http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=dfb4357da6ddbdf57d583ba64361c9d792b0e0b1

96271

https://bugzilla.kernel.org/show_bug.cgi?id=193921

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In the ea_get function in fs/jfs/xattr.c in the Linux     kernel through 4.17.1, a memory corruption bug in JFS     can be triggered by calling setxattr twice with two     different extended attribute names on the same file.
    This vulnerability can be triggered by an unprivileged     user with the ability to create files and execute     programs. A kmalloc call is incorrect, leading to     slab-out-of-bounds in jfs_xattr.(CVE-2018-12233)

  - The spectre_v2_select_mitigation function in     arch/x86/kernel/cpu/bugs.c in the Linux kernel before     4.18.1 does not always fill RSB upon a context switch,     which makes it easier for attackers to conduct     userspace-userspace spectreRSB attacks.(CVE-2018-15572)

  - Race condition in the queue_delete function in     sound/core/seq/seq_queue.c in the Linux kernel before     4.4.1 allows local users to cause a denial of service     (use-after-free and system crash) by making an ioctl     call at a certain time.(CVE-2016-2544)

  - A flaw was found in the Linux kernel's implementation     of BPF in which systems can application can overflow a     32 bit refcount in both program and map refcount. This     refcount can wrap and end up a user after     free.(CVE-2016-4558)

  - Interpretation conflict in     drivers/md/dm-snap-persistent.c in the Linux kernel     through 3.11.6 allows remote authenticated users to     obtain sensitive information or modify data via a     crafted mapping to a snapshot block     device.(CVE-2013-4299)

  - The imon_probe function in drivers/media/rc/imon.c in     the Linux kernel through 4.13.11 allows local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16537)

  - A vulnerability in the handling of Transactional Memory     on powerpc systems was found. An unprivileged local     user can crash the kernel by starting a transaction,     suspending it, and then calling any of the exec() class     system calls.(CVE-2016-5828)

  - A cross-boundary flaw was discovered in the Linux     kernel software raid driver. The driver accessed a     disabled bitmap where only the first byte of the buffer     was initialized to zero. This meant that the rest of     the request (up to 4095 bytes) was left and copied into     user space. An attacker could use this flaw to read     private information from user space that would not     otherwise have been accessible.(CVE-2015-5697)

  - The parse_hid_report_descriptor function in     drivers/input/tablet/gtco.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16643)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A flaw was found in the Linux kernel which could cause     a kernel panic when restoring machine specific     registers on the PowerPC platform. Incorrect     transactional memory state registers could     inadvertently change the call path on return from     userspace and cause the kernel to enter an unknown     state and crash.(CVE-2015-8845)

  - fs/namespace.c in the Linux kernel through 3.16.1 does     not properly restrict clearing MNT_NODEV, MNT_NOSUID,     and MNT_NOEXEC and changing MNT_ATIME_MASK during a     remount of a bind mount, which allows local users to     gain privileges, interfere with backups and auditing on     systems that had atime enabled, or cause a denial of     service (excessive filesystem updating) on systems that     had atime disabled via a 'mount -o remount' command     within a user namespace.(CVE-2014-5207)

  - The NFS2/3 RPC client could send long arguments to the     NFS server. These encoded arguments are stored in an     array of memory pages, and accessed using pointer     variables. Arbitrarily long arguments could make these     pointers point outside the array and cause an     out-of-bounds memory access. A remote user or program     could use this flaw to crash the kernel, resulting in     denial of service.(CVE-2017-7645)

  - The time subsystem in the Linux kernel, when     CONFIG_TIMER_STATS is enabled, allows local users to     discover real PID values (as distinguished from PID     values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer     function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in     kernel/time/timer.c.(CVE-2017-5967)

  - A vulnerability was found in the Linux kernel where the     keyctl_set_reqkey_keyring() function leaks the thread     keyring. This allows an unprivileged local user to     exhaust kernel memory and thus cause a     DoS.(CVE-2017-7472)

  - A flaw was found that can be triggered in     keyring_search_iterator in keyring.c if type->match is     NULL. A local user could use this flaw to crash the     system or, potentially, escalate their     privileges.(CVE-2017-2647)

  - The make_response function in     drivers/block/xen-blkback/blkback.c in the Linux kernel     before 4.11.8 allows guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures, aka XSA-216.(CVE-2017-10911)

  - Stack-based buffer overflow in the SET_WPS_IE IOCTL     implementation in wlan_hdd_hostapd.c in the WLAN (aka     Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used     in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to gain privileges via a crafted     application that uses a long WPS IE     element.(CVE-2015-0570)

  - The net_ctl_permissions function in net/sysctl_net.c in     the Linux kernel before 3.11.5 does not properly     determine uid and gid values, which allows local users     to bypass intended /proc/sys/net restrictions via a     crafted application.(CVE-2013-4270)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Infinite recursion in ahash.c by triggering EBUSY on a full queue :

A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.(CVE-2017-7618)

Time subsystem allows local users to discover real PID values :

The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.(CVE-2017-5967)

Stack-based buffer overflow in sg_ioctl function :

The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function. (CVE-2017-7187)

Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c :

Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in mm/mempolicy.c; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)

Race condition in Link Layer Control :

A race condition leading to a NULL pointer dereference was found in the Linux kernel's Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system.
(CVE-2017-2671)

Overflow in check for priv area size :

It was found that the packet_set_ring() function of the Linux kernel's networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system.
Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7308)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or have other impacts.

CVE-2016-2188

Ralf Spenneberg of OpenSource Security reported that the iowarrior device driver did not sufficiently validate USB descriptors. This allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2016-9604

It was discovered that the keyring subsystem allowed a process to set a special internal keyring as its session keyring. The security impact in this version of the kernel is unknown.

CVE-2016-10200

Baozeng Ding and Andrey Konovalov reported a race condition in the L2TP implementation which could corrupt its table of bound sockets. A local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-2647 / CVE-2017-6951

idl3r reported that the keyring subsystem would allow a process to search for 'dead' keys, causing a NULL pointer dereference. A local user could use this to cause a denial of service (crash).

CVE-2017-2671

Daniel Jiang discovered a race condition in the ping socket implementation. A local user with access to ping sockets could use this to cause a denial of service (crash) or possibly for privilege escalation. This feature is not accessible to any users by default.

CVE-2017-5967

Xing Gao reported that the /proc/timer_list file showed information about all processes, not considering PID namespaces. If timer debugging was enabled by a privileged user, this leaked information to processes contained in PID namespaces.

CVE-2017-5970

Andrey Konovalov discovered a denial of service flaw in the IPv4 networking code. This can be triggered by a local or remote attacker if a local UDP or raw socket has the IP_RETOPTS option enabled.

CVE-2017-7184

Chaitin Security Research Lab discovered that the net xfrm subsystem did not sufficiently validate replay state parameters, allowing a heap buffer overflow. This can be used by a local user with the CAP_NET_ADMIN capability for privilege escalation.

CVE-2017-7261

Vladis Dronov and Murray McAllister reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash).

CVE-2017-7273

Benoit Camredon reported that the hid-cypress driver did not sufficiently validate HID reports. This possibly allowed a physically present user with a specially designed USB device to cause a denial of service (crash).

CVE-2017-7294

Li Qiang reported that the vmwgfx driver did not sufficiently validate rendering surface parameters. In a VMware guest, this can be used by a local user to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2017-7308

Andrey Konovalov reported that the packet socket (AF_PACKET) implementation did not sufficiently validate buffer parameters. This can be used by a local user with the CAP_NET_RAW capability for privilege escalation.

CVE-2017-7472

Eric Biggers reported that the keyring subsystem allowed a thread to create new thread keyrings repeatedly, causing a memory leak. This can be used by a local user to cause a denial of service (memory exhaustion).

CVE-2017-7616

Chris Salls reported an information leak in the 32-bit big-endian compatibility implementations of set_mempolicy() and mbind(). This does not affect any architecture supported in Debian 7 LTS.

CVE-2017-7618

Sabrina Dubroca reported that the cryptographic hash subsystem does not correctly handle submission of unaligned data to a device that is already busy, resulting in infinite recursion. On some systems this can be used by local users to cause a denial of service (crash).

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.88-1. This version also includes bug fixes from upstream version 3.2.88, and fixes some older security issues in the keyring, packet socket and cryptographic hash subsystems that do not have CVE IDs.

For Debian 8 'Jessie', most of these problems have been fixed in version 3.16.43-1 which will be part of the next point release.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.9.10 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124802	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1478)	Nessus	Huawei Local Security Checks	high
100106	Amazon Linux AMI : kernel (ALAS-2017-828)	Nessus	Amazon Linux Local Security Checks	high
99733	Debian DLA-922-1 : linux security update	Nessus	Debian Local Security Checks	high
97310	Fedora 24 : kernel (2017-787bc0d5b4)	Nessus	Fedora Local Security Checks	medium
97237	Fedora 25 : kernel (2017-0054c7b1f0)	Nessus	Fedora Local Security Checks	medium

CVE-2017-5967

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins