithms on x86.
A missing check on a destination buffer when using AES cipher algorithms
on X86 architecture could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when hot plugging an Intel(R) 82575/82576 PCI-Express Gigabit Ethernet device.
A missing check when hot plugging an Intel(R) 82575/82576 PCI-Express
Gigabit Ethernet device could lead to a kernel assert. A local attacker
could use this flaw to cause a denial-of-service.
* Deadlock in BTRFS when filling space cache.
A missing unlock in the error path when filling the space cache in the
BTRFS filesystem could cause a lock ordering problem and system
deadlock, resulting in a denial-of-service.
* Deadlock in Edgeport USB/Serial converter data receive.
When processing received data in Edgeport USB/Serial converter driver,
the driver erroneously sleeps while holding a spinlock, potentially
causing a deadlock and denial-of-service.
* NULL-pointer dereference in setsockopt during selinux security scan.
If a setsockopt system call is performed during an SELinux security
scan, a race condition could result in a NULL-pointer dereference and
denial-of-service.
* Information leak via USB-over-IP sysfs status file.
The generic USB-over-IP driver provides a sysfs status file that
contains an unsanitized TCP socket address.
* Double unlock in IPv6 multicast dump routine.
When dumping IPv6 multicast entries multiple times, the cache iterator
pointer might still contain the value from the previous dump call,
potentially double-unlocking the associated lock and causing a
denial-of-service.
* Kernel hang in QLogic mailbox handling.
Incorrect locking could result in deadlock and a kernel hang when
processing mailboxes on a QLogic network adapter.
Orabug: 27337130
* Use-after-free in IPv4 TCP disconnect.
IPv4 TCP sockets are re-used after disconnect. Their associated memory
pages must be correctly released, or subsequent sockets might attempt to
utilize unallocated memory, causing a potential denial-of-service.
* Information leak in encrypted keys subsystem.
Providing the encrypted keys subsystem with a shorter-than-expected
master key description could cause the key validation routine to read
beyond the end of the buffer, potentially exposing kernel memory.
* Information leak when using CIFS filesystem.
A missing release of resources when using the CIFS filesystem could lead
to an information leak. A local attacker could use this flaw to leak
information about encrypted data and access it.
* CVE-2017-16538: Denial-of-service in DVB-USB subsystem.
A missing warm-start check and incorrect attach timing allows local
users to cause a denial of service (general protection fault and system
crash) or possibly have unspecified other impact via a crafted USB
device.
* NULL pointer dereference when registering a key for NFS.
A missing check when registering a key for NFS through keyctl can lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Use-after-free in nsfs directory cache.
Incorrect use of flags when releasing a directory cache entry in the
system namespace file descriptor interface could result in the cache
entry being used after it was freed, potentially corrupting memory or
causing a denial-of-service.
* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.
Logic errors in multiple V4L2 ioctls could lead to execution of
arbitrary user-space-defined addresses. A local attacker could use this
flaw to escalate privileges.
* CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.
An overly verbose printk when registering the ACPI Smart Battery System
driver leaks kernel addresses. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.
* Kernel information leak in dummy console driver.
Incorrect initialization of a kernel data structure in the dummy console
driver leads to stack memory leaking into userspace. This could be
exploited to introspect kernel memory and enhance existing attacks based
on that information.
* Multiple denial-of-service vulnerabilities in Btrfs filesystem.
A range of bugs in Btrfs filesystem operations results in
use-after-free, race condition and memory leak. A malicious local user
can exploit these bugs to cause data loss, kernel memory exhaustion and
denial-of-service.
* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.
A race condition when initializing the ALSA sequence pool leads to a
use-after-free and out-of-bounds memory access. An attacker can exploit
this to cause a denial-of-service.
* Data loss when writing to RAID block device.
Failure to propagate error status when performing chained block I/O on a
RAID device results in incorrect success response from the driver. This
may lead to data corruption.
* Denial-of-service via empty pathname lookup.
Looking up an empty directory path via namei() can trigger the creation
of a directory cache entry that isn't properly freed, resulting in a
potential use-after-free. This could corrupt memory or cause a
denial-of-service.
* Denial-of-service when using Metadata Server protocol over NFS.
An error in resource handling when using the Metadata Server protocol
over NFS could lead to a deadlock. A local attacker could use this flaw
to cause a denial-of-service.
* Denial-of-service when using Packet writing on CD/DVD media.
Logic errors when using Packet writing on CD/DVD media could lead to
NULL pointer dereference or kernel assert. A local attacker could use
this flaw to cause a denial-of-service.
* Denial-of-guest-service when resetting guest CPU in KVM.
Mis-handling VCPU flags when resetting a KVM guest virtual machine could
cause the VM entry to fail, resulting in a denial-of-service on the
guest machine.
* Infinite loop in SUNRPC TCP socket connect with unreachable host.
When attempting to connect a TCP socket backing a SUNRPC connection, an
unreachable host would cause the socket to retry indefinitely.
* Race condition in Unsorted Block Image device driver causes DoS.
Missing thread-safety locks in the Unsorted Block Images subsystem of
the Memory Technology Devices driver could allow a race condition where
multiple data blocks were created on top of each other, likely resulting
in a denial-of-service.
* Improved fix for CVE-2017-5715: Denial-of-service when ptracing a process while AppArmor is running.
A logic error when ptracing a process from another process while
AppArmor is enabled could lead to a deadlock. A local
attacker could use this flaw to cause a denial-of-service.
* Improved fix for CVE-2017-5715: Always JIT compile BPF programs.
The BPF interpreter is vulnerable to Spectre variant 2 attacks when
not running in just-in-time compilation mode. Forcing JIT should prevent
an unprivileged user from gaining information from the system in this
way.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.