[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4286-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 18 14:59:26 PDT 2020


Synopsis: USN-4286-1 can now be patched using Ksplice
CVEs: CVE-2019-15217 CVE-2019-15220 CVE-2019-15221 CVE-2019-19051 CVE-2019-19056 CVE-2019-19066 CVE-2019-19068 CVE-2019-19767 CVE-2019-19965 CVE-2019-20096 CVE-2019-5108

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4286-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
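The two installation paths above can be checked from a script rather than by hand. The following is an added example, not part of this advisory or of the Ksplice tooling: it parses an uptrack.conf-style file for an uncommented "autoinstall = yes" line and, where that is absent, reports (or, when run as root on a real Xenial host, executes) the manual /usr/sbin/uptrack-upgrade -y command. It assumes the configuration uses "key = value" lines with "#" comments, as the advisory's "autoinstall = yes" suggests; the sample configurations it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a host will receive
# the USN-4286-1 Ksplice updates automatically or needs a manual
# uptrack-upgrade run. Assumes "key = value" lines and "#" comments.

# uptrack_autoinstall_enabled CONFIG_FILE
# Returns 0 when an uncommented "autoinstall = yes" line is present,
# 1 otherwise (unreadable file, commented-out key, or any other value).
# Key and value are matched case-insensitively.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Drop everything after a "#" so commented-out settings do not count.
    sed 's/#.*//' "$conf" |
        grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# ksplice_update_action CONFIG_FILE
# Prints "automatic" when Uptrack will apply the updates itself, otherwise
# the manual command the advisory recommends.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not real system files).
demo_dir=$(mktemp -d)
printf '# autoinstall = yes\nautoinstall = no\n' > "$demo_dir/manual.conf"
printf 'autoinstall = yes\n' > "$demo_dir/auto.conf"

echo "manual.conf -> $(ksplice_update_action "$demo_dir/manual.conf")"
echo "auto.conf   -> $(ksplice_update_action "$demo_dir/auto.conf")"
rm -rf "$demo_dir"

# On a real host, act on the live configuration: only as root, and only
# when autoinstall is not enabled.
if [ "$(id -u)" -eq 0 ] && [ -r /etc/uptrack/uptrack.conf ] \
   && ! uptrack_autoinstall_enabled /etc/uptrack/uptrack.conf; then
    /usr/sbin/uptrack-upgrade -y
fi
```

Running the script as an unprivileged user only prints the decision for the two sample files; the live upgrade is attempted only when it runs as root on a system that actually has /etc/uptrack/uptrack.conf and does not already autoinstall.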


DESCRIPTION

* CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.

Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory.  This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.


* CVE-2019-19965: NULL-pointer dereference when discovering SCSI ports.

A flaw in the libsas library used by SCSI devices could trigger a race
condition, resulting in a NULL-pointer dereference and
denial-of-service when a SCSI device was added.


* Use-after-free when failing to create iclog when mounting XFS image.

When mounting an XFS image, a failure to create the in-core log
structure could result in a use-after-free and kernel crash. A malicious
image might be able to exploit this issue to create a denial-of-service
if mounted.


* Denial-of-service due to missing synchronization in netfilter teardown.

When exiting a netfilter network namespace, missing synchronization
could cause teardown to occur in an unexpected order, resulting in a
kernel crash and denial-of-service.


* NULL dereference when connecting wireless device with RF switching support.

When connecting a wireless device that supports RF switching, the
generic RF switch subsystem does not properly validate that the driver
has correctly constructed its device structure. Accessing a device with
a flawed driver might therefore cause a NULL dereference and
denial-of-service.


* Memory leak when transmitting data on LAN78XX USB ethernet device.

When transmitting data over a Microchip LAN78XX USB ethernet adapter,
unexpected errors could result in the underlying packet buffer being
leaked, eventually resulting in performance degradation or a
denial-of-service.


* Memory leak when an error occurs while replying to an SCTP command.

When generating a reply to a Stream Control Transmission Protocol
command packet, an unexpected error might result in the leak of the
command's associated memory chunk structure. A malicious client might be
able to exploit this by starving the system of memory, causing
performance degradation or a denial-of-service.


* Memory leak when creating netlink socket on VLAN ethernet fails.

A mishandled error condition when creating a netlink socket for a
VLAN ethernet device could result in the leak of the VLAN device
structure.


* Use-after-free when broadcasting ethernet header on vlan.

The generic handling of ethernet headers when broadcasting makes
assumptions about the lifetime of some vlan objects that may not hold
for certain ethernet devices. When using these devices, a local user
might be able to trigger a denial-of-service by repeated broadcast.

Additionally, this update fixes a denial-of-service introduced by the
original patch.


* Denial-of-service when connecting USB device with duplicate endpoints.

Connecting a USB device with an invalid configuration containing
duplicate endpoint addresses could cause those addresses to be written
to mistakenly. A malicious device might exploit this to cause memory
corruption or a denial-of-service.


* Use-after-free when failing to open file on character device.

A mishandled error case when opening a file on a generic character
device might result in a write to an invalid pointer, potentially
resulting in memory corruption or a denial-of-service.


* Out-of-bounds read in USB HID report descriptor size.

The size field for USB HID reports is not correctly checked against the
maximum possible total buffer size, allowing the report field to extend
past the total length of the buffer. A malicious device might be able to
exploit this to leak kernel information or cause a denial-of-service.


* USB keyboard device with invalid keycodes causes out-of-bounds write.

The USB HID input driver looks up keys in an array-indexed table. A
malicious device with invalid keycodes could therefore trigger an
out-of-bounds write, potentially causing memory corruption or a
denial-of-service.


* CVE-2019-19066: Denial-of-service in SCSI bfa driver.

While querying port statistics in the SCSI bfa driver, incorrect error
handling causes a memory leak. An attacker could possibly exploit this
to cause a denial-of-service.


* CVE-2019-19068: Denial-of-service in realtek wifi driver.

Incorrect error handling in some Realtek wifi drivers could cause a memory
leak. A malicious device could trigger this to cause a denial-of-service.


* Uninitialized structures in netfilter ARP tables cause a NULL-pointer dereference.

An uninitialized network namespace pointer in the netfilter arptables
could result in a NULL-pointer dereference if a user sets a rule via
setsockopt() for the ARP or UNSPEC protocols. A user with the
CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* NULL-pointer dereference when handling netfilter ipset with ATTR_LINENO.

If a netfilter ipset has the attribute IPSET_ATTR_LINENO, calling the
IPSET_CMD_TEST command on it from userspace will result in a
NULL-pointer dereference and denial-of-service. A malicious user with
the CAP_NET_ADMIN permission could exploit this to cause a
denial-of-service.


* CVE-2019-5108: Denial-of-service of a wireless access point during roaming of a station.

A logic error in the protocol implementation when a station connects to
an access point during roaming could let an attacker within the internal
network cause a denial-of-service of the access point.


* CVE-2019-15217: NULL pointer dereference when using USB ZR364XX Camera driver.

A missing check when querying the capabilities of a USB ZR364XX camera
device from user space could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-15220.

The vulnerability is in firmware loading which is a privileged
operation. This also requires user interaction and physical access to
the system.


* CVE-2019-15221: Out-of-bounds write in Line6 POD USB audio interface driver.

The driver for Line6 POD USB audio interfaces allocates a buffer based
on the usb_maxpacket value reported by the device itself. A malicious
device could report a value of zero to cause an out-of-bounds write,
potentially resulting in memory corruption.


* CVE-2019-19051: Memory leak when changing power status of Intel Wireless WiMAX Connection 2400 driver.

A missing free of resources when changing the power status of the Intel
Wireless WiMAX Connection 2400 driver could lead to a memory leak. A local
attacker could use this flaw to leak information about the running kernel
and facilitate an attack.


* Information leak when transmitting CAN packet.

When generating a Controller Area Network packet for transmission
through a virtual CAN bus, uninitialized data might be inadvertently
included in an unused area of the CAN packet's buffer and transmitted
over the virtual network.


* CVE-2019-19056: Denial-of-service in the Marvell mwifiex PCIe driver.

Failure to handle an error during initialization of the Marvell mwifiex
PCIe driver leads to a memory leak. An attacker could exploit this to
exhaust kernel memory, which may eventually cause a denial-of-service.


* XSA-300: Denial-of-service in Xen memory ballooning.

A logic error in the Xen memory balloon device driver could result in
exhaustion of resources or crashes of the backend device drivers
resulting in IO stalls or guest failures.  A local privileged user could
use this flaw to cause a denial of service.


* CVE-2019-19767: Use-after-free with malformed ext4 filesystems.

Missing error handling in the ext4 inode size handling code could result
in a use-after-free and kernel crash.  A malformed ext4 filesystem could
crash the system at mount time.


* Denial-of-service when reading from ALSA sequencer procfs.

A race condition when reading the ALSA sequencer timer through the procfs
interface could cause a use-after-free error. An attacker could exploit
this bug to cause a denial-of-service.


* Denial-of-service in edgeport USB serial driver callbacks.

Synchronization and sanitization bugs in the edgeport USB serial
driver interrupt and completion callback path lead to multiple NULL
pointer dereferences and deadlocks. An attacker could exploit these to
cause a denial-of-service.


* Denial-of-service when configuring keyspan USB serial device.

Missing error handling during control request completion in the keyspan
USB serial driver could cause a NULL pointer dereference. An attacker
could exploit this flaw to cause a denial-of-service.


* Denial-of-service when writing back dirty pages to reclaim memory.

A division-by-zero error in the memory management subsystem when
determining whether to write back dirty pages to disk could cause a
kernel panic. This could inadvertently lead to a denial-of-service.


* Denial-of-service when releasing ipset.

A use-after-free bug when releasing an ipset in the netfilter subsystem
could cause a kernel crash and eventual denial-of-service, or possibly
allow an attacker to escalate privileges.


* Denial-of-service when initializing realtek rtl8152 driver.

An out-of-bounds memory access when loading the rtl8152 driver leads to a
NULL pointer dereference. An attacker could exploit this flaw to cause a
denial-of-service.


* Denial-of-service when configuring some mac80211-based wifi devices.

Trying to set device parameters on certain wireless devices which don't
allow such configuration causes a NULL pointer dereference. An attacker
could exploit this to cause a denial-of-service.


* Denial-of-service when querying quatech2 USB serial device.

Missing error handling in the quatech2 USB serial driver could cause a
NULL pointer dereference when querying line or modem status. An attacker
could exploit this to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
