[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELBA-2024-12391)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Jun 5 07:20:20 UTC 2024


Synopsis: ELBA-2024-12391 can now be patched using Ksplice
CVEs: CVE-2023-52644 CVE-2023-7042 CVE-2024-0841 CVE-2024-26688 CVE-2024-26763 CVE-2024-26766 CVE-2024-26778 CVE-2024-26791 CVE-2024-26804 CVE-2024-26805 CVE-2024-26816 CVE-2024-26840 CVE-2024-26851 CVE-2024-26852 CVE-2024-26855 CVE-2024-26857 CVE-2024-26859 CVE-2024-26862 CVE-2024-26863 CVE-2024-26875 CVE-2024-26878 CVE-2024-26882 CVE-2024-26889 CVE-2024-26901 CVE-2024-27388 CVE-2024-27414 CVE-2024-27417 CVE-2024-27436 CVE-2024-35807 CVE-2024-35828 CVE-2024-35830

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2024-12391.
More information about this errata can be found at
https://linux.oracle.com/errata/ELBA-2024-12391.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
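As an added example that is not part of the Oracle announcement, the script below turns the two paragraphs above into a check an administrator can run before deciding whether a manual uptrack-upgrade is still needed: it confirms the running kernel is a UEKR6 5.4.17 build and reads the autoinstall setting from uptrack.conf. Assumptions: uptrack.conf uses "key = value" lines as the announcement shows; UEK release strings follow the "5.4.17-<build>.el7uek"/".el8uek" pattern; the config path and release string are parameters so the functions can be exercised against constructed sample input.

```shell
#!/bin/sh
# Added example, not Oracle's code. Decides whether a host still needs a manual
# "uptrack-upgrade -y" for this errata, based on the announcement's two conditions.

# uek_r6_release RELEASE -> exit 0 if RELEASE looks like a UEKR6 5.4.17 kernel on OL7/OL8.
# Assumption: release strings have the form 5.4.17-<build>.el7uek.<arch> or ...el8uek.<arch>.
uek_r6_release() {
    case "$1" in
        5.4.17-*.el7uek.*|5.4.17-*.el8uek.*) return 0 ;;
        *) return 1 ;;
    esac
}

# uptrack_autoinstall FILE -> prints "yes" if autoinstall is enabled, otherwise "no".
# Assumption: the file uses "autoinstall = yes" style lines; '#' starts a comment.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 0; }
    # Take the last uncommented autoinstall line; the value stops at whitespace or '#'.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) echo "yes" ;;
        *) echo "no" ;;
    esac
}

# ksplice_action RELEASE FILE -> "not-applicable", "automatic" or "manual".
ksplice_action() {
    if ! uek_r6_release "$1"; then
        echo "not-applicable"
    elif [ "$(uptrack_autoinstall "$2")" = "yes" ]; then
        echo "automatic"
    else
        echo "manual"
    fi
}

# Constructed sample config standing in for /etc/uptrack/uptrack.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample uptrack.conf
[Settings]
autoinstall = yes
EOF

# Constructed sample release string (a real host would use "$(uname -r)").
SAMPLE_RELEASE="5.4.17-2136.0.0.el8uek.x86_64"

echo "action for $SAMPLE_RELEASE: $(ksplice_action "$SAMPLE_RELEASE" "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```

On a live host, replace the sample release with `uname -r` and drop the second argument so the default /etc/uptrack/uptrack.conf is read; "manual" means the uptrack-upgrade command above still has to be run, "automatic" means Uptrack will apply the updates on its own.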


DESCRIPTION

* CVE-2023-52644: Denial-of-service in Broadcom B43 wireless driver.

During DMA transmission in the Broadcom B43 wireless driver, an
incorrect priority queue value can be set when QoS is disabled.
This can lead to an attempt to select a non-existent queue
instead of the queue that should be stopped or woken up. A local
attacker can exploit this flaw to cause a denial-of-service or
aid in other types of attacks.


* CVE-2023-7042: Denial-of-service in Atheros WiFi driver.

Failure to check the existence of a TLV before accessing it when
handling management tx complete events in the Atheros WiFi driver
can lead to a null-pointer dereference. A local attacker can exploit
this flaw to cause a denial-of-service.


* CVE-2024-0841, CVE-2024-26688: Denial-of-service when configuring a HugeTLB file system.

A logic error when configuring a HugeTLB file system using the fsconfig
syscall could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2024-26763: Data corruption using dm-crypt.

A logic error in the dm-crypt driver when reading data while encrypting it
could lead to data corruption. A local attacker could use this flaw to
corrupt data.


* CVE-2024-26766: Out-of-bounds write in Intel OPA Gen1 adapter driver.

A logical error in the Intel OPA Gen1 adapter driver can lead to an
off-by-one error and an out-of-bounds write, which can be triggered
by a simple sendmsg() syscall. A local attacker can exploit this flaw
to cause a denial-of-service or privilege escalation.


* CVE-2024-26778: Denial-of-service when using S3 Savage framebuffer driver.

A missing check on user input in the S3 Savage framebuffer ioctl
could lead to a divide-by-zero error. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2024-26791: Information leak when using btrfs replace.

An invalid check on user input when using the btrfs replace command could
lead to an out-of-bounds access. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* CVE-2024-26804: Denial-of-service in IPv4 networking stack.

A logical error in the IPv4 networking stack can lead to the continuous
increase of the headroom size in a socket buffer, eventually leading to a
use-after-free. A local attacker can exploit this flaw to cause a
denial-of-service.


* CVE-2024-26805: Information leak in Netlink driver during packet creation.

An incorrect buffer length calculation when creating new packets in
the Netlink driver causes uninitialized memory to be copied into a
packet buffer. This flaw could be exploited to leak sensitive
information from the running kernel.


* CVE-2024-26816: Information leak in /sys/kernel/notes for x86 systems.

An unprivileged attacker can read /sys/kernel/notes, which contains
relocations of Xen variables. As the System.map file is also readable
by an unprivileged attacker, KASLR can be bypassed: the attacker
can find out the relative offsets and combine them with the Xen
relocation address to find the address of any kernel symbol, which
can facilitate an attack such as privilege escalation.


* CVE-2024-26840: Denial-of-service when using caching filesystem.

A missing free of resources when unbinding the caching filesystem
(/dev/cachefiles) could lead to a memory leak. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2024-26851: Denial-of-service in Network packet filtering framework.

A missing check when using the network packet filtering framework
(Netfilter) could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service or facilitate an
attack.


* CVE-2024-26852: Privilege escalation when using IPV6 multipath routes.

A logic error when using IPv6 multipath routes could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges.


* CVE-2024-26855: Denial-of-service in Intel Ethernet Connection E800 Series driver.

Due to a logical error, a null-pointer dereference is possible in the
Intel Ethernet Connection E800 Series driver. A local attacker can
exploit this flaw to cause a denial-of-service.


* CVE-2024-26857: Information leak in Generic Network Virtualization Encapsulation driver.

During reception of packets in the GENEVE driver, uninitialised memory can
be accessed due to incorrect handling of the socket buffer headers.
An attacker (local or remote) can exploit this flaw to access sensitive
information from kernel memory or facilitate an attack.


* CVE-2024-26859: Denial-of-service in Broadcom NetXtremeII 10Gb driver.

Error handling logic in the Broadcom NetXtremeII 10Gb driver can lead
to a race between the timeout and reset code paths, leading to a
null-pointer dereference when attempting to free an already freed
pointer. A local attacker can exploit this flaw to cause a
denial-of-service.


* CVE-2024-26862: Data race in Packet protocol stack and core net subsystem.

An "ignore_outgoing" flag set during the setting of socket options
can race with reading the same flag in other places in the Packet
protocol stack and the core net subsystem. A local attacker can
exploit this flaw to cause a denial-of-service or aid in other
types of attacks.


* CVE-2024-26863: Information leak in HSR networking stack.

A missing check for the HSR tag after the Ethernet header in the
High-availability Seamless Redundancy networking stack can lead
to accessing uninitialised memory. An attacker (local or remote)
can exploit this flaw to extract sensitive information from
kernel memory or facilitate an attack.


* CVE-2024-26875: Use-after-free in Hauppauge WinTV-PVR USB2 driver.

A race can happen in the Hauppauge WinTV-PVR USB2 driver between a
context disconnect and a check in another thread, leading to a
use-after-free. A local attacker can exploit this flaw to cause a
denial-of-service, privilege escalation, or run arbitrary code.


* CVE-2024-26878: Denial-of-service in disk quota support in fs core.

A race between inode freeing and quota_off in the disk quota support
code of the core fs subsystem can lead to a null-pointer dereference. A
local attacker can exploit this flaw to cause a denial-of-service.


* CVE-2024-26882: Information leak in IP tunneling stack.

During reception of packets in the IP tunneling stack, uninitialised memory
can be accessed due to incorrect handling of the socket buffer headers.
An attacker (local or remote) can exploit this flaw to access
sensitive information from kernel memory or facilitate an attack.


* CVE-2024-26889: Out-of-bounds write in core Bluetooth subsystem.

When using the HCIGETDEVINFO ioctl command, a buffer overflow is
possible if the device name is longer than expected. A remote
attacker can exploit this flaw to cause a denial-of-service or
privilege escalation.


* CVE-2024-26901: Information leak in file handle syscalls.

Incorrect initialisation in the file handle code of the core fs subsystem
can lead to an information leak. A local attacker can exploit this flaw to
extract sensitive information from kernel memory or aid in other
types of attacks.


* CVE-2024-27388: Resource leak in SUNRPC networking stack.

There is a missing free in the SUNRPC stack's GSS Proxy upcall module.
A local attacker can exploit this flaw to cause a denial-of-service.


* CVE-2024-27414: Out-of-bounds write in core net subsystem.

A logical error when handling rtnetlink RTM_SETLINK messages (which
modify link configuration on behalf of a user) in the core net
subsystem can lead to an out-of-bounds write. A local attacker with
the necessary privileges can exploit this flaw to cause a
denial-of-service or privilege escalation.


* CVE-2024-27417: Resource exhaustion in IPv6 networking stack.

A logical error in the IPv6 networking stack when handling malformed
arguments given by userspace in RTM_GETADDR messages can lead to
a resource leak. A local attacker can exploit this flaw to cause
resource exhaustion and thus a denial-of-service.


* CVE-2024-27436: Out-of-bounds write in ALSA USB driver.

Due to a missing bounds check on the number of channels in the USB audio
driver for ALSA, an out-of-bounds write is possible. A local attacker
can exploit this flaw to cause a denial-of-service or privilege
escalation.


* CVE-2024-35807: Data corruption in ext4 filesystem.

A logical error in the ext4 filesystem when doing an online resize
across an 8 GiB boundary can lead to data corruption. A privileged
attacker can exploit this flaw to cause data loss and corruption.

Orabug: 36342902


* CVE-2024-35828: Resource leak in Marvell 8xxx Libertas WLAN driver.

A missing free in the Marvell 8xxx Libertas WLAN driver when allocating
command buffers (typically done during device add) leads to a
resource leak. A local or physical attacker can exploit this flaw
to cause a denial-of-service.


* CVE-2024-35830: Denial-of-service in Toshiba TC358743 decoder driver.

Incorrect setup in the Toshiba TC358743 decoder driver allows userspace
access to the async sub-device before the setup has completed
successfully. A local attacker can exploit this flaw to cause a
denial-of-service or aid in other types of attacks.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
