http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=385aee965b4e4c36551c362a334378d2985b722a

DSA-3927

99433

https://github.com/torvalds/linux/commit/385aee965b4e4c36551c362a334378d2985b722a

https://lkml.org/lkml/2017/4/6/668

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A double free vulnerability was found in netlink_dump,     which could cause a denial of service or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9806)

  - Memory leak in drivers/media/video/videobuf-core.c in     the videobuf subsystem in the Linux kernel 2.6.x     through 4.x allows local users to cause a denial of     service (memory consumption) by leveraging /dev/video     access for a series of mmap calls that require new     allocations, a different vulnerability than     CVE-2007-6761. NOTE: as of 2016-06-18, this affects     only 11 drivers that have not been updated to use     videobuf2 instead of videobuf.(CVE-2010-5321)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1108)

  - The KVM implementation in the Linux kernel through     4.20.5 has an Information Leak.(CVE-2019-7222)

  - The adreno_perfcounter_query_group function in     drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, uses an incorrect integer     data type, which allows attackers to cause a denial of     service (integer overflow, heap-based buffer overflow,     and incorrect memory allocation) or possibly have     unspecified other impact via a crafted     IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.(CVE-2016-2062)

  - drivers/hid/hid-ntrig.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_NTRIG is enabled, allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and OOPS) via a crafted     device.(CVE-2013-2896)

  - The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139)

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function.(CVE-2017-7542)

  - Memory leak in the virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel through 4.11.8 allows attackers to cause a     denial of service (memory consumption) by triggering     object-initialization failures.(CVE-2017-10810)

  - The ping_recvmsg function in net/ipv4/ping.c in the     Linux kernel before 3.12.4 does not properly interact     with read system calls on ping sockets, which allows     local users to cause a denial of service (NULL pointer     dereference and system crash) by leveraging unspecified     privileges to execute a crafted     application.(CVE-2013-6432)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

  - An issue was discovered in the Linux kernel through     4.18.8. The vmacache_flush_all function in     mm/vmacache.c mishandles sequence number overflows. An     attacker can trigger a use-after-free (and possibly     gain privileges) via certain thread creation, map,     unmap, invalidation, and dereference     operations.(CVE-2018-17182)

  - The ieee80211_radiotap_iterator_init function in     net/wireless/radiotap.c in the Linux kernel before     3.11.7 does not check whether a frame contains any data     outside of the header, which might allow attackers to     cause a denial of service (buffer over-read) via a     crafted header.(CVE-2013-7027)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3687)

  - A syntax vulnerability was discovered in the kernel's     ASN1.1 DER decoder, which could lead to memory     corruption or a complete local denial of service     through x509 certificate DER files. A local system user     could use a specially created key file to trigger     BUG_ON() in the public_key_verify_signature() function     (crypto/asymmetric_keys/public_key.c), to cause a     kernel panic and crash the system.(CVE-2016-2053)

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invept     (Invalidate Translations Derived from EPT)     instructions. On hosts with an Intel processor and     invept VM exit support, an unprivileged guest user     could use these instructions to crash the     guest.(CVE-2014-3645)

  - The packet_recvmsg function in net/packet/af_packet.c     in the Linux kernel before 3.12.4 updates a certain     length value before ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7270)

  - The init_new_context function in     arch/x86/include/asm/mmu_context.h in the Linux kernel,     before 4.12.10, does not correctly handle errors from     LDT table allocation when forking a new process. This     could allow a local attacker to achieve a     use-after-free or possibly have unspecified other     impact by running a specially crafted     program.(CVE-2017-17053)

  - It was found that the sanity_check_raw_super() function     in 'fs/f2fs/super.c' file in the Linux kernel before     version 4.12-rc1 does not validate the f2fs filesystem     segment count. This allows an unprivileged local user     to cause a system panic and DoS. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2017-10662)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow vulnerability was found in the     ring_buffer_resize() calculations in which a privileged     user can adjust the size of the ringbuffer message     size. These calculations can create an issue where the     kernel memory allocator will not allocate the correct     count of pages yet expect them to be usable. This can     lead to the ftrace() output to appear to corrupt kernel     memory and possibly be used for privileged escalation     or more likely kernel panic.(CVE-2016-9754)

  - A flaw was found in the Linux kernel's implementation     of setsockopt for the SO_{SND|RCV}BUFFORCE setsockopt()     system call. Users with non-namespace CAP_NET_ADMIN are     able to trigger this call and create a situation in     which the sockets sendbuff data size could be negative.
    This could adversely affect memory allocations and     create situations where the system could crash or cause     memory corruption.(CVE-2016-9793)

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794)

  - A double free vulnerability was found in netlink_dump,     which could cause a denial of service or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9806)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le;
    the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value.(CVE-2017-1000252)

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364)

  - The Linux Kernel imposes a size restriction on the     arguments and environmental strings passed through     RLIMIT_STACK/RLIMIT_INFINITY, but does not take the     argument and environment pointers into account, which     allows attackers to bypass this     limitation.(CVE-2017-1000365)

  - The offset2lib patch as used in the Linux Kernel     contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental     strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000     nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This     is a different issue than CVE-2017-1000371. This issue     appears to be limited to i386 based     systems.(CVE-2017-1000370)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can     be sent to an attacker leaking data in kernel address     space.(CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or     use-after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.(CVE-2017-10661)

  - Memory leak in the virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel through 4.11.8 allows attackers to cause a     denial of service (memory consumption) by triggering     object-initialization failures.(CVE-2017-10810)

  - The make_response function in     drivers/block/xen-blkback/blkback.c in the Linux kernel     before 4.11.8 allows guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures, aka XSA-216.(CVE-2017-10911)

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176)

  - Buffer overflow in the mp_override_legacy_irq()     function in arch/x86/kernel/acpi/boot.c in the Linux     kernel through 4.12.2 allows local users to gain     privileges via a crafted ACPI table.(CVE-2017-11473)

  - The xfrm_migrate() function in the     net/xfrm/xfrm_policy.c file in the Linux kernel built     with CONFIG_XFRM_MIGRATE does not verify if the dir     parameter is less than XFRM_POLICY_MAX. This allows a     local attacker to cause a denial of service     (out-of-bounds access) or possibly have unspecified     other impact by sending a XFRM_MSG_MIGRATE netlink     message. This flaw is present in the Linux kernel since     an introduction of XFRM_MSG_MIGRATE in 2.6.21-rc1, up     to 4.13-rc3.(CVE-2017-11600)

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154)

  - The Linux kernel built with the KVM visualization     support (CONFIG_KVM), with nested visualization(nVMX)     feature enabled (nested=1), was vulnerable to a stack     buffer overflow issue. The vulnerability could occur     while traversing guest page table entries to resolve     guest virtual address(gva). An L1 guest could use this     flaw to crash the host kernel resulting in denial of     service (DoS) or potentially execute arbitrary code on     the host to gain privileges on the     system.(CVE-2017-12188)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for drm provides the following fixes: This security issue was fixed :

  - CVE-2017-10810: Memory leak in the     virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c allowed     attackers to cause a denial of service (memory     consumption) by triggering object-initialization     failures (bnc#1047277)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000252: The KVM subsystem in the Linux kernel     allowed guest OS users to cause a denial of service     (assertion failure, and hypervisor hang or crash) via an     out-of bounds guest_irq value, related to     arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038).

  - CVE-2017-10810: Memory leak in the     virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel allowed attackers to cause a denial of service     (memory consumption) by triggering object-initialization     failures (bnc#1047277).

  - CVE-2017-11472: The acpi_ns_terminate() function in     drivers/acpi/acpica/nsutils.c in the Linux kernel did     not flush the operand cache and causes a kernel stack     dump, which allowed local users to obtain sensitive     information from kernel memory and bypass the KASLR     protection mechanism (in the kernel through 4.9) via a     crafted ACPI table (bnc#1049580).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-12134: The xen_biovec_phys_mergeable function     in drivers/xen/biomerge.c in Xen might allow local OS     guest users to corrupt block device data streams and     consequently obtain sensitive memory information, cause     a denial of service, or gain host OS privileges by     leveraging incorrect block IO merge-ability calculation     (bnc#1051790 bnc#1053919).

  - CVE-2017-12153: A security flaw was discovered in the     nl80211_set_rekey_data() function in     net/wireless/nl80211.c in the Linux kernel This function     did not check whether the required attributes are     present in a Netlink request. This request can be issued     by a user with the CAP_NET_ADMIN capability and may     result in a NULL pointer dereference and system crash     (bnc#1058410).

  - CVE-2017-12154: The prepare_vmcs02 function in     arch/x86/kvm/vmx.c in the Linux kernel did not ensure     that the 'CR8-load exiting' and 'CR8-store exiting' L0     vmcs02 controls exist in cases where L1 omits the 'use     TPR shadow' vmcs12 control, which allowed KVM L2 guest     OS users to obtain read and write access to the hardware     CR8 register (bnc#1058507).

  - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)     allowed reinstallation of the Group Temporal Key (GTK)     during the group key handshake, allowing an attacker     within radio range to replay frames from access points     to clients (bnc#1063667).

  - CVE-2017-14051: An integer overflow in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash) by leveraging root access     (bnc#1056588).

  - CVE-2017-14106: The tcp_disconnect function in     net/ipv4/tcp.c in the Linux kernel allowed local users     to cause a denial of service (__tcp_select_window     divide-by-zero error and system crash) by triggering a     disconnect within a certain tcp_recvmsg code path     (bnc#1056982).

  - CVE-2017-14489: The iscsi_if_rx function in     drivers/scsi/scsi_transport_iscsi.c in the Linux kernel     allowed local users to cause a denial of service (panic)     by leveraging incorrect length validation (bnc#1059051).

  - CVE-2017-15649: net/packet/af_packet.c in the Linux     kernel allowed local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind) that     leads to a use-after-free, a different vulnerability     than CVE-2017-6346 (bnc#1064388).

  - CVE-2017-7518: The Linux kernel was vulnerable to an     incorrect debug exception(#DB) error. It could occur     while emulating a syscall instruction and potentially     lead to guest privilege escalation. (bsc#1045922).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000111: Fixed a race condition in net-packet     code that could be exploited to cause out-of-bounds     memory access (bsc#1052365).

  - CVE-2017-1000112: Fixed a race condition in net-packet     code that could have been exploited by unprivileged     users to gain root access. (bsc#1052311).

  - CVE-2017-8831: The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds array access) or possibly have     unspecified other impact by changing a certain     sequence-number value, aka a 'double fetch'     vulnerability (bnc#1037994).

  - CVE-2017-7542: The ip6_find_1stfragopt function in     net/ipv6/output_core.c in the Linux kernel allowed local     users to cause a denial of service (integer overflow and     infinite loop) by leveraging the ability to open a raw     socket (bnc#1049882).

  - CVE-2017-11473: Buffer overflow in the     mp_override_legacy_irq() function in     arch/x86/kernel/acpi/boot.c in the Linux kernel allowed     local users to gain privileges via a crafted ACPI table     (bnc#1049603).

  - CVE-2017-7533: Race condition in the fsnotify     implementation in the Linux kernel allowed local users     to gain privileges or cause a denial of service (memory     corruption) via a crafted application that leverages     simultaneous execution of the inotify_handle_event and     vfs_rename functions (bnc#1049483 bnc#1050677).

  - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (buffer overflow and system crash) or     possibly gain privileges via a crafted NL80211_CMD_FRAME     Netlink packet (bnc#1049645).

  - CVE-2017-10810: Memory leak in the     virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel allowed attackers to cause a denial of service     (memory consumption) by triggering object-initialization     failures (bnc#1047277).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3392-1 fixed a regression in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-3378-2 fixed vulnerabilities in the Linux Hardware Enablement kernel. Unfortunately, a regression was introduced that prevented conntrack from working correctly in some situations. This update fixes the problem.

We apologize for the inconvenience.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code. (CVE-2017-1000365)

Li Qiang  discovered that the Virtio GPU driver in the Linux kernel did not properly free memory in some situations. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-10810)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3378-1 fixed vulnerabilities in the Linux kernel. Unfortunately, a regression was introduced that prevented conntrack from working correctly in some situations. This update fixes the problem.

We apologize for the inconvenience.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code. (CVE-2017-1000365)

Li Qiang  discovered that the Virtio GPU driver in the Linux kernel did not properly free memory in some situations. A local attacker could use this to cause a denial of service (memory consumption). (CVE-2017-10810)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-7346     Li Qiang discovered that the DRM driver for VMware     virtual GPUs does not properly check user-controlled     values in the vmw_surface_define_ioctl() functions for     upper limits. A local user can take advantage of this     flaw to cause a denial of service.

  - CVE-2017-7482     Shi Lei discovered that RxRPC Kerberos 5 ticket handling     code does not properly verify metadata, leading to     information disclosure, denial of service or potentially     execution of arbitrary code.

  - CVE-2017-7533     Fan Wu and Shixiong Zhao discovered a race condition     between inotify events and VFS rename operations     allowing an unprivileged local attacker to cause a     denial of service or escalate privileges.

  - CVE-2017-7541     A buffer overflow flaw in the Broadcom IEEE802.11n PCIe     SoftMAC WLAN driver could allow a local user to cause     kernel memory corruption, leading to a denial of service     or potentially privilege escalation.

  - CVE-2017-7542     An integer overflow vulnerability in the     ip6_find_1stfragopt() function was found allowing a     local attacker with privileges to open raw sockets to     cause a denial of service.

  - CVE-2017-9605     Murray McAllister discovered that the DRM driver for     VMware virtual GPUs does not properly initialize memory,     potentially allowing a local attacker to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.

  - CVE-2017-10810     Li Qiang discovered a memory leak flaw within the VirtIO     GPU driver resulting in denial of service (memory     consumption).

  - CVE-2017-10911 / XSA-216     Anthony Perard of Citrix discovered an information leak     flaw in Xen blkif response handling, allowing a     malicious unprivileged guest to obtain sensitive     information from the host or other guests.

  - CVE-2017-11176     It was discovered that the mq_notify() function does not     set the sock pointer to NULL upon entry into the retry     logic. An attacker can take advantage of this flaw     during a user-space close of a Netlink socket to cause a     denial of service or potentially cause other impact.

  - CVE-2017-1000365     It was discovered that argument and environment pointers     are not taken properly into account to the imposed size     restrictions on arguments and environmental strings     passed through RLIMIT_STACK/RLIMIT_INFINITY. A local     attacker can take advantage of this flaw in conjunction     with other flaws to execute arbitrary code.

USN-3378-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

Li Qiang  discovered that the Virtio GPU driver in the Linux kernel did not properly free memory in some situations. A local attacker could use this to cause a denial of service (memory consumption).
(CVE-2017-10810)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

Li Qiang  discovered that the Virtio GPU driver in the Linux kernel did not properly free memory in some situations. A local attacker could use this to cause a denial of service (memory consumption).
(CVE-2017-10810)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3377-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

Li Qiang  discovered that the Virtio GPU driver in the Linux kernel did not properly free memory in some situations. A local attacker could use this to cause a denial of service (memory consumption).
(CVE-2017-10810)

Shi Lei  discovered that the RxRPC Kerberos 5 ticket handling code in the Linux kernel did not properly verify metadata. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7482).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.11.10 update contains a number of important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124979	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1526)	Nessus	Huawei Local Security Checks	high
124821	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1498)	Nessus	Huawei Local Security Checks	high
106943	SUSE SLED12 Security Update : drm (SUSE-SU-2018:0509-1)	Nessus	SuSE Local Security Checks	high
104253	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2869-1) (KRACK)	Nessus	SuSE Local Security Checks	high
102838	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1)	Nessus	SuSE Local Security Checks	high
102525	Ubuntu 14.04 LTS : linux-lts-xenial regression (USN-3392-2) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
102524	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon regression (USN-3392-1) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
102333	openSUSE Security Update : the Linux Kernel (openSUSE-2017-891)	Nessus	SuSE Local Security Checks	high
102211	Debian DSA-3927-1 : linux - security update (Stack Clash)	Nessus	Debian Local Security Checks	high
102198	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3378-2) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
102197	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3378-1) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
102196	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3377-2) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
102195	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3377-1) (Stack Clash)	Nessus	Ubuntu Local Security Checks	high
101865	Fedora 24 : kernel (2017-5ce9d89b82)	Nessus	Fedora Local Security Checks	high
101782	Fedora 25 : kernel (2017-f2f29441f9)	Nessus	Fedora Local Security Checks	high
101781	Fedora 26 : kernel (2017-e8bdc4ede0)	Nessus	Fedora Local Security Checks	high

CVE-2017-10810

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins