Debian DSA-4308-1 : linux - security update

High Nessus Plugin ID 117862

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

- CVE-2018-6554
A memory leak in the irda_bind function in the irda
subsystem was discovered. A local user can take
advantage of this flaw to cause a denial of service
(memory consumption).

- CVE-2018-6555
A flaw was discovered in the irda_setsockopt function in
the irda subsystem, allowing a local user to cause a
denial of service (use-after-free and system crash).

- CVE-2018-7755
Brian Belleville discovered a flaw in the
fd_locked_ioctl function in the floppy driver in the
Linux kernel. The floppy driver copies a kernel pointer
to user memory in response to the FDGETPRM ioctl. A
local user with access to a floppy drive device can take
advantage of this flaw to discover the location kernel
code and data.

- CVE-2018-9363
It was discovered that the Bluetooth HIDP implementation
did not correctly check the length of received report
messages. A paired HIDP device could use this to cause a
buffer overflow, leading to denial of service (memory
corruption or crash) or potentially remote code
execution.

- CVE-2018-9516
It was discovered that the HID events interface in
debugfs did not correctly limit the length of copies to
user buffers. A local user with access to these files
could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege
escalation. However, by default debugfs is only
accessible by the root user.

- CVE-2018-10902
It was discovered that the rawmidi kernel driver does
not protect against concurrent access which leads to a
double-realloc (double free) flaw. A local attacker can
take advantage of this issue for privilege escalation.

- CVE-2018-10938
Yves Younan from Cisco reported that the Cipso IPv4
module did not correctly check the length of IPv4
options. On custom kernels with CONFIG_NETLABEL enabled,
a remote attacker could use this to cause a denial of
service (hang).

- CVE-2018-13099
Wen Xu from SSLab at Gatech reported a use-after-free
bug in the F2FS implementation. An attacker able to
mount a crafted F2FS volume could use this to cause a
denial of service (crash or memory corruption) or
possibly for privilege escalation.

- CVE-2018-14609
Wen Xu from SSLab at Gatech reported a potential NULL
pointer dereference in the F2FS implementation. An
attacker able to mount a crafted F2FS volume could use
this to cause a denial of service (crash).

- CVE-2018-14617
Wen Xu from SSLab at Gatech reported a potential NULL
pointer dereference in the HFS+ implementation. An
attacker able to mount a crafted HFS+ volume could use
this to cause a denial of service (crash).

- CVE-2018-14633
Vincent Pelletier discovered a stack-based buffer
overflow flaw in the chap_server_compute_md5() function
in the iSCSI target code. An unauthenticated remote
attacker can take advantage of this flaw to cause a
denial of service or possibly to get a non-authorized
access to data exported by an iSCSI target.

- CVE-2018-14678
M. Vefa Bicakci and Andy Lutomirski discovered a flaw in
the kernel exit code used on amd64 systems running as
Xen PV guests. A local user could use this to cause a
denial of service (crash).

- CVE-2018-14734
A use-after-free bug was discovered in the InfiniBand
communication manager. A local user could use this to
cause a denial of service (crash or memory corruption)
or possible for privilege escalation.

- CVE-2018-15572
Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu
Song, and Nael Abu-Ghazaleh, from University of
California, Riverside, reported a variant of Spectre
variant 2, dubbed SpectreRSB. A local user may be able
to use this to read sensitive information from processes
owned by other users.

- CVE-2018-15594
Nadav Amit reported that some indirect function calls
used in paravirtualised guests were vulnerable to
Spectre variant 2. A local user may be able to use this
to read sensitive information from the kernel.

- CVE-2018-16276
Jann Horn discovered that the yurex driver did not
correctly limit the length of copies to user buffers. A
local user with access to a yurex device node could use
this to cause a denial of service (memory corruption or
crash) or possibly for privilege escalation.

- CVE-2018-16658
It was discovered that the cdrom driver does not
correctly validate the parameter to the
CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom
device could use this to read sensitive information from
the kernel or to cause a denial of service (crash).

- CVE-2018-17182
Jann Horn discovered that the vmacache_flush_all
function mishandles sequence number overflows. A local
user can take advantage of this flaw to trigger a
use-after-free, causing a denial of service (crash or
memory corruption) or privilege escalation.

Solution

Upgrade the linux packages.

For the stable distribution (stretch), these problems have been fixed
in version 4.9.110-3+deb9u5.

See Also

https://security-tracker.debian.org/tracker/CVE-2018-6554

https://security-tracker.debian.org/tracker/CVE-2018-6555

https://security-tracker.debian.org/tracker/CVE-2018-7755

https://security-tracker.debian.org/tracker/CVE-2018-9363

https://security-tracker.debian.org/tracker/CVE-2018-9516

https://security-tracker.debian.org/tracker/CVE-2018-10902

https://security-tracker.debian.org/tracker/CVE-2018-10938

https://security-tracker.debian.org/tracker/CVE-2018-13099

https://security-tracker.debian.org/tracker/CVE-2018-14609

https://security-tracker.debian.org/tracker/CVE-2018-14617

https://security-tracker.debian.org/tracker/CVE-2018-14633

https://security-tracker.debian.org/tracker/CVE-2018-14678

https://security-tracker.debian.org/tracker/CVE-2018-14734

https://security-tracker.debian.org/tracker/CVE-2018-15572

https://security-tracker.debian.org/tracker/CVE-2018-15594

https://security-tracker.debian.org/tracker/CVE-2018-16276

https://security-tracker.debian.org/tracker/CVE-2018-16658

https://security-tracker.debian.org/tracker/CVE-2018-17182

https://security-tracker.debian.org/tracker/source-package/linux

https://packages.debian.org/source/stretch/linux

https://www.debian.org/security/2018/dsa-4308

Plugin Details

Severity: High

ID: 117862

File Name: debian_DSA-4308.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2018/10/02

Modified: 2018/12/13

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C

CVSS v3.0

Base Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:linux, cpe:/o:debian:debian_linux:9.0

Patch Publication Date: 2018/10/01

Reference Information

CVE: CVE-2018-10902, CVE-2018-10938, CVE-2018-13099, CVE-2018-14609, CVE-2018-14617, CVE-2018-14633, CVE-2018-14678, CVE-2018-14734, CVE-2018-15572, CVE-2018-15594, CVE-2018-16276, CVE-2018-16658, CVE-2018-17182, CVE-2018-6554, CVE-2018-6555, CVE-2018-7755, CVE-2018-9363, CVE-2018-9516

DSA: 4308