Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.1335 linux kernel security update 2 May 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: kernel Publisher: Debian Operating System: Debian GNU/Linux 9 Impact/Access: Root Compromise -- Existing Account Execute Arbitrary Code/Commands -- Existing Account Access Privileged Data -- Existing Account Denial of Service -- Remote with User Interaction Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2018-1000199 CVE-2018-10323 CVE-2018-8822 CVE-2018-8781 CVE-2018-8087 CVE-2018-7995 CVE-2018-7757 CVE-2018-7740 CVE-2018-7566 CVE-2018-7480 CVE-2018-5803 CVE-2018-1108 CVE-2018-1093 CVE-2018-1092 CVE-2018-1068 CVE-2018-1066 CVE-2018-1065 CVE-2017-18257 CVE-2017-18241 CVE-2017-18224 CVE-2017-18222 CVE-2017-18218 CVE-2017-18216 CVE-2017-18193 CVE-2017-17975 CVE-2017-5753 CVE-2017-5715 Reference: ASB-2018.0009 ASB-2018.0002.4 ESB-2018.0044 ESB-2018.0042.2 Original Bulletin: http://www.debian.org/security/2018/dsa-4188 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4188-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 01, 2018 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution. CVE-2017-5753 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function. More use sites will be added over time. CVE-2017-17975 Tuba Yavuz reported a use-after-free flaw in the USBTV007 audio-video grabber driver. A local user could use this for denial of service by triggering failure of audio registration. CVE-2017-18193 Yunlei He reported that the f2fs implementation does not properly handle extent trees, allowing a local user to cause a denial of service via an application with multiple threads. CVE-2017-18216 Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service. CVE-2017-18218 Jun He reported a user-after-free flaw in the Hisilicon HNS ethernet driver. A local user could use this for denial of service. CVE-2017-18222 It was reported that the Hisilicon Network Subsystem (HNS) driver implementation does not properly handle ethtool private flags. A local user could use this for denial of service or possibly have other impact. CVE-2017-18224 Alex Chen reported that the OCFS2 filesystem omits the use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode. A local user could use this for denial of service. CVE-2017-18241 Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service. CVE-2017-18257 It was reported that the f2fs implementation is prone to an infinite loop caused by an integer overflow in the __get_data_block() function. A local user can use this for denial of service via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. CVE-2018-1065 The syzkaller tool found a NULL pointer dereference flaw in the netfilter subsystem when handling certain malformed iptables rulesets. A local user with the CAP_NET_RAW or CAP_NET_ADMIN capability (in any user namespace) could use this to cause a denial of service. Debian disables unprivileged user namespaces by default. CVE-2018-1066 Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service. CVE-2018-1068 The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default. CVE-2018-1092 Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service. CVE-2018-1093 Wen Xu reported that a crafted ext4 filesystem image could trigger an out-of-bounds read in the ext4_valid_block_bitmap() function. A local user able to mount arbitrary filesystems could use this for denial of service. CVE-2018-1108 Jann Horn reported that crng_ready() does not properly handle the crng_init variable states and the RNG could be treated as cryptographically safe too early after system boot. CVE-2018-5803 Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service. CVE-2018-7480 Hou Tao discovered a double-free flaw in the blkcg_init_queue() function in block/blk-cgroup.c. A local user could use this to cause a denial of service or have other impact. CVE-2018-7566 Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation. CVE-2018-7740 Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service. CVE-2018-7757 Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service. CVE-2018-7995 Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact. CVE-2018-8087 A memory leak flaw was found in the hwsim_new_radio_nl() function in the simulated radio testing tool driver for mac80211, allowing a local user to cause a denial of service. CVE-2018-8781 Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation. CVE-2018-8822 Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client. CVE-2018-10323 Wen Xu reported a NULL pointer dereference flaw in the xfs_bmapi_write() function triggered when mounting and operating a crafted xfs filesystem image. A local user able to mount arbitrary filesystems could use this for denial of service. CVE-2018-1000199 Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures. For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1. We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlron7dfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Se0xAAmR31jrqeEkJhgh7qvKplrko9N27l7FCCrrqsR0cBjKtIpwBkIdm6UxP2 8HBxqK5oy3sUP/ViHBtTUqFlRbLq4fC2DsuJGGqtBk46yML4QOEV2CXA1gyhfSzG ux5Z5nNkLDbzD7jPazbTwMusbQrDItojj6K5aoDVoRjjOpRHRViHv81kRU3KJytX 62f/vnEjxX0xkSOqLKXcUNDczLjcP2VxuKFb3si6w7YyCXq6XYhvoDch92QLJZfD qtDUCKs1sEgWLzhktcYyhck3NGujSfLZuSLGnZowqGqaAvx/lq0sTOliKuPpnG+I HztPR0iYQCuzsDgHbLlwGyuUnf446VRG+u/AP69qk0HqyWwCXqsTJ0rwMX04fXtR 7dR8Y1jbbXaH0+ai9V6c3zdz4UKH5rZOkpIIYSjCxVHUpE2cU4lFXYiWL/qJRBGV 150TtSgyAPBBBJa6cWgApXrHgriGEkZNscH2nmJfg2OBnDwnLJ4CvwNfij7daR8n RlGOlvgKYCI1Ob54kKqvvxQhDrhTiBhti8T64wd2MzsrKLIRdlyTpSrsqK8VIJyg ux1Y01sgA3JqS2XKL52ZTgCJhGkoX68+/se73P+jeRBP/tbNcXB2t2cE6gxIkiTX eZEUmnS5IeoEcr7cYKm3M9GZvBBrVeTaFra3vSgeGDUr0XL2Yu4= =uZGQ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWulSkox+lLeg9Ub1AQio8g/9GrWMIX8mtOlkypFo3uVXnN61gYcwJzAG g5RF0OPMvq8qhg+gvDiebUOajMpDKOKfTUr7r/kC4n5XUmHbCxZAMjiQiKV4PBI/ mJFJRp9ZpVR9NJ76Zc8uUQ/rbmF3iIRWZVcKLsRWxld17vXzLj8I0AQNnBZ9Ezic fu9zo9Uw6YiWVtfMo44o5Fy9CSsNmtXP61JmACb9Em/xDE+LcWPnwmnCFMr1Evi2 cH5zdYg4fcREB3B3WfLAbJQlLL28xHo4PNhUQOY5lPaET6dnoYjvaTvWrb/EmyZ/ 4uyfxDi4eJbfMk6hnJeLjgrF/ou+JwNchAVCuS6+z+FknIRdApaQJoObAvAb/QhB Y/LVfJyk1xAO7z6Cib9C1/taxSRkcJovUh7wV5k4Kxf+gfHtKV8i4K2FGxhHjv+V LclTzTqF2yiWy0SKmZ9o5Zyc2AzYK+9Mr437k8YLl1aJGz/p0b6sLHyBu6u1+TUE NeFazy3PLI5GKVrS82YEQA0a2oBPrgz98/L+U2LplcZTPZ+Qckd2qNzPbLhlE/Br BodqCtriaTvgslorRceUeVMxOknMf86Lqly01Tmb0EyQyM4USgwr4scjF/Q1ZkwP uoZ7rFVtKepbGPgvKiftZTNig/bXreJFFiVwHEcc0FWPRcaJgwxOid/9gndZLg/r uXd6qvDTDe4= =z6qt -----END PGP SIGNATURE-----