[El-errata] New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2019-4644)

Wed May 22 02:06:20 PDT 2019

Synopsis: ELSA-2019-4644 can now be patched using Ksplice
CVEs: CVE-2016-1583 CVE-2017-13305 CVE-2017-16650 CVE-2018-19985 CVE-2019-11190

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4644.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4644.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Improved fix to CVE-2016-1583: Privilege escalation in eCryptfs.

The original upstream fix for CVE-2016-1583 restricted opening files
without an mmap handler, but could result in applications failing to
open files that did not need mmap on them.  The new fix defers this
until mmap is called.

Orabug: 29666607

* CVE-2017-13305: Information leak in encrypted keys subsystem.

Providing the encrypted keys subsystem with a shorter-than-expected
master key description could cause the key validation routine to read
beyond the end of the buffer, potentially exposing kernel memory.

Orabug: 29605993

* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in the hso_probe can lead to an out-of-bounds
memory access.  This could cause a system to exhibit unexpected
behavior.

Orabug: 29605987

* CVE-2017-16650: Divide by zero error when binding a QMI WWAN USB device.

A missing check when binding a QMI WWAN network USB device could lead to
a divide by zero error. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 27215229

* CVE-2019-11190: Information leak using a setuid program and accessing process stats.

A late setup of credentials when running a setuid program could let an
attacker dump /proc/<pid>/stat and get more information about running
kernel.

Orabug: 29677234

* Ksplice NMI patching enablement update.

Patching the NMI entry/exit code is subject to race conditions when
disabling and re-enabling IBRS on concurrent NMI.

* Correctly clear the Micro Data Sampling (MDS) buffers on return to userspace.

An incorrect variant of the verw instruction was used to clear the MDS
buffers when returning to userspace, allowing an attacker to bypass the
mitigation for the MDS vulnerabilities.  The mitigation was also missing to
clear the MDS buffers from the NMI interrupt when returning to user
context.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.