Bug 46209 - linux: Multiple security issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware/OS: Other Linux
Importance: P4 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Reported: 2018-01-31 18:18 CET by Arvid Requate
Modified: 2018-04-04 16:17 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
requate: Patch_Available+
Description Arvid Requate univentionstaff 2018-01-31 18:18:28 CET
Upstream Linux kernel version 4.9.79 fixes at least the following issues:

* net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces (CVE-2017-17450)

* net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces (CVE-2017-17448)

* The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-11472)
Comment 1 Philipp Hahn univentionstaff 2018-02-05 14:17:58 CET
(In reply to Arvid Requate from comment #0)
> * The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the
> Linux kernel before 4.12 does not flush the operand cache and causes a
> kernel stack dump, which allows local users to obtain sensitive information
> from kernel memory and bypass the KASLR protection mechanism (in the kernel
> through 4.9) via a crafted ACPI table. (CVE-2017-11472)

This is not a valid issue as ACPI tables are trusted.
Comment 2 Philipp Hahn univentionstaff 2018-02-05 14:20:27 CET
More issues (fixed in 4.9.79 and 4.9.80):
active/CVE-2017-16911:4.9-upstream-stable: released (4.9.79) [ce601a07bc504b4748f8e7a34896684f79514e51]
active/CVE-2018-1000028:4.9-upstream-stable: released (4.9.79) [f12d0602633decf073796f3aaa59eec7ff2da9e2]
active/CVE-2018-5344:4.9-upstream-stable: released (4.9.80) [56bc086358cac1a2949783646eabd57447b9d672]

./tracker.py CVE-2017-16911 CVE-2018-1000028 CVE-2018-5344 CVE-2017-17450 CVE-2017-17448
CVE-2017-  16911        3.3     CVE-2017-16911 kernel: vhci_cd driver in usbip/vhci_sysfs.c:port_show_vhci() discloses kernel memory addresses to local attackers
CVE-2017-  17448        4.4     CVE-2017-17448 kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure
CVE-2017-  17450        4.4     CVE-2017-17450 kernel: Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list
CVE-2018-   5344        5.5     CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
CVE-2018-1000028        4.3     CVE-2018-1000028 kernel: Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied
Comment 3 Philipp Hahn univentionstaff 2018-02-05 14:23:37 CET
r18001 | Bug #46209: linux-4.9.80 WIP
Comment 4 Philipp Hahn univentionstaff 2018-02-15 13:32:59 CET
r18014 | Bug #46209: linux-4.9.81

WIP: grep TRUSTED_KEYRING /var/build/temp/tmp.*/linux-4.9.30/debian/build/build_i386_none_686/.config
> CONFIG_SYSTEM_TRUSTED_KEYRING=y
> CONFIG_SECONDARY_TRUSTED_KEYRING=y
That was enabled for Bug #45961 but does not yet work as expected.

Package: linux
Version: 4.9.30-2A~4.2.0.201802141217
Version: 4.9.30-2A~4.2.0.201802142213
Version: 4.9.30-2A~4.2.0.201802142222
Branch: ucs_4.2-0
Scope: errata4.2-3

7f50811963 Bug #46209: Update to linux-4.9.81-ucs109

Package: univention-kernel-image
Version: 10.0.0-12A~4.2.0.201802151039
Branch: ucs_4.2-0
Scope: errata4.2-3

11a3ef7377 Bug #46209: Update to linux-4.9.81-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-16A~4.2.0.201802151124
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: CVE-2017-5753: /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
OK: grep -e TRUSTED_KEYRING /boot/config-4.9.0-ucs109-amd64
OK: git log v4.9.78..v4.9.81 | sed -rne 's/^ *commit ([0-9a-f]{40})\>.*/\1/p' | grep -Ff - ~/REPOS/DEBIAN/security-tracker/data/CVE/list
* CVE-2018-5344
* CVE-2018-1000028
* CVE-2017-16911

4f01026801 Bug #46209: Update to linux-4.9.81-ucs109
 doc/errata/staging/linux.yaml                          | 30 ++++++++++++++++++++++++++++++
 doc/errata/staging/univention-kernel-image-signed.yaml | 30 ++++++++++++++++++++++++++++++
 doc/errata/staging/univention-kernel-image.yaml        | 30 ++++++++++++++++++++++++++++++
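The `git log v4.9.78..v4.9.81 | sed ... | grep -Ff - .../data/CVE/list` check from the comment above, written out as an added Python example (not part of this bug, of the Debian security tracker, or of the UCS build tooling). Both inputs are constructed samples: the 4.9-stable hashes are the ones listed in comment 2, the mainline hashes are placeholders, and the `data/CVE/list` layout (an unindented `CVE-...` line followed by indented `NOTE:` lines) is assumed.

```python
import re

# Constructed, trimmed sample of `git log v4.9.78..v4.9.81` (not a real capture); the
# headers use the 4.9-stable hashes from comment 2, the "upstream" lines placeholders.
GIT_LOG = """\
commit ce601a07bc504b4748f8e7a34896684f79514e51
    usbip: placeholder subject (CVE-2017-16911 backport)
    commit 1111111111111111111111111111111111111111 upstream.
commit f12d0602633decf073796f3aaa59eec7ff2da9e2
    nfsd: placeholder subject (CVE-2018-1000028 backport)
    commit 2222222222222222222222222222222222222222 upstream.
commit 56bc086358cac1a2949783646eabd57447b9d672
    loop: placeholder subject (CVE-2018-5344 backport)
"""
# Constructed excerpt in the assumed layout of the tracker's data/CVE/list (one
# unindented "CVE-..." line per entry, indented detail lines beneath it).
CVE_LIST = """\
CVE-2017-16911 (vhci driver discloses kernel memory addresses)
\tNOTE: https://git.kernel.org/linus/1111111111111111111111111111111111111111
CVE-2018-1000028 (nfsd: improper sorting of GIDs)
\tNOTE: https://git.kernel.org/linus/2222222222222222222222222222222222222222
CVE-2018-5344 (loop: lo_release serialization)
\tNOTE: fixed in 4.9-stable by 56bc086358cac1a2949783646eabd57447b9d672
CVE-2017-17450 (xt_osf: unchecked capabilities)
\tNOTE: https://git.kernel.org/linus/3333333333333333333333333333333333333333
"""
# Same pattern as the sed in the check: the leading " *" makes it match both the
# stable "commit <sha>" header and the indented "commit <sha> upstream." body line.
COMMIT_RE = re.compile(r"^ *commit ([0-9a-f]{40})\b", re.MULTILINE)
HASH_RE = re.compile(r"\b[0-9a-f]{40}\b")

def commits_in_log(git_log):
    """Every hash the sed expression would print for this log (stable and mainline)."""
    return set(COMMIT_RE.findall(git_log))

def parse_cve_list(text):
    """Map each CVE entry to the 40-hex hashes mentioned on any of its lines."""
    entries = {}
    for block in re.split(r"^(?=CVE-\d{4}-\d{4,})", text, flags=re.MULTILINE):
        if block.strip():
            entries[block.split()[0]] = set(HASH_RE.findall(block))
    return entries

def cves_fixed_in_range(git_log, cve_list):
    """The `grep -Ff -` step, but reported per CVE entry instead of per matching line."""
    wanted = commits_in_log(git_log)
    return {cve: hashes & wanted for cve, hashes in parse_cve_list(cve_list).items()
            if hashes & wanted}
```

Because the pattern also picks up the `commit <sha> upstream.` body line of a stable backport, a tracker entry that records only the mainline hash is still matched; the fourth sample entry, whose fix is not in the range, is correctly left out.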
Comment 5 Philipp Hahn univentionstaff 2018-02-16 09:57:49 CET
4.9.82-rc (ETA Sat Feb 17 2018)
 CVE-2017-8824: use-after-free in DCCP code
Comment 6 Philipp Hahn univentionstaff 2018-02-18 11:58:35 CET
Package: linux
Version: 4.9.30-2A~4.2.0.201802181141
Branch: ucs_4.2-0
Comment 7 Philipp Hahn univentionstaff 2018-02-19 09:30:24 CET
Package: univention-kernel-image-signed
Version: 3.0.2-17A~4.2.0.201802190840
Branch: ucs_4.2-0
Scope: errata4.2-3

OK: amd64 @ kvm with SeaBIOS
OK: amd64 @ kvm with OVMF SecureBoot
OK: amd64 @ xen1

4a7b20cde8 Bug #46209: Update to linux-4.9.82-ucs109 YAML
 doc/errata/staging/linux.yaml                          | 9 +++++++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 9 +++++++--
 doc/errata/staging/univention-kernel-image.yaml        | 7 ++++++-
 3 files changed, 20 insertions(+), 5 deletions(-)
Comment 8 Philipp Hahn univentionstaff 2018-02-22 08:49:52 CET
4.9.83 with 77 patched, ETA: Fri Feb 23 12:44:14 UTC 2018
Comment 9 Philipp Hahn univentionstaff 2018-02-23 14:22:02 CET
r18024 | Bug #46209: linux-4.9.83

Package: linux
Version: 4.9.30-2A~4.2.0.201802230925
Branch: ucs_4.2-0
Scope: errata4.2-3

d0cc106946 Bug #46209 linux: Update to linux-4.9.83-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-18A~4.2.0.201802231308
Branch: ucs_4.2-0
Scope: errata4.2-3

b9b67b57f0 Bug #46209: linux-4.9.83
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-

OK: amd64 KVM UEFI-SecureBoot
OK: xen1
Comment 10 Philipp Hahn univentionstaff 2018-02-26 09:47:02 CET
Copied from Bug #46029 comment 10 ..

r18025 | Bug #46209: linux-4.9.84

Package: linux
Version: 4.9.30-2A~4.2.0.201802251630
Branch: ucs_4.2-0
Scope: errata4.2-3

c0a60a76b0 Bug #46029: Update to linux-4.9.84-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-19A~4.2.0.201802260839
Branch: ucs_4.2-0
Scope: errata4.2-3

f06a6b5c96 Bug #46029: Update to linux-4.9.84-ucs109 YAML
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-

OK: amd64 @ xen1
OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+Secure-Boot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
Comment 11 Philipp Hahn univentionstaff 2018-02-28 22:05:15 CET
r18029 | Bug #46209: linux-4.9.85

Package: linux
Version: 4.9.30-2A~4.2.0.201802282204
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 12 Philipp Hahn univentionstaff 2018-03-01 11:33:53 CET
ea80945e9b Bug #46209 kernel: Update to linux-4.9.85-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-20A~4.2.0.201803011023
Branch: ucs_4.2-0
Scope: errata4.2-3

44c759d196 Bug #46209: linux-4.9.85 YAML
 doc/errata/staging/linux.yaml                          | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml        | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

OK: amd64 @ kvm with OVMF SecureBoot
OK: dmesg
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
Comment 13 Philipp Hahn univentionstaff 2018-03-05 15:39:06 CET
r18040 | Bug #46209: linux-4.9.86

Package: linux
Version: 4.9.30-2A~4.2.0.201803051536
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 14 Philipp Hahn univentionstaff 2018-03-06 08:55:27 CET
[4.2-3] d571ec3222 Bug #46209: Update to linux-4.9.86-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-21A~4.2.0.201803060820
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 93e27d5f30 Bug #46209: linux-4.9.86
 doc/errata/staging/linux.yaml                          | 7 +++++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 7 +++++--
 doc/errata/staging/univention-kernel-image.yaml        | 5 ++++-

CVE-2017-18193 fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles

OK: vimdiff <(./linux-dmesg-norm 4.9.0-ucs109-amd64) <(./linux-dmesg-norm 4.9.0-ucs109-amd64.86)
OK: grep . /sys/devices/system/cpu/vulnerabilities/*
OK: amd64 @ kvm + UEFI-OVMF-SecureBoot
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ xen1
Comment 15 Philipp Hahn univentionstaff 2018-03-22 14:15:41 CET
r18061 | Bug #46209: linux-4.9.89

Package: linux
Version: 4.9.30-2A~4.2.0.201803221415
Branch: ucs_4.2-0
Scope: errata4.2-3
Comment 16 Philipp Hahn univentionstaff 2018-03-23 13:03:30 CET
[4.2-3] 2ad68a9f80 Bug #46209: Update to linux-4.9.89-ucs109

Package: univention-kernel-image-signed
Version: 3.0.2-22A~4.2.0.201803231159
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] ad72baa4a8 Bug #46209: linux-4.9.89 YAML
 doc/errata/staging/linux.yaml                          | 5 ++++-
 doc/errata/staging/univention-kernel-image-signed.yaml | 7 +++++--
 doc/errata/staging/univention-kernel-image.yaml        | 5 ++++-

OK: amd64 @ kvm+SeaBIOS
OK: amd64 @ kvm+OVMF+SecureBoot
OK: amd64 @ xen1
OK: cat /proc/version
OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
Comment 17 Arvid Requate univentionstaff 2018-03-29 16:48:43 CEST
* Patches: Ok
* Package update: Ok
* dmesg: Ok
* Advisory: Ok
Comment 18 Arvid Requate univentionstaff 2018-03-29 18:45:47 CEST
Ah, just metadata but could you also have a quick look at this:

======================================================================
arequate@dimma:~$ repo_get_version.py -r 4.2 -s errata4.2-3 -p gcc-4.9
Usage: repo_get_version.py [options]

repo_get_version.py: error: The package does not exist.
======================================================================
Comment 19 Arvid Requate univentionstaff 2018-03-29 18:52:59 CEST
Seems to be a generic issue with the gcc-* package:

arequate@dimma:~$ repo_stat.py gcc-4.9
Version 4.9.2-10        Rev 99267       Date 2017-06-07 05:34:48
        Release 4.2-0-0
Version 4.9.2-10+deb8u1 Rev 123613      Date 2018-02-19 14:30:41
        Release 4.2-0-0 Scope errata4.2-3
arequate@dimma:~$ repo_stat.py gcc-6
Version 6.3.0-18+deb9u1 Rev 123794      Date 2018-02-28 11:55:53
        Release 4.3-0-0
arequate@dimma:~$ repo_get_version.py -r 4.3 -p gcc-6
Usage: repo_get_version.py [options]

repo_get_version.py: error: The package does not exist.
Worked till this version and stopped working in UCS 4.2 / gcc-4.8:

arequate@dimma:~$ repo_get_version.py -r 4.0 -p gcc-4.7
Package: gcc-4.7
Source rev tag : 54980
Current version: 4.7.2-5
Patch path: ~/svn/patches/gcc-4.7/4.0-0-0-ucs/4.7.2-5/
Patch prefix: gcc-4.7-4.7.2