https://source.android.com/security/bulletin/pixel/2017-12-01

USN-3753-1

USN-3753-2

USN-3820-1

USN-3820-2

USN-3820-3

USN-3822-1

USN-3822-2

Description of changes:

kernel-uek [3.8.13-118.28.1.el7uek]
- udf: Check component length before reading it (Jan Kara) [Orabug: 21193696] {CVE-2014-9728}
- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 21193696] {CVE-2014-9728}
- intel_pstate: Fix overflow in busy_scaled due to long delay (mridula shastry) [Orabug: 28005134] - scsi: libsas: defer ata device eh commands to libata (Jason Yan) [Orabug: 28459689] {CVE-2018-10021}
- nfsd: silence sparse warning about accessing credentials (Jeff Layton) [Orabug: 28824742] {CVE-2017-13168}
- scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug: 28824742] {CVE-2017-13168}
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28892683] {CVE-2018-1000204}
- ALSA: rawmidi: Change resized buffers atomically (Takashi Iwai) [Orabug: 28898650] {CVE-2018-10902}
- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901657] {CVE-2016-3713} {CVE-2016-3713}
- cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929777] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710}
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) {CVE-2018-7755} {CVE-2018-7755}
- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug: 28976585] {CVE-2017-17805}
- crypto: hmac - require that the underlying hash algorithm is unkeyed (Eric Biggers) [Orabug: 28976654] {CVE-2017-17806}

The remote OracleVM system is missing necessary patches to address critical security updates :

  - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447!     (Mike Kravetz) 

  - scsi: libsas: fix memory leak in sas_smp_get_phy_events     (Jason Yan) [Orabug: 27927687] (CVE-2018-7757)

  - KVM: vmx: shadow more fields that are read/written on     every vmexits (Paolo Bonzini) [Orabug: 28581045]

  - vhost/scsi: Use common handling code in request queue     handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Extract common handling code from control     queue handler (Bijan Mottahedeh) [Orabug: 28775573]

  - vhost/scsi: Respond to control queue operations (Bijan     Mottahedeh) 

  - scsi: lpfc: devloss timeout race condition caused null     pointer reference (James Smart) [Orabug: 27994179]

  - scsi: qla2xxx: Fix race condition between iocb timeout     and initialisation (Ben Hutchings) [Orabug: 28013813]

  - i40e: Add programming descriptors to cleaned_count     (Alexander Duyck) 

  - i40e: Fix memory leak related filter programming status     (Alexander Duyck) [Orabug: 28228724]

  - xen-swiotlb: use actually allocated size on check     physical continuous (Joe Jin) [Orabug: 28258102]

  - Revert 'Revert 'xen-swiotlb: fix the check condition for     xen_swiotlb_free_coherent'' (Dongli Zhang) [Orabug:
    28258102]

  - net/mlx4_en: fix potential use-after-free with     dma_unmap_page (Sarah Newman) [Orabug: 28376051]

  - ocfs2: fix ocfs2 read block panic (Junxiao Bi) [Orabug:
    28580543]

  - block: fix bdi vs gendisk lifetime mismatch (Dan     Williams) [Orabug: 28645416]

  - e1000e: Fix link check race condition (Benjamin Poirier)     [Orabug: 28716958]

  - Revert 'e1000e: Separate signaling for link check/link     up' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Avoid missed interrupts following ICR read     (Benjamin Poirier) 

  - e1000e: Fix queue interrupt re-raising in Other     interrupt (Benjamin Poirier) [Orabug: 28716958]

  - Partial revert 'e1000e: Avoid receiver overrun interrupt     bursts' (Benjamin Poirier) [Orabug: 28716958]

  - e1000e: Remove Other from EIAC (Benjamin Poirier)     [Orabug: 28716958]

  - Fix error code in nfs_lookup_verify_inode (Lance     Shelton) [Orabug: 28789030]

  - workqueue: Allow modifying low level unbound workqueue     cpumask (Lai Jiangshan) [Orabug: 28813166]

  - workqueue: Create low-level unbound workqueues cpumask     (Frederic Weisbecker) [Orabug: 28813166]

  - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug:
    28824718] (CVE-2017-13168)

  - Revert 'rds: RDS (tcp) hangs on sendto to unresponding     address' (Brian Maly) [Orabug: 28837953]

  - x86/speculation: Retpoline should always be available on     Skylake (Alexandre Chartre) [Orabug: 28801831]

  - x86/speculation: Add sysfs entry to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Switch to IBRS when loading a     non-retpoline module (Alexandre Chartre) [Orabug:
    28607548]

  - x86/speculation: Remove unnecessary retpoline     alternatives (Alexandre Chartre) [Orabug: 28607548]

  - x86/speculation: Use static key to enable/disable     retpoline (Alexandre Chartre) [Orabug: 28607548]

