[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3910-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed May 1 16:24:39 PDT 2019
Synopsis: USN-3910-1 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-18241 CVE-2017-5753 CVE-2018-1120 CVE-2018-11506 CVE-2018-19985 CVE-2018-3639 CVE-2018-5848 CVE-2018-7740 CVE-2019-6133
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3910-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2019-6133: Permission bypass of userspace PolicyKit protection.
When a non-root user tries to control a systemd unit, PolicyKit (polkit) asks
for an administrator password. Once entered, polkit caches the resulting
authorization for up to five minutes for that process, identifying the
process by its PID and its start_time. A race condition in the fork syscall
could let an attacker spawn a process with the same start_time and the same
PID as the authorized process and thus control a systemd unit.
* NULL pointer dereference when running fstrim on the Bcache driver.
A missing check when running fstrim on the Bcache driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.
* Memory corruption in IPv6 packet transmission alignment.
A logic error when aligning IPv6 packets for transmission can result in SLAB
corruption.
* Kernel panic in Queuing Discipline buffer removal.
A logic error when removing buffers from a queuing discipline can result in
dereferencing a poisoned pointer, leading to a kernel panic.
* Information leak via forwarding table from GRE device.
Dumping a forwarding database from a non-ethernet device can result in a kernel
information leak. A local user with access to a Generic Routing Encapsulation
device could use this flaw to facilitate a further attack.
* NULL pointer dereference in TCP loss probe timer.
A mismatch between the retransmission queue and packet count can result in a
NULL pointer dereference when the TCP loss probe timer executes.
* Denial-of-service in creation of tun device via netlink.
A logic error which allows the creation of a tun device via netlink can result
in a NULL pointer dereference, leading to a kernel crash. A local user with
the ability to create network interfaces could use this flaw to cause a
denial-of-service.
* Denial-of-service during incremental send of BTRFS filesystem.
A logic error when performing an incremental send of a BTRFS filesystem can
result in the kernel entering an infinite loop. A local user with the ability
to modify and send a BTRFS filesystem could use this flaw to cause a
denial-of-service.
* Use-after-free in exportfs dentry release.
A reference count manipulation error can result in an early free, leading to a
use-after-free. A local user could use this flaw to potentially escalate
privileges.
* Deadlock during OCFS2 extent defragmentation.
A locking error when performing defragmentation of an OCFS2 extent can result
in taking the same lock twice, leading to a deadlock.
* Use-after-free in HFS and HFS+ error reporting.
A logic error when printing error information about a recently freed node can
result in a use-after-free. A local user could use this flaw to potentially
escalate privileges.
* Use-after-free during OCFS2 dentry tracing.
Failing to hold a reference to an OCFS2 inode when tracing can result in the
access of freed memory, leading to a use-after-free.
* Improved fix to CVE-2017-0861: Use-after-free in ALSA sound subsystem.
A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.
* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak for eBPF.
A malicious eBPF program could mount a speculative store bypass attack
while it runs unless the SSBD mitigation is enabled for its execution or
the program has been hardened against it.
* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.
Improper length validation could lead to integer overflow and undefined
behaviour. A local user could use this flaw to cause a memory corruption
and potentially escalate privileges.
* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.
A logic error in HugeTLB file system when using remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2018-11506: Out-of-bounds stack write in SCSI ioctl handler.
An improperly-sized stack buffer was being used to hold ioctl
information. A malicious user could exploit this and potentially
overwrite data on the stack.
* Improved fix for Spectre v1: Bounds-check bypass in asynchronous I/O subsystem.
A missing sanitization of array index after bounds check in asynchronous
I/O subsystem could lead to an information leak. A local attacker
could use this flaw to leak information about running system.
* CVE-2017-18241: NULL pointer dereference when using the flush command of the F2FS filesystem.
A logic error when mounting an F2FS filesystem with the noflush_merge option
could lead to a NULL pointer dereference when the flush command is issued.
A local attacker could use this flaw to cause a denial-of-service.
* NULL pointer dereference in iSCSI session reset.
A logic error in the iscsi code when the iscsi state is set to
ISCSI_STATE_TERMINATE could lead to a NULL pointer dereference and
possible kernel panic or memory corruption. This could be exploited
for a denial of service attack.
