Arch Linux Security Advisory ASA-201702-17
=========================================
Severity: High
Date    : 2017-02-22
CVE-ID  : CVE-2016-10088 CVE-2016-9588 CVE-2017-5986 CVE-2017-6074
Package : linux
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-178

Summary
======
The package linux before version 4.9.11-1 is vulnerable to multiple
issues including privilege escalation and denial of service.

Resolution
=========
Upgrade to 4.9.11-1.

# pacman -Syu "linux>=4.9.11-1"

The problems have been fixed upstream in version 4.9.11.

Workaround
=========
None.

Description
==========
- CVE-2016-10088 (privilege escalation)

The sg implementation in the Linux kernel through 4.9 does not properly
restrict write operations in situations where the KERNEL_DS option is
set, which allows local users to read or write to arbitrary kernel
memory locations or cause a denial of service (use-after-free) by
leveraging access to a /dev/sg device, related to block/bsg.c and
drivers/scsi/sg.c. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2016-9576.

- CVE-2016-9588 (denial of service)

Linux kernel built with the KVM visualization support (CONFIG_KVM),
with nested visualization(nVMX) feature enabled(nested=1), is
vulnerable to an uncaught exception issue. It could occur if an L2
guest was to throw an exception which is not handled by an L1 guest.

- CVE-2017-5986 (denial of service)

It was reported that with Linux kernel, earlier than version v4.10-rc8,
an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the
socket tx buffer is full, a thread is waiting on it to queue more data,
and meanwhile another thread peels off the association being used by
the first thread. This issue may then lead to a segmentation fault
resulting in denial of service.

- CVE-2017-6074 (privilege escalation)

A use-after-free vulnerability has been discovered in the DCCP
implementation in the Linux kernel. The dccp_rcv_state_process function
in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles
DCCP_PKT_REQUEST packet data structures in the LISTEN state. A local
unprivileged user could use this flaw to alter the kernel memory,
allowing them to escalate their privileges on the system via an
application that makes an IPV6_RECVPKTINFO setsockopt system call.

Impact
=====
A local unprivileged attacker is able to perform a denial of service
attack or escalate their privileges on the system.

References
=========
https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90
https://seclists.org/oss-sec/2017/q1/432
https://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
https://patchwork.ozlabs.org/project/netdev/patch/20170216162246.12783-1-andreyknvl@google.com/
https://security.archlinux.org/CVE-2016-10088
https://security.archlinux.org/CVE-2016-9588
https://security.archlinux.org/CVE-2017-5986
https://security.archlinux.org/CVE-2017-6074

ArchLinux: 201702-17: linux: multiple issues

February 22, 2017

Summary

- CVE-2016-10088 (privilege escalation) The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
- CVE-2016-9588 (denial of service)
Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled(nested=1), is vulnerable to an uncaught exception issue. It could occur if an L2 guest was to throw an exception which is not handled by an L1 guest.
- CVE-2017-5986 (denial of service)
It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. This issue may then lead to a segmentation fault resulting in denial of service.
- CVE-2017-6074 (privilege escalation)
A use-after-free vulnerability has been discovered in the DCCP implementation in the Linux kernel. The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state. A local unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

Resolution

Upgrade to 4.9.11-1. # pacman -Syu "linux>=4.9.11-1"
The problems have been fixed upstream in version 4.9.11.

References

https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90 https://seclists.org/oss-sec/2017/q1/432 https://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 https://patchwork.ozlabs.org/project/netdev/patch/20170216162246.12783-1-andreyknvl@google.com/ https://security.archlinux.org/CVE-2016-10088 https://security.archlinux.org/CVE-2016-9588 https://security.archlinux.org/CVE-2017-5986 https://security.archlinux.org/CVE-2017-6074

Severity
Package : linux
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-178

Workaround

None.

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved