[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2018-4304)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Mon Dec 17 01:17:44 PST 2018 

Synopsis: ELSA-2018-4304 can now be patched using Ksplice
CVEs: CVE-2018-1000204 CVE-2018-10322 CVE-2018-10902 CVE-2018-1108 CVE-2018-1118
CVE-2018-1120 CVE-2018-13094 CVE-2018-18445 CVE-2018-18710 CVE-2018-5333
CVE-2018-5848 CVE-2018-7755

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4304.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption.  This could be exploited to cause a denial-of-service.

Orabug: 28893798


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.

Orabug: 28893785


* CVE-2018-1118: System hang in virtio host driver.

A logic error in the vhost driver can lead some processes to spin indefinitely,
waiting for an event to occur.  This could be used to cause a denial-of-service.

Orabug: 28892623


* CVE-2018-1120: Denial-of-service when mmapping specific part of process memory
on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 28863722


* CVE-2018-1108: Information leak when relying on kernel random generator for
cryptographic use.

Cryptographic drivers may use kernel random generator which doesn't have
enough entropy to generate true random data after boot. A local attacker
could use this flaw to decrypt sensitive data and leak information.

Orabug: 28863713


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.

Orabug: 28884433


* Denial-of-service when forking a process with hugetlb mappings.

A logic error when forking a process with hugetlb mappings could lead to
a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 28886647


* CVE-2018-18445: Out-of-bounds access in BPF verifier.

An incorrect truncation when using 32-bit ALU operations in the BPF verifier
can result in an out-of-bounds memory access, leading to a kernel crash. A
local user with the ability to create BPF programs could use this flaw to cause
a denial-of-service.

Orabug: 28861785


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.

Orabug: 28929755


* Denial-of-service in the Xen block backend driver when finding a queue.

Failure to reset the number of rings when handling a low memory condition
in the Xen block backend driver could lead to a kernel panic.

Orabug: 28918690


* NULL pointer dereference during RDS reconnection.

A fragment size mismatch during an RDS reconnection can result in a NULL
pointer dereference, leading to a kernel crash.

Orabug: 28748049


* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error when using floppy disk driver ioctl could lead to a kernel
address leak.  A local attacker could use this flaw to get address of
running kernel and facilitate an attack.

Orabug: 28956546


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to integer overflow and undefined
behaviour.  A local user could use this flaw to cause a memory corruption
and potentially escalate privileges.

Orabug: 28951267


* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable
Datagram Sockets driver.

A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 28020694


* CVE-2018-10322: NULL pointer dereference when mounting crafted XFS image.

Untrusted input from an XFS image was not validated properly before being
used, lead to an invalid pointer dereference.  A local, privileged user
with the ability to mount XFS images could use this flaw to cause a
denial-of-service.

Orabug: 28943579


* Filesystem corruption in EXT4 direct write implementation.

A race condition during direct writes to an EXT4 filesystem can result in
filesystem corruption.

Orabug: 28869428


* Filesystem corruption in BTRFS range cloning.

A failure to specify a full fsync is required after cloning a file range in the
BTRFS filesystem can result in filesystem corruption.

Orabug: 28905635


* Denial-of-service in huge page truncation.

A race condition between a page fault and a hugetlbfs page truncation can
result in an assertion failure, leading to a kernel crash. A local user could
use this flaw to cause a denial-of-service.

Orabug: 28896279


* NULL pointer dereference during iSCSI connection reset.

A missing check when resetting an iSCSI connection which is already terminating
can result in a NULL pointer dereference, leading to a kernel crash.

Orabug: 28946206

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list