Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Linux)  >   Ping Vendors:
(Oracle Issues Fix for Oracle Linux) Linux ping Use-After-Free Memory Error Lets Local Users Deny Service and Gain Elevated Privileges
SecurityTracker Alert ID:  1033200
SecurityTracker URL:
CVE Reference:   CVE-2015-3636   (Links to External Site)
Date:  Aug 6 2015
Impact:   Denial of service via local system, Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Oracle Linux 7
Description:   A vulnerability was reported in Linux ping. A local user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system.

A local user can make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocols and then make a connect() system call after a disconnect to trigger a use-after-free in the ping_unhash() function to execute arbitrary code or cause the system to crash.

Impact:   A local user can cause the target system to crash.

A local user can obtain root privileges on the target system.

Solution:   Oracle has issued a fix for Oracle Linux.

The Oracle Linux advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
Aug 6 2015 Linux ping Use-After-Free Memory Error Lets Local Users Deny Service and Gain Elevated Privileges

 Source Message Contents

Subject:  [El-errata] ELSA-2015-1534 Moderate: Oracle Linux 7 kernel security and bug fix update

Oracle Linux Security Advisory ELSA-2015-1534

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Oracle Linux certificates (Alexey Petrenko)

- [fs] Fixing lease renewal (Steve Dickson) [1226328 1205048]
- [fs] revert "nfs: Fixing lease renewal" (Carlos Maiolino) [1226328 
- [redhat] spec: Update dracut dependency to 033-241.[el7|ael7b]_1.5 
(Phillip Lougher) [1241571 1241344]

- [redhat] spec: Update dracut dependency to pull in drbg module 
(Phillip Lougher) [1241571 1241344]

- [crypto] krng: Remove krng (Herbert Xu) [1238210 1229738]
- [crypto] drbg: Add stdrng alias and increase priority (Herbert Xu) 
[1238210 1229738]
- [crypto] seqiv: Move IV seeding into init function (Herbert Xu) 
[1238210 1229738]
- [crypto] eseqiv: Move IV seeding into init function (Herbert Xu) 
[1238210 1229738]
- [crypto] chainiv: Move IV seeding into init function (Herbert Xu) 
[1238210 1229738]
- [s390] crypto: ghash - Fix incorrect ghash icv buffer handling 
(Herbert Xu) [1238211 1207598]
- [kernel] module: Call module notifier on failure after 
complete_formation() (Bandan Das) [1238937 1236273]
- [net] ipv4: kABI fix for 0bbf87d backport (Aristeu Rozanski) [1238208 
- [net] ipv4: Convert ipv4.ip_local_port_range to be per netns (Aristeu 
Rozanski) [1238208 1184764]
- [of] Eliminate of_allnodes list (Gustavo Duarte) [1236983 1210533]
- [scsi] ipr: Increase default adapter init stage change timeout (Steve 
Best) [1236139 1229217]
- [fs] libceph: fix double __remove_osd() problem (Sage Weil) [1236462 
- [fs] ext4: fix data corruption caused by unwritten and delayed extents 
(Lukas Czerner) [1235563 1213487]
- [kernel] watchdog: update watchdog_thresh properly (Ulrich Obergfell) 
[1223924 1216074]
- [kernel] watchdog: update watchdog attributes atomically (Ulrich 
Obergfell) [1223924 1216074]
- [virt] kvm: ensure hard lockup detection is disabled by default 
(Andrew Jones) [1236461 1111262]
- [watchdog] control hard lockup detection default (Andrew Jones) 
[1236461 1111262]
- [watchdog] Fix print-once on enable (Andrew Jones) [1236461 1111262]

- [fs] fs-cache: The retrieval remaining-pages counter needs to be 
atomic_t (David Howells) [1231809 1130457]
- [net] libceph: tcp_nodelay support (Sage Weil) [1231803 1197952]
- [powerpc] pseries: Simplify check for suspendability during 
suspend/migration (Gustavo Duarte) [1231638 1207295]
- [powerpc] pseries: Introduce api_version to migration sysfs interface 
(Gustavo Duarte) [1231638 1207295]
- [powerpc] pseries: Little endian fixes for post mobility device tree 
update (Gustavo Duarte) [1231638 1207295]
- [fs] sunrpc: Add missing support for 
RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT (Steve Dickson) [1227825 1111712]
- [fs] nfs: Fixing lease renewal (Benjamin Coddington) [1226328 1205048]
- [powerpc] iommu: ddw: Fix endianness (Steve Best) [1224406 1189040]
- [usb] fix use-after-free bug in usb_hcd_unlink_urb() (Don Zickus) 
[1223239 1187256]
- [net] ipv4: Missing sk_nulls_node_init() in ping_unhash() (Denys 
Vlasenko) [1218104 1218105] {CVE-2015-3636}
- [net] nf_conntrack: reserve two bytes for nf_ct_ext->len (Marcelo 
Leitner) [1211096 1206164] {CVE-2014-9715}
- [net] ipv6: Don't reduce hop limit for an interface (Denys Vlasenko) 
[1208494 1208496] {CVE-2015-2922}
- [x86] kernel: execution in the early microcode loader (Jacob 
Tanenbaum) [1206829 1206830] {CVE-2015-2666}
- [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth 
Jennings) [1202861 1198843] {CVE-2015-1805}

El-errata mailing list

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC