Bug 44416 - linux: Multiple security issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-1-errata
Assigned To: Philipp Hahn
Arvid Requate
https://hutten.knut.univention.de/med...
Reported: 2017-04-19 18:17 CEST by Arvid Requate
Modified: 2017-06-28 15:33 CEST (History)

What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-04-19 18:17:57 CEST
Upstream Debian package version 4.9.16-1 fixes these issues:

* tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636)
* ucount: Remove the atomicity from ucount->count (CVE-2017-6874)
* USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
Comment 1 Arvid Requate univentionstaff 2017-04-19 18:22:11 CEST
Upstream Debian package version 4.9.18-1 fixes these issues:

* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (CVE-2017-7184)
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
* scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
* [x86] vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl() (CVE-2017-7261)
* [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294)
* net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
Comment 2 Arvid Requate univentionstaff 2017-06-01 15:24:10 CEST
git log v4.9.19..v4.9.20
CVE-2017-7374: 1b53cf9815bb4744958d41f3795d5d5a1d365e2d
CVE-2017-7184: f843ee6dd019bcece3e74e76ad9df0155655d0df
CVE-2017-7184: 677e806da4d916052585301785d847c3b3e6186a

git log v4.9.20..v4.9.21
CVE-2017-7187: bf33f87dd04c371ea33feb821b60d63d754e3124

git log v4.9.21..v4.9.22
CVE-2017-7616: cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
CVE-2017-7294: e7e11f99564222d82f0ce84bd521e57d78a6b678
CVE-2017-7261: 36274ab8c596f1240c606bb514da329add2a1bcd

git log v4.9.22..v4.9.23
CVE-2017-7308: 2b6867c2ce76c596676bec7d2d525af525fdc6e2

git log v4.9.23..v4.9.24
CVE-2017-6353: dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
CVE-2017-8067: c4baad50297d84bde1a7ad45e50c73adae4a2192
CVE-2017-8063: 3f190e3aec212fc8c61e202c51400afa7384d4bc
CVE-2017-8061: 67b0503db9c29b04eadfeede6bebbfe5ddad94ef
CVE-2017-7889: a4866aa812518ed1a37d8ea0c881dc946409de94
CVE-2017-8064: 005145378c9ad7575a01b6ce1ba118fb427f583a
CVE-2017-7618: ef0579b64e93188710d48667cb5e014926af9f1b
CVE-2017-2596: 06ce521af9558814b8606c0476c54497cf83a653

git log v4.9.24..v4.9.25
CVE-2017-7472: c9f838d104fed6f2f61d68164712e3204bf5271b
CVE-2017-6951: c1644fe041ebaf6519f6809146a77c3ead9193af
CVE-2016-9604: ee8f844e3c5a73b999edf733df1c529d6503ec2f

git log v4.9.25..v4.9.26
CVE-2017-7477: 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee
CVE-2017-7645: 13bf9fbff0e5e099e2b6f003a0ab8ae145436309
CVE-2017-7645: db44bac41bbfc0c0d9dd943092d8bded3c9db19b
CVE-2017-7645: e6838a29ecb484c97e4efef9429643b9851fba6e
CVE-2017-7308: bcc5364bdcfe131e6379363f089e7b4108d35b70
CVE-2017-7308: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
CVE-2017-2671: 43a6684519ab0a6c52024b5e25322476cabad893

git log v4.9.27..v4.9.28
CVE-2017-9150: 0d0e57697f162da4aa218b5feafe614fb666db07
CVE-2017-7477: 5294b83086cc1c35b4efeca03644cf9d12282e5b

git log v4.9.29..v4.9.30
CVE-2017-7487: ee0d8d8482345ff97a75a7d747efc309f13b0d80
CVE-2017-1000363: 3e21f4af170bebf47c187c1ff8bf155583c9f3b1


CVE Descriptions:

* The built-in keyrings for security tokens can be joined as a session and then modified by the root user (CVE-2016-9604)
* The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references (CVE-2017-2596)
* The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (CVE-2017-2671)
* net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (CVE-2017-6353)
* The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (CVE-2017-6951)
* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability (CVE-2017-7184)
* The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7261)
* The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294)
* The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls (CVE-2017-7308)
* Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely (CVE-2017-7374)
* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (CVE-2017-7472)
* Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function (CVE-2017-7477)
* The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (CVE-2017-7487)
* crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (CVE-2017-7618)
* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (CVE-2017-7645)
* The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (CVE-2017-7889)
* drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-8061)
* drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-8063)
* drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-8064)
* drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-8067)
* The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls (CVE-2017-9150)
* lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)
Comment 3 Philipp Hahn univentionstaff 2017-06-12 10:52:18 CEST
r17535 | Bug #44416: linux-4.9.31
r17536 | Bug #44416: linux-4.9.31 v2
r17537 | Bug #44416: linux-4.9.31 v3

Package: linux
Version: 4.9.30-1A~4.2.0.201706121006
Branch: ucs_4.2-0
Scope: errata4.2-0

git log v4.1.30..v4.1.31
active/CVE-2017-8890 4eed44029507acc666ac7afe9c6a8ea0abf857b7 dccp/tcp: do not inherit mc_list from parent
active/CVE-2017-9074 a2c845e51a820549a6df5a1e8907ee754422119e ipv6: Prevent overrun when parsing v6 header options
active/CVE-2017-9075 5e7d9f0b3f729a64b99e58047f7bb0ff36acb759 sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
active/CVE-2017-9076 4bd8f5e38e5a1612ce4373068b518b14d3e38ec8 ipv6/dccp: do not inherit ipv6_mc_list from parent (dccp_v6_request_recv_sock)
active/CVE-2017-9077 4bd8f5e38e5a1612ce4373068b518b14d3e38ec8 ipv6/dccp: do not inherit ipv6_mc_list from parent (tcp_v6_syn_recv_sock)
active/CVE-2017-9242 304b41014acbdc5fa5126c86bac31dc41a245f9f ipv6: fix out of bound writes in __ip6_append_data()
retired/CVE-2017-9211 4472887cbd1373d7781bea9d8935f2d4968dd580 crypto: skcipher - Add missing API setkey checks

r80114 | Bug #44416: linux-4.9.31 YAML WIP
        A       doc/errata/staging/linux.yaml
        A       doc/errata/staging/univention-kernel-image.yaml
        A       doc/errata/staging/univention-kernel-image-signed.yaml
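Coverage check for the listings in Comment 2 and Comment 3, added here as an example and not code from the bug report or from UCS: it parses the "git log vA..vB" headers together with the CVE/commit lines in both formats ("CVE-...: sha" and "active/CVE-... sha subject"), keeps every commit per CVE, and treats a CVE as fixed only at the latest stable release that carries one of its commits. That last rule matters for CVE-2017-7308 and CVE-2017-7477 above, whose fixes are spread over two stable releases: a tree at the earlier release carries a partial fix. SAMPLE is a constructed excerpt of the comments above; the function names are this example's own.

```python
"""Compute which CVEs from a per-stable-release fix listing are covered.

Added example, not part of the bug report or any UCS tooling.  The input
format is the one used in the comments above: a "git log vA..vB" header
followed by "CVE-YYYY-NNNN: <sha>" lines (Comment 2) or
"active/CVE-YYYY-NNNN <sha> <subject>" lines (Comment 3).  SAMPLE is a
constructed excerpt of those comments.
"""
import re

HEADER_RE = re.compile(r"^git log v(\d+(?:\.\d+)*)\.\.v(\d+(?:\.\d+)*)$")
# Optional Debian-tracker prefix (active/, retired/), the CVE id, an optional
# colon, then a 7..40 character abbreviated or full commit hash.
FIX_RE = re.compile(
    r"^(?:(?:active|retired)/)?(CVE-\d{4}-\d{4,7}):?\s+([0-9a-f]{7,40})\b"
)

SAMPLE = """\
git log v4.9.19..v4.9.20
CVE-2017-7374: 1b53cf9815bb4744958d41f3795d5d5a1d365e2d
CVE-2017-7184: f843ee6dd019bcece3e74e76ad9df0155655d0df
CVE-2017-7184: 677e806da4d916052585301785d847c3b3e6186a

git log v4.9.22..v4.9.23
CVE-2017-7308: 2b6867c2ce76c596676bec7d2d525af525fdc6e2

git log v4.9.25..v4.9.26
CVE-2017-7308: bcc5364bdcfe131e6379363f089e7b4108d35b70
CVE-2017-7308: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b

git log v4.9.30..v4.9.31
active/CVE-2017-8890 4eed44029507acc666ac7afe9c6a8ea0abf857b7 dccp/tcp: do not inherit mc_list from parent
retired/CVE-2017-9211 4472887cbd1373d7781bea9d8935f2d4968dd580 crypto: skcipher - Add missing API setkey checks
"""


def parse_version(text):
    """'4.9.26' -> (4, 9, 26), so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_fix_listing(text):
    """Return {cve: {"fixed_in": version tuple, "commits": [sha, ...]}}.

    A CVE whose fix is spread over several stable releases (CVE-2017-7308
    above: one commit in 4.9.23, two follow-ups in 4.9.26) is only complete
    at the latest release that carries one of its commits, so fixed_in is
    the maximum header version seen for that CVE.
    """
    fixes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = parse_version(header.group(2))
            continue
        fix = FIX_RE.match(line)
        if not fix:
            continue
        if current is None:
            raise ValueError("fix line before any 'git log' header: " + line)
        cve, sha = fix.groups()
        entry = fixes.setdefault(cve, {"fixed_in": current, "commits": []})
        entry["commits"].append(sha)
        entry["fixed_in"] = max(entry["fixed_in"], current)
    return fixes


def unfixed_at(fixes, running):
    """CVEs whose fix is not complete in stable release `running` (e.g. '4.9.30')."""
    have = parse_version(running)
    return sorted(cve for cve, entry in fixes.items() if entry["fixed_in"] > have)


def minimum_release(fixes, cves):
    """Lowest stable release in which every CVE in `cves` is fully fixed."""
    return max(fixes[cve]["fixed_in"] for cve in cves)


if __name__ == "__main__":
    fixes = parse_fix_listing(SAMPLE)
    for level in ("4.9.25", "4.9.30", "4.9.33"):
        print(level, "still missing:", unfixed_at(fixes, level) or "nothing")
```

The version tuples are compared numerically on purpose: a string comparison would rank "4.9.9" above "4.9.33". Feeding the full Comment 2 and Comment 3 text into parse_fix_listing gives the same answer for the package built here (Debian 4.9.30-2 plus the incremental patches up to 4.9.33): nothing in the listing is left unfixed.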
Comment 4 Philipp Hahn univentionstaff 2017-06-13 09:28:35 CEST
(In reply to Philipp Hahn from comment #3)
> r17535 | Bug #44416: linux-4.9.31
> r17536 | Bug #44416: linux-4.9.31 v2
> r17537 | Bug #44416: linux-4.9.31 v3
r17538 | Bug #44416: linux-4.9.31 v4

> Package: linux
> Version: 4.9.30-1A~4.2.0.201706121006
Version: 4.9.30-1A~4.2.0.201706121456
> Branch: ucs_4.2-0
> Scope: errata4.2-0

r80131 | Bug #44416: Update to linux-4.9.31-ucs104

Package: univention-kernel-image-signed
Version: 3.0.2-3A~4.2.0.201706130838
Branch: ucs_4.2-0
Scope: errata4.2-0

r80132 | Bug #44416: Update to linux-4.9.31-ucs104

Package: univention-kernel-image
Version: 10.0.0-7A~4.2.0.201706130848
Branch: ucs_4.2-0
Scope: errata4.2-0

QA-OK: dmesg
+ima: No TPM chip found, activating TPM-bypass!
QA-OK: zless /usr/share/doc/linux-image-4.9.0-ucs104-amd64/changelog.Debian.gz

FYI: 4.9-32 review will end 2017-06-14 fixing the following issues:
 CVE-2017-7346: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
 CVE-2017-xxxx: infoleak due to a data race in ALSA timer
 CVE-2017-0605: trace: resolve stack corruption due to string copy
Comment 5 Philipp Hahn univentionstaff 2017-06-14 15:42:55 CEST
r80184 | Bug #44416: linux-4.9.31 YAML
        M       doc/errata/staging/linux.yaml
        M       doc/errata/staging/univention-kernel-image.yaml
        M       doc/errata/staging/univention-kernel-image-signed.yaml
Comment 6 Arvid Requate univentionstaff 2017-06-14 19:48:49 CEST
Ok, let's pick up 4.9.32, which fixes:

CVE-2017-7346
CVE-2017-9074
CVE-2017-9605
CVE-2017-1000380


Also, I would suggest applying the full patch-4.9.31.gz rather than cherry-picked patches. Otherwise we might end up with a Univention-specific issue. Also it makes QA simpler.
Comment 7 Philipp Hahn univentionstaff 2017-06-15 10:15:42 CEST
(In reply to Arvid Requate from comment #6)
> Ok, let's pick up 4.9.32, which fixes:
> 
> CVE-2017-7346
> CVE-2017-9074
> CVE-2017-9605
> CVE-2017-1000380

r17543 | Bug #44416: linux-4.9.32

Package: linux
Version: 4.9.30-1A~4.2.0.201706150839
Branch: ucs_4.2-0
Scope: errata4.2-0

> Also, I would suggest applying the full patch-4.9.31.gz rather than
> cherry-picked patches. Otherwise we might end up with a Univention-specific
> issue. Also it makes QA simpler.

There was nothing cherry-picked: 60_patch-4.9.3?.quilt are the incremental patches from kernel.org.
Comment 8 Philipp Hahn univentionstaff 2017-06-15 16:00:03 CEST
Package: linux
Version: 4.9.30-1A~4.2.0.201706150842
Branch: ucs_4.2-0-errata4.2-0
Scope: errata4.2-0

r80208 | Bug #44416: Update to linux-4.9.32-ucs104

Package: univention-kernel-image-signed
Version: 3.0.2-4A~4.2.0.201706151338
Branch: ucs_4.2-0
Scope: errata4.2-0

r80212 | Bug #44416: linux-4.9.32 YAML
        M       doc/errata/staging/linux.yaml
        M       doc/errata/staging/univention-kernel-image.yaml
        M       doc/errata/staging/univention-kernel-image-signed.yaml

QA-OK: dmesg 
QA-OK: 4.9.0-ucs104-amd64 @ kvm
QA-OK: 4.9.0-ucs104-amd64 @ xen1
QA-WIP: 4.9-0-ucs104-amd64 @ UEFI-kvm
Comment 9 Philipp Hahn univentionstaff 2017-06-15 18:46:21 CEST
(In reply to Philipp Hahn from comment #8)
> QA-OK: dmesg 
> QA-OK: 4.9.0-ucs104-amd64 @ kvm
> QA-OK: 4.9.0-ucs104-amd64 @ xen1
> QA-WIP: 4.9-0-ucs104-amd64 @ UEFI-kvm

QA-OK: UEFI-kvm
Comment 10 Philipp Hahn univentionstaff 2017-06-16 10:41:12 CEST
(In reply to Philipp Hahn from comment #7)
> (In reply to Arvid Requate from comment #6)
> > Ok, let's pick up 4.9.32, which fixes:
> r17543 | Bug #44416: linux-4.9.32

FYI: 4.9.33 with 108 patches is in the review phase and scheduled for tomorrow.
Comment 11 Philipp Hahn univentionstaff 2017-06-17 11:40:12 CEST
REOPEN: switch to Debian-Stretch 4.9.30-2 + 4.9.33 to fix regressions
Comment 12 Philipp Hahn univentionstaff 2017-06-20 09:46:32 CEST
r17547 | Bug #44416: linux-4.9.33
r17548 | Bug #44416: linux-4.9.33

Package: linux
Version: 4.9.30-2A~4.2.0.201706171152
Branch: ucs_4.2-0
Scope: errata4.2-0

r80268 | Bug #44416: Update to linux-4.9.33-ucs104

Package: univention-kernel-image-signed
Version: 3.0.2-5A~4.2.0.201706190940
Branch: ucs_4.2-0
Scope: errata4.2-0

r80311 | Bug #44416: linux-4.9.33 YAML

QA-OK: amd64 @ kvm
QA-OK: amd64 @ kvm-UEFI
QA-OK: amd64 @ xen1
Comment 13 Philipp Hahn univentionstaff 2017-06-20 12:24:36 CEST
r80330 | Bug #44416: linux-4.9.33 YAML
Comment 14 Arvid Requate univentionstaff 2017-06-21 19:30:06 CEST
* Upstream Debian package version 4.9.30-2 imported in errata4.2-0
* Upstream patches applied:
  https://www.kernel.org/pub/linux/kernel/v4.x/incr/patch-4.9.30-31.gz
  https://www.kernel.org/pub/linux/kernel/v4.x/incr/patch-4.9.31-32.gz
  https://www.kernel.org/pub/linux/kernel/v4.x/incr/patch-4.9.32-33.gz
* Package update ok
* Reboot ok, dmesg ok
* UEFI hardware boot ok
* Advisories ok
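The patch step above (Debian 4.9.30-2 plus the three kernel.org incremental patches), as an added example that is not the bug report's own tooling nor the UCS quilt series: an incremental patch-4.9.N-M.gz only applies to a tree that is exactly at 4.9.N, so apply_incremental reads VERSION/PATCHLEVEL/SUBLEVEL from the Makefile and refuses a patch whose "from" level differs, verifies the kernel.org detached signature over the uncompressed patch when the .sign file is present (skipping only with an explicit ALLOW_UNSIGNED=1), dry-runs the patch before applying it, and checks that the tree reports the expected level afterwards. make_demo builds a constructed fake tree and two fake patches with diff -u so the script runs offline; the function names and the ALLOW_UNSIGNED variable are this example's assumptions, not kernel.org or UCS conventions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of UCS packaging: apply
# kernel.org incremental patches (patch-4.9.30-31.gz, patch-4.9.31-32.gz, ...)
# to a source tree strictly in sequence.  Assumes GNU patch, gzip, diff, awk
# and a top-level Makefile with the usual VERSION/PATCHLEVEL/SUBLEVEL lines.
set -eu

tree_version() {
    # Print VERSION.PATCHLEVEL.SUBLEVEL from the tree's top-level Makefile.
    awk -F' *= *' '
        $1 == "VERSION"    { v = $2 }
        $1 == "PATCHLEVEL" { p = $2 }
        $1 == "SUBLEVEL"   { s = $2 }
        END { printf "%s.%s.%s\n", v, p, s }' "$1/Makefile"
}

apply_incremental() {
    # apply_incremental <tree> <patch-A.B.C-D.gz>
    tree=$1
    pfile=$2
    base=$(basename "$pfile" .gz)        # patch-4.9.30-31
    from=${base#patch-}; from=${from%-*} # 4.9.30
    to=${from%.*}.${base##*-}            # 4.9.31

    have=$(tree_version "$tree")
    if [ "$have" != "$from" ]; then
        echo "refusing $base: tree is at $have, patch is against $from" >&2
        return 1
    fi

    # kernel.org signs the uncompressed patch; verify it when the .sign file
    # is present and only skip verification on an explicit opt-out.
    sign=${pfile%.gz}.sign
    if [ -f "$sign" ]; then
        gzip -dc "$pfile" | gpg --verify "$sign" - || return 1
    elif [ "${ALLOW_UNSIGNED:-0}" != 1 ]; then
        echo "no $sign found; set ALLOW_UNSIGNED=1 to apply unverified" >&2
        return 1
    fi

    # Dry-run first so a rejected hunk never leaves a half-patched tree.
    gzip -dc "$pfile" | patch -d "$tree" -p1 -s --dry-run || return 1
    gzip -dc "$pfile" | patch -d "$tree" -p1 -s || return 1

    got=$(tree_version "$tree")
    if [ "$got" != "$to" ]; then
        echo "after $base tree reports $got, expected $to" >&2
        return 1
    fi
    echo "$base: $have -> $got"
}

apply_series() {
    # apply_series <tree> <patch>...  Applies in the order given, stops at
    # the first failure.
    series_tree=$1
    shift
    for p in "$@"; do
        apply_incremental "$series_tree" "$p" || return 1
    done
}

make_demo() {
    # Constructed sample data (not real kernel sources): a fake 4.9.30 tree
    # and two incremental patches generated with diff -u so they look like
    # the kernel.org files, i.e. paths one component deep for -p1.
    dir=$1
    for lvl in 30 31 32; do
        mkdir -p "$dir/v$lvl"
        printf 'VERSION = 4\nPATCHLEVEL = 9\nSUBLEVEL = %s\nEXTRAVERSION =\n' \
            "$lvl" > "$dir/v$lvl/Makefile"
    done
    (cd "$dir" && diff -u v30/Makefile v31/Makefile | gzip > patch-4.9.30-31.gz)
    (cd "$dir" && diff -u v31/Makefile v32/Makefile | gzip > patch-4.9.31-32.gz)
    cp -R "$dir/v30" "$dir/tree"
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo "$work"
    ALLOW_UNSIGNED=1
    apply_series "$work/tree" "$work/patch-4.9.30-31.gz" "$work/patch-4.9.31-32.gz"
    tree_version "$work/tree"
    rm -rf "$work"
fi
```

Run it as `sh apply-incremental.sh demo` to see 4.9.30 -> 4.9.31 -> 4.9.32 on the fake tree. For real patches, import and trust the kernel.org release-signing key first, otherwise gpg --verify fails and the patch is not applied, and keep the patch order identical to the packaging's series (the 60_patch-4.9.3?.quilt files mentioned in Comment 7), since applying 4.9.31-32 to a 4.9.30 tree is exactly what the SUBLEVEL gate is there to refuse.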
Comment 15 Arvid Requate univentionstaff 2017-06-21 19:35:36 CEST
I've moved the advisories to ucs-4.2-1/doc/errata/staging and adjusted
version: [0,1]