[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3753-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Nov 16 10:50:08 PST 2018


Synopsis: USN-3753-1 can now be patched using Ksplice
CVEs: CVE-2017-13168 CVE-2017-5753 CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-12233 CVE-2018-13094 CVE-2018-13405 CVE-2018-13406

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3753-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Stack overflow in Elan I2C/SMBus touchpad driver.

Incorrectly sized stack structures in the Elan I2C/SMBus touchpad driver
could potentially allow overwriting stack values when initializing or
calibrating the device.


* Kernel information leak in the TCP subsystem.

An integer overflow when copying received TCP data to userspace could
lead to disclosure of sensitive kernel memory to userspace. This could
lead to privilege escalation.


* Denial-of-service when mapping large files into memory.

When mapping large files and block devices into memory, buggy drivers
could overflow the size limit on 32-bit systems. A malicious unprivileged
local user could exploit this to cause a denial-of-service.


* Data loss when performing fsync on XFS filesystem.

An error when flushing logs during fsync on an XFS filesystem could lead
to inadvertent data-loss if the system crashes or loses power.


* Denial-of-service when disconnecting DCCP.

Early cleanup on DCCP could lead to use-after-free if a half-connection
times out after disconnect. An unprivileged local user could exploit
this to cause a denial-of-service.


* Privilege escalation when executing user command in DIVAS driver.

A race condition when invoking a user command on an adapter in the Eicon
DIVA Server card driver could allow a malicious user to inject
inconsistent data into the kernel. This could lead to privilege
escalation or a denial-of-service.


* Denial-of-service when validating TCP packet.

Failure to take the size of the packet header into account during
validation leads to a use-after-free in the TCP networking subsystem. A
local attacker with the CAP_NET_RAW capability could use this flaw to
trigger a buffer overflow resulting in a system crash or privilege
escalation.


* Denial-of-service in the Mellanox multicast subsystem.

Failure to obtain an interrupt-safe lock when looking up a queue pair in
the Mellanox mlx4 multicast subsystem could lead to a deadlock in the
kernel. An attacker could exploit this to cause a denial-of-service.


* Denial-of-service when creating route in the netlink subsystem.

Missing validation of a netlink message from userspace could lead to
undefined behavior in the kernel. This could lead to a
denial-of-service.


* Denial-of-service when adding IPsec key extension.

Failure to validate data from userspace when adding a key extension in
the IPsec subsystem leads to a memory allocation error. An attacker may
exploit this to cause a denial-of-service.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

A file created in a set-group-ID directory inherits the directory's
group, and the kernel left the set-group-ID bit on a group-executable
file even when the creator was neither a member of that group nor
CAP_FSETID-capable. A local user with write access to such a directory
could therefore create a set-group-ID executable that runs with a group
they do not belong to; if the directory is owned by a privileged group,
this can be used to elevate privileges.


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.


* CVE-2018-12233: Out-of-bounds access using extended attributes with JFS filesystem.

An incorrect size for buffer allocation could lead to an out-of-bounds
access when changing attributes on a JFS file from user space. An
unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when decoding IPsec session.

When decoding an IPv6 IPsec session, an integer overflow triggers a kernel
BUG. A local user with the privilege to create an IPsec tunnel can exploit
this to cause a denial-of-service.


* Denial-of-service when filtering ethernet packets.

Failure to validate userspace data when matching ethernet packets against
filtering rules in the ebtables subsystem leads to an out-of-bounds write
in the kernel. An attacker could exploit this to corrupt kernel memory and
possibly escalate privileges.


* NULL pointer dereference in ALSA PCM stream attach.

A failure to correctly handle a memory allocation failure can result in
partial initialization of a PCM stream, leading to a subsequent NULL
pointer dereference.


* Improved fix for CVE-2017-5753: Speculative execution in array accesses.

The current fix for CVE-2017-5753 fails to correctly disable compiler
optimization, which results in some array accesses not being correctly
protected against speculative execution attacks.
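
As an added illustration (not kernel code and not part of this notice), the
block below shows the branch-free index clamp that the CVE-2017-5753
mitigation relies on. index_mask_nospec() and index_nospec() mirror the
kernel's generic array_index_mask_nospec() and array_index_nospec() helpers;
the HIDE_VAR() macro plays the role of the compiler barrier the item above is
about, and the table, lookup() and the inputs are constructed for the example.

```c
/* Added illustration, not kernel code, of the branch-free index clamp behind
 * the CVE-2017-5753 (Spectre variant 1) mitigation. index_mask_nospec() and
 * index_nospec() mirror the kernel's generic array_index_mask_nospec() and
 * array_index_nospec(); the table, lookup() and inputs are this example's. */
#include <limits.h>
#include <stdio.h>

/* All ones when index < size, zero otherwise, with no conditional branch the
 * CPU could mispredict: (size - 1 - index) wraps and sets the top bit exactly
 * when index is out of range, and the arithmetic right shift smears that bit
 * across the whole word. Assumes size <= LONG_MAX, as the kernel does. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* The mask only helps if the compiler cannot see through it and fold it back
 * into a branch; an empty asm with an in/out operand hides the value from the
 * optimizer, in the spirit of the kernel's OPTIMIZER_HIDE_VAR(). */
#define HIDE_VAR(var) __asm__("" : "+r"(var))

static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = index_mask_nospec(index, size);

    HIDE_VAR(index);
    return index & mask;        /* out-of-range indices collapse to 0 */
}

#define TABLE_LEN 8
static const int table[TABLE_LEN] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Untrusted index from userspace: the bounds check decides architecturally,
 * and the clamp keeps the speculative load inside the table even if that
 * check is mispredicted. Returns -1 for out-of-range input. */
int lookup(unsigned long untrusted_index)
{
    if (untrusted_index >= TABLE_LEN)
        return -1;
    return table[index_nospec(untrusted_index, TABLE_LEN)];
}

int main(void)
{
    printf("mask(3,8)=%lx mask(8,8)=%lx\n",
           index_mask_nospec(3, 8), index_mask_nospec(8, 8));
    printf("lookup(3)=%d lookup(9)=%d\n", lookup(3), lookup(9));
    return 0;
}
```

Without the barrier, an optimizer that can prove `mask` is all ones on the
path where `untrusted_index < TABLE_LEN` may drop the AND entirely, which is
the kind of regression an "improved fix" of this sort addresses.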


* Memory corruption in ALSA Dynamic Power Management driver.

When unloading an ALSA audio device that uses the Dynamic Power
Management feature, the device is not removed from the global list
before being freed. This can result in memory corruption or a
denial-of-service.


* Use-after-free in FUSE when failing to create superblock.

If an error occurs while creating a Filesystem in Userspace superblock
after the connection to the FUSE service is made, the connection is not
torn down, resulting in a use-after-free and potential denial-of-service
when the superblock is freed.


* NULL-pointer dereference in FUSE when failing to create inode.

If inode creation fails for a Filesystem in Userspace file, the
connection teardown to the FUSE service might improperly try to clean up
the non-existent inode, resulting in a NULL-pointer dereference and
denial-of-service.


* Invalid assertion in RDMA-over-Infiniband causes denial-of-service.

An invalid assertion could in rare cases cause a kernel panic and
denial-of-service when an unknown work request was received through a
management datagram.


* Denial-of-service due to overflow in UBIFS journal allocation.

Failing to validate the entry size and length of an array allocation
when allocating a data node for the Unsorted Block Image File System
could result in an overflow in the allocation and denial-of-service.


* Stack corruption in NFSv4 idmapper verification with large uid.

When attempting to verify a uid or gid above 2147483647 in the NFSv4
idmapper code, a single terminating NUL byte is written out-of-bounds on
the stack, resulting in a kernel panic and denial-of-service.


* CVE-2018-13406: Denial-of-service due to overflow in VBE2+ video driver.

Failing to validate the size and number of entries in an array
allocation in the VESA BIOS Extensions (VBE 2.0+) framebuffer driver,
uvesafb, could result in an overflowed allocation and denial-of-service.
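
Both the UBIFS item and the uvesafb item above are instances of the same
allocation-size overflow. As an added illustration (not kernel code and not
part of this notice), the block below puts the unchecked sizing beside a
checked version that follows the rule the kernel's kmalloc_array() applies:
refuse the allocation when count times element size does not fit, rather
than truncating it. The 4-byte struct entry, the helper names and the
hostile count are constructed for this example.

```c
/* Added illustration, not kernel code, of the allocation-size overflow behind
 * the UBIFS and uvesafb items above: a caller-controlled entry count is
 * multiplied by the entry size, the product wraps, and a buffer far smaller
 * than the data it must hold is allocated. array_bytes_checked() follows the
 * rule of the kernel's kmalloc_array(): fail on overflow instead of wrapping.
 * struct entry, the helper names and the counts are constructed here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct entry { uint16_t red, green; };     /* 4 bytes per entry */

/* Vulnerable sizing: silently wraps modulo SIZE_MAX + 1 for large counts. */
size_t array_bytes_unchecked(size_t count, size_t entry_size)
{
    return count * entry_size;
}

/* Hardened sizing: returns false, leaving *bytes untouched, when
 * count * entry_size does not fit in a size_t. */
bool array_bytes_checked(size_t count, size_t entry_size, size_t *bytes)
{
    if (entry_size != 0 && count > SIZE_MAX / entry_size)
        return false;
    *bytes = count * entry_size;
    return true;
}

/* Convenience wrapper: 0 means the request was rejected. */
size_t checked_bytes_or_zero(size_t count, size_t entry_size)
{
    size_t bytes;
    return array_bytes_checked(count, entry_size, &bytes) ? bytes : 0;
}

/* What a setcmap-style handler ends up with for `count` entries: the
 * unchecked version hands back a tiny buffer that the later per-entry copy
 * would overrun; the checked version returns NULL so the caller can fail the
 * request instead. */
struct entry *alloc_entries_unchecked(size_t count)
{
    return malloc(array_bytes_unchecked(count, sizeof(struct entry)));
}

struct entry *alloc_entries_checked(size_t count)
{
    size_t bytes;

    if (!array_bytes_checked(count, sizeof(struct entry), &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed hostile count: (SIZE_MAX / 4 + 2) entries of 4 bytes is one
     * full wrap of size_t plus 4, so the unchecked product is 4 bytes. */
    size_t hostile = SIZE_MAX / sizeof(struct entry) + 2;
    struct entry *p = alloc_entries_checked(hostile);

    printf("unchecked size for %zu entries: %zu bytes\n",
           hostile, array_bytes_unchecked(hostile, sizeof(struct entry)));
    printf("checked: %s\n",
           checked_bytes_or_zero(hostile, sizeof(struct entry)) ? "accepted" : "rejected");
    printf("alloc_entries_checked -> %s\n", p ? "buffer" : "NULL");
    free(p);
    return 0;
}
```

The same check is what makes kmalloc_array() preferable to an open-coded
`kmalloc(n * size, ...)` whenever `n` originates in userspace or on-disk
metadata.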


* Denial-of-service in UDF filesystem with incorrect directory size.

If a directory on the UDF filesystem reported a larger-than-accurate
size when being read, the entry could become further corrupted or
result in a denial-of-service.


* Out-of-bounds access in Network Control Model communications driver.

A logic error when reserving space for a packet in the USB CDC Network
Control Model (NCM) driver can result in an out-of-bounds memory access,
leading to memory corruption or a kernel crash.


* Denial-of-service due to invalid assertion in netfilter chain.

An invalid assertion when processing an exceptionally long netfilter
chain could cause a denial-of-service.


* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can result in
userspace being able to corrupt kernel memory. A local user with access
to an sg device could use this flaw to cause undefined behaviour or a
kernel crash, leading to a denial-of-service.


* Denial-of-service in CIFS filesystem mount.

A failure to correctly handle signals during a CIFS mount operation can
result in an infinite loop. A local user with the ability to mount a
CIFS filesystem could use this flaw to cause a denial-of-service.


* CVE-2018-10883: Out-of-bounds access in ext4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10878, CVE-2018-10879: Out-of-bounds access when initializing ext4 block bitmap.

A logic error when initializing ext4 block bitmap could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10877: Out-of-bounds access when using corrupted ext4 filesystem with abnormal extent tree.

A missing check when using corrupted ext4 filesystem with abnormal
extent tree could lead to an out-of-bounds access. A local attacker
could use this flaw with a crafted ext4 image to cause a
denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks with ext4 filesystem.

A missing data zeroing when using indirect blocks with ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10882: Out-of-bounds access when unmounting a crafted ext4 filesystem.

A logic error when unmounting a crafted ext4 filesystem could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Improved fix for CVE-2017-5753: Indirect branch speculation.

Information controlled by userspace can be used to disclose kernel
memory via speculation in the Human Interface Device (HID) driver. A
local user could use this flaw to facilitate a further attack on the
system.


* Denial-of-service when navigating SLAB page list.

The kernel may migrate a thread to a different CPU from the one on which
it started. This could corrupt the per-CPU SLAB page list during page
allocation and lead to an inadvertent denial-of-service when the thread
tries to access the page.


* Denial-of-service in netfilter log target.

Incorrect locking in the netfilter log target can result in deadlock
when accessing memory backed by a userfaultfd region. A local user with
access to netfilter and userfaultfd could use this flaw to cause a
denial-of-service.


* Denial-of-service when reading from GPIO device.

A NULL-pointer dereference when reading from a GPIO device leads to a
kernel crash. This could be exploited by a malicious local user to cause
a denial-of-service.


* Denial-of-service when allocating buffer in device mapper.

If a system is under memory pressure, attempting to allocate a new buffer
in the device mapper driver could cause a deadlock. A malicious local
user could exploit this to cause a denial-of-service.


* CVE-2018-10876: Use-after-free when removing space in ext4 filesystem.

A logic error when removing space in ext4 filesystem could lead to a
use-after-free. A local attacker could use this flaw with a crafted ext4
image to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
