[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4746)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Aug 20 07:43:16 PDT 2019


Synopsis: ELSA-2019-4746 can now be patched using Ksplice
CVEs: CVE-2018-16871 CVE-2019-11833 CVE-2019-12378 CVE-2019-12381 CVE-2019-12382 CVE-2019-13272 CVE-2019-13631

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4746.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4746.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
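
The two checks implied above (is autoinstall on, and are this advisory's CVE fixes already listed as installed) can be scripted per host. This is an added example, not Oracle tooling; it covers only the fixes that carry a CVE ID. It assumes the installed-update list (for example from uptrack-show) has one "[id] description" line per update, and the function names and sample update IDs are made up.

```shell
#!/bin/sh
# Added example (not Oracle tooling): decide whether a host still needs a
# manual uptrack-upgrade for ELSA-2019-4746.

# CVE list copied from the advisory's "CVEs:" line.
ELSA_CVES="CVE-2018-16871 CVE-2019-11833 CVE-2019-12378 CVE-2019-12381
CVE-2019-12382 CVE-2019-13272 CVE-2019-13631"

# autoinstall_enabled FILE
# Succeeds only if the last "autoinstall" assignment in FILE is the literal
# "yes" quoted in the advisory. Commented-out lines do not match; any other
# value counts as "not enabled", which errs toward a manual upgrade.
autoinstall_enabled() {
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "yes" ]
}

# missing_cves
# Reads a list of installed Ksplice updates on stdin (assumed format: one
# "[id] description" line per update) and prints the advisory CVEs that no
# line mentions. Empty output means every listed CVE is covered.
missing_cves() {
    shown=$(cat)
    missing=""
    for cve in $ELSA_CVES; do
        # -w keeps a shorter CVE number from matching inside a longer one.
        printf '%s\n' "$shown" | grep -qwF -- "$cve" || missing="$missing $cve"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: update IDs are made up, descriptions are from this advisory.
SAMPLE_SHOW='[aaaaaaaa] CVE-2019-12381, CVE-2019-12378: NULL pointer dereferences in the IP to socket glue.
[bbbbbbbb] CVE-2019-13272: Privilege escalation in ptrace implementation.
[cccccccc] CVE-2018-16871: Denial-of-service in NFS copy and clone operations.'

# On a real host: uptrack-show | missing_cves
printf '%s\n' "$SAMPLE_SHOW" | missing_cves
```

A host where autoinstall_enabled fails for /etc/uptrack/uptrack.conf and missing_cves prints anything is a candidate for the manual upgrade command above.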


DESCRIPTION

* CVE-2019-12381, CVE-2019-12378: NULL pointer dereferences in the IP to socket glue.

Failures to check that a kmalloc succeeded when allocating a new router
alert in the IPv4 and IPv6 to socket glue code could lead to a NULL pointer
dereference.  A remote user on the same network could use this flaw to
cause a denial-of-service.

Orabug: 29926004, 29926056


* CVE-2019-11833: Information leak in ext4 extent tree block.

A missing zeroing of uninitialized memory in an ext4 extent tree block
could lead to an information leak. A local attacker could use this flaw
to leak information about the running kernel and facilitate an attack.

Orabug: 29925498


* Use-after-free in dentry cache handling code of OCFS2 driver.

A race condition in the dentry cache handling code of the OCFS2 driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 29957705


* Memory corruption in QLogic QED network driver module unload.

Missing locking when unloading the QLogic QED device driver could result
in memory corruption and a kernel crash.

Orabug: 29908708


* Memory corruption in QLogic QED connection termination.

Race conditions when terminating a QLogic QED connection could result in
multiple frees to a single resource and memory corruption.

Orabug: 29908708


* Denial-of-service when transmitting via QLogic ethernet device.

When transmitting data via a QLogic ethernet device, a race condition
could lead to accessing the underlying packet buffers after they were
freed, resulting in a potential kernel crash and denial-of-service.

Orabug: 29908708


* Information leak in QLogic ethernet driver.

During an error condition when connecting a QLogic ethernet device,
invalid type conversions could result in out-of-bounds data on the stack
being written as error output.

Orabug: 29908708


* Out-of-bounds access in debug messages of QLogic QEDI 25/40/100Gb iSCSI Initiator driver.

A logic error in debug messages of QLogic QEDI 25/40/100Gb iSCSI
Initiator driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Memory leak in the RDS Infiniband receive path when fragment size changes.

A missing release of resources in the RDS Infiniband receive path when the
fragment size is updated leads to a memory leak.

Orabug: 30033646


* NULL pointer dereference in QLogic BNX2 restart.

Failure to correctly restart the BNX2 device when DMA allocation failed
could trigger a NULL pointer dereference and kernel crash.

Orabug: 30022604


* XSA-300: Denial-of-service in Xen memory ballooning.

A logic error in the Xen memory balloon device driver could result in
exhaustion of resources or crashes of the backend device drivers
resulting in IO stalls or guest failures.  A local privileged user could
use this flaw to cause a denial of service.

Orabug: 30073694


* Deadlock when performing controller ioctls in NVMe driver.

A locking error when performing controller ioctls in the NVMe driver
could lead to a deadlock. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 29962261


* Memory leak when uninitializing NVMe controller.

A logic error when uninitializing an NVMe controller could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.

Orabug: 29962261


* Integer overflow in namespace list calculation of NVMe driver.

A logic error in the namespace list calculation of the NVMe driver could
lead to an integer overflow. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 29962261


* Invalid memory access during open in Broadcom NetXtreme-C/E driver.

A missing check after an error occurs when opening a Broadcom
NetXtreme-C/E interface could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.


* Kernel crash in MEGARAID SAS firmware crashdump loading.

Missing bounds checks when loading a firmware crashdump could result in
an out-of-bounds access and kernel panic.

Orabug: 30109946


* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.

Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors.  A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.

Orabug: 30074412


* CVE-2019-13272: Privilege escalation in ptrace implementation.

A logic error in the ptrace implementation core can allow a malicious
user process to gain unintended privileges, which could be further
abused to ptrace an suid binary and gain root privileges.

Orabug: 30074408


* CVE-2018-16871: Denial-of-service in NFS copy and clone operations.

A logic error when performing NFS clone or copy operations could result
in a NULL pointer dereference and kernel crash.  A remote user with
permissions to mount an exported NFS filesystem could use this flaw to
crash the server.

Orabug: 29925432


* CVE-2019-12382: Denial-of-service in DRM firmware loading.

Incorrect error handling could result in a NULL pointer dereference and
crash when loading firmware under low memory conditions.

Orabug: 29925968

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




