[El-errata] New Ksplice updates for RHCK 7 (ELSA-2020-4060)

Fri Oct 30 07:27:19 PDT 2020

Synopsis: ELSA-2020-4060 can now be patched using Ksplice
CVEs: CVE-2015-8964 CVE-2017-18551 CVE-2018-20836 CVE-2019-12614 CVE-2019-15217 CVE-2019-15807 CVE-2019-15917 CVE-2019-16231 CVE-2019-16233 CVE-2019-16994 CVE-2019-17053 CVE-2019-17055 CVE-2019-18808 CVE-2019-19046 CVE-2019-19055 CVE-2019-19058 CVE-2019-19059 CVE-2019-19062 CVE-2019-19063 CVE-2019-19332 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524 CVE-2019-19530 CVE-2019-19534 CVE-2019-19537 CVE-2019-19767 CVE-2019-19807 CVE-2019-20054 CVE-2019-20095 CVE-2019-20636 CVE-2019-9454 CVE-2019-9458 CVE-2020-10732 CVE-2020-10742 CVE-2020-10751 CVE-2020-10942 CVE-2020-11565 CVE-2020-12770 CVE-2020-12826 CVE-2020-14305 CVE-2020-1749 CVE-2020-2732 CVE-2020-8647 CVE-2020-8649 CVE-2020-9383

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-4060.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-4060.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2015-8964: Use-after-free in tty line discipline configuration.

Incorrect initialization in the tty subsystem can cause a tty driver to
access previously freed memory. A local attacker could use this to
obtain sensitive information from the kernel.

* CVE-2017-18551, CVE-2019-9454: Out-of-bounds access when reading data over I2C bus.

A missing check on user input when reading data over I2C bus could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.

* CVE-2019-9458: Use-after-free in V4L2 event subscription.

Due to insufficient locking in the V4L2 driver, an event subscription
could be freed while it is still in use. A malicious user could use
this to cause denial of service or potentially elevate privileges.

* Note: Oracle will not be providing a Ksplice update for CVE-2019-12614.

CVE-2019-12614 only impacts the powerpc architecture.

* CVE-2019-15217: NULL pointer deference when using USB ZR364XX Camera driver.

A missing check when querying capabilities of USB ZR364XX Camera device
from user space could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.

* CVE-2019-15807: Denial-of-service when discovering expander in SAS Domain fails.

A logic error when discovering expander in SAS Domain Transport
Attributes fails could lead to a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.

* CVE-2019-15917: Use-after-free when registering Bluetooth HCI uart device.

A logic error when registering Bluetooth HCI uart device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2019-16231: NULL pointer dereference when registering FUJITSU Extended Socket Network Device driver.

A missing check when registering FUJITSU Extended Socket Network Device
driver fails could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.

* CVE-2019-16233: NULL pointer dereference when registering QLogic Fibre Channel driver.

A missing check when registering QLogic Fibre Channel driver fails could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.

* CVE-2019-16994: Denial-of-service in IPv6-in-IPv4 tunnel registration.

A missing free of resources when registering an IPv6-in-IPv4 tunnel fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.

* CVE-2019-17053: Permission bypass when creating a IEEE 802.15.4 socket.

A missing check on user capabilities when creating a IEEE 802.15.4
socket could lead to a permission bypass.

* CVE-2019-17055: Permission bypass when creating a Modular ISDN socket.

A missing check on user capabilities when creating a Modular ISDN socket
could lead to a permission bypass.

* CVE-2019-18808: Memory leak in the cryptographic subsystem.

Failure to release allocate memory when running a SHA command from the
Cryptographic Coprocessor device driver leads to a memory leak.  A local
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.

* CVE-2019-19046: Memory leak in the Intelligent Platform Management Interface.

Failure to release allocated memory on device probe failure in the IPMI
drivers leads to a memory leak.  A local attacker could potentially use
this flaw to exhaust the memory on the system and cause a
denial-of-service.

* CVE-2019-19055: Memory leak when retrieving FTM responder statistics in cfg80211 driver.

A missing free of resources when retrieving FTM responder statistics in
cfg80211 driver could lead to a memory leak. A local attacker could use
this flaw to leak information about running kernel and facilitate an
attack.

* CVE-2019-19058: Denial-of-service in iwlwifi firmware interface.

A memory leak while querying iwlwifi firmware debug interface could
cause kernel memory exhaustion. An attacker with permission to read the
firmware debug file could exploit this to cause a denial-of-service.

* CVE-2019-19059: Denial-of-service in Intel iwlwifi PCIe driver.

Incorrect error handling in Intel iwlwifi driver during device
initialization leads to memory leak. An attacker could exploit this to
exhaust kernel memory and cause a denial-of-service.

* CVE-2019-19062: Denial-of-service in the crypto subsystem.

Incomplete error handling while reporting statistics through procfs
in the crypto subsystem leads to memory leak. An unprivileged local
user could exploit this to exhaust kernel memory and cause a
denial-of-service.

* CVE-2019-19063: Denial-of-service in the rtlwifi driver.

A bug in the error path during initialization in rtlwifi USB driver leads
to memory leak. An attacker with physical access may possibly exploit
this bug to cause a denial-of-service.

* CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.

A failure to correctly validate a request for KVM cpuid emulation
information a can lead to an out-of-bounds memory access, leading to a
kernel crash. A local user with the ability to use KVM could use this
flaw to cause a denial-of-service.

* CVE-2019-19447: Use-after-free when unmounting corrupt ext4 filesystem.

On an ext4 filesystem containing an inode with a corrupt link count,
deleting the inode's parent directory and then unmounting could result
in a use-after-free and memory corruption. Mounting a crafted filesystem
image could therefore result in a denial-of-service or other unspecified
impact.

* CVE-2019-19523: Use-after-free when disconnecting ADU USB devices.

Logic errors when disconnecting ADU USB devices could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2019-19524: Use-after-free when unregistering memoryless force-feedback driver.

A missing free of a timer when unregistering memoryless force-feedback
driver could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.

* CVE-2019-19530: Denial-of-service in USB CDC-ACM probing.

Incorrect reference counting when probing a USB CDC-ACM device could
result in a use-after-free and kernel crash.  A local user with the
ability to insert USB devices could use this flaw to crash the system.

* CVE-2019-19534: Information leak using PEAK PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD.

A missing zeroing of heap buffer passed to user space in PEAK
PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD driver could lead to an
information leak. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.

* CVE-2019-19537: Denial-of-service in USB character device registration.

Incorrect locking when registering and deregistering a USB character
device could result in a use-after-free and kernel crash.  A local user
with the ability to insert USB devices could use this flaw to crash the
system.

* CVE-2019-19807: Use-after-free when registering timer in ALSA driver.

A logic error when registering timer in ALSA driver fails could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

Incorrect handling of emulated instructions and IO bitmaps could allow
an unprivileged user in a nested KVM guest instance to crash the system
or potentially, escalate privileges.

* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.

A missing check when resizing console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2020-9383: Information leak in floppy disk driver.

A flaw in floppy driver could lead to an out-of-bounds read causing
the information leak when assigning the floppy disk controller.

* CVE-2020-10732: Information leak in corefiles in per-thread info.

When generating a corefile, the per-thread core information is not
properly sanitized, potentially leaking sensitive kernel data into the
filesystem.

* CVE-2020-10742: Out of bonds memory write in NFS client when using direct IO.

A buffer too small to contain a direct IO buffer when reading or writing on
an NFS mount leads to an out-of-bounds memory overwrite.  A local,
unprivileged user could use this flaw to escalate privileges.

* CVE-2020-10751: Missing validation of netlink messages when sent coupled.

When multiple netlink messages are sent within a single sk_buff
structure, only the first message is correctly validated by SELinux,
allowing later messages to bypass proper validation.

* CVE-2020-10942: Out-of-bounds memory access in the Virtual host driver.

Invalid input validation could lead to type confusion and out-of-bounds
memory accesses.  A local unprivileged user could use this to cause a
denial-of-service or potentially escalate privileges.

* CVE-2020-11565: Out-of-bounds access when mounting tmpfs.

A missing check on mpol mount option when mounting tmpfs could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2020-12770: Information leak/DoS in SCSI generic userspace write.

When copying data from userspace to a SCSI generic (sg) device, the
associated list entry is not properly removed, potentially causing a
denial-of-service or leaking sensitive kernel information.

* CVE-2020-14305: Remote out-of-bounds memory access in voice over IP connection tracking.

A failure to properly initialize the data length for the netfilter helper
in the voice over IP "Q.931" module could lead to out-of-bounds memory
writes.  A remote attcker with the ability to connect on 1720 could use
this flaw to potentially gain kernel execution.

* CVE-2019-20054: Denial-of-service in procfs sysctl removal.

A missing NULL pointer check could result in a NULL pointer derefence
and kernel crash when removing a sysctl table from procfs.  A local,
privileged user could use this flaw to crash the system.

* CVE-2019-20095: Denial-of-service in Marvell MWIFIEX driver.

A memory leak in the Marvell MWIFIEX driver could result in memory
exhaustion and kernel crash.  A local, privileged user could use this
flaw to crash the system.

* CVE-2019-20636: Out-of-bounds write via crafted keycode table.

A validation error when parsing a keycode table supplied by userspace to
an input device can result in an out-of-bounds write. A local user with
the ability to configure an input device could use this flaw to cause a
denial-of-service or potentially escalate privileges.

* CVE-2020-12826: Privilege escalation in process signal handling.

A logic error in the way signal are passed from child to parent could
lead to a child sending any signal to a parent. A local attacker could
use this flaw to escalate privileges.

* CVE-2020-1749: Information disclosure in IPv6 IPSec tunneling.

A logic error in the IPv6 implementation of IPSec can lead to some
protocols being routed outside of the IPSec tunnel in an unencrypted
form. A network based attacker could use this flaw to read confidential
information.

* CVE-2019-19767: Use-after-free in with malformed ext4 filesystems.

Missing error handling in the ext4 inode size handling code could result
in a use-after-free and kernel crash.  A malformed ext4 filesystem could
crash the system at mount time.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.