Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 922-1] linux security update
[DLA 923-1] partclone security update
[DLA 924-1] tomcat7 security update
[DSA 3838-1] ghostscript security update
[DSA 3839-1] freetype security update



[DLA 922-1] linux security update

Package : linux
Version : 3.2.88-1
CVE ID : CVE-2016-2188 CVE-2016-9604 CVE-2016-10200 CVE-2017-2647
CVE-2017-2671 CVE-2017-5967 CVE-2017-5970 CVE-2017-6951
CVE-2017-7184 CVE-2017-7261 CVE-2017-7273 CVE-2017-7294
CVE-2017-7308 CVE-2017-7472 CVE-2017-7616 CVE-2017-7618

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

CVE-2016-2188

Ralf Spenneberg of OpenSource Security reported that the iowarrior
device driver did not sufficiently validate USB descriptors. This
allowed a physically present user with a specially designed USB
device to cause a denial of service (crash).

CVE-2016-9604

It was discovered that the keyring subsystem allowed a process to
set a special internal keyring as its session keyring. The
security impact in this version of the kernel is unknown.

CVE-2016-10200

Baozeng Ding and Andrey Konovalov reported a race condition in the
L2TP implementation which could corrupt its table of bound
sockets. A local user could use this to cause a denial of service
(crash) or possibly for privilege escalation.

CVE-2017-2647 / CVE-2017-6951

idl3r reported that the keyring subsystem would allow a process
to search for 'dead' keys, causing a null pointer dereference.
A local user could use this to cause a denial of service (crash).

CVE-2017-2671

Daniel Jiang discovered a race condition in the ping socket
implementation. A local user with access to ping sockets could
use this to cause a denial of service (crash) or possibly for
privilege escalation. This feature is not accessible to any
users by default.

CVE-2017-5967

Xing Gao reported that the /proc/timer_list file showed
information about all processes, not considering PID namespaces.
If timer debugging was enabled by a privileged user, this leaked
information to processes contained in PID namespaces.

CVE-2017-5970

Andrey Konovalov discovered a denial-of-service flaw in the IPv4
networking code. This can be triggered by a local or remote
attacker if a local UDP or raw socket has the IP_RETOPTS option
enabled.

CVE-2017-7184

Chaitin Security Research Lab discovered that the net xfrm
subsystem did not sufficiently validate replay state parameters,
allowing a heap buffer overflow. This can be used by a local user
with the CAP_NET_ADMIN capability for privilege escalation.

CVE-2017-7261

Vladis Dronov and Murray McAllister reported that the vmwgfx
driver did not sufficiently validate rendering surface parameters.
In a VMware guest, this can be used by a local user to cause a
denial of service (crash).

CVE-2017-7273

Benoit Camredon reported that the hid-cypress driver did not
sufficiently validate HID reports. This possibly allowed a
physically present user with a specially designed USB device to
cause a denial of service (crash).

CVE-2017-7294

Li Qiang reported that the vmwgfx driver did not sufficiently
validate rendering surface parameters. In a VMware guest, this
can be used by a local user to cause a denial of service (crash)
or possibly for privilege escalation.

CVE-2017-7308

Andrey Konovalov reported that the packet socket (AF_PACKET)
implementation did not sufficiently validate buffer parameters.
This can be used by a local user with the CAP_NET_RAW capability
for privilege escalation.

CVE-2017-7472

Eric Biggers reported that the keyring subsystem allowed a thread
to create new thread keyrings repeatedly, causing a memory leak.
This can be used by a local user to cause a denial of service
(memory exhaustion).

CVE-2017-7616

Chris Salls reported an information leak in the 32-bit big-endian
compatibility implementations of set_mempolicy() and mbind().
This does not affect any architecture supported in Debian 7 LTS.

CVE-2017-7618

Sabrina Dubroca reported that the cryptographic hash subsystem
does not correctly handle submission of unaligned data to a
device that is already busy, resulting in infinite recursion.
On some systems this can be used by local users to cause a
denial of service (crash).

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.88-1. This version also includes bug fixes from upstream version
3.2.88, and fixes some older security issues in the keyring, packet
socket and cryptographic hash subsystems that do not have CVE IDs.

For Debian 8 "Jessie", most of these problems have been fixed in
version 3.16.43-1 which will be part of the next point release.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 923-1] partclone security update

Package : partclone
Version : 0.2.48-1+deb7u1
CVE ID : CVE-2017-6596
Debian Bug : 857966

It was discovered that partclone, an utility to backup partitions,
was prone to a heap-based buffer overflow vulnerability due to
insufficient validation of the partclone image header. This could allow
remote attackers to cause a 'Denial of Service attack' in the context
of the user running the affected application via a crafted partition
image.

For Debian 7 "Wheezy", these problems have been fixed in version
0.2.48-1+deb7u1.

We recommend that you upgrade your partclone packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 924-1] tomcat7 security update

Package : tomcat7
Version : 7.0.28-4+deb7u12
CVE ID : CVE-2017-5647 CVE-2017-5648
Debian Bug : 860068

Two security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2017-5647
A bug in the handling of the pipelined requests when send file was
used resulted in the pipelined request being lost when send file
processing of the previous request completed. This could result in
responses appearing to be sent for the wrong request.

CVE-2017-5648
It was noticed that some calls to application listeners did not use
the appropriate facade object. When running an untrusted application
under a SecurityManager, it was therefore possible for that
untrusted application to retain a reference to the request or
response object and thereby access and/or modify information
associated with another web application.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u12.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3838-1] ghostscript security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3838-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ghostscript
CVE ID : CVE-2016-10219 CVE-2016-10220 CVE-2017-5951 CVE-2017-7207
CVE-2017-8291
Debian Bug : 858350 859666 859694 859696 861295

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may lead to the execution of arbitrary
code or denial of service if a specially crafted Postscript file is
processed.

For the stable distribution (jessie), these problems have been fixed in
version 9.06~dfsg-2+deb8u5.

For the unstable distribution (sid), these problems have been fixed in
version 9.20~dfsg-3.1 or earlier versions.

We recommend that you upgrade your ghostscript packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3839-1] freetype security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3839-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : freetype
CVE ID : CVE-2016-10244 CVE-2017-8105 CVE-2017-8287
Debian Bug : 856971 861220 861308

Several vulnerabilities were discovered in Freetype. Opening malformed
fonts may result in denial of service or the execution of arbitrary
code.

For the stable distribution (jessie), these problems have been fixed in
version 2.5.2-3+deb8u2.

We recommend that you upgrade your freetype packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/