  - locking/static_keys: Provide DECLARE and well as DEFINE     macros (Tony Luck) [Orabug: 28607548]

  - jump_label: remove bug.h, atomic.h dependencies for     HAVE_JUMP_LABEL (Jason Baron) [Orabug: 28607548]

  - locking/static_key: Fix concurrent static_key_slow_inc     (Paolo Bonzini) [Orabug: 28607548]

  - jump_label: make static_key_enabled work on     static_key_true/false types too (Tejun Heo) [Orabug:
    28607548]

  - locking/static_keys: Fix up the static keys     documentation (Jonathan Corbet) [Orabug: 28607548]

  - locking/static_keys: Fix a silly typo (Jonathan Corbet)     [Orabug: 28607548]

  - jump label, locking/static_keys: Update docs (Jason     Baron) [Orabug: 28607548]

  - x86/asm: Add asm macros for static keys/jump labels     (Andy Lutomirski) 

  - x86/asm: Error out if asm/jump_label.h is included     inappropriately (Andy Lutomirski) [Orabug: 28607548]

  - jump_label/x86: Work around asm build bug on     older/backported GCCs (Peter Zijlstra) [Orabug:
    28607548]

  - locking/static_keys: Add a new static_key interface     (Peter Zijlstra) 

  - locking/static_keys: Rework update logic (Peter     Zijlstra) [Orabug: 28607548]

  - jump_label: Add jump_entry_key helper (Peter Zijlstra)     [Orabug: 28607548]

  - jump_label, locking/static_keys: Rename     JUMP_LABEL_TYPE_* and related helpers to the static_key*     pattern (Peter Zijlstra) [Orabug: 28607548]

  - jump_label: Rename JUMP_LABEL_[EN,DIS]ABLE to     JUMP_LABEL_[JMP,NOP] (Peter Zijlstra) [Orabug: 28607548]

  - module, jump_label: Fix module locking (Peter Zijlstra)     [Orabug: 28607548]

  - x86/speculation: Protect against userspace-userspace     spectreRSB (Jiri Kosina) [Orabug: 28631590]     (CVE-2018-15572)

  - x86/spectre_v2: Remove remaining references to lfence     mitigation (Alejandro Jimenez) [Orabug: 28631590]     (CVE-2018-15572)

  - Revert 'md: allow a partially recovered device to be     hot-added to an array.' (NeilBrown) [Orabug: 28702623]

  - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel     Jordan) 

  - net/mlx4_core: print firmware version during driver     loading (Qing Huang) [Orabug: 28809377]

  - mm: numa: Do not trap faults on shared data section     pages. (Henry Willard) [Orabug: 28814880]

  - hugetlbfs: dirty pages as they are added to pagecache     (Mike Kravetz) 

  - rds: RDS (tcp) hangs on sendto to unresponding address     (Ka-Cheong Poon) [Orabug: 28762608]

  - nfs: fix a deadlock in nfs client initialization (Scott     Mayhew) 

  - infiniband: fix a possible use-after-free bug (Cong     Wang) [Orabug: 28774517] (CVE-2018-14734)

Jim Mattson discovered that the KVM implementation in the Linux kernel mismanages the #BP and #OF exceptions. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash). (CVE-2016-9588)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16649)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3820-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Felix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations.
An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

It was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-9363).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[4.14.35-1818.4.5.el7uek]
- x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: x86_spec_ctrl_set needs to be called unconditionally (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris Ostrovsky)  [Orabug: 28814574]

[4.14.35-1818.4.4.el7uek]
- ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28821391]
- scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824731] {CVE-2017-13168}
- hugetlbfs: introduce truncation/fault mutex to avoid races (Mike Kravetz)  [Orabug: 28776542]
- rds: MPRDS messages delivered out of order (Ka-Cheong Poon)  [Orabug: 28838051]
- x86/bugs: rework x86_spec_ctrl_set to make its changes explicit (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec ctrl MSR (Daniel Jordan)  [Orabug: 28270952]
- iommu: turn on iommu=pt by default (Tushar Dave)  [Orabug: 28111039]
- vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775556]

[4.14.35-1818.4.3.el7uek]
- Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 28807515]
- x86/speculation: Retpoline should always be available on Skylake (Alexandre Chartre)  [Orabug: 28801830]
- x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) [Orabug: 28802799]
- net/mlx4_core: print firmware version during driver loading (Qing Huang)  [Orabug: 28809382]
- hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) [Orabug: 28813999]

