104917

https://bugzilla.kernel.org/show_bug.cgi?id=199839

[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update

https://patchwork.kernel.org/patch/10503099/

USN-3932-1

USN-3932-2

USN-4094-1

USN-4118-1

It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617)

Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169)

Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784)

It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-20856)

Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383)

It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136)

It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126)

It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207)

Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638)

Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639)

Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-11085)

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information.
(CVE-2019-11599)

It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-11810)

It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-11815)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2019-11884)

It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818)

It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819)

It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984)

Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233)

Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272)

It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2019-13631)

It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash).
(CVE-2019-14283)

It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284)

Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service.
(CVE-2019-14763)

It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090)

It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2019-15211)

It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212)

It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214)

It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215)

It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15220)

It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292)

It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024)

It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101)

It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846)

Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900)

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506)

It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information.
(CVE-2018-20511)

It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2019-15216)

It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218)

It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, CVE-2018-13096, CVE-2018-13098, CVE-2018-14615)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14609)

Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617)

Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862)

Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169)

It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-20856)

Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383)

It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126)

Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125)

It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614)

It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818)

It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819)

It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984)

Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233)

Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272)

It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024)

It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101)

It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846)

It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information.
(CVE-2018-20511).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel through 4.14.15 allows local users     to obtain sensitive address information by reading     dmesg data from an SBS HC printk call.(CVE-2018-5750)

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. A use-after-free is possible in     try_merge_free_space() when mounting a crafted btrfs     image due to a lack of chunk type flag checks in     btrfs_check_chunk_valid() in the fs/btrfs/volumes.c     function. This could lead to a denial of service or     other unspecified impact.(CVE-2018-14611)

  - A flaw was found in the way the Linux kernel visor     driver handles certain invalid USB device descriptors.
    The driver assumes that the device always has at least     one bulk OUT endpoint. By using a specially crafted USB     device (without a bulk OUT endpoint), an unprivileged     user with physical access could trigger a kernel     NULL-pointer dereference and cause a system panic     (denial of service).(CVE-2015-7566)

  - It was found that the RFC 5961 challenge ACK rate     limiting as implemented in the Linux kernel's     networking subsystem allowed an off-path attacker to     leak certain information about a given connection by     creating congestion on the global challenge ACK rate     limit counter and then measuring the changes by probing     packets. An off-path attacker could use this flaw to     either terminate TCP connection and/or inject payload     into non-secured TCP connection between two endpoints     on the network.(CVE-2016-5696)

  - It was found that the Bluebooth Network Encapsulation     Protocol (BNEP) implementation did not validate the     type of second socket passed to the BNEPCONNADD     ioctl(), which could lead to memory corruption. A local     user with the CAP_NET_ADMIN capability can use this for     denial of service (crash or data corruption) or     possibly for privilege escalation. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we feel it is unlikely.(CVE-2017-15868)

  - A vulnerability was found in the key management     subsystem of the Linux kernel. An update on an     uninstantiated key could cause a kernel panic, leading     to denial of service (DoS).(CVE-2017-15299)

  - The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel before     4.2 allows local users to obtain sensitive information     or cause a denial of service (NULL pointer dereference)     via vectors involving a bind system call on a Bluetooth     RFCOMM socket.(CVE-2015-8956)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - A flaw was found in the Linux kernel's ext4 filesystem     code. A stack-out-of-bounds write in     ext4_update_inline_data() is possible when mounting and     writing to a crafted ext4 image. An attacker could use     this to cause a system crash and a denial of     service.(CVE-2018-10880)

  - The aac_send_raw_srb function in     drivers/scsi/aacraid/commctrl.c in the Linux kernel     through 3.12.1 does not properly validate a certain     size value, which allows local users to cause a denial     of service (invalid pointer dereference) or possibly     have unspecified other impact via an     FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted     SRB command.(CVE-2013-6380)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization(nVMX) feature     enabled(nested=1), is vulnerable to an uncaught     exception issue. It could occur if an L2 guest was to     throw an exception which is not handled by an L1     guest.(CVE-2016-9588)

  - A flaw was found in the alarm_timer_nsleep() function     in kernel/time/alarmtimer.c in the Linux kernel. The     ktime_add_safe() function is not used and an integer     overflow can happen causing an alarm not to fire if     using a large relative timeout.(CVE-2018-13053)

  - net/llc/sysctl_net_llc.c in the Linux kernel before     3.19 uses an incorrect data type in a sysctl table,     which allows local users to obtain potentially     sensitive information from kernel memory or possibly     have unspecified other impact by accessing a sysctl     entry.(CVE-2015-2041)

  - Incorrect error handling in the set_mempolicy() and     mbind() compat syscalls in 'mm/mempolicy.c' in the     Linux kernel allows local users to obtain sensitive     information from uninitialized stack data by triggering     failure of a certain bitmap operation.(CVE-2017-7616)

