Bug 47894 - linux: Multiple issues (4.3)
linux: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-02 08:44 CEST by Quality Assurance
Modified: 2018-10-04 14:27 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-10-02 08:44:12 CEST
New Debian linux 4.9.110-3+deb9u5 fixes:
This update addresses the following issues:
* irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554)
* irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555)
* Information exposure in fd_locked_ioctl function in drivers/block/floppy.c  (CVE-2018-7755)
* Buffer overflow in hidp_process_report (CVE-2018-9363)
* HID: debug: Buffer overflow in hid_debug_events_read() in  drivers/hid/hid-debug.c (CVE-2018-9516)
* MIDI driver race condition leads to a double-free (CVE-2018-10902)
* infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS  (CVE-2018-10938)
* out-of-bounds memory access in fs/f2fs/inline.c (CVE-2018-13099)
* Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root()  when mounting crafted btrfs image (CVE-2018-14609)
* NULL pointer dereference in fs/hfsplus/dir.c:hfsplus_lookup() when  operating on a file in a crafted hfs+ image (CVE-2018-14617)
* stack-based buffer overflow in chap_server_compute_md5() in iscsi target  (CVE-2018-14633)
* Uninitialized state in x86 PV failsafe callback path (XSA-274)  (CVE-2018-14678)
* use-after-free in ucma_leave_multicast in drivers/infiniband/core/ucma.c  (CVE-2018-14734)
* hw: cpu: userspace-userspace spectreRSB attack (CVE-2018-15572)
* Mishandling of indirect calls weakens Spectre mitigation for paravirtual  guests (CVE-2018-15594)
* incorrect bounds checking in yurex_read in drivers/usb/misc/yurex.c  (CVE-2018-16276)
* Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)
* Use-after-free in the vmacache_flush_all function resulting in a possible  privilege escalation (CVE-2018-17182)
Comment 1 Quality Assurance univentionstaff 2018-10-02 09:01:13 CEST
--- mirror/ftp/4.3/unmaintained/4.3-2/source/linux_4.9.110-3+deb9u4.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/linux_4.9.110-3+deb9u5.dsc
@@ -1,3 +1,37 @@
+4.9.110-3+deb9u5 [Sun, 30 Sep 2018 17:37:51 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  [ Salvatore Bonaccorso ]
+  * irda: Fix memory leak caused by repeated binds of irda socket
+    (CVE-2018-6554)
+  * irda: Only insert new objects into the global database via setsockopt
+    (CVE-2018-6555)
+  * mm: get rid of vmacache_flush_all() entirely (CVE-2018-17182)
+  * floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+    (CVE-2018-7755)
+  * Bluetooth: hidp: buffer overflow in hidp_process_report (CVE-2018-9363)
+  * ALSA: rawmidi: Change resized buffers atomically (CVE-2018-10902)
+  * scsi: target: iscsi: Use hex2bin instead of a re-implementation
+    (CVE-2018-14633)
+  * [x86] entry/64: Remove %ebx handling from error_entry/exit
+    (CVE-2018-14678)
+  * infiniband: fix a possible use-after-free bug (CVE-2018-14734)
+  * [x86] speculation: Protect against userspace-userspace spectreRSB
+    (CVE-2018-15572)
+  * [x86] paravirt: Fix spectre-v2 mitigations for paravirt guests
+    (CVE-2018-15594)
+
+  [ Ben Hutchings ]
+  * mm: Avoid ABI change for CVE-2018-17182 fix
+  * HID: debug: check length before copy_to_user() (CVE-2018-9516)
+  * Cipso: cipso_v4_optptr enter infinite loop (CVE-2018-10938)
+  * f2fs: fix to do sanity check with reserved blkaddr of inline inode
+    (CVE-2018-13099)
+  * btrfs: relocation: Only remove reloc rb_trees if reloc control has been
+    initialized (CVE-2018-14609)
+  * hfsplus: fix NULL dereference in hfsplus_lookup() (CVE-2018-14617)
+  * USB: yurex: fix out-of-bounds uaccess in read handler (CVE-2018-16276)
+  * cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (CVE-2018-16658)
+
 4.9.110-3+deb9u4 [Tue, 21 Aug 2018 16:50:09 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * init: rename and re-order boot_cpu_state_init()

<http://10.200.17.11/4.3-2/#5024331900875433010>
Comment 2 Philipp Hahn univentionstaff 2018-10-02 11:07:39 CEST
4.3-2] 28dba5a72f Bug #47894: Update to linux-4.9.110-3+deb9u5
 .../debian/changelog                               |   6 ++++++
 .../univention-kernel-image-signed/debian/control  |   4 ++--
 .../vmlinuz-4.9.0-8-amd64.efi.signed               | Bin 4241008 -> 4241008 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)

Package: univention-kernel-image-signed
Version: 4.0.0-7A~4.3.0.201810021026
Branch: ucs_4.3-0
Scope: errata4.3-2

[4.3-2] 23a48fbbae Bug #47894: univention-kernel-image-signed 4.0.0-7A~4.3.0.201810021026
 doc/errata/staging/linux.yaml                      |  1 +
 .../staging/univention-kernel-image-signed.yaml    | 58 ++++++++++++++++++++++
 2 files changed, 59 insertions(+)

OK: diff <(./linux-dmesg-norm 4.9.0-8-amd64.4.9.110-3+deb9u4) <(./linux-dmesg-norm 4.9.0-8-amd64.4.9.110-3+deb9u5)
OK: amd64 KVM SeaBIOS
OK: amd64 KVM OVMF+SecureBoot
OK: amd64 xen16