Univention Bugzilla – Bug 47894
linux: Multiple issues (4.3)
Last modified: 2018-10-04 14:27:53 CEST
New Debian linux 4.9.110-3+deb9u5 fixes: This update addresses the following issues: * irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554) * irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555) * Information exposure in fd_locked_ioctl function in drivers/block/floppy.c (CVE-2018-7755) * Buffer overflow in hidp_process_report (CVE-2018-9363) * HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c (CVE-2018-9516) * MIDI driver race condition leads to a double-free (CVE-2018-10902) * infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS (CVE-2018-10938) * out-of-bounds memory access in fs/f2fs/inline.c (CVE-2018-13099) * Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image (CVE-2018-14609) * NULL pointer dereference in fs/hfsplus/dir.c:hfsplus_lookup() when operating on a file in a crafted hfs+ image (CVE-2018-14617) * stack-based buffer overflow in chap_server_compute_md5() in iscsi target (CVE-2018-14633) * Uninitialized state in x86 PV failsafe callback path (XSA-274) (CVE-2018-14678) * use-after-free in ucma_leave_multicast in drivers/infiniband/core/ucma.c (CVE-2018-14734) * hw: cpu: userspace-userspace spectreRSB attack (CVE-2018-15572) * Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594) * incorrect bounds checking in yurex_read in drivers/usb/misc/yurex.c (CVE-2018-16276) * Information leak in cdrom_ioctl_drive_status (CVE-2018-16658) * Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation (CVE-2018-17182)
--- mirror/ftp/4.3/unmaintained/4.3-2/source/linux_4.9.110-3+deb9u4.dsc +++ apt/ucs_4.3-0-errata4.3-2/source/linux_4.9.110-3+deb9u5.dsc @@ -1,3 +1,37 @@ +4.9.110-3+deb9u5 [Sun, 30 Sep 2018 17:37:51 +0100] Ben Hutchings <ben@decadent.org.uk>: + + [ Salvatore Bonaccorso ] + * irda: Fix memory leak caused by repeated binds of irda socket + (CVE-2018-6554) + * irda: Only insert new objects into the global database via setsockopt + (CVE-2018-6555) + * mm: get rid of vmacache_flush_all() entirely (CVE-2018-17182) + * floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl + (CVE-2018-7755) + * Bluetooth: hidp: buffer overflow in hidp_process_report (CVE-2018-9363) + * ALSA: rawmidi: Change resized buffers atomically (CVE-2018-10902) + * scsi: target: iscsi: Use hex2bin instead of a re-implementation + (CVE-2018-14633) + * [x86] entry/64: Remove %ebx handling from error_entry/exit + (CVE-2018-14678) + * infiniband: fix a possible use-after-free bug (CVE-2018-14734) + * [x86] speculation: Protect against userspace-userspace spectreRSB + (CVE-2018-15572) + * [x86] paravirt: Fix spectre-v2 mitigations for paravirt guests + (CVE-2018-15594) + + [ Ben Hutchings ] + * mm: Avoid ABI change for CVE-2018-17182 fix + * HID: debug: check length before copy_to_user() (CVE-2018-9516) + * Cipso: cipso_v4_optptr enter infinite loop (CVE-2018-10938) + * f2fs: fix to do sanity check with reserved blkaddr of inline inode + (CVE-2018-13099) + * btrfs: relocation: Only remove reloc rb_trees if reloc control has been + initialized (CVE-2018-14609) + * hfsplus: fix NULL dereference in hfsplus_lookup() (CVE-2018-14617) + * USB: yurex: fix out-of-bounds uaccess in read handler (CVE-2018-16276) + * cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (CVE-2018-16658) + 4.9.110-3+deb9u4 [Tue, 21 Aug 2018 16:50:09 +0200] Salvatore Bonaccorso <carnil@debian.org>: * init: rename and re-order boot_cpu_state_init() <http://10.200.17.11/4.3-2/#5024331900875433010>
4.3-2] 28dba5a72f Bug #47894: Update to linux-4.9.110-3+deb9u5 .../debian/changelog | 6 ++++++ .../univention-kernel-image-signed/debian/control | 4 ++-- .../vmlinuz-4.9.0-8-amd64.efi.signed | Bin 4241008 -> 4241008 bytes 3 files changed, 8 insertions(+), 2 deletions(-) Package: univention-kernel-image-signed Version: 4.0.0-7A~4.3.0.201810021026 Branch: ucs_4.3-0 Scope: errata4.3-2 [4.3-2] 23a48fbbae Bug #47894: univention-kernel-image-signed 4.0.0-7A~4.3.0.201810021026 doc/errata/staging/linux.yaml | 1 + .../staging/univention-kernel-image-signed.yaml | 58 ++++++++++++++++++++++ 2 files changed, 59 insertions(+) OK: diff <(./linux-dmesg-norm 4.9.0-8-amd64.4.9.110-3+deb9u4) <(./linux-dmesg-norm 4.9.0-8-amd64.4.9.110-3+deb9u5) OK: amd64 KVM SeaBIOS OK: amd64 KVM OVMF+SecureBoot OK: amd64 xen16
<http://errata.software-univention.de/ucs/4.3/263.html> <http://errata.software-univention.de/ucs/4.3/264.html>