[El-errata] New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018:3083)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Nov 20 08:56:38 PST 2018


Synopsis: ELSA-2018:3083 can now be patched using Ksplice

CVEs:
CVE-2015-8830 CVE-2016-4913 CVE-2017-0861 CVE-2017-10661 CVE-2017-17805
CVE-2017-18208 CVE-2017-18344 CVE-2018-1000026 CVE-2018-10322
CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 CVE-2018-10883 CVE-2018-10902
CVE-2018-1092 CVE-2018-1094 CVE-2018-10940 CVE-2018-1118 CVE-2018-1120
CVE-2018-1130 CVE-2018-13405 CVE-2018-5344 CVE-2018-5803 CVE-2018-5848
CVE-2018-7740 CVE-2018-7757 CVE-2018-8781

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018:3083.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
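
The two paths above (autoinstall versus a manual uptrack-upgrade run) can be turned into a fleet-wide check. The script below is an added example and not part of the Oracle announcement or the Ksplice tooling; it assumes uptrack.conf is a simple key = value file with # comments, which is how the announcement quotes the setting, and it exercises the check on constructed sample configurations rather than a live host.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by inspecting the autoinstall setting in
# /etc/uptrack/uptrack.conf, as described in the announcement.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Comment lines and surrounding whitespace are ignored. If the key appears
# more than once the last occurrence is used (an assumption, not documented
# Uptrack behaviour); the value "yes" is matched case-insensitively.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)
    case "$value" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Name the action the announcement prescribes for a configuration file.
ksplice_action_for() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "auto"    # Uptrack applies the updates; no action needed
    else
        echo "manual"  # run /usr/sbin/uptrack-upgrade -y on this host
    fi
}

# Apply the updates on the real host when invoked as: ./check.sh --apply
if [ "${1:-}" = "--apply" ] && [ "$(ksplice_action_for /etc/uptrack/uptrack.conf)" = "manual" ]; then
    /usr/sbin/uptrack-upgrade -y
fi

# Constructed sample configurations (not real host files) to exercise the check.
SAMPLE_AUTO=$(mktemp)
printf '# Ksplice Uptrack configuration\nautoinstall = yes\n' > "$SAMPLE_AUTO"
SAMPLE_MANUAL=$(mktemp)
printf '# autoinstall = yes   <- commented out, must not count\nautoinstall = no\n' > "$SAMPLE_MANUAL"

echo "sample auto   -> $(ksplice_action_for "$SAMPLE_AUTO")"
echo "sample manual -> $(ksplice_action_for "$SAMPLE_MANUAL")"
```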


DESCRIPTION


* CVE-2015-8830: Kernel crash in Asynchronous IO subsystem with large IO vector sizes.

Improper bounds checking on the transfer size of individual asynchronous
requests can lead to a kernel crash.


* CVE-2016-4913: Information leak in ISO9660 filename parsing.

Incorrect handling of NUL termination bytes could result in reading
excessive data from a kernel buffer into user-space.  A local user with
permissions to mount a maliciously crafted filesystem could use this
flaw to leak the contents of sensitive memory.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could allow
concurrent cancels to race, resulting in a data race or use-after-free and
potentially a kernel crash and denial-of-service.


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash.  A local, unprivileged user could
use this flaw to crash the system or, potentially, escalate privileges.


* CVE-2017-18208: Denial-of-service when using madvise system call.

A logic error when using the madvise system call with the WILLNEED option
on a Direct Access (DAX) filesystem could lead to a deadlock. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-18344: Information disclosure in POSIX timers.

Incorrect validation of POSIX timers could allow a local, unprivileged
user to leak the contents of arbitrary memory through /proc/$PID/timers.


* CVE-2018-1092: NULL pointer dereference when using an unallocated root directory on an ext4 filesystem.

A missing check when using an unallocated root directory on an ext4
filesystem could lead to a NULL pointer dereference. A local attacker
could mount a crafted ext4 filesystem and cause a denial-of-service.


* CVE-2018-1094: NULL pointer dereference when filling extended attributes on an ext4 filesystem.

A missing initialization of the crypto driver used to fill extended
attributes on an ext4 filesystem could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1118: Information leak when creating a new message in the vhost driver.

A missing initialization of a variable passed to user space when
creating a new message in the vhost driver could lead to an information
leak. A local attacker could use this flaw to obtain information about
the running kernel and facilitate a further attack.


* CVE-2018-1120: Denial-of-service when mmapping a specific part of process memory on a slow filesystem.

A missing check when a user mmap()s a specific part of process memory on
a slow filesystem could lead to delays when the kernel accesses that part
of memory. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-1130: Denial-of-service in DCCP message send.

A logic error in the dccp code could lead to a NULL pointer dereference
when transmitting messages, leading to a kernel panic.  An attacker could
use this to cause a denial-of-service.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2018-5803: Denial-of-service when receiving a forged packet over an SCTP socket.

A missing check when receiving a forged packet with custom properties
over an SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to an integer overflow and undefined
behaviour.  A local user could use this flaw to cause memory corruption
and potentially escalate privileges.


* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.

A logic error in the HugeTLB file system when using the remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-7757: Memory leak when reading the invalid_dword_count attribute of the SAS Domain Transport driver.

A missing free when reading the invalid_dword_count attribute of the SAS
Domain Transport driver could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* CVE-2018-8781: Integer overflow when mapping memory in the USB DisplayLink video driver.

A missing check on user input when mapping memory in the USB DisplayLink
video driver could lead to an integer overflow. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10878: Out-of-bounds access when initializing the ext4 block bitmap.

A logic error when initializing the ext4 block bitmap could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10879: Use-after-free when setting an extended attribute entry on an ext4 filesystem.

A logic error when setting an extended attribute entry on an ext4
filesystem could lead to a use-after-free. A local attacker could use
this flaw with a crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks on an ext4 filesystem.

Missing zeroing of data when using indirect blocks on an ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10883: Out-of-bounds access in ext4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption.  This could be exploited to cause a denial-of-service.


* CVE-2018-10940: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.


* CVE-2018-1000026: Denial-of-service when receiving an invalid packet on a bnx2x network card.

Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-10322: NULL pointer dereference when mounting crafted XFS image.

Untrusted input from an XFS image was not validated properly before being
used, leading to an invalid pointer dereference.  A local, privileged user
with the ability to mount XFS images could use this flaw to cause a
denial-of-service.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
