http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e4c56d41eef5595035872a2ec5a483f42e8917f

103353

https://github.com/torvalds/linux/commit/3e4c56d41eef5595035872a2ec5a483f42e8917f

DSA-4188

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Use-after-free     vulnerability in driverset/tun.c in the Linux kernel     through 3.11.1 allows local users to gain privileges by     leveraging the CAP_NET_ADMIN capability and providing     an invalid tuntap interface name in a TUNSETIFF ioctl     call.(CVE-2013-4343)It was found that when the gcc     stack protector was enabled, reading the /proc/keys     file could cause a panic in the Linux kernel due to     stack corruption. This happened because an incorrect     buffer size was used to hold a 64-bit timeout value     rendered as weeks.(CVE-2016-7042)A flaw was found in     the Linux kernel that fs/ocfs2/aops.c omits use of a     semaphore and consequently has a race condition for     access to the extent tree during read operations in     DIRECT mode. This allows local users to cause a denial     of service by modifying a certain e_cpos     field.(CVE-2017-18224)The sctp_v6_create_accept_sk     function in net/sctp/ipv6.c in the Linux kernel     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)In     the function sbusfb_ioctl_helper() in     drivers/video/fbdev/sbuslib.c in the Linux kernel, up     to and including 4.15, an integer signedness error     allows arbitrary information leakage for the     FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC     commands.(CVE-2018-6412)A race condition flaw was found     in the way the Linux kernel's mmap(2), madvise(2), and     fallocate(2) system calls interacted with each other     while operating on virtual memory file system files. A     local user could use this flaw to cause a denial of     service.(CVE-2014-4171)** RESERVED ** This candidate     has been reserved by an organization or individual that     will use it when announcing a new security problem.
    When the candidate has been publicized, the details for     this candidate will be provided.(CVE-2018-1095)A NULL     pointer dereference flaw was found in the way the Linux     kernel's Stream Control Transmission Protocol (SCTP)     implementation handled simultaneous connections between     the same hosts. A remote attacker could use this flaw     to crash the system.(CVE-2014-5077)A vulnerability was     found in the fs/inode.c:inode_init_owner() function     logic of the LInux kernel that allows local users to     create files with an unintended group ownership and     with group execution and SGID permission bits set, in a     scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a     member of this group. This can lead to excessive     permissions granted in case when they should     not.(CVE-2018-13405)In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)A     flaw was found in the way Linux kernel allocates heap     memory to build the scattergather list from a fragment     list(skb_shinfo(skb)-i1/4zfrag_list) in the socket     buffer(skb_buff). The heap overflow occurred if     'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST'     feature are both used together. A remote user or     process could use this flaw to potentially escalate     their privilege on a system.(CVE-2017-7477)Multiple     integer overflows in Alchemy LCD frame-buffer drivers     in the Linux kernel before 3.12 allow local users to     create a read-write memory mapping for the entirety of     kernel memory, and consequently gain privileges, via     crafted mmap operations, related to the (1)     au1100fb_fb_mmap function in drivers/video/au1100fb.c     and the (2) au1200fb_fb_mmap function in     drivers/video/au1200fb.c.(CVE-2013-4511)It was found     that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190)An issue was discovered in     the Linux kernel before 4.19.3. crypto_report_one() and     related functions in crypto/crypto_user.c (the crypto     user configuration API) do not fully initialize     structures that are copied to userspace, potentially     leaking sensitive memory to user programs. NOTE: this     is a CVE-2013-2547 regression but with easier     exploitability because the attacker does not need a     capability (however, the system must have the     CONFIG_CRYPTO_USER kconfig option).(CVE-2018-19854)The     userfaultfd implementation in the Linux kernel before     4.19.7 mishandles access control for certain UFFDIO_     ioctl calls, as demonstrated by allowing local users to     write data into holes in a tmpfs file (if the user has     read-only access to that file, and that file contains     holes), related to fs/userfaultfd.c and     mm/userfaultfd.c.(CVE-2018-18397)The TCP stack in the     Linux kernel through 4.10.6 mishandles the     SCM_TIMESTAMPING_OPT_STATS feature, which allows local     users to obtain sensitive information from the kernel's     internal socket data structures or cause a denial of     service (out-of-bounds read) via crafted system calls,     related to net/core/skbuff.c and     net/socket.c.(CVE-2017-7277)A flaw was found in the way     the Linux kernel's vhost driver treated userspace     provided log file descriptor when processing the     VHOST_SET_LOG_FD ioctl command. The file descriptor was     never released and continued to consume kernel memory.
    A privileged local user with access to the     /dev/vhost-net files could use this flaw to create a     denial-of-service attack.(CVE-2015-6252)A buffer     overflow flaw was found in the way the Linux kernel's     virtio-net subsystem handled certain fraglists when the     GRO (Generic Receive Offload) functionality was enabled     in a bridged network configuration. An attacker on the     local network could potentially use this flaw to crash     the system, or, although unlikely, elevate their     privileges on the system.(CVE-2015-5156)The MSM QDSP6     audio driver (aka sound driver) for the Linux kernel     3.x, as used in Qualcomm Innovation Center (QuIC)     Android contributions for MSM devices and other     products, allows attackers to gain privileges or cause     a denial of service (integer overflow, and buffer     overflow or buffer over-read) via a crafted application     that performs a (1) AUDIO_EFFECTS_WRITE or (2)     AUDIO_EFFECTS_READ operation, aka Qualcomm internal bug     CR1006609.(CVE-2016-2068)The icmp6_send function in     net/ipv6/icmp.c in the Linux kernel through 4.8.12     omits a certain check of the dst data structure which     allows remote attackers to cause a denial of service     (panic) via a fragmented IPv6 packet.(CVE-2016-9919)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18445: A faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removed entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry could remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permitted out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omitted use of a semaphore and consequently had a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel for Azure was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18445: Faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min_max_vals in kernel/bpf/verifier.c mishandled 32-bit right shifts (bnc#1112372).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-18224: fs/ocfs2/aops.c omits use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode, which allowed local users to cause a denial of service (BUG) by modifying a certain e_cpos field (bnc#1084831).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-5715     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 2 (branch target   injection) and is mitigated for the x86 architecture (amd64 and   i386) by using the 'retpoline' compiler feature which allows   indirect branches to be isolated from speculative execution.

  - CVE-2017-5753     Multiple researchers have discovered a vulnerability in     various processors supporting speculative execution,     enabling an attacker controlling an unprivileged process     to read memory from arbitrary addresses, including from     the kernel and all other processes running on the     system.

  This specific attack has been named Spectre variant 1 (bounds-check   bypass) and is mitigated by identifying vulnerable code sections   (array bounds checking followed by array access) and replacing the   array access with the speculation-safe array_index_nospec()   function.

  More use sites will be added over time.

  - CVE-2017-17975     Tuba Yavuz reported a use-after-free flaw in the     USBTV007 audio-video grabber driver. A local user could     use this for denial of service by triggering failure of     audio registration.

  - CVE-2017-18193     Yunlei He reported that the f2fs implementation does not     properly handle extent trees, allowing a local user to     cause a denial of service via an application with     multiple threads.

  - CVE-2017-18216     Alex Chen reported that the OCFS2 filesystem failed to     hold a necessary lock during nodemanager sysfs file     operations, potentially leading to a NULL pointer     dereference. A local user could use this for denial of     service.

  - CVE-2017-18218     Jun He reported a use-after-free flaw in the Hisilicon     HNS ethernet driver. A local user could use this for     denial of service.

  - CVE-2017-18222     It was reported that the Hisilicon Network Subsystem     (HNS) driver implementation does not properly handle     ethtool private flags. A local user could use this for     denial of service or possibly have other impact.

  - CVE-2017-18224     Alex Chen reported that the OCFS2 filesystem omits the     use of a semaphore and consequently has a race condition     for access to the extent tree during read operations in     DIRECT mode. A local user could use this for denial of     service.

  - CVE-2017-18241     Yunlei He reported that the f2fs implementation does not     properly initialise its state if the 'noflush_merge'     mount option is used. A local user with access to a     filesystem mounted with this option could use this to     cause a denial of service.

  - CVE-2017-18257     It was reported that the f2fs implementation is prone to     an infinite loop caused by an integer overflow in the
    __get_data_block() function. A local user can use this     for denial of service via crafted use of the open and     fallocate system calls with an FS_IOC_FIEMAP ioctl.

  - CVE-2018-1065     The syzkaller tool found a NULL pointer dereference flaw     in the netfilter subsystem when handling certain     malformed iptables rulesets. A local user with the     CAP_NET_RAW or CAP_NET_ADMIN capability (in any user     namespace) could use this to cause a denial of service.
    Debian disables unprivileged user namespaces by default.

  - CVE-2018-1066     Dan Aloni reported to Red Hat that the CIFS client     implementation would dereference a NULL pointer if the     server sent an invalid response during NTLMSSP setup     negotiation. This could be used by a malicious server     for denial of service.

  - CVE-2018-1068     The syzkaller tool found that the 32-bit compatibility     layer of ebtables did not sufficiently validate offset     values. On a 64-bit kernel, a local user with the     CAP_NET_ADMIN capability (in any user namespace) could     use this to overwrite kernel memory, possibly leading to     privilege escalation. Debian disables unprivileged user     namespaces by default.

  - CVE-2018-1092     Wen Xu reported that a crafted ext4 filesystem image     would trigger a null dereference when mounted. A local     user able to mount arbitrary filesystems could use this     for denial of service.

  - CVE-2018-1093     Wen Xu reported that a crafted ext4 filesystem image     could trigger an out-of-bounds read in the     ext4_valid_block_bitmap() function. A local user able to     mount arbitrary filesystems could use this for denial of     service.

  - CVE-2018-1108     Jann Horn reported that crng_ready() does not properly     handle the crng_init variable states and the RNG could     be treated as cryptographically safe too early after     system boot.

  - CVE-2018-5803     Alexey Kodanev reported that the SCTP protocol did not     range-check the length of chunks to be created. A local     or remote user could use this to cause a denial of     service.

  - CVE-2018-7480     Hou Tao discovered a double-free flaw in the     blkcg_init_queue() function in block/blk-cgroup.c. A     local user could use this to cause a denial of service     or have other impact.

  - CVE-2018-7566     Fan LongFei reported a race condition in the ALSA     (sound) sequencer core, between write and ioctl     operations. This could lead to an out-of-bounds access     or use-after-free. A local user with access to a     sequencer device could use this for denial of service or     possibly for privilege escalation.

  - CVE-2018-7740     Nic Losby reported that the hugetlbfs filesystem's mmap     operation did not properly range-check the file offset.
    A local user with access to files on a hugetlbfs     filesystem could use this to cause a denial of service.

  - CVE-2018-7757     Jason Yan reported a memory leak in the SAS     (Serial-Attached SCSI) subsystem. A local user on a     system with SAS devices could use this to cause a denial     of service.

  - CVE-2018-7995     Seunghun Han reported a race condition in the x86 MCE     (Machine Check Exception) driver. This is unlikely to     have any security impact.

  - CVE-2018-8087     A memory leak flaw was found in the hwsim_new_radio_nl()     function in the simulated radio testing tool driver for     mac80211, allowing a local user to cause a denial of     service.

  - CVE-2018-8781     Eyal Itkin reported that the udl (DisplayLink) driver's     mmap operation did not properly range-check the file     offset. A local user with access to a udl framebuffer     device could exploit this to overwrite kernel memory,     leading to privilege escalation.

  - CVE-2018-8822     Dr Silvio Cesare of InfoSect reported that the ncpfs     client implementation did not validate reply lengths     from the server. An ncpfs server could use this to cause     a denial of service or remote code execution in the     client.

  - CVE-2018-10323     Wen Xu reported a NULL pointer dereference flaw in the     xfs_bmapi_write() function triggered when mounting and     operating a crafted xfs filesystem image. A local user     able to mount arbitrary filesystems could use this for     denial of service.

  - CVE-2018-1000199     Andy Lutomirski discovered that the ptrace subsystem did     not sufficiently validate hardware breakpoint settings.
    Local users can use this to cause a denial of service,     or possibly for privilege escalation, on x86 (amd64 and     i386) and possibly other architectures.

ID	Name	Product	Family	Severity
124984	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1531)	Nessus	Huawei Local Security Checks	high
123366	openSUSE Security Update : the Linux Kernel (openSUSE-2019-893)	Nessus	SuSE Local Security Checks	high
120151	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:3589-1)	Nessus	SuSE Local Security Checks	high
119647	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:4069-1)	Nessus	SuSE Local Security Checks	high
119286	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3934-1)	Nessus	SuSE Local Security Checks	high
118818	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1342)	Nessus	SuSE Local Security Checks	high
109518	Debian DSA-4188-1 : linux - security update (Spectre)	Nessus	Debian Local Security Checks	high

CVE-2017-18224

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high