Debian LTS: DLA-3065-1: linux security update | LinuxSecurity.com

Advisories

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3065-1                [email protected]
https://www.debian.org/lts/security/                        Ben Hutchings
June 30, 2022                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : linux
Version        : 4.9.320-2
CVE ID         : CVE-2018-1108 CVE-2021-4149 CVE-2021-39713 CVE-2022-0494
                 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012
                 CVE-2022-1016 CVE-2022-1198 CVE-2022-1199 CVE-2022-1353
                 CVE-2022-1516 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974
                 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123 CVE-2022-21125
                 CVE-2022-21166 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038
                 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042
                 CVE-2022-23960 CVE-2022-24958 CVE-2022-26490 CVE-2022-26966
                 CVE-2022-27223 CVE-2022-28356 CVE-2022-28390 CVE-2022-30594
                 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981
Debian Bug     : 922204

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

This update is unfortunately not available for the armel architecture.

CVE-2018-1108

    It was discovered that the random driver could generate random
    bytes through /dev/random and the getrandom() system call before
    gathering enough entropy that these would be unpredictable.  This
    could compromise the confidentiality and integrity of encrypted
    communications.

    The original fix for this issue had to be reverted because it
    caused the boot process to hang on many systems.  In this version,
    the random driver has been updated, making it more effective in
    gathering entropy without needing a hardware RNG.

CVE-2021-4149

    Hao Sun reported a flaw in the Btrfs fileysstem driver. There
    is a potential lock imbalance in an error path.  A local user
    might be able to exploit this for denial of service.

CVE-2021-39713

    The syzbot tool found a race condition in the network scheduling
    subsystem which could lead to a use-after-free.  A local user
    could exploit this for denial of service (memory corruption or
    crash) or possibly for privilege escalation.

CVE-2022-0494

    The scsi_ioctl() was susceptible to an information leak only
    exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO
    capabilities.

CVE-2022-0812

    It was discovered that the RDMA transport for NFS (xprtrdma)
    miscalculated the size of message headers, which could lead to a
    leak of sensitive information between NFS servers and clients.

CVE-2022-0854

    Ali Haider discovered a potential information leak in the DMA
    subsystem. On systems where the swiotlb feature is needed, this
    might allow a local user to read sensitive information.

CVE-2022-1011

    Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space)
    implementation. A local user permitted to mount FUSE filesystems
    could exploit this to cause a use-after-free and read sensitive
    information.

CVE-2022-1012, CVE-2022-32296

    Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness
    in randomisation of TCP source port selection.

CVE-2022-1016

    David Bouman discovered a flaw in the netfilter subsystem where
    the nft_do_chain function did not initialize register data that
    nf_tables expressions can read from and write to. A local attacker
    can take advantage of this to read sensitive information.

CVE-2022-1198

    Duoming Zhou discovered a race condition in the 6pack hamradio
    driver, which could lead to a use-after-free. A local user could
    exploit this to cause a denial of service (memory corruption or
    crash) or possibly for privilege escalation.

CVE-2022-1199

    Duoming Zhou discovered race conditions in the AX.25 hamradio
    protocol, which could lead to a use-after-free or null pointer
    dereference. A local user could exploit this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation.

CVE-2022-1353

    The TCS Robot tool found an information leak in the PF_KEY
    subsystem. A local user can receive a netlink message when an
    IPsec daemon registers with the kernel, and this could include
    sensitive information.

CVE-2022-1516

    A NULL pointer dereference flaw in the implementation of the X.25
    set of standardized network protocols, which can result in denial
    of service.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2022-1729

    Norbert Slusarek discovered a race condition in the perf subsystem
    which could result in local privilege escalation to root. The
    default settings in Debian prevent exploitation unless more
    permissive settings have been applied in the
    kernel.perf_event_paranoid sysctl.

