[Ksplice][Ubuntu-18.10-Updates] New Ksplice updates for Ubuntu 18.10 Cosmic (USN-3835-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Dec 10 12:38:58 PST 2018
Synopsis: USN-3835-1 can now be patched using Ksplice
CVEs: CVE-2018-18445 CVE-2018-18653 CVE-2018-18955 CVE-2018-6559
Systems running Ubuntu 18.10 Cosmic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3835-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 18.10
Cosmic install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
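The two installation paths above (automatic when autoinstall is on, manual `uptrack-upgrade` otherwise), as an added shell helper that is not part of this notice or of Ksplice Uptrack itself. It assumes uptrack.conf carries the plain `autoinstall = yes|no` line the notice quotes, ignores comment lines, and only runs the notice's upgrade command when the updates would not otherwise be installed:

```shell
#!/bin/sh
# Added example, not part of the Ksplice notice or of Uptrack itself.
# Assumes uptrack.conf carries a plain "autoinstall = yes|no" line; comment
# lines (leading '#' or ';') and surrounding whitespace are ignored, and the
# last matching line wins.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# A missing or unreadable file is treated as "no" (safer to upgrade by hand).
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$val" = yes ]; then echo yes; else echo no; fi
}

# Exit status 0 when the administrator must run uptrack-upgrade by hand,
# non-zero when Uptrack will install the updates on its own.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall_value "$1")" != yes ]
}

# Follow the notice: upgrade only when autoinstall is off. The
# uptrack-upgrade invocation is the one the notice gives and needs root.
apply_ksplice_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if needs_manual_upgrade "$conf"; then
        /usr/sbin/uptrack-upgrade -y
    else
        echo "autoinstall = yes in $conf: Uptrack will apply these updates itself"
    fi
}

# When saved as apply_ksplice_updates.sh and run directly:
#   apply_ksplice_updates.sh [path-to-uptrack.conf]
case "${0##*/}" in
    apply_ksplice_updates.sh) apply_ksplice_updates "$@" ;;
esac
```

Whichever path applied, `uptrack-show` afterwards lists the updates Uptrack has installed, so the CVE identifiers from this notice can be checked against a host before it is considered patched.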
DESCRIPTION
* Memory leak in DRM fence submission.
A logic error when referencing fences in the DRM subsystem can result in
a memory leak. A local user with access to 3D acceleration could use
this flaw to exhaust system memory, leading to a denial-of-service.
* NULL pointer dereference in IP transform.
A failure to handle an error case in the IP transform subsystem can
result in a NULL pointer dereference leading to a kernel crash.
* CVE-2018-18653: Secure Boot restriction bypass when loading modules.
An error in the module loading code could allow a privileged local
user to bypass Secure Boot restrictions and load arbitrary kernel
modules.
* Improved fix for Spectre v1: Bounds check bypass in mac80211 hwsim.
A missing use of the array_index_nospec() index-clamping macro in the
mac80211 radio simulator code could allow a bounds check to be bypassed
under speculative execution. A local attacker could use this flaw to
leak information about the running system.
* Denial-of-service in mac80211 A-MSDU (Aggregate MAC Service Data Unit) handling.
A logic error in the mac80211 code could result in a kernel panic
when building up A-MSDU frames. This could be exploited to cause a
denial-of-service.
* Use-after-free in Berkeley Packet Filter TCP socket close.
A race condition in the bpf code could cause a use-after-free
condition and possible memory corruption or kernel panic. This
could be used to cause a denial of service.
* Denial-of-service in Berkeley Packet Filter when retrieving data.
Several logic errors in the BPF message data retrieval code could lead
to hangs or to invalid memory accesses. This could be exploited to cause
a denial of service.
* NULL pointer dereference when passing Fast Transition Information Element to the WLAN driver.
A missing check when passing Fast Transition Information Element to the
WLAN driver could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.
* Use-after-free in Ceph mount on error.
A failure to properly deal with errors in the ceph code could lead
to a use-after-free and possible kernel panic during mounting.
* Denial-of-service in iSCSI target login failure.
A failure to properly handle a failure in the iSCSI target login
code could lead to improper memory usage, such as a use-after-free
or double free. This could lead to memory corruption or a kernel
panic and be exploited for a denial-of-service attack.
* Denial-of-service when flushing netfilter rule set.
The netfilter code failed to properly release all held memory
during a flush, leading to a memory leak. This could be used
to exhaust memory resources on a system and cause a
denial-of-service.
* Invalid memory access in overlay filesystem with failed name lookup.
An improperly terminated string print-out in the case of an index
lookup in the overlay fs code could lead to an out-of-bounds
memory access.
* Unauthorized memory sharing with firmware buffers during firmware load.
A logic error in the firmware code could allow multiple different
device drivers to access memory given to another device driver,
potentially causing an information leak, memory corruption, or other
memory issues.
* Uninitialized memory access in firmware load with FW_OPT_NOCACHE.
A logic error in the firmware loader could result in a list object
not being properly initialized. When this object gets freed, it results
in an uninitialized memory access and possible kernel panic. This could
be exploited by a privileged user to cause a denial-of-service.
* Information leak in /proc kernel stack dumps.
A failure to restrict accessing /proc/self/task/*/stack to only
root could allow an unprivileged user to get information about the
stack and its contents on another process.
* Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Incorrect locking when initializing an OCFS2 DLM lock resource could
result in memory corruption and a kernel crash.
* Use-after-free in DRM lease creation.
A race condition in the DRM code could lead to a use-after-free
condition. This could be exploited to cause a denial-of-service.
* Kernel crash during device mapper cache resize operation.
A failure to reload dm-cache information during a resize operation can
result in a kernel crash.
* Denial-of-service during Flash-Friendly filesystem mount.
A logic error in the f2fs mount code could lead to an invalid memory
access and possible kernel panic. This could be exploited to cause
a denial-of-service.
* Use-after-free during RDMA Userspace Connection Manager close.
A race condition between closing a userspace RDMA connection and an IP
resolution call can result in a use-after-free. A local user with access
to RDMA could use this flaw to cause a kernel crash or potentially
escalate privileges.
* NULL pointer dereference during UBIFS mount.
A missing NULL pointer check when reading the device name in a UBIFS
filesystem can result in a NULL pointer dereference, leading to a kernel
crash.
* Kernel crash during ath10k scan operation.
A logic error when calculating the size of a scan message in the ath10k
driver can result in an out-of-bounds write, leading to memory
corruption and a kernel crash.
* Denial-of-service in IPv4 and IPv6 tunnel packet transmission.
An incorrect assumption in the IPv4 and IPv6 tunnel implementations can
result in attempting to access uninitialized memory, leading to undefined
behavior. A local user with access to an IP tunnel could use this flaw
to cause a denial of service.
* Use-after-free in IP ancillary message reception.
Reading a stale IP header value in the ancillary message path can result
in a use-after-free.
* Use-after-free in IPv6 raw socket header sending.
A failure in the ipv6 error handling code could lead to a
use-after-free and possible kernel panic. This could be
exploited to cause a denial-of-service.
* Denial-of-service in netlink IPv4 netlabel management.
An incorrect assumption about the format of a netlink netlabel request
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to configure netlabels could use this flaw
to cause a kernel crash.
* Invalid memory access when setting Mellanox mlx5 e-switch vport rate.
A logic error in the mlx5 code caused the code to access memory beyond
an array limit, leading to possible kernel panic.
* Invalid memory access in Bluetooth pairing with out-of-band (OOB) data.
A failure to use the correct pointer when handling out-of-band pairing
data in the Bluetooth code resulted in an invalid memory access and
kernel crash. This could be exploited to generate a denial-of-service
attack.
* Denial-of-service in Bluetooth HCI UART on TTY close.
A failure to properly free memory after a close in the Bluetooth
HCI code could lead to invalid memory usage and a possible kernel
crash. This could be used to cause a denial-of-service attack.
* Invalid memory access in trace printing.
An off-by-one error in the kernel tracing print functions could result
in the print functions accessing invalid memory, leading to a potential
kernel panic. This could be used to cause a denial-of-service.
* Kernel crash during HD audio device initialisation.
A race condition during initialisation of an HD audio device can result
in an interrupt being delivered before the driver is ready to receive
it, leading to a kernel crash.
* Kernel crash in ACPI i2c transaction execution.
A failure to correctly set the length of an i2c transaction can result
in the kernel reading an invalid value, leading to a kernel crash.
* Out-of-bounds write in AF9035 DVB tuner i2c implementation.
A logic error when transferring a small number of bytes via an i2c
interface to an AF9035 DVB tuner can result in an integer underflow,
leading to an out-of-bounds memory write. A local user with access to an
AF9035 DVB tuner could use this flaw to cause a denial-of-service.
* Information leak in B.A.T.M.A.N. Echo Location Protocol probe.
A failure to properly initialize packet bytes in the Batman ELP
probing code could result in data being leaked within those packets.
* Invalid memory access in B.A.T.M.A.N. Advanced sysfs access.
Logic errors in the batman-adv code could result in an
invalid memory access and possible memory corruption or kernel
panic. This could be exploited to generate a denial-of-service.
* Invalid memory access in IBM vSCSI target string handling.
Logic errors in the ibm vscsi code could result in invalid memory
accesses, which could be exploited for a denial-of-service attack.
* Undefined behavior in XFRM selector.
A failure to properly validate user input in the xfrm selector can
lead to undefined and invalid behavior.
* Denial-of-service in XFRM user templates with IP_XFRM_POLICY.
A failure to validate user input in the xfrm code could lead to
an invalid memory read and possible kernel panic. This could be
exploited to cause a denial-of-service.
* Improved fix for Spectre v1: Bounds check bypass on nl80211 with TXRATE_HT.
A missing use of the array_index_nospec() index-clamping macro in the
nl80211 code with NL80211_TXRATE_HT set could allow a bounds check to be
bypassed under speculative execution. A local attacker could use this
flaw to leak information about the running system.
* Improved fix for Spectre v1: Bounds check bypass in nl80211 CQM RSSI.
A missing use of the array_index_nospec() index-clamping macro in the
Netlink 802.11 code when updating the CQM RSSI parameters could allow a
bounds check to be bypassed under speculative execution. A local attacker
could use this flaw to leak information about the running system.
* Denial-of-service in Bluetooth device unpair.
A race condition in the Bluetooth code could cause an invalid memory
access and a subsequent kernel crash if unpair_device is called
while a pairing with that device is still in progress.
* Denial-of-service in QLogic QEDI iSCSI driver stats handling.
A failure to properly initialize a mutex could lead to a NULL pointer
dereference and kernel crash. This could be used for a denial-of-service
attack.
* Use-after-free in 802.11 configuration regulatory process handling.
A logic error in the cfg80211 code could result in a use-after-free
condition. This could be used to cause a denial-of-service.
* Invalid memory access in Chelsio T3 ioctl.
A failure to completely verify user-supplied memory in the cxgb3 code
could allow a malicious user to modify memory used in the driver, leading
to undefined behavior.
* Invalid memory access in YAM radio modem ioctl.
A failure to properly check user-supplied memory in the yam driver
code could allow a malicious user to modify memory that is used by
the driver, leading to undefined behavior.
* Denial-of-service in OCFS2 cluster duplication.
A logic error in the ocfs2 code could lead to a crash during
cluster duplication if a page is dirty. This could be used for a
denial-of-service attack.
* Denial-of-service in transparent huge pages with failed allocation.
A logic error in the migration code could result in a kernel crash
when a memory allocation fails due to an invalid page split. This
could be exploited for a denial-of-service attack.
* NULL pointer dereference during Elastic Network Adapter bringup.
A race condition during the initialization of the ENA network driver can
result in a kernel crash.
* Denial-of-service in IPv6 netfilter with IPv6 defragmentation.
A logic error in the netfilter code could result in a kernel crash
with ipv6 packets. This could be used for a denial-of-service.
* Use-after-free in IPv6 multicast check.
A race condition in the ipv6 code could lead to a use-after-free
condition while checking the packet. This could be used for a
denial-of-service attack.
* Invalid memory access in ethtool ioctl.
A failure to properly check user-supplied memory in the ethtool code
could allow a malicious user to modify memory that is used by the kernel,
leading to undefined behavior.
* Uninitialized memory access in Rtnetlink forwarding database configuration.
A failure to properly check the device type in rtnetlink could cause the
rtnetlink code to attempt to configure an invalid device, making it
use uninitialized memory. This could be exploited by a malicious user.
* Use-after-free in SCTP ID association lookup.
A race condition in the sctp code could result in a use-after-free
condition. This could be exploited to cause a denial-of-service.
* Improved fix for Spectre v1: Bounds check bypass in vhost ioctl.
A missing use of the array_index_nospec() index-clamping macro in the
vhost ioctl code could allow a bounds check to be bypassed under
speculative execution. A local attacker could use this flaw to leak
information about the running system.
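The four "Improved fix for Spectre v1" entries above (mac80211 hwsim, nl80211 TXRATE_HT, nl80211 CQM RSSI and vhost) all apply the same hardening, shown here as an added example that is not code from the notice, from Ksplice or from those drivers. A bounds check alone does not stop the CPU from speculatively loading with an out-of-range index before the branch resolves; the kernel therefore clamps the index with array_index_nospec(), built on a branch-free mask. The mask below is the generic C form of array_index_mask_nospec() from the kernel's nospec.h; the rate table and the two lookup functions are constructed for illustration only.

```c
/*
 * Added example, not code from the Ksplice notice, the kernel tree or the
 * affected drivers. Shows the bounds-check-bypass pattern the Spectre v1
 * fixes address and the index clamp they add.
 */
#include <stdio.h>

#define BITS_PER_LONG (8 * (int)sizeof(unsigned long))

/* Generic form of the kernel's array_index_mask_nospec(): all-ones when
 * index < size, all-zeros otherwise, computed without a branch so the CPU
 * cannot predict its way past it. Requires size < 2^(BITS_PER_LONG-1). */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to [0, size): any out-of-range index becomes 0, even on a
 * mis-speculated path, so the following load stays inside the array. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((index), (size)))

/* Constructed table standing in for e.g. a per-rate or per-threshold array
 * indexed by a value taken from a netlink attribute or ioctl argument. */
static const int rate_table[4] = { 6, 12, 24, 54 };
#define RATE_TABLE_LEN (sizeof(rate_table) / sizeof(rate_table[0]))

/* Unhardened pattern: architecturally correct, but the load may execute
 * speculatively with an attacker-chosen idx before the branch resolves,
 * and the cache footprint of rate_table[idx] can then be measured. */
int rate_lookup_unsafe(unsigned long idx)
{
    if (idx >= RATE_TABLE_LEN)
        return -1;
    return rate_table[idx];
}

/* Hardened pattern: same results for valid input, but the index fed to the
 * load is clamped, so a mis-speculated path cannot read past the table. */
int rate_lookup_safe(unsigned long idx)
{
    if (idx >= RATE_TABLE_LEN)
        return -1;
    idx = array_index_nospec(idx, RATE_TABLE_LEN);
    return rate_table[idx];
}

int main(void)
{
    unsigned long probe[] = { 0, 3, 4, ~0UL };
    size_t i;

    for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
        printf("idx=%lu mask=%#lx clamped=%lu unsafe=%d safe=%d\n",
               probe[i],
               array_index_mask_nospec(probe[i], RATE_TABLE_LEN),
               array_index_nospec(probe[i], RATE_TABLE_LEN),
               rate_lookup_unsafe(probe[i]), rate_lookup_safe(probe[i]));
    return 0;
}
```

The clamp is a fix only for the index that reaches the array load; a driver that checks the index in one function and uses it in another still needs the clamp at the point of use, which is why these entries describe a "missing use" of the macro rather than a missing bounds check.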
* Privilege escalation in ethtool ethcmd.
A failure to properly check user input in the ethtool code could allow
a malicious user to change memory in use by the ethtool code in order
to execute commands they lack the privilege for.
* Denial-of-service in SCTP message send while waiting for connection.
A race condition in the sctp code could cause a double free during
message send. This could be used to cause a denial-of-service.
* CVE-2018-6559: Information disclosure via overlayfs in user namespace.
A failure to correctly handle user namespaces in overlayfs can result in
a user namespace being able to obtain names of restricted files and
directories.
* Kernel crash during Elastic Network Adapter removal.
A logic error when freeing an ENA instance can result in accessing an
invalid pointer, leading to a kernel crash.
* CVE-2018-18955: Privilege escalation in user namespace mappings.
A logic error in the user mappings between the host and a nested user
namespace can result in a process with the CAP_SYS_ADMIN capability in
the nested user namespace being able to bypass permissions restrictions
on resources outside of its namespace.
* Information disclosure via bind mount manipulation.
A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.
* Denial-of-service in netfilter garbage collection.
A logic error in the netfilter code could result in invalid memory
usage, leading to a possible kernel panic. This could be exploited
to cause a denial-of-service.
* CVE-2018-18445: Out-of-bounds access in BPF verifier.
An incorrect truncation when using 32-bit ALU operations in the BPF verifier
can result in an out-of-bounds memory access, leading to a kernel crash. A
local user with the ability to create BPF programs could use this flaw to cause
a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.