[El-errata] New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2017-3535)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Apr 4 05:58:12 PDT 2017

Synopsis: ELSA-2017-3535 can now be patched using Ksplice
CVEs: CVE-2015-5707 CVE-2016-10088 CVE-2016-10142 CVE-2016-3140 
CVE-2016-3672 CVE-2016-4580 CVE-2016-7425 CVE-2016-8399 CVE-2016-8633 
CVE-2016-8645 CVE-2016-9576 CVE-2017-2636 CVE-2017-6345 CVE-2017-7187

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3535.


We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
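As an added check that is not part of this announcement or of the Uptrack tooling, the following POSIX shell script reads uptrack.conf to decide whether the manual command above is still needed on a UEKR2 2.6.39 host. The config-parsing rules (ini-style "key = value", "#"/";" comments, case-insensitive value, last entry wins) and the kernel release pattern it matches are assumptions, and the sample config it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the errata announcement. Decides whether a host
# running UEKR2 2.6.39 still needs a manual "uptrack-upgrade -y", based on
# whether "autoinstall = yes" is in effect in /etc/uptrack/uptrack.conf.
# Parsing rules below are assumptions, not documented Uptrack behaviour.

# uptrack_autoinstall_enabled FILE -> exit 0 if the last uncommented
# "autoinstall" line has the value "yes" (any case), 1 otherwise.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -n \
        -e 's/^[[:space:]]*[Aa][Uu][Tt][Oo][Ii][Nn][Ss][Tt][Aa][Ll][Ll][[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# is_uekr2_2639 RELEASE -> exit 0 if a "uname -r" string belongs to the
# UEKR2 2.6.39 series (assumed pattern: 2.6.39-<build>...uek...).
is_uekr2_2639() {
    case "$1" in
        2.6.39-*uek*) return 0 ;;
        *)            return 1 ;;
    esac
}

# plan_action RELEASE CONF -> prints skip-not-uekr2, autoinstall or manual
plan_action() {
    if ! is_uekr2_2639 "$1"; then
        echo "skip-not-uekr2"
    elif uptrack_autoinstall_enabled "$2"; then
        echo "autoinstall"
    else
        echo "manual"
    fi
}

# Constructed sample config (NOT a real uptrack.conf) exercising the parser.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# autoinstall = yes   <- commented out, must be ignored
autoinstall = no
Autoinstall = YES  ; later entry wins
EOF
echo "sample config -> $(plan_action 2.6.39-400.0.0.el6uek.x86_64 "$SAMPLE_CONF")"
echo "this host      -> $(plan_action "$(uname -r)" /etc/uptrack/uptrack.conf)"
```

The last line reports "manual" on a UEKR2 2.6.39 host without autoinstall, which is the case where the uptrack-upgrade command above has to be run by hand.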


* CVE-2017-2636: Privilege escalation in High Level Data Synchronous TTY line discipline.

A race condition when flushing the transmit queue concurrently with sending
frames in the HDLC TTY line discipline could lead to a double free.  A
local, unprivileged user could use this flaw to elevate their privileges.

* CVE-2017-6345: Denial of service in 802.2 LLC packet processing.

A logic error when receiving PDUs on an 802.2 LLC network socket can trigger a
kernel panic and denial of service when freeing memory.

* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.

A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.

* CVE-2016-4580: Kernel stack information leak in X25 facility negotiation.

Missing initialization of a stack data structure could result in leaking
up to 8 bytes of kernel stack information to a local, unprivileged user.

* Denial-of-service in the BSD Packet Filter just-in-time compiler.

A logic error in the BSD Packet Filter (BPF) just-in-time (JIT) compiler
could lead the JIT-compiled program to contain only software breakpoints
instead of the intended opcodes.  A local, privileged user could use this
flaw to cause a denial of service with a specially crafted BPF program.

* CVE-2016-7425: Heap corruption in ARECA SATA/SAS RAID host adapter.

Lack of bounds checking when copying data from userspace could lead to heap
corruption.  A local user with the ability to transfer messages to the
ARECA SATA/SAS RAID driver could use this flaw to gain kernel execution.

* CVE-2015-5707: Privilege escalation in generic SCSI character device.

An integer overflow in the SCSI generic driver in the Linux kernel could
allow a local user with write permission on a SCSI generic device to
escalate privileges.

* CVE-2016-8633: Remote code execution in the firewire driver.

Improper input validation when handling fragmented datagrams could allow a
remote attacker, through a specially crafted packet, to gain code
execution.  A remote attacker could use this flaw to compromise a system.

* CVE-2016-8645: Denial of service when receiving TCP packet.

When collapsing multiple socket buffers into one, a bug in the code
could result in a kernel panic.  A remote attacker can trigger this by
sending specially crafted packets and cause a denial of service.

* CVE-2016-3672: Incorrect mmap randomization in i386 and X86_32 mode.

Incorrect logic when randomizing mmap addresses could facilitate an
attack and allow a local attacker to escalate privileges.

* CVE-2016-10088, CVE-2016-9576: Use-after-free in SCSI device interface.

Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.

* CVE-2016-10142: Remote denial-of-service on receipt of ICMP Packet Too Big.

A flaw in the IPv6 protocol specification could allow a remote attacker to
trigger the use of fragmentation in arbitrary IPv6 streams by injecting
ICMP Packet Too Big (PTB) packets.  A remote attacker could use this flaw
to employ fragmentation based attacks and cause denial-of-service on the
IPv6 flow.

* CVE-2016-8399: Information leak using ICMP protocol.

A missing check on the ICMP header length could cause an out-of-bounds read
of the kernel stack.  A user could use this flaw to leak information about
kernel memory and facilitate an attack.

* CVE-2017-7187: Out-of-bounds write in SCSI NEXT_CMD_LEN ioctl.

The length specified by a user in the SCSI SG_NEXT_CMD_LEN ioctl is not
properly checked against its maximum allowed value, allowing a user to
cause an out-of-bounds write in the kernel and potential


Ksplice support is available at ksplice-support_ww at oracle.com.
