Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

DLA 1200-1: linux security update
DLA 1201-1: libxcursor security update
DLA 1202-1: firefox-esr security update
DSA 4061-1: thunderbird security update
DSA 4062-1: firefox-esr security update



DLA 1200-1: linux security update

Package : linux
Version : 3.2.96-2
CVE ID : CVE-2016-10208 CVE-2017-8824 CVE-2017-8831 CVE-2017-12190
CVE-2017-13080 CVE-2017-14051 CVE-2017-15115 CVE-2017-15265
CVE-2017-15299 CVE-2017-15649 CVE-2017-15868 CVE-2017-16525
CVE-2017-16527 CVE-2017-16529 CVE-2017-16531 CVE-2017-16532
CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537
CVE-2017-16643 CVE-2017-16649 CVE-2017-16939 CVE-2017-1000407
Debian Bug : 865303 865416

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10208

Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4
filesystem could trigger memory corruption when it is mounted. A
user that can provide a device or filesystem image to be mounted
could use this for denial of service (crash or data corruption) or
possibly for privilege escalation.

CVE-2017-8824

Mohamed Ghannam discovered that the DCCP implementation did not
correctly manage resources when a socket is disconnected and
reconnected, potentially leading to a use-after-free. A local
user could use this for denial of service (crash or data
corruption) or possibly for privilege escalation. On systems that
do not already have the dccp module loaded, this can be mitigated
by disabling it:
echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-8831

Pengfei Wang discovered that the saa7164 video capture driver
re-reads data from a PCI device after validating it. A physically
present user able to attach a specially designed PCI device could
use this for privilege escalation.

CVE-2017-12190

Vitaly Mayatskikh discovered that the block layer did not
correctly count page references for raw I/O from user-space. This
can be exploited by a guest VM with access to a host SCSI device
for denial of service (memory exhaustion) or potentially for
privilege escalation.

CVE-2017-13080

A vulnerability was found in the WPA2 protocol that could lead to
reinstallation of the same Group Temporal Key (GTK), which
substantially reduces the security of wifi encryption. This is
one of the issues collectively known as "KRACK".

Updates to GTKs are usually handled by the wpa package, where this
issue was already fixed (DLA-1150-1). However, some wifi devices
can remain active and update GTKs autonomously while the system is
suspended. The kernel must also check for and ignore key
reinstallation.

CVE-2017-14051

"shqking" reported that the qla2xxx SCSI host driver did not
correctly validate I/O to the "optrom" sysfs attribute of the
devices it creates. This is unlikely to have any security
impact.

CVE-2017-15115

Vladis Dronov reported that the SCTP implementation did not
correctly handle "peel-off" of an association to another net
namespace. This leads to a use-after-free, which a local user can
exploit for denial of service (crash or data corruption) or
possibly for privilege escalation. On systems that do not already
have the sctp module loaded, this can be mitigated by disabling
it:
echo >> /etc/modprobe.d/disable-sctp.conf install sctp false

CVE-2017-15265

Michael23 Yu reported a race condition in the ALSA sequencer
subsystem involving creation and deletion of ports, which could
lead to a use-after-free. A local user with access to an ALSA
sequencer device can use this for denial of service (crash or data
loss) or possibly for privilege escalation.

CVE-2017-15299

Eric Biggers discovered that the KEYS subsystem did not correctly
handle update of an uninstantiated key, leading to a null
dereference. A local user can use this for denial of service
(crash).

CVE-2017-15649

"nixioaming" reported a race condition in the packet socket
(AF_PACKET) implementation involving rebinding to a fanout group,
which could lead to a use-after-free. A local user with the
CAP_NET_RAW capability can use this for denial of service (crash
or data corruption) or possibly for privilege escalation.

CVE-2017-15868

Al Viro found that the Bluebooth Network Encapsulation Protocol
(BNEP) implementation did not validate the type of the second
socket passed to the BNEPCONNADD ioctl(), which could lead to
memory corruption. A local user with the CAP_NET_ADMIN capability
can use this for denial of service (crash or data corruption) or
possibly for privilege escalation.

CVE-2017-16525

Andrey Konovalov reported that the USB serial console
implementation did not correctly handle disconnection of unusual
serial devices, leading to a use-after-free. A similar issue was
found in the case where setup of a serial console fails. A
physically present user with a specially designed USB device can
use this to cause a denial of service (crash or data corruption)
or possibly for privilege escalation.

