[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-139.165)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Jan 14 23:13:59 PST 2019
Synopsis: 4.4.0-139.165 can now be patched using Ksplice
CVEs: CVE-2018-10880 CVE-2018-13053 CVE-2018-14617 CVE-2018-14633
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-139.165.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
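As an added example (not part of Oracle's announcement or of the Ksplice tooling), a small POSIX shell helper that reads the `autoinstall` setting the notice refers to from an uptrack.conf-style file and reports whether the manual `uptrack-upgrade -y` step is still needed on a host running the patched kernel. The helper names (`autoinstall_enabled`, `kernel_matches`, `ksplice_action`), the sample config file and the assumption that `uname -r` reports the Ubuntu kernel as `4.4.0-139-generic` for package version 4.4.0-139.165 are this example's own.

```shell
#!/bin/sh
# Added example, not Ksplice code: decide whether the manual
# "uptrack-upgrade -y" step from the announcement is needed on this host.

# Return 0 if the file sets autoinstall to yes/true/1 (key and value
# case-insensitive, whitespace around '=' tolerated, trailing comments
# ignored, last occurrence wins), 1 otherwise or if the file is unreadable.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(tr 'A-Z' 'a-z' < "$conf" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        | tail -n 1)
    case "$value" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the running kernel ($1, as printed by "uname -r") belongs to
# the ABI of the announced package version ($2, e.g. 4.4.0-139.165).
# Assumption: Ubuntu names the running kernel "<abi>-<flavour>".
kernel_matches() {
    abi="${2%.*}"                  # "4.4.0-139.165" -> "4.4.0-139"
    case "$1" in
        "$abi"-*|"$abi") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the operator action: $1 config path, $2 running kernel, $3 target.
ksplice_action() {
    if ! kernel_matches "$2" "$3"; then
        echo "skip: running kernel $2 does not match $3"
    elif autoinstall_enabled "$1"; then
        echo "auto: autoinstall=yes, updates apply automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config for a stand-alone run (not a real host's file).
SAMPLE_CONF="${TMPDIR:-/tmp}/uptrack-example-$$.conf"
printf '[Settings]\n# constructed sample\nautoinstall = no\n' > "$SAMPLE_CONF"
ksplice_action "$SAMPLE_CONF" "4.4.0-139-generic" "4.4.0-139.165"
rm -f "$SAMPLE_CONF"
```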
DESCRIPTION
* CVE-2018-14617: Denial-of-service in HFS+ filesystem mounting.
A logic error when mounting an HFS+ filesystem could result in a NULL
pointer dereference and kernel crash. A local user with the ability to
mount filesystems could use this flaw to crash the system with a
maliciously crafted filesystem image.
* NULL pointer dereference in BTRFS relocation cleanup.
A missing NULL pointer check could result in a kernel crash when
mounting a corrupted filesystem. A user with the ability to mount
filesystems could use this flaw to crash the system with a maliciously
crafted image.
* Use-after-free when releasing a device in the USB xHCI driver.
A logic error when releasing a device in the USB xHCI driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when an I/O error happens while reading an OCFS2 block.
A logic error when an I/O error happens while reading an OCFS2 block could
lead to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.
The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.
* CVE-2018-10880: Out-of-bounds access when making inode space in the ext4 filesystem.
A logic error when making inode space in the ext4 filesystem could lead to
an out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.
* Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Incorrect locking when initializing an OCFS2 DLM lock resource could
result in memory corruption and a kernel crash.
* CVE-2018-14633: Permission bypass in the SCSI authentication request process.
A logic error in the SCSI authentication request process could lead to a
buffer overflow. A local attacker could use this flaw to expose SCSI
content without permission.
* Denial-of-service in hfsplus filesystem mount path.
Improper error handling in the hfsplus filesystem's mount path can lead to
a NULL pointer dereference, and subsequent kernel panic. A local attacker
could use this to cause a denial-of-service.
* Denial-of-service in hfsplus record insertion path.
Improper error handling in the hfsplus filesystem's record insertion path
can cause a return code to be stored in place of a pointer. This can lead
to a panic if the data is accessed elsewhere. This could be used to cause a
denial-of-service.
* Read of uninitialized memory in filesystem core.
An incorrect length check during a copy operation in the filesystem core can
lead to a read of uninitialized memory. This could cause unexpected behavior,
including potential denial-of-service.
* Race condition in IPVS core.
A logic error in the IPVS core code path that handles new connections creates
a race condition, which can lead to an infinite loop. This could be used to
cause a denial-of-service.
* Soft lockup in device-mapper core.
A failure to properly reschedule a process in the device-mapper core can result
in soft lockups. These could result in degraded system performance, or
denial-of-service.
* NULL pointer dereference during initialization of the HTB packet scheduling algorithm.
A logic error during initialization of the Hierarchical Token Buckets
(HTB) packet scheduling algorithm could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Invalid memory access when initializing Hardware Multiqueue-aware Multi Band Queuing scheduler.
A logic error when initializing Hardware Multiqueue-aware Multi Band
Queuing scheduler could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference during initialization of Heavy-Hitter Filter packet scheduling algorithm.
A logic error when initialization of Heavy-Hitter Filter packet
scheduling algorithm fails could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when initializing the network emulator.
A logic error when initialization of the network emulator fails could lead
to a NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.
* NULL pointer dereference on initialization failure of Token Bucket Filter packet scheduling algorithm.
A logic error on initialization failure of Token Bucket Filter packet
scheduling algorithm could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.
* Out-of-bounds access when handling INQUIRY command with Realtek PCI-E Card Reader RTS5208/5288 driver.
A logic error when handling INQUIRY command with Realtek PCI-E Card
Reader RTS5208/5288 driver could lead to an invalid memory access. A
local attacker could use this flaw to cause a denial-of-service.
* Memory leak on initialization failure of Texas Instruments shared transport line discipline driver.
A missing free of resources when initialization of Texas Instruments
shared transport line discipline driver fails could lead to a memory
leak. A local attacker could use this flaw to cause a denial-of-service.
* Double free when initialization of Userspace I/O drivers fails.
A logic error when initialization of Userspace I/O drivers fails could
lead to a double free and a denial-of-service.
* Invalid memory access in OKI SEMICONDUCTOR ML7213 IOH GPIO driver.
A logic error in OKI SEMICONDUCTOR ML7213 IOH GPIO driver could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access when mounting an f2fs filesystem.
A missing check when mounting an f2fs filesystem could lead to an
out-of-bounds access. A local attacker could use a crafted f2fs
filesystem to cause a denial-of-service.
* Out-of-bounds access when copying data in Netfilter Xtables.
A logic error when copying data in Netfilter Xtables could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in Honeywell HMC6352 compass driver.
A missing use of the indirect call protection macro in Honeywell HMC6352
compass driver could lead to speculative execution. A local attacker
could use this flaw to leak information about the running system.
* Use-after-free when setting a USB interface with xHCI USB Host.
A logic error when setting a USB interface with xHCI USB Host could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Out-of-bounds access in completion handler of USB Inside Out Edgeport Serial driver.
A missing check in completion handler of USB Inside Out Edgeport Serial
driver could lead to an out-of-bounds access. A local user could use a
malicious USB device to cause a denial-of-service.
* Out-of-bounds access based on user input in Yurex USB driver.
A missing check on user input in Yurex USB driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Integer overflow when finding CIFS entries.
A missing check when finding CIFS entries could lead to an integer
overflow. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free in system-call auditing driver.
A locking error when adding a watcher in system-call auditing driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference when using KFD ioctls in HSA kernel driver for AMD GPU devices.
A wrong return code when using KFD ioctls in HSA kernel driver for AMD
GPU devices could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when accessing TI BQ4802 RTC registers.
Incorrect error handling in the TI BQ4802 RTC driver could lead to a NULL
pointer dereference when accessing RTC registers. A local attacker could
use this flaw to cause a denial-of-service.
* Out-of-bounds access in interrupt handler of USB TI 3410/5052 Serial driver.
A missing check in interrupt handler of USB TI 3410/5052 Serial driver
could lead to an out-of-bounds access. A local user could use a
malicious USB device to cause a denial-of-service.
* NULL pointer dereference when using Intel Management Engine Interface.
A logic error when using Intel Management Engine Interface could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Out-of-bounds access when handling NFC SHDLC I-Frame commands.
A missing check when handling NFC SHDLC I-Frame commands could lead to
an out-of-bounds access. A local attacker could use a malicious NFC
device to cause a denial-of-service.
* Information leak in SNDRV_EMU10K1_IOCTL_INFO ALSA ioctl.
A missing zeroing of a variable in the SNDRV_EMU10K1_IOCTL_INFO ALSA ioctl
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and cause a denial-of-service.
* Memory leak when sending HDMI commands in Alienware Special feature control.
A missing free of resources when sending HDMI commands in Alienware
Special feature control could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.
* Information leak when using Performance Monitoring Counter in a Xen guest.
A missing initialization of on-stack data when using Performance
Monitoring Counter in a Xen guest could lead to an information leak. A
local attacker could use this flaw to leak information about the running
kernel and facilitate an attack.
* Use-after-free when transmitting packets over IPV6.
A logic error when transmitting packets over IPV6 could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in Virtual terminal driver.
A missing use of the indirect call protection macro in Virtual terminal
driver could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.
* Divide by zero error when deleting corrupted inline directories in ext4 filesystem.
A logic error when deleting corrupted inline directories in ext4
filesystem could lead to a divide by zero error. A local attacker could
use this flaw to cause a denial-of-service.
* Use-after-free when flushing queue pairs multiple times in Chelsio T4/T5 RDMA driver.
A missing check when flushing queue pairs multiple times in Chelsio
T4/T5 RDMA driver could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.
* Invalid memory access when getting user queue pairs in VMware VMCI driver.
A logic error when getting user queue pairs in VMware VMCI driver could
lead to an invalid memory access. A local attacker could use this flaw
to cause a denial-of-service.
* Denial-of-service when handling packets over IPv6 over Low power Wireless Personal Area Network.
A logic error when handling packets over IPv6 over Low power Wireless
Personal Area Network could lead to a kernel assert. A local attacker
could use this flaw to cause a denial-of-service.
* Use-after-free when registering error detection and correction driver for Intel i7 processors.
Wrong error handling when registering error detection and correction
driver for Intel i7 processors could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.
* Use-after-free when claiming USB interface.
A logic error in error path when claiming USB interface could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when configuring USB host.
A missing check when configuring USB host could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when setting ring parameters of e1000 network interface.
A logic error when setting ring parameters of e1000 network interface
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Memory leak when setting ring parameters of e1000 network interface.
A missing free of resources when setting ring parameters of e1000
network interface could lead to a memory leak. A local attacker could
use this flaw to exhaust kernel memory and cause a denial-of-service.
* NULL pointer dereference when passing Fast Transition Information Element to the WLAN driver.
A missing check when passing Fast Transition Information Element to the
WLAN driver could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* Memory corruption when registering Rocketport PCI serial device.
When registering a Rocketport PCI serial device, if the number of
connected PCI boards exceeds 8, the device info will be written
out-of-bounds, potentially resulting in memory corruption or a
denial-of-service.
* Information leak in /proc kernel stack dumps.
A failure to restrict access to /proc/self/task/*/stack to root only
could allow an unprivileged user to get information about the
stack and its contents of another process.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.