Updated kernel-linus fixes security vulnerabilities
Publication date: 25 Feb 2017
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9191, CVE-2016-9588, CVE-2016-10088, CVE-2016-10208, CVE-2017-2583, CVE-2017-2584, CVE-2017-5547, CVE-2017-5548, CVE-2017-5549, CVE-2017-5551, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214, CVE-2017-6353
Description
This kernel-linus update is based on upstream 4.4.50 and fixes at least the following security issues:

The cgroup offline implementation in the Linux kernel through 4.8.11 mishandles certain drain operations, which allows local users to cause a denial of service (system hang) by leveraging access to a container environment for executing a crafted application, as demonstrated by trinity (CVE-2016-9191).

arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (CVE-2016-9588).

The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c (CVE-2016-10088).

The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (CVE-2016-10208).

The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application (CVE-2017-2583).

arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt (CVE-2017-2584).

drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-5547).

drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist (CVE-2017-5548).

The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log (CVE-2017-5549).

The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (CVE-2017-5551).

An issue was found in the Linux kernel ipv6 implementation of GRE tunnels which allows a remote attacker to trigger an out-of-bounds access (CVE-2017-5897).

The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options (CVE-2017-5970).

Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (CVE-2017-5986).

The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call (CVE-2017-6074).

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (CVE-2017-6214).

net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application (CVE-2017-6353).

For other upstream fixes in this update, see the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=20315
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.40
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.41
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.42
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.43
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.44
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.45
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.46
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.47
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.48
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.49
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.50
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9191
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10088
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2584
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5547
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5548
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5549
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5897
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353
SRPMS
5/core
- kernel-linus-4.4.50-2.mga5