Univention Bugzilla – Bug 49020
linux-4.9: Multiple issues (4.2)
Last modified: 2019-03-25 17:02:45 CET
New Debian linux-4.9 4.9.144-3.1~deb8u1A~4.2.5.201903180838 fixes:

This update of the Linux kernel to version 4.9.163 addresses the following issues:

* Null pointer dereference in fs/f2fs/segment.c via mounting fs with noflush_merge option allows local denial of service (CVE-2017-18241)
* Race condition in fs/f2fs/node.c:add_free_nid() function allows local users to cause denial of service (CVE-2017-18249)
* cephx protocol is vulnerable to replay attack (CVE-2018-1128)
* cephx uses weak signatures (CVE-2018-1129)
* cpu: speculative store bypass (CVE-2018-3639)
* IP fragments with random offsets allow a remote denial of service (FragmentSmack) (CVE-2018-5391)
* buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
* irda: Memory leak caused by repeated binds of irda socket (CVE-2018-6554)
* irda: use-after-free vulnerability in the hashbin list (CVE-2018-6555)
* Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740)
* Information exposure in fd_locked_ioctl function in drivers/block/floppy.c (CVE-2018-7755)
* Buffer overflow in hidp_process_report (CVE-2018-9363)
* Use-after-free in drivers/android/binder.c (CVE-2018-9465)
* HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c (CVE-2018-9516)
* use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879)
* stack-out-of-bounds write in ext4_update_inline_data function (CVE-2018-10880)
* stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883)
* MIDI driver race condition leads to a double-free (CVE-2018-10902)
* infinite loop in net/ipv4/cipso_ipv4.c:cipso_v4_optptr() allows for DoS (CVE-2018-10938)
* Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact (CVE-2018-11506)
* Integer overflow in kernel/time/posix-timers.c (CVE-2018-12896)
* Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)
* out-of-bounds memory access in fs/f2fs/super.c (CVE-2018-13096)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13097)
* out-of-bounds memory access in fs/f2fs/inline.c (CVE-2018-13099)
* divide-by-zero in fs/f2fs/super.c (CVE-2018-13100)
* Invalid pointer dereference in fs/btrfs/relocation.c:__del_reloc_root() when mounting crafted btrfs image (CVE-2018-14609)
* Out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image (CVE-2018-14610)
* Use-after-free in try_merge_free_space() when mounting crafted btrfs image (CVE-2018-14611)
* Invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image (CVE-2018-14612)
* Invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image (CVE-2018-14613)
* Out-of-bounds access in fs/f2fs/segment.c:__remove_dirty_segment() when mounting a crafted f2fs image (CVE-2018-14614)
* NULL pointer dereference in fs/crypto/crypto.c:fscrypt_do_page_crypto() when operating on a corrupted f2fs image (CVE-2018-14616)
* NULL pointer dereference in fs/hfsplus/dir.c:hfsplus_lookup() when operating on a file in a crafted hfs+ image (CVE-2018-14617)
* use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)
* stack-based buffer overflow in chap_server_compute_md5() in iscsi target (CVE-2018-14633)
* a bug in ip_frag_reasm() can cause a crash in ip_do_fragment() (CVE-2018-14641)
* Uninitialized state in x86 PV failsafe callback path (XSA-274, CVE-2018-14678)
* net: xen: Linux netback driver OOB access in hash handling (XSA-270, CVE-2018-15471)
* hw: cpu: userspace-userspace spectreRSB attack (CVE-2018-15572)
* Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)
* incorrect bounds checking in yurex_read in drivers/usb/misc/yurex.c (CVE-2018-16276)
* Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)
* cleancache: Infoleak of deleted files after reuse of old inodes (CVE-2018-16862)
* nfs: use-after-free in svc_process_common() (CVE-2018-16884)
* Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation (CVE-2018-17182)
* Unprivileged users able to inspect kernel stacks of arbitrary tasks (CVE-2018-17972)
* Privilege escalation on arm64 via KVM hypervisor (CVE-2018-18021)
* TLB flush happens too late on mremap (CVE-2018-18281)
* filesystem corruption due to an unchecked error condition during an xfs attribute change (CVE-2018-18690)
* Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c (CVE-2018-18710)
* kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c (CVE-2018-19407)
* Use-after-free in sound/usb/card.c:usb_audio_probe() (CVE-2018-19824)
* oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985)
* Mishandled size checks during the reading of an extra descriptor (CVE-2018-20169)
* Memory address exposure in drivers/net/appletalk/ipddp.c:ipddp_ioctl() by users with CAP_NET_ADMIN (CVE-2018-20511)
* Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026)
* Missing check in net/can/gw.c:can_can_gw_rcv() allows a crash by users with CAP_NET_ADMIN (CVE-2019-3701)
* infinite loop in drivers/hid/hid-debug.c:hid_debug_events_read() (CVE-2019-3819)
* fork: record start_time late (CVE-2019-6133)
* KVM: potential use-after-free via kvm_ioctl_create_device() (CVE-2019-6974)
* KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer (CVE-2019-7221)
* KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)
* Memory leak in the kernel_read_file function in fs/exec.c allows causing a denial of service (CVE-2019-8980)
* Lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereference exploits on non-SMAP platforms (CVE-2019-9213)
* Integer overflow in drivers/video/fbdev/uvesafb.c:uvesafb_setcmap() allows for potential denial of service (CVE-2018-13406)
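How an administrator can check whether a host already carries this fix, as an added example that is not part of the bug record and not Univention's or Debian's code: the Python below reimplements the dpkg version-comparison rules (epoch, upstream version and Debian revision compared separately; `~` sorts before anything, even the end of a component; digit runs compare numerically), tests constructed installed-version strings against the fixed package version named above, and pulls the CVE identifiers out of advisory text so they can be reconciled against a vulnerability tracker. `is_fixed`, `extract_cves`, `SAMPLE_ADVISORY` and the installed-version samples are my own names and constructed inputs; on a real host the installed version would be read with `dpkg-query -W -f='${Version}'` for the kernel image package.

```python
"""Compare an installed Debian package version against the fixed version
from the bug record, and list the CVEs an advisory text cites.

Added example, not code from the bug record. The comparison follows the
dpkg algorithm; installed-version strings below are constructed samples.
"""
import re

# Fixed package version quoted in the bug record.
FIXED_VERSION = "4.9.144-3.1~deb8u1A~4.2.5.201903180838"

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _order(c: str) -> int:
    """dpkg character weight used while comparing non-digit runs."""
    if c == "~":
        return -1              # '~' sorts before anything, even end of string
    if c == "" or c.isdigit():
        return 0               # end of string / digit: stops the non-digit run
    if c.isalpha():
        return ord(c)          # letters sort before non-letters
    return ord(c) + 256        # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) the way dpkg does."""
    i = j = 0
    ch = lambda s, k: s[k] if k < len(s) else ""   # '' acts as end of string
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run (or first
        # differing digit) decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed package is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def extract_cves(text: str) -> list:
    """Unique CVE ids from advisory text, ordered by year then number."""
    ids = set(CVE_RE.findall(text))
    return sorted(ids, key=lambda c: tuple(int(p) for p in c.split("-")[1:]))


# Constructed excerpt in the shape of the bug record (one CVE repeated).
SAMPLE_ADVISORY = (
    "* cpu: speculative store bypass (CVE-2018-3639)\n"
    "* IP fragments with random offsets allow a remote denial of service "
    "(FragmentSmack) (CVE-2018-5391)\n"
    "* KVM: nVMX: use-after-free of the hrtimer (CVE-2019-7221)\n"
    "* repeated mention (CVE-2018-5391)\n"
)

if __name__ == "__main__":
    # Constructed installed versions; a real check would read the value
    # from dpkg-query instead.
    for v in ("4.9.130-2~deb8u1A~4.2.3.201811070000",  # older UCS build
              FIXED_VERSION,                            # exactly the fix
              "4.9.144-3.1"):                           # no '~' suffix: sorts above it
        print(f"{v:45s} fixed={is_fixed(v)}")
    print("CVEs cited:", ", ".join(extract_cves(SAMPLE_ADVISORY)))
```

The third sample shows the `~` rule that matters for backports: a plain `4.9.144-3.1` revision sorts above `4.9.144-3.1~deb8u1A~...`, so a version check must compare full dpkg-style strings rather than just the `4.9.144` prefix or the 4.9.163 upstream release number.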
*** This bug has been marked as a duplicate of bug 47905 ***