-------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 20, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : linux
CVE ID         : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
                 CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
                 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
                 CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
                 CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370
                 CVE-2017-1000371 CVE-2017-1000380
Debian Bug     : 866511 875881
Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.
CVE-2017-7518
Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest.
CVE-2017-7558 (stretch only)
Stefano Brivio of Red Hat discovered that the SCTP subsystem is prone to a data leak vulnerability due to an out-of-bounds read flaw, allowing up to 100 uninitialized bytes to be leaked to userspace.
CVE-2017-10661 (jessie only)
Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code.
CVE-2017-11600
Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code.
CVE-2017-12134 / #866511 / XSA-229
Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code.
This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:

    echo 2 > /sys/block/nvme0n1/queue/nomerges
CVE-2017-12146 (stretch only)
Adrian Salido of Google reported a race condition in access to the "driver_override" attribute for platform devices in sysfs. If unprivileged users are permitted to access this attribute, this might allow them to gain privileges.
CVE-2017-12153
Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service.
CVE-2017-12154
Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service.
CVE-2017-14106
Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service.
CVE-2017-14140
Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set.
CVE-2017-14156
"sohu0106" reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information.
CVE-2017-14340
Richard Wareing discovered that the XFS implementation allows the creation of files with the "realtime" flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service.
CVE-2017-14489
ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code.
CVE-2017-14497 (stretch only)
Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact.
CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code.
CVE-2017-1000112
Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code.
CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack buffer overflow. This is one of several vulnerabilities dubbed "Blueborne". A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled.
CVE-2017-1000252 (stretch only)
Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service.
CVE-2017-1000370
The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries.
CVE-2017-1000371
The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries.
CVE-2017-1000380
Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information.
Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.
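The two host-side settings this advisory names, the nomerges mitigation for CVE-2017-12134 and the kernel.unprivileged_userns_clone sysctl, as an added shell example that is not part of the advisory. Paths are parameters so the functions can be exercised against a constructed directory tree as well as the real /sys and /proc; the sysctl path /proc/sys/kernel/unprivileged_userns_clone is the Debian-specific knob referred to above.

```shell
# Added example, not part of the Debian advisory: helpers for the two
# host-side settings it names. Paths are parameters so the functions run
# against a constructed directory tree as well as the real /sys and /proc.
set -u

# Print a single-line sysfs/procfs value with whitespace stripped,
# or "missing" when the file is absent or unreadable.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# Mitigation for CVE-2017-12134 (XSA-229): disable request merging on one
# block device queue. Argument is the queue directory, e.g.
# /sys/block/nvme0n1/queue. Writes 2 (no merging) and verifies the readback.
disable_merges() {
    knob="$1/nomerges"
    [ -w "$knob" ] || return 1
    echo 2 > "$knob" || return 1
    [ "$(read_knob "$knob")" = "2" ]
}

# Apply disable_merges to every block device under a sysfs block root
# (default /sys/block). Prints one line per device and returns non-zero
# if any device could not be set.
disable_merges_all() {
    sysblock=${1:-/sys/block}
    rc=0
    for dev in "$sysblock"/*; do
        [ -d "$dev/queue" ] || continue
        if disable_merges "$dev/queue"; then
            printf '%s: nomerges=2\n' "$(basename "$dev")"
        else
            printf '%s: FAILED\n' "$(basename "$dev")"
            rc=1
        fi
    done
    return "$rc"
}

# Returns 0 when unprivileged user namespaces are enabled, the condition
# under which CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 become
# reachable by any local user. Default path is Debian's sysctl knob.
userns_clone_enabled() {
    [ "$(read_knob "${1:-/proc/sys/kernel/unprivileged_userns_clone}")" = "1" ]
}
```

Writing nomerges under the real /sys requires root, and on a dom0 only the back-end devices that serve guests need it.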
For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u5.
For the stable distribution (stretch), these problems have been fixed in version 4.9.30-2+deb9u5.
We recommend that you upgrade your linux packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org