* Invalid memory write in ALSA Wavefront ioctl.
A failure to validate user input from the ALSA wavefront code could
lead to an out-of-bounds memory write. This could be exploited by a
privileged user to cause a denial-of-service.
* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.
A missing length check in the hso_probe can lead to an out-of-bounds
memory access. This could cause a system to exhibit unexpected
behavior.
* Information leak in Memory Type Range Register ioctl.
A structure used for transferring data between user space and kernel
space in mtrr_ioctl contains a padding field that is not zeroed before
the structure is handed off to user space. This flaw could be exploited
by a local attacker to leak information about the running system.
* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in DRM driver's ioctl handler.
A value that is indirectly controlled by userspace is used to index a
buffer in drm_ioctl. A local attacker could use a Spectre-style attack
to exploit this flaw and cause unexpected behavior, or a
denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in multicast ioctls.
The ioctl handlers for the ip6mr and ipmr multicast routing systems are
potentially vulnerable to Spectre variant 1 speculative execution
attacks.
* Use-after-free in AX.25 radio device driver.
Logic errors in the AX.25 amateur radio device driver can result in
use-after-free in several error paths, potentially resulting in a
denial-of-service.
* NULL-pointer dereference when transmitting IEEE 802.15.4 packets.
When transmitting packets over an IEEE 802.15.4 device, a missing daddr
field might result in a NULL-pointer dereference and denial-of-service.
* Race conditions in IPv6 tunnel code cause memory corruption.
Several rare race conditions in the IPv6 tunnel code could lead to
use-after-free of memory, potentially resulting in memory corruption or
a denial-of-service.
* Information leak in CAPI ISDN ioctl.
When reading device information via ioctl for a CAPI ISDN device, the
device manufacturer field might contain unsanitized kernel data,
potentially leaking information to a malicious user.
* Invalid memory access in network packet address.
A failure to properly validate input could lead to an invalid length
being used for the network packet address, causing an invalid memory
access. This could be used for a denial-of-service attack.
* Information leak in IPv6 SCTP address setting.
A failure to properly initialize the IPv6 address in getsockopt for SCTP
could allow information to leak from the kernel to user space.
* NULL-pointer dereference when removing vxlan interface with GRO enabled.
When receiving data with Generic Receive Offload enabled on a vxlan
tunnel interface, a race condition can result in a NULL-pointer
dereference and denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in ALSA sound drivers.
Several ALSA sound device drivers contain array accesses whose values
are controlled by userspace input, and might therefore be vulnerable to
a Spectre variant 1 speculative bounds-check bypass attack.
* NULL pointer dereference in QLogic FCoE offload driver.
A missing check in QLogic FCoE offload driver error handling could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Memory leak during cache lookup in the SUNRPC driver.
A logic error during cache lookup in the SUNRPC driver could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* NULL pointer dereference in probe of Cirrus Logic CS46XX driver.
A missing check in probe of Cirrus Logic CS46XX driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.
* Out-of-bounds accesses in usb audio driver.
A missing check in usb audio driver could lead to out-of-bounds
accesses. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leaks in Distributed Lock Manager.
Missing free of resources in Distributed Lock Manager could lead to
multiple memory leaks. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.
* Denial-of-service when mounting a 9p remote filesystem.
A missing check of parameters when mounting a 9p remote filesystem could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when setting the Intel Trace Hub memory nr_pages attribute.
A failure to validate userspace input in the Intel Trace Hub code could
lead to an out-of-bounds memory access. This could be exploited to
cause a denial-of-service.
* NULL pointer dereference during MAC spoofing with Redpine driver.
A failure to properly handle a custom mac address when mac spoof is
enabled via user space could lead to a NULL pointer dereference and
kernel crash.
* Denial-of-service in KVM SVM spec_set_guest and host.
A logic error in the KVM code could cause a lock inversion to occur. This
could be exploited for a denial of service attack.
* CVE-2018-1120: Denial-of-service when mmapping a specific part of process memory on a slow filesystem.
A missing check when a user mmap()s a specific part of process memory on a
slow filesystem could cause kernel-side accesses to that memory (for
example through procfs) to block. A local attacker could use this flaw
to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.