[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3910-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 1 16:24:39 PDT 2019 

Synopsis: USN-3910-1 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-18241 CVE-2017-5753 CVE-2018-1120 CVE-2018-11506 CVE-2018-19985 CVE-2018-3639 CVE-2018-5848 CVE-2018-7740 CVE-2019-6133

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3910-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-6133: Permission bypass of userspace Policykit protection.

When a non-root user try to control a systemd unit, the Policykit asks
for an administrator password. Once entered, polkit caches this password
up to five minutes for corresponding process based on PID and start_time
of the process. A race condition in the fork syscall could let an
attacker spawn a process with same start_time and same PID as targeted
process and thus control a systemd unit.


* NULL pointer dereference when running fstrim on Bcache driver.

A missing check when running fstrim on Bcache driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Memory corruption in IPv6 packet transmission alignment.

A logic error when aligning IPv6 packets for transmission can result in SLAB
corruption.


* Kernel panic in Queuing Discipline buffer removal.

A logic error when removing buffers from a queuing discipline can result in
dereferencing a poisoned pointer, leading to a kernel panic.


* Information leak via forwarding table from GRE device.

Dumping a forwarding database from a non-ethernet device can result in a kernel
information leak. A local user with access to a Generic Routing Encapsulation
device could use this flaw to facilitate a further attack.


* NULL pointer dereference in TCP loss probe timer.

A mismatch between the retransmission queue and packet count can result in a
NULL pointer dereference when the TCP loss probe timer executes.


* Denial-of-service in creation of tun device via netlink.

A logic error which allows the creation of a tun device via netlink can result
in a NULL pointer dereference, leading to a kernel crash.  A local user with
the ability to create network interfaces could use this flaw to cause a
denial-of-service.


* Denial-of-service during incremental send of BTRFS filesystem.

A logic error when performing an incremental send of a BTRFS filesystem can
result in the kernel entering an infinite loop. A local user with the ability
to modify and send a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* Use-after-free in exportfs dentry release.

A reference count manipulation error can result in an early free, leading to a
use-after-free. A local user could use this flaw to potentially escalate
privileges.


* Deadlock during OCFS2 extent defragmentation.

A locking error when performing defragmentation of an OCFS2 extent can result
in taking the same lock twice, leading to a deadlock.


* Use-after-free in HFS and HFS+ error reporting.

A logic error when printing error information about a recently freed node can
result in a use-after-free. A local user could use this flaw to potentially
escalate privileges.


* Use-after-free during OCFS2 dentry tracing.

Failing to hold a reference to an OCFS2 inode when tracing can result in the
access of freed memory, leading to a use-after-free.


* Improved fix to CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak for eBPF.

Malicious eBPF programs can be vulnerable to a speculative store bypass
attack without hardening or having the SSBD mitigation enabled whilst
running an eBPF program.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to integer overflow and undefined
behaviour.  A local user could use this flaw to cause a memory corruption
and potentially escalate privileges.


* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.

A logic error in HugeTLB file system when using remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-11506: Out-of-bounds stack write in SCSI ioctl handler.

An improperly-sized stack buffer was being used to hold ioctl
information. A malicious user could exploit this and potentially
overwrite data on the stack.


* Improved fix for Spectre v1: Bounds-check bypass in asynchronous I/O subsystem.

A missing sanitization of array index after bounds check in asynchronous
I/O subsystem could lead to an information leak. A local attacker
could use this flaw to leak information about running system.


* CVE-2017-18241: NULL pointer dereference when using flush command of F2FS filesystem.

A logic error when mounting a F2FS filesystem with noflush_merge option
could lead to NULL pointer dereference while flush command is called. A
local attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in iSCSI session reset.

A logic error in the iscsi code when the iscsi state is set to
ISCSI_STATE_TERMINATE could lead to a NULL pointer dereference and
possible kernel panic or memory corruption.  This could be exploited
for a denial of service attack.


* Invalid memory write in ALSA Wavefront ioctl.

A failure to validate user input from the ALSA wavefront code could
lead to an out-of-bounds memory write.  This could be exploited by a
privileged user to cause a denial-of-service.


* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in the hso_probe can lead to an out-of-bounds
memory access.  This could cause a system to exhibit unexpected
behavior.


* Information leak in Memory Type Range Register ioctl.

A structure used for transferring data between user space and kernel
space in mtrr_ioctl contains a padding field that is not zeroed before
the structure is handed off to user space.  This flaw could be exploited
by a local attacker to leak information about the running system.


* Improved fix for CVE-2017-5753: Spectre v1 vulnerability in DRM driver's ioctl handler.

A value that is indirectly controlled by userspace is used to index a
buffer in drm_ioctl.  A local attacker could use a Spectre-style attack
to exploit this flaw and cause unexpected behavior, or a
denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in multicast ioctls.

The ioctl handlers for the ip6mr and ipmr multicast routing systems are
potentially vulnerable to Spectre variant 1 speculative execution
attacks.


* Use-after-free in AX.25 radio device driver.

Logic errors in the AX.25 amateur radio device driver can result in
use-after-free in several error paths, potentially resulting in a
denial-of-service.


* NULL-pointer dereference when transmitting IEEE 802.15.4 packets.

When transmitting packets over an IEEE 802.15.4 device, a missing daddr
field might result in a NULL-pointer dereference and denial-of-service.


* Race conditions in IPv6 tunnel code cause memory corruption.

Several rare race conditions in the IPv6 tunnel code could lead to
use-after-free of memory, potentially resulting in memory corruption or
a denial-of-service.


* Information leak in CAPI ISDN ioctl.

When reading device information via sysctl for a CAPI ISDN device, the
device manufacturer field might potentially contain unsanitized kernel
data, potentially leaking information to a malicious user.


* Invalid memory access in network packet address.

A failure to properly validate input could lead to an invalid length
being used for the network packed address, causing an invalid memory
access.  This could be used for a denial-of-service attack.


* Information leak in IPv6 SCTP address setting.

A failure to properly initialize the IPv6 address in getsockopt for SCTP
could allow information to leak from the kernel to user space.


* NULL-pointer dereference when removing vxlan interface with GRO enabled.

When receiving data with Generic Receive Offload enabled on a vxlan
tunnel interface, a race condition can result in a NULL-pointer
dereference and denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in ALSA sound drivers.

Several ALSA sound device drivers contain array accesses whose values
are controlled by userspace input, and might therefore be vulnerable to
a Spectre variant 1 speculative bounds-check bypass attack.


* NULL pointer dereference in QLogic FCoE offload driver.

A missing check in QLogic FCoE offload driver error handling could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Memory leak during cache lookup in SUNRPC driver.

A logic error during cache lookup in SUNRPC driver could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL pointer dereference in probe of Cirrus Logic CS46XX driver.

A missing check in probe of Cirrus Logic CS46XX driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* Out-of-bounds accesses in usb audio driver.

A missing check in usb audio driver could lead to out-of-bounds
accesses. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leaks in Distributed Lock Manager.

Missing free of resources in Distributed Lock Manager could lead to
multiple memory leaks. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* Denial-of-service when mounting a 9p remote filesystem.

A missing check of parameters when mounting a 9p remote filesystem could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Denial-of-service in Intel Trace Hub Memory nr pages attribute setting.

A failure to validate userspace input in the intel trace hub code could
lead to an out-of-bounds memory access.  This could be exploited to
cause a denial-of-service.


* NULL pointer dereference during MAC spoofing with Redpine driver.

A failure to properly handle a custom mac address when mac spoof is
enabled via user space could lead to a NULL pointer dereference and
kernel crash.


* Denial-of-service in KVM SVM spec_set_guest and host.

A logic error in the KVM code could cause a lock inversion to occur.  This
could be exploited for a denial of service attack.


* CVE-2018-1120: Denial-of-service when mmapping specifc part of process memory on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-16.04-updates mailing list