Univention Bugzilla – Bug 44706
linux: Multiple security issues (4.1)
Last modified: 2018-01-12 00:39:17 CET
Linux 4.1.40 fixes at least the following security issues compared to 4.1.38:

* The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (CVE-2017-6951)
* The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (CVE-2017-7187)
* The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7261)
* The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294)
* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (CVE-2017-7472)
* crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue (CVE-2017-7618)
* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (CVE-2017-7645)
* udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (CVE-2016-10229)
* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (CVE-2016-2188)
* An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process (CVE-2016-8405)
* The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity (CVE-2016-9191)
* The built-in keyrings for security tokens can be joined as a session and then modified by the root user (CVE-2016-9604)
* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log (CVE-2017-5549)
* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (CVE-2017-5669)
* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (CVE-2017-7273)
* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (CVE-2017-8924)
* The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel before 4.10.4 allows local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (CVE-2017-8925)
Package: linux
Version: 4.1.6-1.227.201706090945
Branch: ucs_4.1-0
Scope: errata4.1-4

r80108 | Bug #42754 kernel: Update to linux-4.1.40-ucs227

Package: univention-kernel-image-signed
Version: 2.0.0-14.28.201706091801
Branch: ucs_4.1-0
Scope: errata4.1-4

r80109 | Bug #44706: Update to linux-4.1.40-ucs227

Package: univention-kernel-image
Version: 9.0.0-17.126.201706091804
Branch: ucs_4.1-0
Scope: errata4.1-4

QA: diff dmesg-4.1.0-ucs22[27]-amd64
QA: zless /usr/share/doc/linux-image-4.1.0-ucs227-amd64/changelog.Debian.gz

r80111 | Bug #44706: linux-4.1.40
A doc/errata/staging/linux.yaml
A doc/errata/staging/univention-kernel-image-signed.yaml
A doc/errata/staging/univention-kernel-image.yaml
* Upstream patches applied in errata4.1-4:
  https://www.kernel.org/pub/linux/kernel/v4.x/incr/patch-4.1.38-39.gz
  https://www.kernel.org/pub/linux/kernel/v4.x/incr/patch-4.1.39-40.gz
* Package update ok
* Reboot ok, dmesg ok
* Uefi Hardware boot ok
* Advisories ok
<http://errata.software-univention.de/ucs/4.1/433.html>
<http://errata.software-univention.de/ucs/4.1/434.html>
<http://errata.software-univention.de/ucs/4.1/435.html>