Univention Bugzilla – Bug 46209
linux: Multiple security issues (4.2)
Last modified: 2018-04-04 16:17:34 CEST
Upstream Linux kernel version 4.9.79 fixes at least the following issues:

* net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (CVE-2017-17450)
* net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (CVE-2017-17448)
* The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-11472)
(In reply to Arvid Requate from comment #0)
> * The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the
> Linux kernel before 4.12 does not flush the operand cache and causes a
> kernel stack dump, which allows local users to obtain sensitive information
> from kernel memory and bypass the KASLR protection mechanism (in the kernel
> through 4.9) via a crafted ACPI table. (CVE-2017-11472)

This is not a valid issue as ACPI tables are trusted.
More issues (fixed in 4.9.79 and 4.9.80):

active/CVE-2017-16911:4.9-upstream-stable: released (4.9.79) [ce601a07bc504b4748f8e7a34896684f79514e51]
active/CVE-2018-1000028:4.9-upstream-stable: released (4.9.79) [f12d0602633decf073796f3aaa59eec7ff2da9e2]
active/CVE-2018-5344:4.9-upstream-stable: released (4.9.80) [56bc086358cac1a2949783646eabd57447b9d672]

./tracker.py CVE-2017-16911 CVE-2018-1000028 CVE-2018-5344 CVE-2017-17450 CVE-2017-17448

CVE-2017-16911    3.3  CVE-2017-16911 kernel: vhci_cd driver in usbip/vhci_sysfs.c:port_show_vhci() discloses kernel memory addresses to local attackers
CVE-2017-17448    4.4  CVE-2017-17448 kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure
CVE-2017-17450    4.4  CVE-2017-17450 kernel: Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list
CVE-2018-5344     5.5  CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
CVE-2018-1000028  4.3  CVE-2018-1000028 kernel: Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied
r18001 | Bug #46209: linux-4.9.80 WIP
r18014 | Bug #46209: linux-4.9.81 WIP:

grep TRUSTED_KEYRING /var/build/temp/tmp.*/linux-4.9.30/debian/build/build_i386_none_686/.config
> CONFIG_SYSTEM_TRUSTED_KEYRING=y
> CONFIG_SECONDARY_TRUSTED_KEYRING=y

That was enabled for Bug #45961 but does not yet work as expected.

Package: linux
Version: 4.9.30-2A~4.2.0.201802141217
Version: 4.9.30-2A~4.2.0.201802142213
Version: 4.9.30-2A~4.2.0.201802142222
Branch: ucs_4.2-0
Scope: errata4.2-3
7f50811963 Bug #46209: Update to linux-4.9.81-ucs109
Package: univention-kernel-image
Version: 10.0.0-12A~4.2.0.201802151039
Branch: ucs_4.2-0
Scope: errata4.2-3
11a3ef7377 Bug #46209: Update to linux-4.9.81-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-16A~4.2.0.201802151124
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: CVE-2017-5753: /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
OK: grep -e TRUSTED_KEYRING /boot/config-4.9.0-ucs109-amd64
OK: git log v4.9.78..v4.9.81 | sed -rne 's/^ *commit ([0-9a-f]{40})\>.*/\1/p' | grep -Ff - ~/REPOS/DEBIAN/security-tracker/data/CVE/list
 * CVE-2018-5344
 * CVE-2018-1000028
 * CVE-2017-16911

4f01026801 Bug #46209: Update to linux-4.9.81-ucs109
 doc/errata/staging/linux.yaml | 30 ++++++++++++++++++++++++++++++
 doc/errata/staging/univention-kernel-image-signed.yaml | 30 ++++++++++++++++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml | 30 ++++++++++++++++++++++++++++++
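The commit-to-CVE cross-check from the QA notes above (`git log … | sed … | grep -Ff - …`), as an added example that is not part of the original thread or of Univention's tooling. The function names and temporary files are assumptions; the sample log and the `CVE-0000-0001` tracker entry are constructed, while the other two tracker lines are quoted from this page.

```shell
#!/bin/sh
# Added example (not from the thread): CVE ids fixed in a commit range.

# Print each 40-hex commit id found in `git log` output on stdin. Leading
# spaces are accepted, as in the thread's sed expression, so an indented
# "commit <sha> upstream." line in a stable backport's message also counts.
extract_commits() {
    sed -nE 's/^ *commit ([0-9a-f]{40})([^0-9a-f].*)?$/\1/p' | sort -u
}

# cves_in_range LOGFILE TRACKERFILE: print matching CVE ids, sorted.
# Returns 2 if LOGFILE holds no commit id, so an empty range (for example a
# mistyped tag) is not read as "nothing to fix".
cves_in_range() {
    hashes=$(mktemp) || return 1
    extract_commits <"$1" >"$hashes"
    if [ ! -s "$hashes" ]; then rm -f "$hashes"; return 2; fi
    grep -Ff "$hashes" "$2" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
    rm -f "$hashes"
}

# Constructed sample input: a two-commit log and a three-line tracker file.
write_samples() {
    cat >"$1" <<'EOF'
commit ce601a07bc504b4748f8e7a34896684f79514e51
Author: Constructed Author <author@example.org>

    constructed subject one

commit 1111111111111111111111111111111111111111

    constructed subject two

    commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa upstream.
EOF
    cat >"$2" <<'EOF'
active/CVE-2017-16911:4.9-upstream-stable: released (4.9.79) [ce601a07bc504b4748f8e7a34896684f79514e51]
active/CVE-2018-5344:4.9-upstream-stable: released (4.9.80) [56bc086358cac1a2949783646eabd57447b9d672]
active/CVE-0000-0001:upstream: released (constructed) [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d/log" "$d/tracker"
    cves_in_range "$d/log" "$d/tracker"
    rm -rf "$d"
}
demo
```

CVE-2018-5344 is not reported for the sample because its fix commit is absent from the constructed log, which is how a fix outside the checked range shows up.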
4.9.82-rc (ETA Sat Feb 17 2018) CVE-2017-8824: use-after-free in DCCP code
Package: linux
Version: 4.9.30-2A~4.2.0.201802181141
Branch: ucs_4.2-0
Package: univention-kernel-image-signed
Version: 3.0.2-17A~4.2.0.201802190840
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: amd64 @ kvm with SeaBIOS
OK: amd64 @ kvm with OVMF SecureBoot
OK: amd64 @ xen1

4a7b20cde8 Bug #46209: Update to linux-4.9.82-ucs109 YAML
 doc/errata/staging/linux.yaml | 9 +++++++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 9 +++++++--
 doc/errata/staging/univention-kernel-image.yaml | 7 ++++++-
 3 files changed, 20 insertions(+), 5 deletions(-)
4.9.83 with 77 patches, ETA: Fri Feb 23 12:44:14 UTC 2018
r18024 | Bug #46209: linux-4.9.83
Package: linux
Version: 4.9.30-2A~4.2.0.201802230925
Branch: ucs_4.2-0
Scope: errata4.2-3
d0cc106946 Bug #46209 linux: Update to linux-4.9.83-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-18A~4.2.0.201802231308
Branch: ucs_4.2-0
Scope: errata4.2-3

b9b67b57f0 Bug #46209: linux-4.9.83
 doc/errata/staging/linux.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml | 2 +-

OK: amd64 KVM UEFI-SecureBoot
OK: xen1
Copied from Bug #46029 comment 10 ..

r18025 | Bug #46209: linux-4.9.84
Package: linux
Version: 4.9.30-2A~4.2.0.201802251630
Branch: ucs_4.2-0
Scope: errata4.2-3
c0a60a76b0 Bug #46029: Update to linux-4.9.84-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-19A~4.2.0.201802260839
Branch: ucs_4.2-0
Scope: errata4.2-3

f06a6b5c96 Bug #46029: Update to linux-4.9.84-ucs109 YAML
 doc/errata/staging/linux.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml | 2 +-

OK: amd64 @ xen1
OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+Secure-Boot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
r18029 | Bug #46209: linux-4.9.85
Package: linux
Version: 4.9.30-2A~4.2.0.201802282204
Branch: ucs_4.2-0
Scope: errata4.2-3
ea80945e9b Bug #46209 kernel: Update to linux-4.9.85-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-20A~4.2.0.201803011023
Branch: ucs_4.2-0
Scope: errata4.2-3

44c759d196 Bug #46209: linux-4.9.85 YAML
 doc/errata/staging/linux.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

OK: amd64 @ kvm with OVMF SecureBoot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
r18040 | Bug #46209: linux-4.9.86
Package: linux
Version: 4.9.30-2A~4.2.0.201803051536
Branch: ucs_4.2-0
Scope: errata4.2-3
[4.2-3] d571ec3222 Bug #46209: Update to linux-4.9.86-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-21A~4.2.0.201803060820
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 93e27d5f30 Bug #46209: linux-4.9.86
 doc/errata/staging/linux.yaml | 7 +++++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 7 +++++--
 doc/errata/staging/univention-kernel-image.yaml | 5 ++++-

CVE-2017-18193 fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles

OK: vimdiff <(./linux-dmesg-norm 4.9.0-ucs109-amd64) <(./linux-dmesg-norm 4.9.0-ucs109-amd64.86)
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
OK: amd64 @ kvm + UEFI-OVMF-SecureBoot
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ xen1
r18061 | Bug #46209: linux-4.9.89
Package: linux
Version: 4.9.30-2A~4.2.0.201803221415
Branch: ucs_4.2-0
Scope: errata4.2-3
[4.2-3] 2ad68a9f80 Bug #46209: Update to linux-4.9.89-ucs109
Package: univention-kernel-image-signed
Version: 3.0.2-22A~4.2.0.201803231159
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] ad72baa4a8 Bug #46209: linux-4.9.89 YAML
 doc/errata/staging/linux.yaml | 5 ++++-
 doc/errata/staging/univention-kernel-image-signed.yaml | 7 +++++--
 doc/errata/staging/univention-kernel-image.yaml | 5 ++++-

OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+SecureBoot
OK: amd64 @ xen1
OK: cat /proc/version
OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
* Patches: Ok
* Package update: Ok
* dmesg: Ok
* Advisory: Ok
Ah, just metadata but could you also have a quick look at this:

======================================================================
arequate@dimma:~$ repo_get_version.py -r 4.2 -s errata4.2-3 -p gcc-4.9
Usage: repo_get_version.py [options]

repo_get_version.py: error: The package does not exist.
======================================================================
Seems to be a generic issue with the gcc-* package:

arequate@dimma:~$ repo_stat.py gcc-4.9
Version 4.9.2-10 Rev 99267 Date 2017-06-07 05:34:48 Release 4.2-0-0
Version 4.9.2-10+deb8u1 Rev 123613 Date 2018-02-19 14:30:41 Release 4.2-0-0 Scope errata4.2-3

arequate@dimma:~$ repo_stat.py gcc-6
Version 6.3.0-18+deb9u1 Rev 123794 Date 2018-02-28 11:55:53 Release 4.3-0-0

arequate@dimma:~$ repo_get_version.py -r 4.3 -p gcc-6
Usage: repo_get_version.py [options]

repo_get_version.py: error: The package does not exist.

Worked till this version and stopped working in UCS 4.2 / gcc-4.8:

arequate@dimma:~$ repo_get_version.py -r 4.0 -p gcc-4.7
Package: gcc-4.7
Source rev tag : 54980
Current version: 4.7.2-5
Patch path: ~/svn/patches/gcc-4.7/4.0-0-0-ucs/4.7.2-5/
Patch prefix: gcc-4.7-4.7.2
<http://errata.software-univention.de/ucs/4.2/318.html>
<http://errata.software-univention.de/ucs/4.2/319.html>
<http://errata.software-univention.de/ucs/4.2/320.html>
<http://errata.software-univention.de/ucs/4.2/321.html>