CVE-2022-1734

    Duoming Zhou discovered race conditions in the nfcmrvl NFC driver
    that could lead to a use-after-free, double-free or null pointer
    dereference. A local user might be able to exploit these for
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2022-1974, CVE-2022-1975

    Duoming Zhou discovered that the NFC netlink interface was
    suspectible to denial of service.

CVE-2022-2153

    "kangel" reported a flaw in the KVM implementation for x86
    processors which could lead to a null pointer dereference. A local
    user permitted to access /dev/kvm could exploit this to cause a
    denial of service (crash).

CVE-2022-21123, CVE-2022-21125, CVE-2022-21166

    Various researchers discovered flaws in Intel x86 processors,
    collectively referred to as MMIO Stale Data vulnerabilities.
    These are similar to the previously published Microarchitectural
    Data Sampling (MDS) issues and could be exploited by local users
    to leak sensitive information.

    For some CPUs, the mitigations for these issues require updated
    microcode.  An updated intel-microcode package may be provided at
    a later date.  The updated CPU microcode may also be available as
    part of a system firmware ("BIOS") update.

    Further information on the mitigation can be found at
    
    or in the linux-doc-4.9 package.

CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23040, CVE-2022-23041, CVE-2022-23042 (XSA-396)

    Demi Marie Obenour and Simon Gaiser of Invisible Things Lab
    discovered flaws in several Xen PV device frontends. These drivers
    misused the Xen grant table API in a way that could be exploited
    by a malicious device backend to cause data corruption, leaks of
    sensitive information, or a denial of service (crash).

CVE-2022-23960

    Researchers at VUSec discovered that the Branch History Buffer in
    Arm processors can be exploited to create information side-
    channels with speculative execution.  This issue is similar to
    Spectre variant 2, but requires additional mitigations on some
    processors.

    This can be exploited to obtain sensitive information from a
    different security context, such as from user-space to the kernel,
    or from a KVM guest to the kernel.

CVE-2022-24958

    A flaw was discovered that the USB gadget subsystem that could
    lead to a use-after-free. A local user permitted to configure USB
    gadgets could exploit this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2022-26490

    Buffer overflows in the STMicroelectronics ST21NFCA core driver
    can result in denial of service or privilege escalation.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2022-26966

    A flaw was discovered in the sr9700 USB networking driver. A local
    user able to attach a specially designed USB device could use this
    to leak sensitive information.

CVE-2022-27223

    A flaw was discovered in the udc-xilinx USB gadget-mode controller
    driver. On systems using this driver, a malicious USB host could
    exploit this to cause a denial of service (crash or memory
    corruption) or possibly to execute arbitrary code.

    This driver is not enabled in Debian's official kernel
    configurations.

CVE-2022-28356

    "Beraphin" discovered that the ANSI/IEEE 802.2 LLC type 2 driver did
    not properly perform reference counting on some error paths. A
    local attacker can take advantage of this flaw to cause a denial
    of service.

CVE-2022-28390

    A double free vulnerability was discovered in the EMS CPC-USB/ARM7
    CAN/USB interface driver.

CVE-2022-30594

    Jann Horn discovered a flaw in the interaction between ptrace and
    seccomp subsystems. A process sandboxed using seccomp() but still
    permitted to use ptrace() could exploit this to remove the seccomp
    restrictions.

CVE-2022-32250

    Aaron Adams discovered a use-after-free in Netfilter which may
    result in local privilege escalation to root.

CVE-2022-33981

    Yuan Ming from Tsinghua University reported a a race condition in
    the floppy driver involving use of the FDRAWCMD ioctl, which could
    lead to a use-after-free. A local user with access to a floppy
    drive device could exploit this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.
    This ioctl is now disabled by default.

For Debian 9 stretch, these problems have been fixed in version
4.9.320-2.

For the armhf architecture, this update enables optimised
implementations of several cryptographic and CRC algorithms.  For at
least AES, this should remove a timing side-channel that could lead to
a leak of sensitive information.

