Debian 10229 Published by

Updated Linux kernel packages has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1099-1: linux security update

Debian GNU/Linux 8 and 9:
DSA 3981-1: linux security update



DLA 1099-1: linux security update

Package : linux
Version : 3.2.93-1
CVE ID : CVE-2017-7482 CVE-2017-7542 CVE-2017-7889 CVE-2017-10661
CVE-2017-10911 CVE-2017-11176 CVE-2017-11600 CVE-2017-12134
CVE-2017-12153 CVE-2017-12154 CVE-2017-14106 CVE-2017-14140
CVE-2017-14156 CVE-2017-14340 CVE-2017-14489 CVE-2017-1000111
CVE-2017-1000251 CVE-2017-1000363 CVE-2017-1000365
CVE-2017-1000380
Debian Bug : #866511 #875881

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-7482

Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does
not properly verify metadata, leading to information disclosure,
denial of service or potentially execution of arbitrary code.

CVE-2017-7542

An integer overflow vulnerability in the ip6_find_1stfragopt()
function was found allowing a local attacker with privileges to open
raw sockets to cause a denial of service.

CVE-2017-7889

Tommi Rantala and Brad Spengler reported that the mm subsystem does
not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism,
allowing a local attacker with access to /dev/mem to obtain
sensitive information or potentially execute arbitrary code.

CVE-2017-10661

Dmitry Vyukov of Google reported that the timerfd facility does
not properly handle certain concurrent operations on a single file
descriptor. This allows a local attacker to cause a denial of
service or potentially to execute arbitrary code.

CVE-2017-10911 / XSA-216

Anthony Perard of Citrix discovered an information leak flaw in Xen
blkif response handling, allowing a malicious unprivileged guest to
obtain sensitive information from the host or other guests.

CVE-2017-11176

It was discovered that the mq_notify() function does not set the
sock pointer to NULL upon entry into the retry logic. An attacker
can take advantage of this flaw during a userspace close of a
Netlink socket to cause a denial of service or potentially cause
other impact.

CVE-2017-11600

bo Zhang reported that the xfrm subsystem does not properly
validate one of the parameters to a netlink message. Local users
with the CAP_NET_ADMIN capability can use this to cause a denial
of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229

Jan H. Schönherr of Amazon discovered that when Linux is running
in a Xen PV domain on an x86 system, it may incorrectly merge
block I/O requests. A buggy or malicious guest may trigger this
bug in dom0 or a PV driver domain, causing a denial of service or
potentially execution of arbitrary code.

This issue can be mitigated by disabling merges on the underlying
back-end block devices, e.g.:
echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12153

bo Zhang reported that the cfg80211 (wifi) subsystem does not
properly validate the parameters to a netlink message. Local users
with the CAP_NET_ADMIN capability on a system with a wifi device
can use this to cause a denial of service.

CVE-2017-12154

Jim Mattson of Google reported that the KVM implementation for
Intel x86 processors did not correctly handle certain nested
hypervisor configurations. A malicious guest (or nested guest in a
suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106

Andrey Konovalov of Google reported that a specific sequence of
operations on a TCP socket could lead to division by zero. A
local user could use this for denial of service.

CVE-2017-14140

Otto Ebeling reported that the move_pages() system call permitted
users to discover the memory layout of a set-UID process running
under their real user-ID. This made it easier for local users to
exploit vulnerabilities in programs installed with the set-UID
permission bit set.

CVE-2017-14156

"sohu0106" reported an information leak in the atyfb video driver.
A local user with access to a framebuffer device handled by this
driver could use this to obtain sensitive information.

CVE-2017-14340

Richard Wareing discovered that the XFS implementation allows the
creation of files with the "realtime" flag on a filesystem with no
realtime device, which can result in a crash (oops). A local user
with access to an XFS filesystem that does not have a realtime
device can use this for denial of service.

CVE-2017-14489

ChunYu of Red Hat discovered that the iSCSI subsystem does not
properly validate the length of a netlink message, leading to
memory corruption. A local user with permission to manage iSCSI
devices can use this for denial of service or possibly to
execute arbitrary code.

CVE-2017-1000111

Andrey Konovalov of Google reported that a race condition in the
raw packet (af_packet) feature. Local users with the CAP_NET_RAW
capability can use this to cause a denial of service or possibly to
execute arbitrary code.

CVE-2017-1000251 / #875881

Armis Labs discovered that the Bluetooth subsystem does not
properly validate L2CAP configuration responses, leading to a
stack buffer overflow. This is one of several vulnerabilities
dubbed "Blueborne". A nearby attacker can use this to cause a
denial of service or possibly to execute arbitrary code on a
system with Bluetooth enabled.

CVE-2017-1000363

Roee Hay reported that the lp driver does not properly bounds-check
passed arguments. This has no security impact in Debian.

CVE-2017-1000365

It was discovered that argument and environment pointers are not
properly taken into account by the size restrictions on arguments
and environmental strings passed through execve(). A local
attacker can take advantage of this flaw in conjunction with other
flaws to execute arbitrary code.

