Updated kernel-tmb packages fixes security vulnerabilities
Publication date: 26 May 2017Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-6213 , CVE-2016-7913 , CVE-2016-7917 , CVE-2016-8632 , CVE-2016-9083 , CVE-2016-9084 , CVE-2016-9120 , CVE-2016-9604 , CVE-2017-2671 , CVE-2017-6001 , CVE-2017-6951 , CVE-2017-7308 , CVE-2017-7472 , CVE-2017-7645 , CVE-2017-7895
Description
This kernel-tmb update is based on upstream 4.4.68 and fixes at least the following security issues: fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts (CVE-2016-6213). The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure (CVE-2016-7913). The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917). The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632). drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug" (CVE-2016-9083). drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses the kzalloc function, which allows local users to cause a denial of service (integer overflow) or have unspecified other impact by leveraging access to a vfio PCI device file (CVE-2016-9084). It was discovered that root can gain direct access to an internal keyring, such as '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring (CVE-2016-9604). The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (CVE-2017-2671). Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786 (CVE-2017-6001). The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (CVE-2017-6951). The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (CVE-2017-7308). A vulnerability was found in the Linux kernel. It was found that keyctl_set_reqkey_keyring() function leaks thread keyring which allows unprivileged local user to exhaust kernel memory (CVE-2017-7472). The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (CVE-2017-7645). The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c (CVE-2017-7895). For other upstream fixes in this update, see the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=20859
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.60
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.61
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.62
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.63
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.64
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.65
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.66
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.67
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.68
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6213
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7913
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7917
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8632
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9120
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9604
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2671
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6951
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7472
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895
SRPMS
5/core
- kernel-tmb-4.4.68-1.mga5