[4.14.35-1818.4.2.el7uek]
- infiniband: fix a possible use-after-free bug (Cong Wang)  [Orabug: 28774511]  {CVE-2018-14734}
- nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [Orabug: 28775910]
- x86/speculation: Unconditionally fill RSB on context switch (Alejandro Jimenez)  [Orabug: 28631576]  {CVE-2018-15572}
- bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface (Somnath Kotur)  [Orabug: 28539344]
- rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong Poon)  [Orabug: 28762597]
- uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) [Orabug: 28769119]
- arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc Zyngier)  [Orabug: 28762424]  {CVE-2018-18021}
- arm64: KVM: Tighten guest core register access from userspace (Dave Martin)  [Orabug: 28762424]  {CVE-2018-18021}
- iommu/amd: Clear memory encryption mask from physical address (Singh, Brijesh)  [Orabug: 28770185]

[4.14.35-1818.4.1.el7uek]
- mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) [Orabug: 28700955]  {CVE-2018-17182}
- Btrfs: fix log replay failure after unlink and link combination (Filipe Manana)  [Orabug: 27941939]
- x86/speculation: Add sysfs entry to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Allow IBRS firmware to be enabled when IBRS is disabled (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Remove unnecessary retpoline alternatives (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Use static key to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) [Orabug: 28632641]
- IB/core: Initialize relaxed_pd properly (Yuval Shaia)  [Orabug: 28197305]

[4.14.35-1818.4.0.el7uek]
- e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 28489384]
- Revert 'e1000e: Separate signaling for link check/link up' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) [Orabug: 28489384]
- e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin Poirier)  [Orabug: 28489384]
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28489384]
- btrfs: validate type when reading a chunk (Gu Jinxiang)  [Orabug: 28700851]  {CVE-2018-14611}
- btrfs: Check that each block group has corresponding chunk at mount time (Qu Wenruo)  [Orabug: 28700872]  {CVE-2018-14610}
- net: rds: Use address family to designate IPv4 or IPv6 addresses (H&aring kon Bugge)  [Orabug: 28720069]
- net: rds: Fix blank at eol in af_rds.c (H&aring kon Bugge)  [Orabug: 28720069]

Description of changes:

[4.1.12-124.21.1.el7uek]
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447! (Mike Kravetz) [Orabug: 28839992]
- scsi: libsas: fix memory leak in sas_smp_get_phy_events() (Jason Yan) [Orabug: 27927687]  {CVE-2018-7757}
- KVM: vmx: shadow more fields that are read/written on every vmexits (Paolo Bonzini)  [Orabug: 28581045]
- vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh)  [Orabug: 28775573]
- vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh)  [Orabug: 28775573]
- vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775573]

[4.1.12-124.20.8.el7uek]
- scsi: lpfc: devloss timeout race condition caused NULL pointer reference (James Smart)  [Orabug: 27994179]
- scsi: qla2xxx: Fix race condition between iocb timeout and initialisation (Ben Hutchings)  [Orabug: 28013813]
- i40e: Add programming descriptors to cleaned_count (Alexander Duyck) [Orabug: 28228724]
- i40e: Fix memory leak related filter programming status (Alexander Duyck)  [Orabug: 28228724]
- xen-swiotlb: use actually allocated size on check physical continuous (Joe Jin)  [Orabug: 28258102]
- Revert 'Revert 'xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent'' (Dongli Zhang)  [Orabug: 28258102]
- net/mlx4_en: fix potential use-after-free with dma_unmap_page (Sarah Newman)  [Orabug: 28376051]
- ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28580543]
- block: fix bdi vs gendisk lifetime mismatch (Dan Williams)  [Orabug: 28645416]
- e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 28716958]
- Revert 'e1000e: Separate signaling for link check/link up' (Benjamin Poirier)  [Orabug: 28716958]
- e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) [Orabug: 28716958]
- e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin Poirier)  [Orabug: 28716958]
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (Benjamin Poirier)  [Orabug: 28716958]
- e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28716958]
- Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 28789030]
- workqueue: Allow modifying low level unbound workqueue cpumask (Lai Jiangshan)  [Orabug: 28813166]
- workqueue: Create low-level unbound workqueues cpumask (Frederic Weisbecker)  [Orabug: 28813166]
- scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824718] {CVE-2017-13168}

USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119535	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4300)	Nessus	Oracle Linux Local Security Checks	high
119010	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0273)	Nessus	OracleVM Local Security Checks	medium
118973	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3822-1)	Nessus	Ubuntu Local Security Checks	high
118970	Ubuntu 14.04 LTS : linux-azure vulnerabilities (USN-3820-3)	Nessus	Ubuntu Local Security Checks	high
118969	Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp vulnerabilities (USN-3820-2)	Nessus	Ubuntu Local Security Checks	high
118968	Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities (USN-3820-1)	Nessus	Ubuntu Local Security Checks	high
118861	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)	Nessus	Oracle Linux Local Security Checks	high
118814	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4265)	Nessus	Oracle Linux Local Security Checks	medium
112112	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3753-2)	Nessus	Ubuntu Local Security Checks	high
112111	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3753-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-13168

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins