104680

https://bugzilla.kernel.org/show_bug.cgi?id=200179

https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=cc60e90f9bfab8d6a7fb826937e824333c3bf94a

[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update

https://sourceforge.net/p/linux-f2fs/mailman/message/36356878/

USN-3932-1

USN-3932-2

DSA-4308

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - Array index error in the tcm_vhost_make_tpg function in     drivers/vhost/scsi.c in the Linux kernel before 4.0     might allow guest OS users to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via a crafted VHOST_SCSI_SET_ENDPOINT ioctl     call. NOTE: the affected function was renamed to     vhost_scsi_make_tpg before the vulnerability was     announced.(CVE-2015-4036)

  - The llc_cmsg_rcv function in net/llc/af_llc.c in the     Linux kernel before 4.5.5 does not initialize a certain     data structure, which allows attackers to obtain     sensitive information from kernel stack memory by     reading a message.(CVE-2016-4485)

  - The nr_recvmsg function in net/netrom/af_netrom.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7269)

  - The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted USB device without two     interrupt-in endpoint descriptors.(CVE-2016-3136)

  - An out-of-bounds memory access flaw, CVE-2014-7825, was     found in the syscall tracing functionality of the Linux     kernel's perf subsystem. A local, unprivileged user     could use this flaw to crash the system. Additionally,     an out-of-bounds memory access flaw, CVE-2014-7826, was     found in the syscall tracing functionality of the Linux     kernel's ftrace subsystem. On a system with ftrace     syscall tracing enabled, a local, unprivileged user     could use this flaw to crash the system, or escalate     their privileges.(CVE-2014-7826)

  - Linux kernel built with the Kernel-based Virtual     Machine (CONFIG_KVM) support is vulnerable to a null     pointer dereference flaw. It could occur on x86     platform, when emulating an undefined instruction. An     attacker could use this flaw to crash the host kernel     resulting in DoS.(CVE-2016-8630)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound access in     ext4_get_group_info function, a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10881)

  - The arch_timer_reg_read_stable macro in     arch/arm64/include/asm/arch_timer.h in the Linux kernel     before 4.13 allows local users to cause a denial of     service (infinite recursion) by writing to a file under     /sys/kernel/debug in certain circumstances, as     demonstrated by a scenario involving debugfs, ftrace,     PREEMPT_TRACER, and     FUNCTION_GRAPH_TRACER.(CVE-2017-18261)

  - The ip6_route_add function in net/ipv6/route.c in the     Linux kernel through 3.13.6 does not properly count the     addition of routes, which allows remote attackers to     cause a denial of service (memory consumption) via a     flood of ICMPv6 Router Advertisement     packets.(CVE-2014-2309)

  - In the Linux kernel before 4.20.2, kernel/sched/fair.c     mishandles leaf cfs_rq's, which allows attackers to     cause a denial of service (infinite loop in     update_blocked_averages) or possibly have unspecified     other impact by inducing a high load.(CVE-2018-20784)

  - An issue was discovered in the F2FS filesystem code in     fs/f2fs/inline.c in the Linux kernel. A denial of     service due to the out-of-bounds memory access can     occur for a modified f2fs filesystem     image.(CVE-2018-13099)

  - An out-of-bounds write vulnerability was found in the     Linux kernel's vmw_surface_define_ioctl() function, in     the 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-7294)

  - A flaw was found in the way the Linux kernel's KVM     subsystem handled non-canonical addresses when     emulating instructions that change the RIP (for     example, branches or calls). A guest user with access     to an I/O or MMIO region could use this flaw to crash     the guest.(CVE-2014-3647)

  - The __munlock_pagevec function in mm/mlock.c in the     Linux kernel, before 4.11.4, allows local users to     cause a denial of service (NR_MLOCK accounting     corruption) via crafted use of mlockall and munlockall     system calls.(CVE-2017-18221)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2018-1120)

  - The proc_connectinfo() function in     'drivers/usb/core/devio.c' in the Linux kernel through     4.6 does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory via a crafted USBDEVFS_CONNECTINFO     ioctl call. The stack object 'ci' has a total size of 8     bytes. Its last 3 bytes are padding bytes which are not     initialized and are leaked to userland.(CVE-2016-4482)

  - A vulnerability was found in the Linux kernel. An     unprivileged local user could trigger oops in     shash_async_export() by attempting to force the     in-kernel hashing algorithms into decrypting an empty     data set.(CVE-2016-8646)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid NULL pointer dereference     in btrfs_root_node() when mounting a crafted btrfs     image is due to a lack of chunk block group mapping     validation in btrfs_read_block_groups() in the     fs/btrfs/extent-tree.c function and a lack of     empty-tree checks in check_leaf() in     fs/btrfs/tree-checker.c function. This could lead to a     system crash and a denial of service.(CVE-2018-14612)

  - It was found that the Linux kernel's TCP/IP protocol     suite implementation for IPv6 allowed the Hop Limit     value to be set to a smaller value than the default     one. An attacker on a local network could use this flaw     to prevent systems on that network from sending or     receiving network packets.(CVE-2015-2922)

  - A NULL-pointer dereference flaw was found in the     kernel, which is caused by a race between revoking a     user-type key and reading from it. The issue could be     triggered by an unprivileged user with a local account,     causing the kernel to crash (denial of     service).(CVE-2015-7550)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix security issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-6554

A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption).

CVE-2018-6555

A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash).

CVE-2018-7755

Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data.

CVE-2018-9363

It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution.

CVE-2018-9516

It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.
However, by default debugfs is only accessible by the root user.

CVE-2018-10902

It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation.

CVE-2018-10938

Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang).

CVE-2018-13099

Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2018-14609

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount arbitrary F2FS volumes could use this to cause a denial of service (crash).

CVE-2018-14617

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount arbitrary HFS+ volumes could use this to cause a denial of service (crash).

CVE-2018-14633

Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target.

CVE-2018-14678

M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash).

CVE-2018-14734

A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation.

CVE-2018-15572

Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users.

CVE-2018-15594

Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel.

CVE-2018-16276

Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-17182

Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-3+deb9u5~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2018-6554     A memory leak in the irda_bind function in the irda     subsystem was discovered. A local user can take     advantage of this flaw to cause a denial of service     (memory consumption).

  - CVE-2018-6555     A flaw was discovered in the irda_setsockopt function in     the irda subsystem, allowing a local user to cause a     denial of service (use-after-free and system crash).

  - CVE-2018-7755     Brian Belleville discovered a flaw in the     fd_locked_ioctl function in the floppy driver in the     Linux kernel. The floppy driver copies a kernel pointer     to user memory in response to the FDGETPRM ioctl. A     local user with access to a floppy drive device can take     advantage of this flaw to discover the location kernel     code and data.

  - CVE-2018-9363     It was discovered that the Bluetooth HIDP implementation     did not correctly check the length of received report     messages. A paired HIDP device could use this to cause a     buffer overflow, leading to denial of service (memory     corruption or crash) or potentially remote code     execution.

  - CVE-2018-9516     It was discovered that the HID events interface in     debugfs did not correctly limit the length of copies to     user buffers. A local user with access to these files     could use this to cause a denial of service (memory     corruption or crash) or possibly for privilege     escalation. However, by default debugfs is only     accessible by the root user.

  - CVE-2018-10902     It was discovered that the rawmidi kernel driver does     not protect against concurrent access which leads to a     double-realloc (double free) flaw. A local attacker can     take advantage of this issue for privilege escalation.

  - CVE-2018-10938     Yves Younan from Cisco reported that the Cipso IPv4     module did not correctly check the length of IPv4     options. On custom kernels with CONFIG_NETLABEL enabled,     a remote attacker could use this to cause a denial of     service (hang).

  - CVE-2018-13099     Wen Xu from SSLab at Gatech reported a use-after-free     bug in the F2FS implementation. An attacker able to     mount a crafted F2FS volume could use this to cause a     denial of service (crash or memory corruption) or     possibly for privilege escalation.

  - CVE-2018-14609     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the F2FS implementation. An     attacker able to mount a crafted F2FS volume could use     this to cause a denial of service (crash).

  - CVE-2018-14617     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the HFS+ implementation. An     attacker able to mount a crafted HFS+ volume could use     this to cause a denial of service (crash).

  - CVE-2018-14633     Vincent Pelletier discovered a stack-based buffer     overflow flaw in the chap_server_compute_md5() function     in the iSCSI target code. An unauthenticated remote     attacker can take advantage of this flaw to cause a     denial of service or possibly to get a non-authorized     access to data exported by an iSCSI target.

  - CVE-2018-14678     M. Vefa Bicakci and Andy Lutomirski discovered a flaw in     the kernel exit code used on amd64 systems running as     Xen PV guests. A local user could use this to cause a     denial of service (crash).

  - CVE-2018-14734     A use-after-free bug was discovered in the InfiniBand     communication manager. A local user could use this to     cause a denial of service (crash or memory corruption)     or possible for privilege escalation.

  - CVE-2018-15572     Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu     Song, and Nael Abu-Ghazaleh, from University of     California, Riverside, reported a variant of Spectre     variant 2, dubbed SpectreRSB. A local user may be able     to use this to read sensitive information from processes     owned by other users.

  - CVE-2018-15594     Nadav Amit reported that some indirect function calls     used in paravirtualised guests were vulnerable to     Spectre variant 2. A local user may be able to use this     to read sensitive information from the kernel.

  - CVE-2018-16276     Jann Horn discovered that the yurex driver did not     correctly limit the length of copies to user buffers. A     local user with access to a yurex device node could use     this to cause a denial of service (memory corruption or     crash) or possibly for privilege escalation.

  - CVE-2018-16658     It was discovered that the cdrom driver does not     correctly validate the parameter to the     CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom     device could use this to read sensitive information from     the kernel or to cause a denial of service (crash).

  - CVE-2018-17182     Jann Horn discovered that the vmacache_flush_all     function mishandles sequence number overflows. A local     user can take advantage of this flaw to trigger a     use-after-free, causing a denial of service (crash or     memory corruption) or privilege escalation.

ID	Name	Product	Family	Severity
124973	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1520)	Nessus	Huawei Local Security Checks	high
123681	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3932-2)	Nessus	Ubuntu Local Security Checks	high
123680	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3932-1)	Nessus	Ubuntu Local Security Checks	high
121505	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)	Nessus	Slackware Local Security Checks	high
118194	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1184)	Nessus	SuSE Local Security Checks	high
117908	Debian DLA-1531-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	high
117862	Debian DSA-4308-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2018-13099

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins