Debian: DSA-4187-1: linux security update

    Date01 May 2018
    CategoryDebian
    3584
    Posted ByAnthony Pell
    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-4187-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.debian.org/security/                            Ben Hutchings
    May 01, 2018                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : linux
    CVE ID         : CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753
                     CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911
                     CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
                     CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241
                     CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332
                     CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
                     CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757
                     CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004
                     CVE-2018-1000199
    
    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2015-9016
    
        Ming Lei reported a race condition in the multiqueue block layer
        (blk-mq).  On a system with a driver using blk-mq (mtip32xx,
        null_blk, or virtio_blk), a local user might be able to use this
        for denial of service or possibly for privilege escalation.
    
    CVE-2017-0861
    
        Robb Glasser reported a potential use-after-free in the ALSA (sound)
        PCM core.  We believe this was not possible in practice.
    
    CVE-2017-5715
    
        Multiple researchers have discovered a vulnerability in various
        processors supporting speculative execution, enabling an attacker
        controlling an unprivileged process to read memory from arbitrary
        addresses, including from the kernel and all other processes
        running on the system.
    
        This specific attack has been named Spectre variant 2 (branch
        target injection) and is mitigated for the x86 architecture (amd64
        and i386) by using the "retpoline" compiler feature which allows
        indirect branches to be isolated from speculative execution.
    
    CVE-2017-5753
    
        Multiple researchers have discovered a vulnerability in various
        processors supporting speculative execution, enabling an attacker
        controlling an unprivileged process to read memory from arbitrary
        addresses, including from the kernel and all other processes
        running on the system.
    
        This specific attack has been named Spectre variant 1
        (bounds-check bypass) and is mitigated by identifying vulnerable
        code sections (array bounds checking followed by array access) and
        replacing the array access with the speculation-safe
        array_index_nospec() function.
    
        More use sites will be added over time.
    
    CVE-2017-13166
    
        A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
        code has been found. Memory protections ensuring user-provided
        buffers always point to userland memory were disabled, allowing
        destination addresses to be in kernel space. On a 64-bit kernel a
        local user with access to a suitable video device can exploit this
        to overwrite kernel memory, leading to privilege escalation.
    
    CVE-2017-13220
    
        Al Viro reported that the Bluetooth HIDP implementation could
        dereference a pointer before performing the necessary type check.
        A local user could use this to cause a denial of service.
    
    CVE-2017-16526
    
        Andrey Konovalov reported that the UWB subsystem may dereference
        an invalid pointer in an error case.  A local user might be able
        to use this for denial of service.
    
    CVE-2017-16911
    
        Secunia Research reported that the USB/IP vhci_hcd driver exposed
        kernel heap addresses to local users.  This information could aid the
        exploitation of other vulnerabilities.
    
    CVE-2017-16912
    
        Secunia Research reported that the USB/IP stub driver failed to
        perform a range check on a received packet header field, leading
        to an out-of-bounds read.  A remote user able to connect to the
        USB/IP server could use this for denial of service.
    
    CVE-2017-16913
    
        Secunia Research reported that the USB/IP stub driver failed to
        perform a range check on a received packet header field, leading
        to excessive memory allocation.  A remote user able to connect to
        the USB/IP server could use this for denial of service.
    
    CVE-2017-16914
    
        Secunia Research reported that the USB/IP stub driver failed to
        check for an invalid combination of fields in a received packet,
        leading to a null pointer dereference.  A remote user able to
        connect to the USB/IP server could use this for denial of service.
    
    CVE-2017-18017
    
        Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
        failed to validate TCP header lengths, potentially leading to a
        use-after-free.  If this module is loaded, it could be used by a
        remote attacker for denial of service or possibly for code
        execution.
    
    CVE-2017-18203
    
        Hou Tao reported that there was a race condition in creation and
        deletion of device-mapper (DM) devices.  A local user could
        potentially use this for denial of service.
    
    CVE-2017-18216
    
        Alex Chen reported that the OCFS2 filesystem failed to hold a
        necessary lock during nodemanager sysfs file operations,
        potentially leading to a null pointer dereference.  A local user
        could use this for denial of service.
    
    CVE-2017-18232
    
        Jason Yan reported a race condition in the SAS (Serial-Attached
        SCSI) subsystem, between probing and destroying a port.  This
        could lead to a deadlock.  A physically present attacker could
        use this to cause a denial of service.
    
    CVE-2017-18241
    
        Yunlei He reported that the f2fs implementation does not properly
        initialise its state if the "noflush_merge" mount option is used.
        A local user with access to a filesystem mounted with this option
        could use this to cause a denial of service.
    
    CVE-2018-1066
    
        Dan Aloni reported to Red Hat that the CIFS client implementation
        would dereference a null pointer if the server sent an invalid
        response during NTLMSSP setup negotiation.  This could be used
        by a malicious server for denial of service.
    
    CVE-2018-1068
    
        The syzkaller tool found that the 32-bit compatibility layer of
        ebtables did not sufficiently validate offset values. On a 64-bit
        kernel, a local user with the CAP_NET_ADMIN capability (in any user
        namespace) could use this to overwrite kernel memory, possibly
        leading to privilege escalation. Debian disables unprivileged user
        namespaces by default.
    
    CVE-2018-1092
    
        Wen Xu reported that a crafted ext4 filesystem image would
        trigger a null dereference when mounted.  A local user able
        to mount arbitrary filesystems could use this for denial of
        service.
    
    CVE-2018-5332
    
        Mohamed Ghannam reported that the RDS protocol did not
        sufficiently validate RDMA requests, leading to an out-of-bounds
        write.  A local attacker on a system with the rds module loaded
        could use this for denial of service or possibly for privilege
        escalation.
    
    CVE-2018-5333
    
        Mohamed Ghannam reported that the RDS protocol did not properly
        handle an error case, leading to a null pointer dereference.  A
        local attacker on a system with the rds module loaded could
        possibly use this for denial of service.
    
    CVE-2018-5750
    
        Wang Qize reported that the ACPI sbshc driver logged a kernel heap
        address.  This information could aid the exploitation of other
        vulnerabilities.
    
    CVE-2018-5803
    
        Alexey Kodanev reported that the SCTP protocol did not range-check
        the length of chunks to be created.  A local or remote user could
        use this to cause a denial of service.
    
    CVE-2018-6927
    
        Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did
        not check for negative parameter values, which might lead to a
        denial of service or other security impact.
    
    CVE-2018-7492
    
        The syzkaller tool found that the RDS protocol was lacking a null
        pointer check.  A local attacker on a system with the rds module
        loaded could use this for denial of service.
    
    CVE-2018-7566
    
        Fan LongFei reported a race condition in the ALSA (sound)
        sequencer core, between write and ioctl operations.  This could
        lead to an out-of-bounds access or use-after-free.  A local user
        with access to a sequencer device could use this for denial of
        service or possibly for privilege escalation.
    
    CVE-2018-7740
    
        Nic Losby reported that the hugetlbfs filesystem's mmap operation
        did not properly range-check the file offset.  A local user with
        access to files on a hugetlbfs filesystem could use this to cause
        a denial of service.
    
    CVE-2018-7757
    
        Jason Yan reported a memory leak in the SAS (Serial-Attached
        SCSI) subsystem.  A local user on a system with SAS devices
        could use this to cause a denial of service.
    
    CVE-2018-7995
    
        Seunghun Han reported a race condition in the x86 MCE
        (Machine Check Exception) driver.  This is unlikely to have
        any security impact.
    
    CVE-2018-8781
    
        Eyal Itkin reported that the udl (DisplayLink) driver's mmap
        operation did not properly range-check the file offset.  A local
        user with access to a udl framebuffer device could exploit this to
        overwrite kernel memory, leading to privilege escalation.
    
    CVE-2018-8822
    
        Dr Silvio Cesare of InfoSect reported that the ncpfs client
        implementation did not validate reply lengths from the server.  An
        ncpfs server could use this to cause a denial of service or
        remote code execution in the client.
    
    CVE-2018-1000004
    
        Luo Quan reported a race condition in the ALSA (sound) sequencer
        core, between multiple ioctl operations.  This could lead to a
        deadlock or use-after-free.  A local user with access to a
        sequencer device could use this for denial of service or possibly
        for privilege escalation.
    
    CVE-2018-1000199
    
        Andy Lutomirski discovered that the ptrace subsystem did not
        sufficiently validate hardware breakpoint settings.  Local users
        can use this to cause a denial of service, or possibly for
        privilege escalation, on x86 (amd64 and i386) and possibly other
        architectures.
    
    For the oldstable distribution (jessie), these problems have been fixed
    in version 3.16.56-1.
    
    We recommend that you upgrade your linux packages.
    
    For the detailed security status of linux please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/linux
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    Advisories

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"64","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.39,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.46,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.