[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4008-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Jun 19 07:16:34 PDT 2019
Synopsis: USN-4008-1 can now be patched using Ksplice
CVEs: CVE-2019-11190 CVE-2019-11486 CVE-2019-11815
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4008-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Potential kernel crash in UDF filesystem's truncate() error path.
An incorrectly handled error case in the truncate(2) syscall on a UDF
filesystem can trip a kernel BUG(), leading to a kernel panic. This
could potentially be exploited to cause a denial-of-service.
* Denial-of-service in ext4 filesystem during journal operation.
A null pointer dereference in the ext4 filesystem when updating the
journal leads to a crash in the kernel journaling thread. An attacker
could exploit this flaw to cause a denial-of-service.
* Data corruption on ext4 filesystems while performing direct AIO.
Under certain conditions, it is possible for unaligned direct AIO
operations on an ext4 filesystem to corrupt previously written
filesystem blocks. A malicious user could potentially exploit this flaw
to corrupt filesystem data.
* Information leak in v4l2 and uvc device drivers.
A failure to properly zero an event structure used in both the v4l2 and
uvc USB device drivers can lead to privileged kernel information being
leaked to userspace. This could potentially be exploited to leak
information about the running system.
* Kernel hang in directory entry invalidation race.
A race condition when calling d_invalidate() could result in a kernel
hang and then panic due to watchdog timeout. A system under heavy I/O
load could become unresponsive and hang under specific conditions.
* Denial-of-service when disconnecting generic USB device.
The number of configuration options is not properly validated when
disconnecting a USB device. A malicious device could exploit this to
improperly free memory, potentially resulting in a denial-of-service.
* Stack corruption when connecting ROSE socket.
When establishing a Remote Operations Service Element (ROSE) connection,
the network facilities structure can occupy more space on the stack than
was allocated for it, corrupting the stack. An attacker could potentially
abuse this out-of-bounds access to escalate their privileges.
* Out-of-bounds memory access when changing PCM parameters on ALSA device.
When altering PCM parameters for an ALSA sound device, incorrect
ordering of allocations could result in an out-of-bounds memory access,
potentially resulting in memory corruption or a denial-of-service.
* NULL-pointer dereference when closing SCSI disk device with outstanding traffic.
When a SCSI disk device is closed while outstanding I/O is still being
processed, incorrect synchronization could result in a race condition and
a NULL-pointer dereference, causing a kernel crash and denial-of-service.
* Out-of-bounds access when reading data over I2C bus.
A missing check on user input when reading data over I2C bus could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference on node creation of OCFS2 file system.
A logic error on node creation of OCFS2 file system could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* NULL pointer dereference when using device mapper with Thin provisioning support.
A missing check when using device mapper with Thin provisioning support
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* NULL pointer dereference when mounting a CIFS filesystem with invalid mount option.
A missing check when mounting a CIFS filesystem with an invalid devname
as a mount option could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference when suspending ALSA PCM drivers.
A missing check when suspending ALSA PCM drivers could lead to a NULL
pointer dereference for some of the PCM drivers. A local attacker could
use this flaw to cause a denial-of-service.
* Out-of-bounds access when trying to display a logo bigger than screen size.
A missing check when trying to display a logo bigger than screen size in
the framebuffer driver could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2019-11190: Information leak using a setuid program and accessing process stats.
Credentials are set up too late when executing a setuid program, leaving a
window in which a local attacker can read /proc/<pid>/stat of the new,
privileged process and learn its memory layout, bypassing ASLR.
* CVE-2019-11486: Denial-of-service in Siemens R3964 line discipline driver.
Multiple race conditions in the r3964 line discipline driver could be
exploited by a local user to cause a denial-of-service.
* Use-after-free condition in IPv6 tunnel receive.
A logic error in the ipv6 code could result in a use-after-free condition
while getting headers during a receive.
* CVE-2019-11815: Use-after-free in RDS socket creation.
A logic error in the RDS code could fail to properly clean up a socket once
it is destroyed, which could then lead to a use-after-free on a new socket
creation. This could be used to cause a denial-of-service.
* Kernel information leak during SCTP socket IPv4 address copying.
A failure to fully initialize an IPv4 address structure before copying it
to userspace could leak uninitialized kernel memory to a local user.
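Both the v4l2/uvc event leak above and this SCTP address leak are instances of the same bug class: a kernel structure whose named fields are filled in but whose alignment padding (or unused members) is never written, after which the whole object is copied to userspace and the stale bytes go with it. The following added example, which is not code from the kernel or from Oracle, reproduces that pattern in userland with a constructed structure and a stand-in for copy_to_user(), and shows the hardened form (zero the whole object before filling it, which is the standard fix for this class of bug). The structure, the marker value and the helper names are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel structure that is copied to userspace
 * (think of a v4l2 event or an SCTP sockaddr): the uint64_t member forces
 * alignment padding after 'kind', and the struct is padded at the end too. */
struct leaky_event {
    uint8_t  kind;
    uint64_t payload;
    uint32_t flags;
};

/* Bytes that the three field assignments below actually write. */
#define FIELD_BYTES (sizeof(uint8_t) + sizeof(uint64_t) + sizeof(uint32_t))

/* A union keeps the struct correctly aligned while letting us pre-fill the
 * whole slot with a marker, standing in for whatever stale kernel data the
 * stack or slab happened to contain before the object was placed there. */
union kslot {
    struct leaky_event ev;
    uint8_t raw[sizeof(struct leaky_event)];
};

#define STALE 0xAA   /* constructed marker for "stale kernel memory" */

/* Stand-in for copy_to_user(): userspace simply receives the bytes. */
static void fake_copy_to_user(uint8_t *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable pattern: set the named fields, never touch the padding,
 * then copy sizeof(*ev) bytes out. The padding carries STALE to userspace. */
static void fill_and_copy_vulnerable(union kslot *slot, uint8_t *user_buf)
{
    slot->ev.kind    = 1;
    slot->ev.payload = 0x4142434445464748ULL;
    slot->ev.flags   = 7;
    fake_copy_to_user(user_buf, &slot->ev, sizeof slot->ev);
}

/* Hardened pattern: zero the whole object first. memset() covers padding
 * bytes, which a "= { 0 }" initialiser does not guarantee to clear. */
static void fill_and_copy_hardened(union kslot *slot, uint8_t *user_buf)
{
    memset(&slot->ev, 0, sizeof slot->ev);
    slot->ev.kind    = 1;
    slot->ev.payload = 0x4142434445464748ULL;
    slot->ev.flags   = 7;
    fake_copy_to_user(user_buf, &slot->ev, sizeof slot->ev);
}

/* Count how many STALE bytes reached "userspace". None of the field values
 * chosen above contain 0xAA, so every hit is a leaked padding byte. */
size_t stale_bytes_leaked(int hardened)
{
    union kslot slot;
    uint8_t user_buf[sizeof(struct leaky_event)];
    size_t i, leaked = 0;

    memset(slot.raw, STALE, sizeof slot.raw);   /* stale kernel memory */
    if (hardened)
        fill_and_copy_hardened(&slot, user_buf);
    else
        fill_and_copy_vulnerable(&slot, user_buf);

    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("struct size %zu, bytes written by field stores %zu\n",
           sizeof(struct leaky_event), (size_t)FIELD_BYTES);
    printf("vulnerable: %zu stale bytes leaked\n", stale_bytes_leaked(0));
    printf("hardened:   %zu stale bytes leaked\n", stale_bytes_leaked(1));
    return 0;
}
```

On a typical 64-bit ABI the structure is 24 bytes while the field stores write only 13, so the vulnerable path hands 11 bytes of stale memory to the caller; the hardened path hands over none. The same reasoning applies whenever a kernel object is handed back to userspace wholesale, whether it was allocated on the stack, from a slab, or via a kzalloc()/kmalloc() mix-up.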
* Denial-of-service in ALSA ioctl calls.
An invalid assumption in the ALSA code could result in an invalid memory
access when accessing userspace strings in the ioctl code. This could be
used for a denial-of-service attack.
* Memory leak in block bio layer when adding a page fails.
A failure to properly handle an error condition with adding a page in the
block bio layer results in a memory leak. This could be exploited to cause
a denial-of-service attack.
* Denial-of-service in Xen ioctl when processing command input.
A failure to validate user input in the Xen ioctl code could result in an
out of bounds memory access, leading to possible memory corruption or a
kernel panic. This could be used for a denial-of-service attack.
* NULL pointer dereference in fair scheduler load calculation.
A race condition in the Completely Fair Scheduler (CFS) code could lead to
a NULL pointer dereference and possible memory corruption or kernel panic.
* NULL pointer dereference during Echo Audio driver initialization.
A failure to ensure that an ioremap operation was successful can lead to
a NULL pointer dereference in snd_echo_create. This could potentially
be used to cause a denial-of-service.
* Filesystem data corruption during certain ext4 operations.
Under certain conditions, it is possible for an ext4 filesystem to
attempt to clear out unused space using information gathered from stale
metadata. This could lead to portions of filesystem data being erased
unexpectedly.
* Improved fix for Spectre v1: Information leak in ATM LAN emulation driver.
A failure to sanitize a user controlled array index in the Asynchronous
Transfer Mode LAN emulation driver can lead to kernel memory being
leaked to userspace. A local attacker could exploit this flaw to leak
information about the running system.
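The Spectre v1 fix above follows the kernel-wide pattern of clamping a user-supplied array index after the bounds check, so that a mispredicted branch cannot speculatively load from beyond the array. The following added example, written for this page and not taken from the kernel or from the ATM LANE driver, re-implements that masking idea for 64-bit indices and shows it applied to a constructed per-interface table that an ioctl-style lookup indexes with an attacker-controlled number. The table, its contents and the function names are assumptions; the kernel's own helper is array_index_nospec(), whose generic implementation uses a signed shift that this version avoids.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed per-interface table, standing in for a kernel array that an
 * ioctl indexes with a user-supplied interface number. */
#define MAX_ITF 16
static const int itf_table[MAX_ITF] = {
    100, 101, 102, 103, 104, 105, 106, 107,
    108, 109, 110, 111, 112, 113, 114, 115
};

/* Branch-free mask: all ones when index < size, zero otherwise.
 * Correct for any index as long as 1 <= size < 2^63. */
uint64_t index_mask_nospec(uint64_t index, uint64_t size)
{
    /* size - 1 - index wraps to a value with the top bit set exactly when
     * index >= size; OR-ing with index keeps that bit set for huge indices
     * (index >= 2^63) where the subtraction alone could wrap back around. */
    uint64_t v = index | (size - 1 - index);
    return (v >> 63) - 1;          /* 0 - 1 = all ones, 1 - 1 = 0 */
}

/* Clamp an already bounds-checked index so that even a mispredicted
 * branch cannot use an out-of-range value as an address. */
uint64_t array_index_nospec_u64(uint64_t index, uint64_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Vulnerable: architecturally correct, but while the CPU speculates past a
 * mispredicted 'if', itf_table[index] can be loaded with index >= MAX_ITF
 * and the fetched value observed through a cache side channel. */
int lookup_vulnerable(uint64_t index)
{
    if (index >= MAX_ITF)
        return -1;
    return itf_table[index];
}

/* Hardened: identical return values, but the index fed to the load is
 * forced to 0 whenever it is out of range, speculation or not. */
int lookup_hardened(uint64_t index)
{
    if (index >= MAX_ITF)
        return -1;
    index = array_index_nospec_u64(index, MAX_ITF);
    return itf_table[index];
}

int main(void)
{
    uint64_t probes[] = { 0, 3, 15, 16, 1000, UINT64_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %llu -> mask 0x%016llx, clamped %llu, lookup %d\n",
               (unsigned long long)probes[i],
               (unsigned long long)index_mask_nospec(probes[i], MAX_ITF),
               (unsigned long long)array_index_nospec_u64(probes[i], MAX_ITF),
               lookup_hardened(probes[i]));
    return 0;
}
```

The two lookups return the same values for every input, which is why this class of bug is invisible to functional tests and why an "improved fix" can be needed after the first one: the check only matters for the memory access that happens during speculation, so the mask has to be applied to the exact index that reaches the load, not to a copy.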
* Use-after-free in the Foo-over-UDP driver's packet receive path.
In certain cases, it's possible for the FOU driver to attempt to access
packet header data which may have already been freed. This can cause
a system to exhibit unexpected behavior, and could lead to a
denial-of-service.
* Denial-of-service when unlinking anonymous VMAs.
A kernel assertion failure when unlinking anonymous VMAs that still have
children could lead to a denial-of-service.
* Denial-of-service using System Trace Module device.
A missing check on input to the System Trace Module device lets a user
control the size of a kernel allocation. A local attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.
* NULL pointer dereference when opening System Trace Module device while registering it.
A race condition when opening a System Trace Module device while it is
being registered could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when unregistering Redpine Signals Inc 91x WLAN device.
A logic error when unregistering Redpine Signals Inc 91x WLAN device
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Denial-of-service by receiving a specific request on a Plan 9 resource sharing service.
A missing check when receiving a specific request on a Plan 9 (9P)
resource sharing service could lead to a deadlock. A local attacker could
use this flaw to cause a denial-of-service.
* Denial-of-service when mounting a crafted F2FS image with an incorrect segment count.
A logic error when mounting a crafted F2FS image whose superblock carries
an incorrect segment count could lead to a buffer overflow. A local
attacker able to mount such an image could use this flaw to cause a
denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.