Bug 46984 - linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.3
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: https://hutten.knut.univention.de/med...
Reported: 2018-05-09 12:47 CEST by Philipp Hahn
Modified: 2018-05-16 17:04 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)


Description Philipp Hahn univentionstaff 2018-05-09 12:47:25 CEST
New Debian linux 4.9.88-1+deb9u1 fixes:
This update of the Linux kernel to version 4.9.88 addresses the following
issues:
* use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c (CVE-2017-17975)
* Mishandled extent trees in fs/f2fs/extent_cache.c can allow a local user to cause a denial of service (CVE-2017-18193)
* Null pointer dereference in fs/ocfs2/cluster/nodemanager.c allows local users to cause denial of service (CVE-2017-18216)
* Use-after-free vulnerability in drivers/net/ethernet/hisilicon/hns/hns_enet.c allows local attacker to cause denial of service (CVE-2017-18218)
* Memory corruption in ethtool_get_strings function in hns driver (CVE-2017-18222)
* race condition due to concurrent access to extent tree in fs/ocfs2/aops.c (CVE-2017-18224)
* Null pointer dereference in fs/f2fs/segment.c via mounting fs with noflush_merge option allows local denial of service (CVE-2017-18241)
* Infinite loop caused by integer overflow in fs/f2fs/data.c:__get_data_block() allows for denial of service (CVE-2017-18257)
* netfilter: xtables NULL pointer dereference in ip6_tables.c:ip6t_do_table() leading to a crash (CVE-2018-1065)
* Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel (CVE-2018-1066)
* Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)
* KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087)
* NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092)
* Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image (CVE-2018-1093)
* drivers: getrandom(2) unblocks too early after system boot (CVE-2018-1108)
* Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service (CVE-2018-5803)
* Double free in block/blk-cgroup.c:blkcg_init_queue() can allow a local user to cause a denial of service (CVE-2018-7480)
* race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566)
* Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)
* Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757)
* Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c (CVE-2018-7995)
* Memory leak in drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)
* Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781)
* Memory corruption in ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c (CVE-2018-8822)
* error in exception handling leads to DoS (CVE-2018-8897)
* Invalid pointer dereference in xfs_bmapi_write() when mounting and operating on crafted xfs image allows denial of service (CVE-2018-10323)
* ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199)

Comment 1 Philipp Hahn univentionstaff 2018-05-09 13:35:14 CEST
Package: univention-kernel-image-signed
Version: 4.0.0-3A~4.3.0.201805091310
Branch: ucs_4.3-0
Scope: errata4.3-0

[4.3-0] 16e5266fdc Bug #46984: linux_4.9.88-1+deb9u1 YAML
 doc/errata/staging/linux.yaml                          |  2 +-
 doc/errata/staging/univention-kernel-image-signed.yaml | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)

[4.3-0] 09d2de9abd Bug #46984: Update to linux-4.9.88
 kernel/univention-kernel-image-signed/debian/changelog                 |   6 ++++++
 kernel/univention-kernel-image-signed/vmlinuz-4.9.0-6-amd64.efi.signed | Bin 4224624 -> 4228720 bytes
 2 files changed, 6 insertions(+)

[4.3-0] bd1bed7490 Bug #46984: linux_4.9.88-1+deb9u1
 doc/errata/staging/linux.yaml | 95 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

OK: apt-get install linux-image-4.9.0-6-amd64 linux-image-4.9.0-6-amd64-signed
OK: amd64 @ kvm-bios
OK: amd64 @ HW
OK: diff <(./linux-dmesg-norm 4.9.0-6-amd64.82) <(./linux-dmesg-norm 4.9.0-6-amd64.88)
 < Spectre V2 : Enabling Indirect Branch Prediction Barrier
 > Spectre V2 : Enabling Restricted Speculation for firmware calls
 > Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
FYI: As there is no API change in the Debian Linux package, the package is still named the same and thus there is no need to update univention-kernel-image.
Comment 2 Arvid Requate univentionstaff 2018-05-15 10:41:49 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update and reboot Ok
* Advisories Ok