CVE-2017-16527

Andrey Konovalov reported that the USB sound mixer driver did not
correctly cancel I/O in case it failed to probe a device, which
could lead to a use-after-free. A physically present user with a
specially designed USB device can use this to cause a denial of
service (crash or data corruption) or possibly for privilege
escalation.

CVE-2017-16529

Andrey Konovalov reported that the USB sound driver did not fully
validate descriptor lengths, which could lead to a buffer
over-read. A physically present user with a specially designed
USB device may be able to use this to cause a denial of service
(crash).

CVE-2017-16531

Andrey Konovalov reported that the USB core did not validate IAD
lengths, which could lead to a buffer over-read. A physically
present user with a specially designed USB device may be able to
use this to cause a denial of service (crash).

CVE-2017-16532

Andrey Konovalov reported that the USB test driver did not
correctly handle devices with specific combinations of endpoints.
A physically present user with a specially designed USB device can
use this to cause a denial of service (crash).

CVE-2017-16533

Andrey Konovalov reported that the USB HID driver did not fully
validate descriptor lengths, which could lead to a buffer
over-read. A physically present user with a specially designed
USB device may be able to use this to cause a denial of service
(crash).

CVE-2017-16535

Andrey Konovalov reported that the USB core did not validate BOS
descriptor lengths, which could lead to a buffer over-read. A
physically present user with a specially designed USB device may
be able to use this to cause a denial of service (crash).

CVE-2017-16536

Andrey Konovalov reported that the cx231xx video capture driver
did not fully validate the device endpoint configuration, which
could lead to a null dereference. A physically present user with
a specially designed USB device can use this to cause a denial of
service (crash).

CVE-2017-16537

Andrey Konovalov reported that the imon RC driver did not fully
validate the device interface configuration, which could lead to a
null dereference. A physically present user with a specially
designed USB device can use this to cause a denial of service
(crash).

CVE-2017-16643

Andrey Konovalov reported that the gtco tablet driver did not
fully validate descriptor lengths, which could lead to a buffer
over-read. A physically present user with a specially designed
USB device may be able to use this to cause a denial of service
(crash).

CVE-2017-16649

Bjørn Mork found that the cdc_ether network driver did not
validate the device's maximum segment size, potentially leading to
a division by zero. A physically present user with a specially
designed USB device can use this to cause a denial of service
(crash).

CVE-2017-16939

Mohamed Ghannam reported (through Beyond Security's SecuriTeam
Secure Disclosure program) that the IPsec (xfrm) implementation
did not correctly handle some failure cases when dumping policy
information through netlink. A local user with the CAP_NET_ADMIN
capability can use this for denial of service (crash or data
corruption) or possibly for privilege escalation.

CVE-2017-1000407

Andrew Honig reported that the KVM implementation for Intel
processors allowed direct access to host I/O port 0x80, which
is not generally safe. On some systems this allows a guest
VM to cause a denial of service (crash) of the host.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.96-2. This version also includes bug fixes from upstream versions
up to and including 3.2.96. It also fixes some regressions caused by
the fix for CVE-2017-1000364, which was included in DLA-993-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1201-1: libxcursor security update




Package : libxcursor
Version : 1:1.1.13-1+deb7u2
CVE ID : CVE-2017-16612
Debian Bug : 883792

It was discovered that libXcursor, a X cursor management library, is
prone to several heap overflows when parsing malicious files. An
attacker can take advantage of these flaws for arbitrary code execution,
if a user is tricked into processing a specially crafted cursor file.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.1.13-1+deb7u2.

We recommend that you upgrade your libxcursor packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1202-1: firefox-esr security update




Package : firefox-esr
Version : 52.5.2esr-1~deb7u1
CVE ID : CVE-2017-7843

It was discovered that the private browsing mode in Firefox was
able to write persistent data to a database, which could lead
to websites tracking users even when browsing in this mode.

For Debian 7 "Wheezy", these problems have been fixed in version
52.5.2esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4061-1: thunderbird security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4061-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2017-7826 CVE-2017-7828 CVE-2017-7830

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.5.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.5.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4062-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4062-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2017-7843

It discovered that the Private Browsing mode in the Mozilla Firefox
web browser allowed to fingerprint a user across multiple sessions
via IndexedDB.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.5.2esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 52.5.2esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/