http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccd5b3235180eef3cfec337df1c8554ab151b5cc

102010

RHSA-2018:0676

https://github.com/torvalds/linux/commit/ccd5b3235180eef3cfec337df1c8554ab151b5cc

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.10

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A double free vulnerability was found in netlink_dump,     which could cause a denial of service or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9806i1/4%0

  - Memory leak in drivers/media/video/videobuf-core.c in     the videobuf subsystem in the Linux kernel 2.6.x     through 4.x allows local users to cause a denial of     service (memory consumption) by leveraging /dev/video     access for a series of mmap calls that require new     allocations, a different vulnerability than     CVE-2007-6761. NOTE: as of 2016-06-18, this affects     only 11 drivers that have not been updated to use     videobuf2 instead of videobuf.(CVE-2010-5321i1/4%0

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1108i1/4%0

  - The KVM implementation in the Linux kernel through     4.20.5 has an Information Leak.(CVE-2019-7222i1/4%0

  - The adreno_perfcounter_query_group function in     drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, uses an incorrect integer     data type, which allows attackers to cause a denial of     service (integer overflow, heap-based buffer overflow,     and incorrect memory allocation) or possibly have     unspecified other impact via a crafted     IOCTL_KGSL_PERFCOUNTER_QUERY ioctl     call.(CVE-2016-2062i1/4%0

  - drivers/hid/hid-ntrig.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_NTRIG is enabled, allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and OOPS) via a crafted     device.(CVE-2013-2896i1/4%0

  - The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     before 3.17 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-3139i1/4%0

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function.(CVE-2017-7542i1/4%0

  - Memory leak in the virtio_gpu_object_create function in     drivers/gpu/drm/virtio/virtgpu_object.c in the Linux     kernel through 4.11.8 allows attackers to cause a     denial of service (memory consumption) by triggering     object-initialization failures.(CVE-2017-10810i1/4%0

  - The ping_recvmsg function in net/ipv4/ping.c in the     Linux kernel before 3.12.4 does not properly interact     with read system calls on ping sockets, which allows     local users to cause a denial of service (NULL pointer     dereference and system crash) by leveraging unspecified     privileges to execute a crafted     application.(CVE-2013-6432i1/4%0

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208i1/4%0

  - An issue was discovered in the Linux kernel through     4.18.8. The vmacache_flush_all function in     mm/vmacache.c mishandles sequence number overflows. An     attacker can trigger a use-after-free (and possibly     gain privileges) via certain thread creation, map,     unmap, invalidation, and dereference     operations.(CVE-2018-17182i1/4%0

  - The ieee80211_radiotap_iterator_init function in     net/wireless/radiotap.c in the Linux kernel before     3.11.7 does not check whether a frame contains any data     outside of the header, which might allow attackers to     cause a denial of service (buffer over-read) via a     crafted header.(CVE-2013-7027i1/4%0

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3687i1/4%0

  - A syntax vulnerability was discovered in the kernel's     ASN1.1 DER decoder, which could lead to memory     corruption or a complete local denial of service     through x509 certificate DER files. A local system user     could use a specially created key file to trigger     BUG_ON() in the public_key_verify_signature() function     (crypto/asymmetric_keys/public_key.c), to cause a     kernel panic and crash the system.(CVE-2016-2053i1/4%0

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invept     (Invalidate Translations Derived from EPT)     instructions. On hosts with an Intel processor and     invept VM exit support, an unprivileged guest user     could use these instructions to crash the     guest.(CVE-2014-3645i1/4%0

  - The packet_recvmsg function in net/packet/af_packet.c     in the Linux kernel before 3.12.4 updates a certain     length value before ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7270i1/4%0

  - The init_new_context function in     arch/x86/include/asm/mmu_context.h in the Linux kernel,     before 4.12.10, does not correctly handle errors from     LDT table allocation when forking a new process. This     could allow a local attacker to achieve a     use-after-free or possibly have unspecified other     impact by running a specially crafted     program.(CVE-2017-17053i1/4%0

  - It was found that the sanity_check_raw_super() function     in 'fs/f2fs/super.c' file in the Linux kernel before     version 4.12-rc1 does not validate the f2fs filesystem     segment count. This allows an unprivileged local user     to cause a system panic and DoS. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2017-10662i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low)

* kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low)

* kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low)

* kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low)

* kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H.
Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

Additional Changes :

See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.

ID	Name	Product	Family	Severity
124979	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1526)	Nessus	Huawei Local Security Checks	high
108984	RHEL 7 : kernel-rt (RHSA-2018:0676)	Nessus	Red Hat Local Security Checks	critical

CVE-2017-17053

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical