Univention Bugzilla – Bug 47905
linux-4.9: Multiple issues (4.2)
Last modified: 2019-03-27 16:44:45 CET
New Debian linux-4.9 4.9.110-3+deb9u5~deb8u1 fixes:

This update addresses the following issues:
* irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554)
* irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555)
* Buffer overflow in hidp_process_report (CVE-2018-9363)
* HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c (CVE-2018-9516)
* MIDI driver race condition leads to a double-free (CVE-2018-10902)
* infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS (CVE-2018-10938)
* Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image (CVE-2018-14609)
* NULL pointer dereference in fs/hfsplus/dir.c:hfsplus_lookup() when operating on a file in a crafted hfs+ image (CVE-2018-14617)
* stack-based buffer overflow in chap_server_compute_md5() in iscsi target (CVE-2018-14633)
* Uninitialized state in x86 PV failsafe callback path (XSA-274) (CVE-2018-14678)
* use-after-free in ucma_leave_multicast in drivers/infiniband/core/ucma.c (CVE-2018-14734)
* hw: cpu: userspace-userspace spectreRSB attack (CVE-2018-15572)
* Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)
* incorrect bounds checking in yurex_read in drivers/usb/misc/yurex.c (CVE-2018-16276)
* Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)
* Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation (CVE-2018-17182)
--- mirror/ftp/4.2/unmaintained/4.2-5/source/linux-4.9_4.9.110-3+deb9u4~deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/linux-4.9_4.9.110-3+deb9u5~deb8u1.dsc 
@@ -1,3 +1,41 @@ +4.9.110-3+deb9u5~deb8u1 [Wed, 03 Oct 2018 05:27:59 +0100] Ben Hutchings <ben@decadent.org.uk>: + + * Backport to jessie; no further changes required + +4.9.110-3+deb9u5 [Sun, 30 Sep 2018 17:37:51 +0100] Ben Hutchings <ben@decadent.org.uk>: + + [ Salvatore Bonaccorso ] + * irda: Fix memory leak caused by repeated binds of irda socket + (CVE-2018-6554) + * irda: Only insert new objects into the global database via setsockopt + (CVE-2018-6555) + * mm: get rid of vmacache_flush_all() entirely (CVE-2018-17182) + * floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl + (CVE-2018-7755) + * Bluetooth: hidp: buffer overflow in hidp_process_report (CVE-2018-9363) + * ALSA: rawmidi: Change resized buffers atomically (CVE-2018-10902) + * scsi: target: iscsi: Use hex2bin instead of a re-implementation + (CVE-2018-14633) + * [x86] entry/64: Remove %ebx handling from error_entry/exit + (CVE-2018-14678) + * infiniband: fix a possible use-after-free bug (CVE-2018-14734) + * [x86] speculation: Protect against userspace-userspace spectreRSB + (CVE-2018-15572) + * [x86] paravirt: Fix spectre-v2 mitigations for paravirt guests + (CVE-2018-15594) + + [ Ben Hutchings ] + * mm: Avoid ABI change for CVE-2018-17182 fix + * HID: debug: check length before copy_to_user() (CVE-2018-9516) + * Cipso: cipso_v4_optptr enter infinite loop (CVE-2018-10938) + * f2fs: fix to do sanity check with reserved blkaddr of inline inode + (CVE-2018-13099) + * btrfs: relocation: Only remove reloc rb_trees if reloc control has been + initialized (CVE-2018-14609) + * hfsplus: fix NULL dereference in hfsplus_lookup() (CVE-2018-14617) + * USB: yurex: fix out-of-bounds uaccess in read handler (CVE-2018-16276) + * cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (CVE-2018-16658) + 4.9.110-3+deb9u4~deb8u1 [Fri, 24 Aug 2018 05:35:55 +0100] Ben Hutchings <ben@decadent.org.uk>: * Backport to jessie: <http://10.200.17.11/4.2-5/#4892036252960162822>
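Review bot: The added 4.9.110-3+deb9u5 changelog block names CVE-2018-7755 (floppy: FDGETPRM ioctl) and CVE-2018-13099 (f2fs: reserved blkaddr of inline inode), but neither id appears in the issue list of the description above. Add both to the erratum text so the advisory matches what the source package fixes. The other sixteen CVE ids in the hunk each have a matching entry in that list.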
r18396 | Bug #47905: linux-4.9.110+148
r18397 | Bug #47905: linux-4.9.110+148
r18403 | Bug #47905: linux-4.9.110+149

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901100845
Branch: ucs_4.2-0
Scope: errata4.2-5
r18405 | Bug #47905: linux-4.9.110+150
v4.9.122 - v4.9.150:
fork: record start_time late (CVE-2019-6133)
use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)
Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation (CVE-2018-17182)
Information exposure in fd_locked_ioctl function in drivers/block/floppy.c (CVE-2018-7755)
use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)
filesystem corruption due to an unchecked error condition during an xfs attribute change (CVE-2018-18690)
irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555)
infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS (CVE-2018-10938)
stack-based buffer overflow in chap_server_compute_md5() in iscsi target (CVE-2018-14633)
Uninitialized state in x86 PV failsafe callback path (XSA-274, CVE-2018-14678)
stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)
Use-after-free in drivers/android/binder.c (CVE-2018-9465)
net: xen: Linux netback driver OOB access in hash handling (XSA-270, CVE-2018-15471)
Mishandled size checks during the reading of an extra descriptor (CVE-2018-20169)
Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact (CVE-2018-11506)
cephx protocol is vulnerable to replay attack (CVE-2018-1128)
cleancache: Infoleak of deleted files after reuse of old inodes (CVE-2018-16862)
Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972)
stack-out-of-bounds write in ext4_update_inline_data function (CVE-2018-10880)
Privilege escalation on arm64 via KVM hypervisor (CVE-2018-18021)
Null pointer dereference in fs/f2fs/segment.c via mounting fs with noflush_merge option allows local denial of service (CVE-2017-18241)
a bug in ip_frag_reasm() can cause a crash in ip_do_fragment() (CVE-2018-14641)
cephx uses weak signatures (CVE-2018-1129)
TLB flush happens too late on mremap (CVE-2018-18281)
Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)
Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c (CVE-2018-18710)
Race condition in fs/f2fs/node.c:add_free_nid() function allows local users to cause denial of service (CVE-2017-18249)
buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554)

FYI: I tried to match the git commits from 4.9 to the upstream git commits to a list of CVE entries. After that I removed all those entries already fixed by previous UCS errata releases. The list might miss some CVEs.

[4.2-5] cf2c910f37 Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.2019011410370-ucs110
 .../debian/changelog | 6 ++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4099056 -> 4106320 bytes
 2 files changed, 6 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-33A~4.2.0.201901141603
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] 8f9e2e84f7 Bug #47905: linux-4.9 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901141037
 doc/errata/staging/linux-4.9.yaml | 69 +++++++++++--
 .../staging/univention-kernel-image-signed.yaml | 109 +++++++++++++++++++++
 2 files changed, 172 insertions(+), 6 deletions(-)

OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: uname -a # Linux master42 4.9.0-ucs110-amd64 #1 SMP Debian 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901141037 (2019- x86_64 GNU/Linux
OK: i386 @ kvm + SeaBIOS
OK: Linux qa31-ucs42 4.9.0-ucs110-686-pae #1 SMP Debian 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901141037 (2019- i686 GNU/Linux
r18411 | Bug #47905: linux-4.9.110+152 CVE-2019-3701
r18418 | Bug #47905: linux-4.9.110+153

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901280853
Branch: ucs_4.2-0
Scope: errata4.2-5
r18411 | Bug #47905: linux-4.9.110+152
r18418 | Bug #47905: linux-4.9.110+153
r18440 | Bug #47905: linux-4.9.110+156
r18472 | Bug #47905: linux-4.9.110+158

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902151158
Branch: ucs_4.2-0
Scope: errata4.2-5

CVE-2019-3819 4.9.157
CVE-2019-7222 4.9.156
CVE-2019-7221 4.9.156
CVE-2019-6974 4.9.156
CVE-2019-3701 4.9.152
CVE-2018-16884 4.9.151

[4.2-5] ce58c18639 Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.201902151158-ucs110
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4106320 -> 4113552 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-34A~4.2.0.201902151531
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] 598d3b5a35 Bug #47905: univention-kernel-image-signed 3.0.2-34A~4.2.0.201902151531
 Bug #47905: linux-4.9 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902151158
 doc/errata/staging/linux-4.9.yaml | 17 ++++++++++++++++-
 doc/errata/staging/univention-kernel-image-signed.yaml | 17 ++++++++++++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)

OK: uname -rv
 OLD: 4.9.0-ucs110-amd64 #1 SMP Debian 4.9.110-3+deb9u5~deb8u1A~4.2.0.201901141037 (2019-
 NEW: 4.9.0-ucs110-amd64 #1 SMP Debian 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902151158 (2019-
OK: sed -ne 3p /boot/config-`uname -r` # Linux/x86 4.9.158 Kernel Configuration
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
r18491 | Bug #47905: linux-4.9.110+159
r18492 | Bug #47905: linux-4.9.110+159

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902201318
Branch: ucs_4.2-0-errata4.2-5
Scope: errata4.2-5

[4.2-5] daf0f8694f Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.201902201318-ucs110
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4113552 -> 4113232 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-35A~4.2.0.201902210903
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] ffead1ec3e Bug #47905: univention-kernel-image-signed 3.0.2-35A~4.2.0.201902210903
 Bug #47905: linux-4.9 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902201318
 doc/errata/staging/linux-4.9.yaml | 5 ++++-
 doc/errata/staging/univention-kernel-image-signed.yaml | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

OK: diff <(./linux-dmesg-norm 4.9.158) <(./linux-dmesg-norm 4.9.159)
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
Several issues were already fixed by <http://errata.software-univention.de/ucs/4.2/494.html> (Bug #47063, 4.9.89→122) but were not attributed correctly in that erratum.

Debian now performs 4.9.40→110 plus selected fixes including
 CVE-2018-9363 v4.9.121~3
 CVE-2018-9516 v4.9.112~14
 CVE-2018-10902 v4.9.115~24
 CVE-2018-15572 v4.9.120~90
 CVE-2018-15594 v4.9.120~91
 CVE-2018-16276 v4.9.113~19
so they are listed in comment #1 as being fixed now, but our previous 122 already fixed them. I include them here anyway so those issues are documented as fixed and are searchable by web-crawlers.

The following issues were missing in the YAML file:
 CVE-2018-3639 v4.9.144~43
 CVE-2018-5391 v4.9.134~29..v4.9.134~3
 CVE-2018-7740 v4.9.144~39
 CVE-2018-12896 v4.9.136~1
 CVE-2018-13053 v4.9.131~70
 CVE-2018-13096 v4.9.144~8
 CVE-2018-13097 v4.9.144~10
 CVE-2018-13099 v4.9.128~21
 CVE-2018-13100 v4.9.144~11
 CVE-2018-14610 v4.9.144~23
 CVE-2018-14611 v4.9.144~38
 CVE-2018-14612 v4.9.144~24
 CVE-2018-14613 v4.9.144~25
 CVE-2018-14614 v4.9.144~3
 CVE-2018-14616 v4.9.144~5
 CVE-2018-19407 v4.9.143~30
 CVE-2018-19824 v4.9.145~28
 CVE-2018-19985 v4.9.148~19
 CVE-2018-20511 v4.9.130~24

[4.2-5] ef01e375ea Bug #47905: univention-kernel-image-signed 3.0.2-35A~4.2.0.201902210903
 Bug #47905: linux-4.9 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902201318
 doc/errata/staging/linux-4.9.yaml | 51 +++++++++++++++++++++-
 .../staging/univention-kernel-image-signed.yaml | 51 +++++++++++++++++++++-
 2 files changed, 100 insertions(+), 2 deletions(-)
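Added example (not part of the bug report or of Univention's tooling): a shell sketch that turns the "CVE vX.Y.Z~N" entries used in the comments above into the stable release that ships each fix and compares it with a kernel's upstream patch level, which the package version string (4.9.110-3+deb9u5...) does not reveal. The function names are hypothetical, the sample entries are copied from this bug, and reading "vX.Y.Z~N" as `git describe --contains` output is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# Constructed sample: a few CVE -> fixed-in entries copied from the comments
# above, in the two notations they use.
FIXED_IN='CVE-2018-3639 v4.9.144~43
CVE-2018-5391 v4.9.134~29..v4.9.134~3
CVE-2018-13099 v4.9.128~21
CVE-2019-3819 4.9.157
CVE-2019-3701 4.9.152'

# Reduce a reference to the stable release that ships the fix: keep the end
# of an "a..b" range, drop the leading "v" and the "~N" ancestor suffix.
# Assumption: "vX.Y.Z~N" is `git describe --contains` output, i.e. the commit
# is an ancestor of tag vX.Y.Z and is therefore first released in X.Y.Z.
release_of() {
    printf '%s\n' "$1" | sed -e 's/^.*\.\.//' -e 's/^v//' -e 's/~.*$//'
}

# Upstream patch level from line 3 of a kernel config file, e.g.
# "# Linux/x86 4.9.158 Kernel Configuration" (the QA check used in this bug).
upstream_level() {
    sed -ne '3s|^# Linux/[^ ]* \([0-9][0-9.]*\) Kernel Configuration$|\1|p' "$1"
}

# Succeeds if dotted version $1 >= $2, comparing fields numerically
# (a string comparison would rank 4.9.99 above 4.9.110).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "CVE fixed|MISSING release" for every entry, given upstream level $1.
audit() {
    printf '%s\n' "$FIXED_IN" | while read -r cve ref; do
        rel=$(release_of "$ref")
        if version_ge "$1" "$rel"; then state=fixed; else state=MISSING; fi
        printf '%s %s %s\n' "$cve" "$state" "$rel"
    done
}

# Default level is the 4.9.158 reported by the QA check in this bug; on a live
# system pass "$(upstream_level "/boot/config-$(uname -r)")" instead.
audit "${1:-4.9.158}"
```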
r18493 | Bug #47905: linux-4.9.110+160

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902251106
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] 2e6f39f8aa Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.201902251106-ucs110
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4113232 -> 4104464 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-36A~4.2.0.201902251428
Branch: ucs_4.2-0
Scope: errata4.2-5

OK: diff <(./linux-dmesg-norm 4.9.159) <(./linux-dmesg-norm 4.9.160)
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
OK: amd64 @ lynx

r18497 | Bug #47905: linux-4.9.110+161

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201902281323
Branch: ucs_4.2-0-errata4.2-5
Scope: errata4.2-5

[4.2-5] 9acd60d979 Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.201902281323-ucs110
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4104464 -> 4109904 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-37A~4.2.0.201903011021
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] 494df430f2 Bug #47905: linux-4.9 4.9.161
 doc/errata/staging/linux-4.9.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
r18500 | Bug #47905: linux-4.9.110+162
r18501 | Bug #47905: linux-4.9.110+162 fixup
(In reply to Philipp Hahn from comment #12)
> r18501 | Bug #47905: linux-4.9.110+162 fixup

master had the following patches:
 v4.13-rc1~62^2~61: mm/mmap.c: expand_downwards: don't require the gap if !vm_prev
 v5.0~14: mm: enforce min addr even if capable() in expand_downwards()
4.9 only has the 2nd patch:
 v4.9.162~2: mm: enforce min addr even if capable() in expand_downwards()
The 1st patch is only carried by Debian as a backport:
 debian/patches/bugfix/all/mm-mmap.c-expand_downwards-don-t-require-the-gap-if-.patch

r18503 | Bug #47905: linux-4.9.163
r18504 | Bug #47905: linux-4.9.110+163 2

Package: linux-4.9
Version: 4.9.110-3+deb9u5~deb8u1A~4.2.0.201903151513
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] 67bdf71ac9 Bug #47905: Update to linux-4.9.110-3+deb9u5~deb8u1A~4.2.0.201903151513-ucs110
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4109904 -> 4109008 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-38A~4.2.0.201903151901
Branch: ucs_4.2-0
Scope: errata4.2-5

OK: diff <(./linux-dmesg-norm 4.9.161) <(./linux-dmesg-norm 4.9.163)
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
SKIPPED: amd64 @ lynx
r18507 | Bug #47905: linux-4.9.163
r18508 | Bug #47905: linux-4.9.163

Package: linux-4.9
Version: 4.9.144-3.1~deb8u1A~4.2.0.201903190757
Branch: ucs_4.2-0
Scope: errata4.2-5
*** Bug 49020 has been marked as a duplicate of this bug. ***
r18509 | Bug #47905: linux-4.9.163
r18510 | Bug #47905: linux-4.9.163

Package: linux-4.9
Version: 4.9.144-3.1~deb8u1A~4.2.0.201903191037
Branch: ucs_4.2-0
Scope: errata4.2-5

4.9.164 is scheduled for tomorrow

r18511 | Bug #47905: linux-4.9.164

Package: linux-4.9
Version: 4.9.144-3.1~deb8u1A~4.2.0.201903191858
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] f5fe26d7b4 Bug #47905: Update to linux-4.9.144-3.1~deb8u1A~4.2.0.201903191858-ucs111
 .../univention-kernel-image-signed/debian/changelog | 7 +++++++
 kernel/univention-kernel-image-signed/debian/control | 10 +++++-----
 .../vmlinuz-4.9.0-ucs110-amd64.efi.signed | Bin 4109008 -> 0 bytes
 .../vmlinuz-4.9.0-ucs111-amd64.efi.signed | Bin 0 -> 4107312 bytes
 4 files changed, 12 insertions(+), 5 deletions(-)

Package: univention-kernel-image-signed
Version: 3.0.2-39A~4.2.0.201903201657
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] b0cefeb8ba Bug #47905: Update to linux-4.9.144-ucs111
 kernel/univention-kernel-image/debian/changelog | 6 ++++++
 kernel/univention-kernel-image/debian/copyright | 2 +-
 kernel/univention-kernel-image/debian/rules | 4 ++--
 .../univention-kernel-image/debian/univention-kernel-image.postinst | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

Package: univention-kernel-image
Version: 10.0.0-14A~4.2.0.201903201704
Branch: ucs_4.2-0
Scope: errata4.2-5

OK: errata-announce -V --only *.yaml
OK: apt install univention-kernel-image=10.0.0-14A~4.2.0.201903201704
OK: diff <(./linux-dmesg-norm 4.9.163) <(./linux-dmesg-norm 4.9.164)
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
SKIPPED: amd64 @ lynx
r18529 | Bug #47905: linux-4.9.165

Package: linux-4.9
Version: 4.9.144-3.1~deb8u1A~4.2.0.201903260900
Branch: ucs_4.2-0
Scope: errata4.2-5

stable review cycle 4.9.166: 30 patches -> Thu Mar 28 04:25:51 UTC 2019

[4.2-5] 75d62f0ebf Bug #47905: Update to linux-4.9.144-3.1~deb8u1A~4.2.0.201903260900-ucs111
 .../debian/changelog | 7 +++++++
 .../vmlinuz-4.9.0-ucs111-amd64.efi.signed | Bin 4107312 -> 4106416 bytes
 2 files changed, 7 insertions(+)

Package: univention-kernel-image-signed
Version: 3.0.2-40A~4.2.0.201903261206
Branch: ucs_4.2-0
Scope: errata4.2-5

[4.2-5] ba754b58d2 Bug #47905: linux-4.9 4.9.144-3.1~deb8u1A~4.2.0.201903260900
 doc/errata/staging/linux-4.9.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image-signed.yaml | 4 ++--
 doc/errata/staging/univention-kernel-image.yaml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

OK: errata-announce -V --only *.yaml
OK: apt install univention-kernel-image=10.0.0-14A~4.2.0.201903201704
OK: diff <(./linux-dmesg-norm 4.9.164) <(./linux-dmesg-norm 4.9.165)
OK: cat /sys/kernel/security/securelevel
OK: amd64 @ kvm + OVMF+SB
OK: amd64 @ kvm + SeaBIOS
OK: i386 @ kvm + SeaBIOS
OK: amd64 @ lynx2

Verified:
* New upstream source package: linux-4.9
* Patches merged from linux/4.2-0-0-ucs/4.9.30-2-errata4.2-4 to linux-4.9/4.2-0-0-ucs/4.9.144-3.1~deb8u1-errata4.2-5
* 10_backport.patch - OK
** New source package uses gcc-4.9 by default, so that has been removed from 10_backport
** New source package has Build-Depends on dh-systemd by default
* abiname_part adjusted in 14_ucs_version.patch
* New patches same as https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/incr/
* 61_patch-4.9.155_fixup.patch - OK, fixes patch context
* r18501 : 61_patch-4.9.162_fixup.patch - OK, fixes patch context
* 60_debian-patches-reverts.quilt and 60_debian-patches-reverts.patch - OK
* Packages installation: OK
* Boot on amd64 hardware: OK
* Advisories: OK

442afc0cba | Sort CVE list
<http://errata.software-univention.de/ucs/4.2/628.html>
<http://errata.software-univention.de/ucs/4.2/629.html>
<http://errata.software-univention.de/ucs/4.2/630.html>