[El-errata] New Ksplice updates for Oracle Enhanced RHCK 7 (ELBA-2018-1062-1)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Apr 25 03:41:54 PDT 2018


Synopsis: ELBA-2018-1062-1 can now be patched using Ksplice
CVEs: CVE-2016-3672 CVE-2016-7913 CVE-2016-8633 CVE-2016-8658 CVE-2017-0786
CVE-2017-1000252 CVE-2017-1000407 CVE-2017-1000410 CVE-2017-12154 CVE-2017-12190
CVE-2017-13080 CVE-2017-13166 CVE-2017-14051 CVE-2017-14140 CVE-2017-15129
CVE-2017-15265 CVE-2017-15299 CVE-2017-16528 CVE-2017-17448 CVE-2017-17449
CVE-2017-17558 CVE-2017-18017 CVE-2017-18203 CVE-2017-7346 CVE-2017-8824
CVE-2017-8925 CVE-2017-9605 CVE-2017-9725 CVE-2018-1000004 CVE-2018-5750
CVE-2018-6927

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2018-1062-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
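
The two checks a practitioner wants around this procedure are whether autoinstall is actually on, and whether, after the upgrade, every CVE named in this advisory is reported as applied. The following POSIX shell script is an added example and not Oracle's own tooling. It assumes only that uptrack-show prints the applied updates with their CVE identifiers somewhere in its text (the exact line layout is not relied on); the sample uptrack.conf and uptrack-show output embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for ELBA-2018-1062-1, not part of the Oracle advisory or of
# Ksplice. Checks (1) whether "autoinstall = yes" is set in a uptrack.conf
# and (2) which CVEs from the advisory list do not appear in saved
# uptrack-show output. Assumption: uptrack-show output contains the
# CVE-YYYY-NNNN identifiers of the applied updates; only those tokens are
# matched, so the surrounding format does not matter. All sample data
# below is constructed.

# Return 0 when the uptrack.conf at $1 turns autoinstall on.
# Comment lines and surrounding whitespace are ignored; the value match is
# case-insensitive so "Yes" also counts.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Print, one per line, the CVEs in the whitespace-separated list $1 that do
# not appear anywhere in the uptrack-show output saved in file $2.
missing_cves() {
    installed=$(grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' "$2" | sort -u)
    for cve in $1; do
        printf '%s\n' "$installed" | grep -qx "$cve" || printf '%s\n' "$cve"
    done
}

# Number of missing CVEs (0 means the advisory is fully covered).
missing_count() {
    missing_cves "$1" "$2" | grep -c . || true
}

# --- constructed demonstration data ----------------------------------------
demo_dir=$(mktemp -d)
cat >"$demo_dir/uptrack.conf" <<'EOF'
[Settings]
# Automatically install updates as they become available
autoinstall = no
EOF
# Assumed shape of uptrack-show output: update id, CVE id, description.
cat >"$demo_dir/uptrack-show.out" <<'EOF'
Installed updates:
[abcd1234] CVE-2017-8824: Privilege escalation when calling disconnect() on a DCCP socket.
[abcd1235] CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.
[abcd1236] Improve the interface to freeze tasks.
EOF

# A subset of the CVE list at the top of this advisory.
advisory_cves="CVE-2017-8824 CVE-2017-13080 CVE-2018-6927 CVE-2016-3672"

if autoinstall_enabled "$demo_dir/uptrack.conf"; then
    echo "autoinstall is on; Uptrack will apply ELBA-2018-1062-1 by itself"
else
    echo "autoinstall is off; run: /usr/sbin/uptrack-upgrade -y"
fi
echo "CVEs from the advisory not yet reported by uptrack-show:"
missing_cves "$advisory_cves" "$demo_dir/uptrack-show.out"
rm -rf "$demo_dir"

# On a real host the same functions read the live files:
#   autoinstall_enabled /etc/uptrack/uptrack.conf || /usr/sbin/uptrack-upgrade -y
#   /usr/sbin/uptrack-show > /tmp/uptrack-show.out
#   missing_cves "$advisory_cves" /tmp/uptrack-show.out
```

To check the whole advisory rather than the four-ID subset, paste the full CVE list from the header of this announcement into advisory_cves; an empty result from missing_cves means every listed CVE is reported as applied.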


DESCRIPTION

* CVE-2017-8824: Privilege escalation when calling the disconnect() system
call on a DCCP socket.

Incomplete cleanup when the disconnect() system call is made on a DCCP
socket in the DCCP_LISTEN state could lead to a use-after-free. A local
attacker could use this flaw to escalate privileges.


* CVE-2016-8633: Buffer overflow in the FireWire net driver.

A logic error in the checks applied to incoming packets could lead to an
RX buffer overflow. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.


* CVE-2016-3672: ASLR bypass on 32-bit processes.

Setting an unlimited stack size limit completely disabled ASLR for any
32-bit process running with that limit. A local user could use this flaw
to reduce the security of a setuid/setgid application.


* CVE-2017-1000252: Denial-of-service when receiving an out-of-bounds KVM
guest interrupt.

A kernel assertion triggered by out-of-bounds guest interrupts in KVM
could lead to a host kernel hang. A local attacker in a guest VM could
use this flaw to cause a denial-of-service.


* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on the WPA2 protocol.

A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force nonce reuse. This could allow the
attacker to eavesdrop on encrypted communications as well as inject data
into and manipulate a WiFi stream.


* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-0786: Privilege escalation in the Broadcom WiFi driver.

A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.


* CVE-2016-8658: Memory corruption when configuring Broadcom 802.11 AP.

Missing data validation when configuring an 802.11 access point using a
Broadcom chipset can allow a privileged local user to trigger kernel
memory corruption and potentially gain elevated privileges.


* CVE-2017-9605: Information leak when a user defines a surface in the
VMware Virtual GPU driver.

A missing initialization of a local variable when a user defines a
surface in the vmwgfx driver could leak stack contents. A local attacker
could use this flaw to gain information about the running kernel and
facilitate a further attack.


* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* CVE-2017-7346: Denial-of-service when a user defines a surface in the
VMware Virtual GPU driver.

A missing check on user input could lead to an infinite loop. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-16528: Use-after-free when unbinding a MIDI sequencer device.

A failure to cancel pending work on a work queue when unbinding a MIDI
sequencer device could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2017-8925: Memory leak when opening an Omninet serial device.

An extra reference on the TTY was taken by the Omninet serial driver on
open, leading to a memory leak. A local, unprivileged user could use this
flaw to exhaust the memory on the system and cause a denial-of-service.


* CVE-2017-18203: Denial-of-service during device mapper destruction.

A race condition between creation and destruction of device mapper
objects can result in an assertion failure, leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.


* CVE-2017-9725: Memory corruption in contiguous memory allocation.

A type conversion error when allocating contiguous memory for Direct
Memory Access can result in memory corruption outside of the allocated
region. A local user could use this flaw to cause undefined behavior or
a kernel crash.


* CVE-2017-12154: Denial-of-service when using KVM nested virtualization.

A missing flag when setting up nested virtualization in KVM could give an
L2 guest access to the CR8 register. A local attacker in the L2 guest
could use this register to disable external interrupts and cause a
denial-of-service.


* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.

A race condition in the net namespace code could lead to a double
free and memory corruption.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

A failure to increment a reference count during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.


* CVE-2017-17448: Missing capability check in the nfnetlink connection
tracking helper interface.

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.


* CVE-2017-17449: Missing permission check in netlink monitoring.

Netlink monitoring was not correctly restricted to the local network
namespace, so an nlmon device could be used to sniff netlink traffic
across the entire system.


* CVE-2017-17558: Buffer overrun in USB core via integer overflow.

Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.


* CVE-2017-18017: Use-after-free when processing TCP packets in the
netfilter TCPMSS target.

A missing check when using the TCPMSS target on TCP packets could lead to
a use-after-free. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-5750: Information leak when registering the ACPI Smart Battery
System driver.

An overly verbose printk when registering the ACPI Smart Battery System
driver leaks kernel addresses. A local attacker could use this flaw to
learn information about the running kernel and facilitate a further
attack.


* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctls.

A race condition when using MIDI sequencer ioctls could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-6927: Integer overflow when requeuing a futex.

A missing check when calling the futex system call with the requeue
operation could lead to an integer overflow. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2016-7913: Use-after-free of the XC2028 TV tuner driver firmware
name string.

The priv->ctrl.fname string, which holds the firmware name, could be
freed twice, potentially causing memory corruption and a kernel panic or
other exploitable behavior.


* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.

A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash.  An attacker could use this flaw
to cause a host denial-of-service from the guest.


* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.

Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.


* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.

Logic errors in multiple V4L2 ioctls could lead to the kernel operating on
arbitrary addresses supplied from user space. A local attacker could use
this flaw to escalate privileges.


* CVE-2017-14140: Permission bypass when checking credentials for
filesystem accesses.

A flaw in the ptrace access checks allows a temporarily unprivileged
process to access files that it should not be able to access. A local,
unprivileged user could potentially use this flaw to escalate privileges.


* Improve the interface to freeze tasks.

Provides an alternative method for freezing selected tasks using a flag in
struct task_struct.  This is useful starting with 3.10 due to freezer
optimizations.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
