[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4211-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Dec 25 16:39:01 PST 2019


Synopsis: USN-4211-1 can now be patched using Ksplice
CVEs: CVE-2018-20784 CVE-2019-17075 CVE-2019-17133 CVE-2019-19049 CVE-2019-19532

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4211-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-17133: Denial-of-service in WiFi SIOCGIWESSID ioctl().

Missing bounds checks when copying an SSID in the SIOCGIWESSID ioctl()
for an 802.11 WiFi device could result in a buffer overflow and kernel
crash.
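The bug class described above, as an added illustration that is not Ksplice's or the kernel's own code: an SSID element whose length byte is supplied by the access point is copied into the fixed 32-byte buffer that SIOCGIWESSID returns, first trusting that length and then rejecting it when it exceeds the buffer. IW_ESSID_MAX_SIZE is the real wireless-extensions limit; the structure, function names and the constructed driver are assumptions.

```c
/* Added illustration, not Ksplice's or the kernel's own code, of the bug
 * class behind CVE-2019-17133.  IW_ESSID_MAX_SIZE is the real
 * wireless-extensions limit; structures and function names are assumed. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IW_ESSID_MAX_SIZE 32

/* 802.11 SSID information element: element id, length byte, payload. */
struct ssid_ie {
    uint8_t id;         /* 0 identifies the SSID element */
    uint8_t len;        /* supplied by the AP: anything from 0 to 255 */
    uint8_t data[255];
};

/* Unchecked pattern: trusts ie->len, so a value above 32 writes past the end
 * of the 32-byte destination.  Shown only to contrast with the fix below. */
int giwessid_unchecked(const struct ssid_ie *ie, uint8_t out[IW_ESSID_MAX_SIZE])
{
    memcpy(out, ie->data, ie->len);
    return ie->len;
}

/* Hardened pattern: refuse an element whose advertised length exceeds the
 * destination before copying anything. */
int giwessid_bounded(const struct ssid_ie *ie, uint8_t out[IW_ESSID_MAX_SIZE])
{
    if (ie->len > IW_ESSID_MAX_SIZE)
        return -EINVAL;
    memcpy(out, ie->data, ie->len);
    return ie->len;
}

/* Constructed driver: build an element of the given length and run the
 * hardened path; returns the copied length or the negative errno. */
int bounded_result(uint8_t len)
{
    struct ssid_ie ie = { .id = 0, .len = len };
    uint8_t ssid[IW_ESSID_MAX_SIZE];
    memset(ie.data, 'A', len);
    return giwessid_bounded(&ie, ssid);
}
```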


* Information leak in u32 Packet Classifier.

A missing length check on a user-controlled buffer in the Universal 32-bit key
Packet Classifier module can allow a local attacker to leak information about
the running system.


* CVE-2019-17075: Denial-of-service in Chelsio T4/T5 RDMA TPT entries.

Incorrect mapping of transfer buffers could result in performing DMA to
an incorrect physical address leading to memory corruption and use of
uninitialized values.  An attacker could use this flaw to crash the
system.


* CVE-2018-20784: Denial-of-service in task scheduling.

A logic error in the kernel task scheduler could result in an infinite
loop under high load conditions.  A local, unprivileged user could use
this flaw to cause a denial of service.


* Denial-of-service when adding a packet action.

An infinite loop during sendmsg in the Packet Action API interface could
block a kernel thread indefinitely. An attacker with permission to add a
packet action could exploit this bug to cause a denial-of-service.


* Denial-of-service when sealing a file descriptor.

Incorrect locking when adding a seal to a file descriptor triggers a
kernel fail-safe protection. A local attacker can exploit this bug to
cause a kernel crash and an eventual denial-of-service.


* Denial-of-service when removing a TUSB3410 USB device.

Incorrect locking when closing a port leads to a use-after-free bug when
removing a TUSB3410 USB serial device. A malicious device could exploit
this bug to cause a denial-of-service or possibly to escalate privilege.


* Information leak when reading from an LD Didactic USB device.

An incorrect read implementation in the LD Didactic USB driver leaks
uninitialized kernel memory to the device. A malicious device could
exploit this to escalate privilege.


* Denial-of-service when scanning APs in mac80211 subsystem.

Missing SSID length validation in the mac80211 subsystem could lead to an
out-of-bounds read in the kernel when scanning access points. A malicious
AP could exploit this to cause a denial-of-service.


* Denial-of-service when querying the number of free inodes on ocfs2.

A missing error check when allocating memory leads to a NULL pointer
dereference when performing the OCFS2_INFO_FREEINODE ioctl operation.
A local user could exploit this to cause a denial-of-service.


* Denial-of-service when creating extra attributes in OCFS2.

A missing check for memory allocation failure when creating an extra
attribute in an OCFS2 filesystem leads to a NULL pointer dereference. An
unprivileged local user could exploit this bug to cause a
denial-of-service.


* Memory leak in NFS client when handling SETCLIENTID.

Multiple concurrent SETCLIENTID operations when mounting an NFS
filesystem could lead to a memory leak. A local attacker with mount
privileges could exploit this to exhaust kernel memory and cause a
denial-of-service.


* Privilege escalation in the exec syscall.

Incorrect determination of the interpreter path during the exec system
call could allow execution of an attacker-controlled binary in a
privileged context. This bug could potentially be used to escalate
privilege.


* Data corruption when opening a file from a FUSE mount.

When opening a file with the O_TRUNC flag from a FUSE-mounted path,
incorrect locking could lead to operation reordering. This could cause
inadvertent data loss.


* Memory corruption when reading from a USB device.

Inadequate locking when reading from an LD Didactic-based USB device
could corrupt kernel memory. An attacker could exploit this bug to cause
a denial-of-service.


* Denial-of-service in whiteheat USB to serial converter.

Failing to sanitize user input in the whiteheat driver causes kernel
memory corruption. An attacker can craft a malicious device that
exploits this bug to cause a denial-of-service and possibly escalate
privilege.


* CVE-2019-19532: Denial-of-service when initializing HID devices.

A failure to properly check a device-controlled parameter in the USB
HID (Bluetooth) subsystem leads to reading or writing past memory
bounds. An attacker can exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.


* Oracle will not provide a zero-downtime update for CVE-2019-19049.

Oracle has determined that the vulnerability does not affect a
running system.


* Denial-of-service when reading from CIFS (SMB2) filesystem.

Incorrect locking in the CIFS filesystem read and write operations could
cause a deadlock in the event of a network outage. This could lead to a
denial-of-service.


* Denial-of-service when allocating page fragment for socket buffer.

An out-of-bounds write due to incorrect page fragment allocation in the
socket subsystem leads to kernel memory corruption. An attacker could
exploit this to cause a denial-of-service and possibly escalate privilege.


* Denial-of-service when establishing connection in LLC subsystem.

A reference counting error in the connect call of the LLC socket
subsystem could leave allocated memory unfreed after use. This causes
kernel memory exhaustion and could eventually lead to a
denial-of-service.


* Data race when queueing UDP packets.

Unprotected concurrent access when queuing and dequeuing datagram
packets leads to undefined behavior in the kernel. This could cause a
denial-of-service.


* Denial-of-service when creating extra attributes on an ext4 inode.

Creating a directory on an ext4 filesystem causes a NULL pointer
dereference when a SMACK security rule is attached. An attacker could
exploit this bug to cause a denial-of-service.


* Memory leak when sending a message over SCTP socket.

Incorrect initialization of an SCTP socket leads to a memory leak when
performing a sendmsg call. An unprivileged local attacker could exploit
this bug to cause kernel memory exhaustion.


* Privileged information leak in the socket subsystem.

Some kernel subsystems and userspace programs use "jiffies" (the number
of ticks since system start-up) to seed a pseudorandom number generator.
This information is thus considered privileged. A bug in the socket
subsystem leaks jiffies on the wire, which could allow a remote attacker
to weaken some data-concealment measures.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
