[El-errata] New Ksplice updates for Oracle Enhanced RHCK 7 (ELBA-2020-1016-1)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Apr 17 02:16:38 PDT 2020


Synopsis: ELBA-2020-1016-1 can now be patched using Ksplice

CVEs:
CVE-2015-9289 CVE-2017-17807 CVE-2018-19985 CVE-2018-20169 CVE-2018-7191
CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-11190 CVE-2019-11884
CVE-2019-12382 CVE-2019-13233 CVE-2019-14283 CVE-2019-15916 CVE-2019-16746
CVE-2019-3901 CVE-2019-9503

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2020-1016-1.
More information about this errata can be found at
https://linux.oracle.com/errata/ELBA-2020-1016-1.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-9289: Privilege escalation in DVB frontend.

Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out-of-bounds access could result in a kernel crash or potentially
escalate privileges.

Orabug: 30254282


* CVE-2017-17807: Permissions bypass when requesting key on default keyring.

When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.


* CVE-2018-7191: Denial-of-service in network tunnel TUNSETIFF ioctl().

Missing error checking when setting a network tunnel device interface
could result in a NULL pointer dereference when passed a malformed
interface name.  A local user with privileges to create TUN devices
could use this flaw to crash the system.


* CVE-2018-19985, CVE-2018-20169: Missing bound check when reading extra USB descriptors.

A failure to properly check the minimum and maximum size of an extra USB
descriptor in the USB sub-system could lead to reading or writing past
memory bounds.  An attacker with the ability to send specially crafted
extra descriptors from a USB device could use this flaw to escalate
privileges or cause a denial-of-service.


* CVE-2019-3901: Privilege escalation when opening performance events.

A race condition between perf_event_open and execve can allow an
unprivileged user to trace a privileged process, potentially allowing an
unprivileged user to escalate privileges.


* CVE-2019-9503: Denial-of-service when receiving firmware event frames over a Broadcom WLAN USB dongle.

A failure to validate firmware event frames received over a Broadcom
WLAN USB dongle could let a remote attacker cause a denial-of-service.


* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.

A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations.  This could be exploited to cause a denial of
service.


* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().

Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.


* CVE-2019-12382: Denial-of-service in DRM firmware loading.

Incorrect error handling could result in a NULL pointer dereference and
crash when loading firmware under low memory conditions.


* CVE-2019-13233: Use-after-free when accessing LDT entry.

A locking error while accessing an LDT entry could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.


* CVE-2019-15916: Denial-of-service in network device registration.

A failure to free resources when registering a kobject for a net device
fails could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-10638.

CVE-2019-10638 is a flaw in the IP ID generation code that could allow a
remote user to track remote Linux devices.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-10639.

CVE-2019-10639 could allow a remote user to derive the value of the IP ID
field and thus partially defeat kernel address space layout randomization.


* CVE-2019-11190: Information leak using a setuid program and accessing process stats.

A late setup of credentials when running a setuid program could let an
attacker dump /proc/<pid>/stat and get more information about the running
kernel.


* CVE-2019-16746: Potential buffer overflow when processing IEEE80211 beacon head.

A failure to validate the beacon frame header along with other beacon
frame attributes can lead to malformed data eventually being processed.
This can potentially be exploited by a remote attacker to cause a buffer
overflow, which can be leveraged to perform other types of attacks.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.