This update includes many more bug fixes from stable updates
4.9.304-4.9.320 inclusive.  The random driver has been backported from
Linux 5.19, fixing numerous performance and correctness issues.  Some
changes will be visible:

- The entropy pool size is now 256 bits instead of 4096.  You may need
  to adjust the configuration of system monitoring or user-space
  entropy gathering services to allow for this.

- On systems without a hardware RNG, the kernel will log many more
  uses of /dev/urandom before it is fully initialised.  These uses
  were previously under-counted and this is not a regression.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3065-1: linux security update

July 1, 2022
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks

Summary

This update is unfortunately not available for the armel architecture.

CVE-2018-1108

It was discovered that the random driver could generate random
bytes through /dev/random and the getrandom() system call before
gathering enough entropy that these would be unpredictable. This
could compromise the confidentiality and integrity of encrypted
communications.

The original fix for this issue had to be reverted because it
caused the boot process to hang on many systems. In this version,
the random driver has been updated, making it more effective in
gathering entropy without needing a hardware RNG.

CVE-2021-4149

Hao Sun reported a flaw in the Btrfs fileysstem driver. There
is a potential lock imbalance in an error path. A local user
might be able to exploit this for denial of service.

CVE-2021-39713

The syzbot tool found a race condition in the network scheduling
subsystem which could lead to a use-after-free. A local user
could exploit this for denial of service (memory corruption or
crash) or possibly for privilege escalation.

CVE-2022-0494

The scsi_ioctl() was susceptible to an information leak only
exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO
capabilities.

CVE-2022-0812

It was discovered that the RDMA transport for NFS (xprtrdma)
miscalculated the size of message headers, which could lead to a
leak of sensitive information between NFS servers and clients.

CVE-2022-0854

Ali Haider discovered a potential information leak in the DMA
subsystem. On systems where the swiotlb feature is needed, this
might allow a local user to read sensitive information.

CVE-2022-1011

Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space)
implementation. A local user permitted to mount FUSE filesystems
could exploit this to cause a use-after-free and read sensitive
information.

CVE-2022-1012, CVE-2022-32296

Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness
in randomisation of TCP source port selection.

CVE-2022-1016

David Bouman discovered a flaw in the netfilter subsystem where
the nft_do_chain function did not initialize register data that
nf_tables expressions can read from and write to. A local attacker
can take advantage of this to read sensitive information.

CVE-2022-1198

Duoming Zhou discovered a race condition in the 6pack hamradio
driver, which could lead to a use-after-free. A local user could
exploit this to cause a denial of service (memory corruption or
crash) or possibly for privilege escalation.

CVE-2022-1199

Duoming Zhou discovered race conditions in the AX.25 hamradio
protocol, which could lead to a use-after-free or null pointer
dereference. A local user could exploit this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2022-1353

The TCS Robot tool found an information leak in the PF_KEY
subsystem. A local user can receive a netlink message when an
IPsec daemon registers with the kernel, and this could include
sensitive information.

CVE-2022-1516

A NULL pointer dereference flaw in the implementation of the X.25
set of standardized network protocols, which can result in denial
of service.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-1729

Norbert Slusarek discovered a race condition in the perf subsystem
which could result in local privilege escalation to root. The
default settings in Debian prevent exploitation unless more
permissive settings have been applied in the
kernel.perf_event_paranoid sysctl.

CVE-2022-1734

Duoming Zhou discovered race conditions in the nfcmrvl NFC driver
that could lead to a use-after-free, double-free or null pointer
dereference. A local user might be able to exploit these for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-1974, CVE-2022-1975

Duoming Zhou discovered that the NFC netlink interface was
suspectible to denial of service.

CVE-2022-2153

"kangel" reported a flaw in the KVM implementation for x86
processors which could lead to a null pointer dereference. A local
user permitted to access /dev/kvm could exploit this to cause a
denial of service (crash).

CVE-2022-21123, CVE-2022-21125, CVE-2022-21166

Various researchers discovered flaws in Intel x86 processors,
collectively referred to as MMIO Stale Data vulnerabilities.
These are similar to the previously published Microarchitectural
Data Sampling (MDS) issues and could be exploited by local users
to leak sensitive information.

For some CPUs, the mitigations for these issues require updated
microcode. An updated intel-microcode package may be provided at
a later date. The updated CPU microcode may also be available as
part of a system firmware ("BIOS") update.

Further information on the mitigation can be found at

or in the linux-doc-4.9 package.

CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23040, CVE-2022-23041, CVE-2022-23042 (XSA-396)

Demi Marie Obenour and Simon Gaiser of Invisible Things Lab
discovered flaws in several Xen PV device frontends. These drivers
misused the Xen grant table API in a way that could be exploited
by a malicious device backend to cause data corruption, leaks of
sensitive information, or a denial of service (crash).

CVE-2022-23960

Researchers at VUSec discovered that the Branch History Buffer in
Arm processors can be exploited to create information side-
channels with speculative execution. This issue is similar to
Spectre variant 2, but requires additional mitigations on some
processors.

This can be exploited to obtain sensitive information from a
different security context, such as from user-space to the kernel,
or from a KVM guest to the kernel.

CVE-2022-24958

A flaw was discovered that the USB gadget subsystem that could
lead to a use-after-free. A local user permitted to configure USB
gadgets could exploit this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.

CVE-2022-26490

Buffer overflows in the STMicroelectronics ST21NFCA core driver
can result in denial of service or privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-26966

A flaw was discovered in the sr9700 USB networking driver. A local
user able to attach a specially designed USB device could use this
to leak sensitive information.

CVE-2022-27223

A flaw was discovered in the udc-xilinx USB gadget-mode controller
driver. On systems using this driver, a malicious USB host could
exploit this to cause a denial of service (crash or memory
corruption) or possibly to execute arbitrary code.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-28356

"Beraphin" discovered that the ANSI/IEEE 802.2 LLC type 2 driver did
not properly perform reference counting on some error paths. A
local attacker can take advantage of this flaw to cause a denial
of service.

CVE-2022-28390

A double free vulnerability was discovered in the EMS CPC-USB/ARM7
CAN/USB interface driver.

CVE-2022-30594

Jann Horn discovered a flaw in the interaction between ptrace and
seccomp subsystems. A process sandboxed using seccomp() but still
permitted to use ptrace() could exploit this to remove the seccomp
restrictions.

CVE-2022-32250

Aaron Adams discovered a use-after-free in Netfilter which may
result in local privilege escalation to root.

CVE-2022-33981

Yuan Ming from Tsinghua University reported a a race condition in
the floppy driver involving use of the FDRAWCMD ioctl, which could
lead to a use-after-free. A local user with access to a floppy
drive device could exploit this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.
This ioctl is now disabled by default.

For Debian 9 stretch, these problems have been fixed in version
4.9.320-2.

For the armhf architecture, this update enables optimised
implementations of several cryptographic and CRC algorithms. For at
least AES, this should remove a timing side-channel that could lead to
a leak of sensitive information.

This update includes many more bug fixes from stable updates
4.9.304-4.9.320 inclusive. The random driver has been backported from
Linux 5.19, fixing numerous performance and correctness issues. Some
changes will be visible:

- The entropy pool size is now 256 bits instead of 4096. You may need
to adjust the configuration of system monitoring or user-space
entropy gathering services to allow for this.

- On systems without a hardware RNG, the kernel will log many more
uses of /dev/urandom before it is fully initialised. These uses
were previously under-counted and this is not a regression.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Severity
Package : linux
Version : 4.9.320-2
CVE ID : CVE-2018-1108 CVE-2021-4149 CVE-2021-39713 CVE-2022-0494
Debian Bug : 922204

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.