CVE-2017-1000380

Alexander Potapenko of Google reported a race condition in the ALSA
(sound) timer driver, leading to an information leak. A local user
with permission to access sound devices could use this to obtain
sensitive information.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.93-1. This version also includes bug fixes from upstream versions
up to and including 3.2.93.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.43-2+deb8u4 or were fixed in an earlier version.

For Debian 9 "Stretch", these problems have been fixed in version
4.9.30-2+deb9u4 or were fixed in an earlier version.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 3981-1: linux security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 20, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
CVE-2017-1000380
Debian Bug : 866511 875881

Several vulnerabilities have been discovered in the Linux kernel that
may lead to privilege escalation, denial of service or information
leaks.

CVE-2017-7518

Andy Lutomirski discovered that KVM is prone to an incorrect debug
exception (#DB) error occurring while emulating a syscall
instruction. A process inside a guest can take advantage of this
flaw for privilege escalation inside a guest.

CVE-2017-7558 (stretch only)

Stefano Brivio of Red Hat discovered that the SCTP subsystem is
prone to a data leak vulnerability due to an out-of-bounds read
flaw, allowing to leak up to 100 uninitialized bytes to userspace.

CVE-2017-10661 (jessie only)

Dmitry Vyukov of Google reported that the timerfd facility does
not properly handle certain concurrent operations on a single file
descriptor. This allows a local attacker to cause a denial of
service or potentially execute arbitrary code.

CVE-2017-11600

Bo Zhang reported that the xfrm subsystem does not properly
validate one of the parameters to a netlink message. Local users
with the CAP_NET_ADMIN capability can use this to cause a denial
of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229

Jan H. Schoenherr of Amazon discovered that when Linux is running
in a Xen PV domain on an x86 system, it may incorrectly merge
block I/O requests. A buggy or malicious guest may trigger this
bug in dom0 or a PV driver domain, causing a denial of service or
potentially execution of arbitrary code.

This issue can be mitigated by disabling merges on the underlying
back-end block devices, e.g.:
echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12146 (stretch only)

Adrian Salido of Google reported a race condition in access to the
"driver_override" attribute for platform devices in sysfs. If
unprivileged users are permitted to access this attribute, this
might allow them to gain privileges.

CVE-2017-12153

bo Zhang reported that the cfg80211 (wifi) subsystem does not
properly validate the parameters to a netlink message. Local users
with the CAP_NET_ADMIN capability (in any user namespace with a
wifi device) can use this to cause a denial of service.

CVE-2017-12154

Jim Mattson of Google reported that the KVM implementation for
Intel x86 processors did not correctly handle certain nested
hypervisor configurations. A malicious guest (or nested guest in a
suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106

Andrey Konovalov discovered that a user-triggerable division by
zero in the tcp_disconnect() function could result in local denial
of service.

CVE-2017-14140

Otto Ebeling reported that the move_pages() system call performed
insufficient validation of the UIDs of the calling and target
processes, resulting in a partial ASLR bypass. This made it easier
for local users to exploit vulnerabilities in programs installed
with the set-UID permission bit set.

CVE-2017-14156

"sohu0106" reported an information leak in the atyfb video driver.
A local user with access to a framebuffer device handled by this
driver could use this to obtain sensitive information.

CVE-2017-14340

Richard Wareing discovered that the XFS implementation allows the
creation of files with the "realtime" flag on a filesystem with no
realtime device, which can result in a crash (oops). A local user
with access to an XFS filesystem that does not have a realtime
device can use this for denial of service.

CVE-2017-14489

ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not
properly validate the length of a netlink message, leading to
memory corruption. A local user with permission to manage iSCSI
devices can use this for denial of service or possibly to execute
arbitrary code.

CVE-2017-14497 (stretch only)

Benjamin Poirier of SUSE reported that vnet headers are not
properly handled within the tpacket_rcv() function in the raw
packet (af_packet) feature. A local user with the CAP_NET_RAW
capability can take advantage of this flaw to cause a denial of
service (buffer overflow, and disk and memory corruption) or have
other impact.

CVE-2017-1000111

Andrey Konovalov of Google reported a race condition in the raw
packet (af_packet) feature. Local users with the CAP_NET_RAW
capability can use this for denial of service or possibly to
execute arbitrary code.

CVE-2017-1000112

Andrey Konovalov of Google reported a race condition flaw in the
UDP Fragmentation Offload (UFO) code. A local user can use this
flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881

Armis Labs discovered that the Bluetooth subsystem does not
properly validate L2CAP configuration responses, leading to a
stack buffer overflow. This is one of several vulnerabilities
dubbed "Blueborne". A nearby attacker can use this to cause a
denial of service or possibly to execute arbitrary code on a
system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)

Jan H. Schoenherr of Amazon reported that the KVM implementation
for Intel x86 processors did not correctly validate interrupt
injection requests. A local user with permission to use KVM could
use this for denial of service.

CVE-2017-1000370

The Qualys Research Labs reported that a large argument or
environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371

The Qualys Research Labs reported that a large argument
orenvironment list can result in a stack/heap clash for 32-bit
PIE binaries.

CVE-2017-1000380

Alexander Potapenko of Google reported a race condition in the ALSA
(sound) timer driver, leading to an information leak. A local user
with permission to access sound devices could use this to obtain
sensitive information.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
by any local user.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u5.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/