Advisories » MGASA-2017-0064

Updated kernel-tmb packages fix security vulnerabilities

Publication date: 25 Feb 2017
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9191, CVE-2016-9588, CVE-2016-10088, CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, CVE-2017-5547, CVE-2017-5548, CVE-2017-5549, CVE-2017-5551, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6353

Description

This kernel-tmb update is based on upstream 4.4.50 and fixes at least
the following security issues:

The cgroup offline implementation in the Linux kernel through 4.8.11
mishandles certain drain operations, which allows local users to cause
a denial of service (system hang) by leveraging access to a container
environment for executing a crafted application, as demonstrated by
trinity (CVE-2016-9191).

arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP
and #OF exceptions, which allows guest OS users to cause a denial of
service (guest OS crash) by declining to handle an exception thrown by
an L2 guest (CVE-2016-9588).

The sg implementation in the Linux kernel through 4.9 does not properly
restrict write operations in situations where the KERNEL_DS option is set,
which allows local users to read or write to arbitrary kernel memory
locations or cause a denial of service (use-after-free) by leveraging
access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c
(CVE-2016-10088).

The ext4_fill_super function in fs/ext4/super.c in the Linux kernel
through 4.9.8 does not properly validate meta block groups, which
allows physically proximate attackers to cause a denial of service
(out-of-bounds read and system crash) via a crafted ext4 image
(CVE-2016-10208).

The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in
the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL
selector" instruction, which allows guest OS users to cause a denial of
service (guest OS crash) or gain guest OS privileges via a crafted
application (CVE-2017-2583).

arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local
users to obtain sensitive information from kernel memory or cause a
denial of service (use-after-free) via a crafted application that
leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt
(CVE-2017-2584).

drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6
interacts incorrectly with the CONFIG_VMAP_STACK option, which allows
local users to cause a denial of service (system crash or memory
corruption) or possibly have unspecified other impact by leveraging
use of more than one virtual page for a DMA scatterlist (CVE-2017-5547).

drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6
interacts incorrectly with the CONFIG_VMAP_STACK option, which allows
local users to cause a denial of service (system crash or memory
corruption) or possibly have unspecified other impact by leveraging
use of more than one virtual page for a DMA scatterlist (CVE-2017-5548).

The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c
in the Linux kernel before 4.9.5 places uninitialized heap-memory
contents into a log entry upon a failure to read the line status, which
allows local users to obtain sensitive information by reading the log
(CVE-2017-5549).

The simple_set_acl function in fs/posix_acl.c in the Linux kernel before
4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs
filesystem, which allows local users to gain group privileges by
leveraging the existence of a setgid program with restrictions on
execute permissions (CVE-2017-5551).

An issue was found in the Linux kernel ipv6 implementation of GRE tunnels
which allows a remote attacker to trigger an out-of-bounds access
(CVE-2017-5897).

The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux
kernel through 4.9.9 allows attackers to cause a denial of service
(system crash) via (1) an application that makes crafted system calls or
possibly (2) IPv4 traffic with invalid IP options (CVE-2017-5970).

Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c
in the Linux kernel before 4.9.11 allows local users to cause a denial
of service (assertion failure and panic) via a multithreaded application
that peels off an association in a certain buffer-full state
(CVE-2017-5986).

The dccp_rcv_state_process function in net/dccp/input.c in the Linux
kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures
in the LISTEN state, which allows local users to obtain root privileges
or cause a denial of service (double free) via an application that makes
an IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074).

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before
4.9.11 allows remote attackers to cause a denial of service (infinite loop
and soft lockup) via vectors involving a TCP packet with the URG flag
(CVE-2017-6214).

net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly
restrict association peel-off operations during certain wait states, which
allows local users to cause a denial of service (invalid unlock and double
free) via a multithreaded application (CVE-2017-6353).

For other upstream fixes in this update, see the referenced changelogs.

References

SRPMS

5/core