  - The snd_msnd_interrupt function in     sound/isa/msnd/msnd_pinnacle.c in the Linux kernel     through 4.11.7 allows local users to cause a denial of     service (over-boundary access) or possibly have     unspecified other impact by changing the value of a     message queue head pointer between two kernel reads of     that value, aka a 'double fetch'     vulnerability.(CVE-2017-9984)

  - An integer overflow was discovered in the     qla2x00_sysfs_write_optrom_ctl function in     drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel     through 4.12.10. This flaw allows local users to cause     a denial of service (memory corruption and system     crash) by leveraging root access.(CVE-2017-14051)

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4654)

  - An information leak flaw was found in the way the Linux     kernel's Virtual Dynamic Shared Object (vDSO)     implementation performed address randomization. A     local, unprivileged user could use this flaw to leak     kernel memory addresses to user-space.(CVE-2014-9585)

  - The usbhid_parse function in     drivers/hid/usbhid/hid-core.c in the Linux kernel,     before 4.13.8, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16533)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This     can result in a kernel panic causing a local denial of     service.(CVE-2017-14106)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249)

Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616)

Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata.
An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613)

Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884)

It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code.
(CVE-2018-9517)

Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel.
An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460)

Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974)

Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221)

Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM).
(CVE-2019-7222)

Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213)

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701)

Vladis Dronov discovered that the debug interface for the Linux kernel's HID subsystem did not properly validate passed parameters in some situations. A local privileged attacker could use this to cause a denial of service (infinite loop). (CVE-2019-3819).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-18249

A race condition was discovered in the disk space allocator of F2FS. A user with access to an F2FS volume could use this to cause a denial of service or other security impact.

CVE-2018-1128, CVE-2018-1129

The cephx authentication protocol used by Ceph was susceptible to replay attacks, and calculated signatures incorrectly. These vulnerabilities in the server required changes to authentication that are incompatible with existing clients. The kernel's client code has now been updated to be compatible with the fixed server.

CVE-2018-3639 (SSB)

Multiple researchers have discovered that Speculative Store Bypass (SSB), a feature implemented in many processors, could be used to read sensitive information from another context. In particular, code in a software sandbox may be able to read sensitive information from outside the sandbox. This issue is also known as Spectre variant 4.

This update adds a further mitigation for this issue in the eBPF (Extended Berkeley Packet Filter) implementation.

CVE-2018-5391 (FragmentSmack)

Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculation expensive fragment reassembly algorithms by sending specially crafted packets, leading to remote denial of service.

This was previously mitigated by reducing the default limits on memory usage for incomplete fragmented packets. This update replaces that mitigation with a more complete fix.

CVE-2018-5848

The wil6210 wifi driver did not properly validate lengths in scan and connection requests, leading to a possible buffer overflow. On systems using this driver, a local user with the CAP_NET_ADMIN capability could use this for denial of service (memory corruption or crash) or potentially for privilege escalation.

CVE-2018-12896, CVE-2018-13053

Team OWL337 reported possible integer overflows in the POSIX timer implementation. These might have some security impact.

CVE-2018-13096, CVE-2018-13097, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616

Wen Xu from SSLab at Gatech reported that crafted F2FS volumes could trigger a crash (BUG, Oops, or division by zero) and/or out-of-bounds memory access. An attacker able to mount such a volume could use this to cause a denial of service or possibly for privilege escalation.

CVE-2018-13406

Dr Silvio Cesare of InfoSect reported a potential integer overflow in the uvesafb driver. A user with permission to access such a device might be able to use this for denial of service or privilege escalation.

CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613

Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could trigger a crash (Oops) and/or out-of-bounds memory access. An attacker able to mount such a volume could use this to cause a denial of service or possibly for privilege escalation.

CVE-2018-15471 ((XSA-270)

Felix Wilhelm of Google Project Zero discovered a flaw in the hash handling of the xen-netback Linux kernel module. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in privilege escalation, denial of service, or information leaks.

https://xenbits.xen.org/xsa/advisory-270.html

CVE-2018-16862

Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team discovered that the cleancache memory management feature did not invalidate cached data for deleted files. On Xen guests using the tmem driver, local users could potentially read data from other users' deleted files if they were able to create new files on the same volume.

CVE-2018-17972

Jann Horn reported that the /proc/*/stack files in procfs leaked sensitive data from the kernel. These files are now only readable by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

Jann Horn reported a race condition in the virtual memory manager that can result in a process briefly having access to memory after it is freed and reallocated. A local user could possibly exploit this for denial of service (memory corruption) or for privilege escalation.

CVE-2018-18690

Kanda Motohiro reported that XFS did not correctly handle some xattr (extended attribute) writes that require changing the disk format of the xattr. A user with access to an XFS volume could use this for denial of service.

CVE-2018-18710

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-19407

Wei Wu reported a potential crash (Oops) in the KVM implementation for x86 processors. A user with access to /dev/kvm could use this for denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.144-3.1~deb8u1. This version also includes fixes for Debian bugs #890034, #896911, #907581, #915229, and #915231; and other fixes included in upstream stable updates.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New kernel packages are available for Slackware 14.2 to fix security issues.

Description of changes:

[4.14.35-1818.4.5.el7uek]
- x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: x86_spec_ctrl_set needs to be called unconditionally (Boris Ostrovsky)  [Orabug: 28814574]
- x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris Ostrovsky)  [Orabug: 28814574]
- x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris Ostrovsky)  [Orabug: 28814574]

[4.14.35-1818.4.4.el7uek]
- ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28821391]
- scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824731] {CVE-2017-13168}
- hugetlbfs: introduce truncation/fault mutex to avoid races (Mike Kravetz)  [Orabug: 28776542]
- rds: MPRDS messages delivered out of order (Ka-Cheong Poon)  [Orabug: 28838051]
- x86/bugs: rework x86_spec_ctrl_set to make its changes explicit (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle (Daniel Jordan)  [Orabug: 28270952]
- x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec ctrl MSR (Daniel Jordan)  [Orabug: 28270952]
- iommu: turn on iommu=pt by default (Tushar Dave)  [Orabug: 28111039]
- vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh)  [Orabug: 28775556]
- vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775556]

[4.14.35-1818.4.3.el7uek]
- Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 28807515]
- x86/speculation: Retpoline should always be available on Skylake (Alexandre Chartre)  [Orabug: 28801830]
- x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) [Orabug: 28802799]
- net/mlx4_core: print firmware version during driver loading (Qing Huang)  [Orabug: 28809382]
- hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) [Orabug: 28813999]

[4.14.35-1818.4.2.el7uek]
- infiniband: fix a possible use-after-free bug (Cong Wang)  [Orabug: 28774511]  {CVE-2018-14734}
- nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [Orabug: 28775910]
- x86/speculation: Unconditionally fill RSB on context switch (Alejandro Jimenez)  [Orabug: 28631576]  {CVE-2018-15572}
- bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface (Somnath Kotur)  [Orabug: 28539344]
- rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong Poon)  [Orabug: 28762597]
- uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) [Orabug: 28769119]
- arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc Zyngier)  [Orabug: 28762424]  {CVE-2018-18021}
- arm64: KVM: Tighten guest core register access from userspace (Dave Martin)  [Orabug: 28762424]  {CVE-2018-18021}
- iommu/amd: Clear memory encryption mask from physical address (Singh, Brijesh)  [Orabug: 28770185]

[4.14.35-1818.4.1.el7uek]
- mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) [Orabug: 28700955]  {CVE-2018-17182}
- Btrfs: fix log replay failure after unlink and link combination (Filipe Manana)  [Orabug: 27941939]
- x86/speculation: Add sysfs entry to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Allow IBRS firmware to be enabled when IBRS is disabled (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Remove unnecessary retpoline alternatives (Alexandre Chartre)  [Orabug: 28753851]
- x86/speculation: Use static key to enable/disable retpoline (Alexandre Chartre)  [Orabug: 28753851]
- bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) [Orabug: 28632641]
- IB/core: Initialize relaxed_pd properly (Yuval Shaia)  [Orabug: 28197305]

[4.14.35-1818.4.0.el7uek]
- e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 28489384]
- Revert 'e1000e: Separate signaling for link check/link up' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) [Orabug: 28489384]
- e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin Poirier)  [Orabug: 28489384]
- Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' (Benjamin Poirier)  [Orabug: 28489384]
- e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28489384]
- btrfs: validate type when reading a chunk (Gu Jinxiang)  [Orabug: 28700851]  {CVE-2018-14611}
- btrfs: Check that each block group has corresponding chunk at mount time (Qu Wenruo)  [Orabug: 28700872]  {CVE-2018-14610}
- net: rds: Use address family to designate IPv4 or IPv6 addresses (H&aring kon Bugge)  [Orabug: 28720069]
- net: rds: Fix blank at eol in af_rds.c (H&aring kon Bugge)  [Orabug: 28720069]

ID	Name	Product	Family	Severity
128478	Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)	Nessus	Ubuntu Local Security Checks	critical
127889	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)	Nessus	Ubuntu Local Security Checks	high
124983	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1530)	Nessus	Huawei Local Security Checks	high
123681	Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3932-2)	Nessus	Ubuntu Local Security Checks	high
123680	Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3932-1)	Nessus	Ubuntu Local Security Checks	high
122879	Debian DLA-1715-1 : linux-4.9 security update (Spectre)	Nessus	Debian Local Security Checks	high
121505	Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)	Nessus	Slackware Local Security Checks	high
118861	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)	Nessus	Oracle Linux Local Security Checks	high

CVE-2018-14611

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins