Debian Linux Security Advisory 4188-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
c04940bd4f6e00821a6373ebaafc1e5cd084607d9b3667203e468f8e5190068a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4188-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux
CVE ID : CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193
CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224
CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066
CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108
CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740
CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781
CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2017-5715
Multiple researchers have discovered a vulnerability in various
processors supporting speculative execution, enabling an attacker
controlling an unprivileged process to read memory from arbitrary
addresses, including from the kernel and all other processes
running on the system.
This specific attack has been named Spectre variant 2 (branch
target injection) and is mitigated for the x86 architecture (amd64
and i386) by using the "retpoline" compiler feature which allows
indirect branches to be isolated from speculative execution.
CVE-2017-5753
Multiple researchers have discovered a vulnerability in various
processors supporting speculative execution, enabling an attacker
controlling an unprivileged process to read memory from arbitrary
addresses, including from the kernel and all other processes
running on the system.
This specific attack has been named Spectre variant 1
(bounds-check bypass) and is mitigated by identifying vulnerable
code sections (array bounds checking followed by array access) and
replacing the array access with the speculation-safe
array_index_nospec() function.
More use sites will be added over time.
CVE-2017-17975
Tuba Yavuz reported a use-after-free flaw in the USBTV007
audio-video grabber driver. A local user could use this for denial
of service by triggering failure of audio registration.
CVE-2017-18193
Yunlei He reported that the f2fs implementation does not properly
handle extent trees, allowing a local user to cause a denial of
service via an application with multiple threads.
CVE-2017-18216
Alex Chen reported that the OCFS2 filesystem failed to hold a
necessary lock during nodemanager sysfs file operations,
potentially leading to a null pointer dereference. A local user
could use this for denial of service.
CVE-2017-18218
Jun He reported a user-after-free flaw in the Hisilicon HNS ethernet
driver. A local user could use this for denial of service.
CVE-2017-18222
It was reported that the Hisilicon Network Subsystem (HNS) driver
implementation does not properly handle ethtool private flags. A
local user could use this for denial of service or possibly have
other impact.
CVE-2017-18224
Alex Chen reported that the OCFS2 filesystem omits the use of a
semaphore and consequently has a race condition for access to the
extent tree during read operations in DIRECT mode. A local user
could use this for denial of service.
CVE-2017-18241
Yunlei He reported that the f2fs implementation does not properly
initialise its state if the "noflush_merge" mount option is used.
A local user with access to a filesystem mounted with this option
could use this to cause a denial of service.
CVE-2017-18257
It was reported that the f2fs implementation is prone to an infinite
loop caused by an integer overflow in the __get_data_block()
function. A local user can use this for denial of service via
crafted use of the open and fallocate system calls with an
FS_IOC_FIEMAP ioctl.
CVE-2018-1065
The syzkaller tool found a NULL pointer dereference flaw in the
netfilter subsystem when handling certain malformed iptables
rulesets. A local user with the CAP_NET_RAW or CAP_NET_ADMIN
capability (in any user namespace) could use this to cause a denial
of service. Debian disables unprivileged user namespaces by default.
CVE-2018-1066
Dan Aloni reported to Red Hat that the CIFS client implementation
would dereference a null pointer if the server sent an invalid
response during NTLMSSP setup negotiation. This could be used
by a malicious server for denial of service.
CVE-2018-1068
The syzkaller tool found that the 32-bit compatibility layer of
ebtables did not sufficiently validate offset values. On a 64-bit
kernel, a local user with the CAP_NET_ADMIN capability (in any user
namespace) could use this to overwrite kernel memory, possibly
leading to privilege escalation. Debian disables unprivileged user
namespaces by default.
CVE-2018-1092
Wen Xu reported that a crafted ext4 filesystem image would
trigger a null dereference when mounted. A local user able
to mount arbitrary filesystems could use this for denial of
service.
CVE-2018-1093
Wen Xu reported that a crafted ext4 filesystem image could trigger
an out-of-bounds read in the ext4_valid_block_bitmap() function. A
local user able to mount arbitrary filesystems could use this for
denial of service.
CVE-2018-1108
Jann Horn reported that crng_ready() does not properly handle the
crng_init variable states and the RNG could be treated as
cryptographically safe too early after system boot.
CVE-2018-5803
Alexey Kodanev reported that the SCTP protocol did not range-check
the length of chunks to be created. A local or remote user could
use this to cause a denial of service.
CVE-2018-7480
Hou Tao discovered a double-free flaw in the blkcg_init_queue()
function in block/blk-cgroup.c. A local user could use this to cause
a denial of service or have other impact.
CVE-2018-7566
Fan LongFei reported a race condition in the ALSA (sound)
sequencer core, between write and ioctl operations. This could
lead to an out-of-bounds access or use-after-free. A local user
with access to a sequencer device could use this for denial of
service or possibly for privilege escalation.
CVE-2018-7740
Nic Losby reported that the hugetlbfs filesystem's mmap operation
did not properly range-check the file offset. A local user with
access to files on a hugetlbfs filesystem could use this to cause
a denial of service.
CVE-2018-7757
Jason Yan reported a memory leak in the SAS (Serial-Attached
SCSI) subsystem. A local user on a system with SAS devices
could use this to cause a denial of service.
CVE-2018-7995
Seunghun Han reported a race condition in the x86 MCE
(Machine Check Exception) driver. This is unlikely to have
any security impact.
CVE-2018-8087
A memory leak flaw was found in the hwsim_new_radio_nl() function in
the simulated radio testing tool driver for mac80211, allowing a
local user to cause a denial of service.
CVE-2018-8781
Eyal Itkin reported that the udl (DisplayLink) driver's mmap
operation did not properly range-check the file offset. A local
user with access to a udl framebuffer device could exploit this to
overwrite kernel memory, leading to privilege escalation.
CVE-2018-8822
Dr Silvio Cesare of InfoSect reported that the ncpfs client
implementation did not validate reply lengths from the server. An
ncpfs server could use this to cause a denial of service or
remote code execution in the client.
CVE-2018-10323
Wen Xu reported a NULL pointer dereference flaw in the
xfs_bmapi_write() function triggered when mounting and operating a
crafted xfs filesystem image. A local user able to mount arbitrary
filesystems could use this for denial of service.
CVE-2018-1000199
Andy Lutomirski discovered that the ptrace subsystem did not
sufficiently validate hardware breakpoint settings. Local users
can use this to cause a denial of service, or possibly for
privilege escalation, on x86 (amd64 and i386) and possibly other
architectures.
For the stable distribution (stretch), these problems have been fixed in
version 4.9.88-1.
We recommend that you upgrade your linux packages.
For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlron7dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Se0xAAmR31jrqeEkJhgh7qvKplrko9N27l7FCCrrqsR0cBjKtIpwBkIdm6UxP2
8HBxqK5oy3sUP/ViHBtTUqFlRbLq4fC2DsuJGGqtBk46yML4QOEV2CXA1gyhfSzG
ux5Z5nNkLDbzD7jPazbTwMusbQrDItojj6K5aoDVoRjjOpRHRViHv81kRU3KJytX
62f/vnEjxX0xkSOqLKXcUNDczLjcP2VxuKFb3si6w7YyCXq6XYhvoDch92QLJZfD
qtDUCKs1sEgWLzhktcYyhck3NGujSfLZuSLGnZowqGqaAvx/lq0sTOliKuPpnG+I
HztPR0iYQCuzsDgHbLlwGyuUnf446VRG+u/AP69qk0HqyWwCXqsTJ0rwMX04fXtR
7dR8Y1jbbXaH0+ai9V6c3zdz4UKH5rZOkpIIYSjCxVHUpE2cU4lFXYiWL/qJRBGV
150TtSgyAPBBBJa6cWgApXrHgriGEkZNscH2nmJfg2OBnDwnLJ4CvwNfij7daR8n
RlGOlvgKYCI1Ob54kKqvvxQhDrhTiBhti8T64wd2MzsrKLIRdlyTpSrsqK8VIJyg
ux1Y01sgA3JqS2XKL52ZTgCJhGkoX68+/se73P+jeRBP/tbNcXB2t2cE6gxIkiTX
eZEUmnS5IeoEcr7cYKm3M9GZvBBrVeTaFra3vSgeGDUr0XL2Yu4=
=uZGQ
-----END PGP SIGNATURE-----