Advisories ยป MGASA-2017-0148

Updated kernel-linus packages fixes security vulnerabilities

Publication date: 26 May 2017
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-6213 , CVE-2016-7913 , CVE-2016-7917 , CVE-2016-8632 , CVE-2016-9083 , CVE-2016-9084 , CVE-2016-9120 , CVE-2016-9604 , CVE-2017-2671 , CVE-2017-6001 , CVE-2017-6951 , CVE-2017-7308 , CVE-2017-7472 , CVE-2017-7645 , CVE-2017-7895

Description

This kernel-linus update is based on upstream 4.4.68 and fixes at least
the following security issues:

fs/namespace.c in the Linux kernel before 4.9 does not restrict how many
mounts may exist in a mount namespace, which allows local users to cause
a denial of service (memory consumption and deadlock) via MS_BIND mount
system calls, as demonstrated by a loop that triggers exponential growth
in the number of mounts (CVE-2016-6213).

The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in
the Linux kernel before 4.6 allows local users to gain privileges or cause
a denial of service (use-after-free) via vectors involving omission of the
firmware name from a certain data structure (CVE-2016-7913).

The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux
kernel before 4.5 does not check whether a batch message's length field is
large enough, which allows local users to obtain sensitive information from
kernel memory or cause a denial of service (infinite loop or out-of-bounds
read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917).

The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through
4.8.11 does not validate the relationship between the minimum fragment
length and the maximum packet size, which allows local users to gain
privileges or cause a denial of service (heap-based buffer overflow) by
leveraging the CAP_NET_ADMIN capability (CVE-2016-8632).

drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local
users to bypass integer overflow checks, and cause a denial of service
(memory corruption) or have unspecified other impact, by leveraging access
to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a
"state machine confusion bug" (CVE-2016-9083).

drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11
misuses the kzalloc function, which allows local users to cause a denial
of service (integer overflow) or have unspecified other impact by
leveraging access to a vfio PCI device file (CVE-2016-9084).

It was discovered that root can gain direct access to an internal keyring,
such as '.builtin_trusted_keys' upstream, by joining it as its session
keyring. This allows root to bypass module signature verification by adding
a new public key of its own devising to the keyring (CVE-2016-9604).

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through
4.10.8 is too late in obtaining a certain lock and consequently cannot
ensure that disconnect function calls are safe, which allows local users
to cause a denial of service (panic) by leveraging access to the protocol
value of IPPROTO_ICMP in a socket system call (CVE-2017-2671).

Race condition in kernel/events/core.c in the Linux kernel before 4.9.7
allows local users to gain privileges via a crafted application that makes
concurrent perf_event_open system calls for moving a software group into a
hardware context. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2016-6786 (CVE-2017-6001).

The keyring_search_aux function in security/keys/keyring.c in the Linux
kernel through 3.14.79 allows local users to cause a denial of service
(NULL pointer dereference and OOPS) via a request_key system call for the
"dead" type (CVE-2017-6951).

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel
through 4.10.6 does not properly validate certain block-size data, which
allows local users to cause a denial of service (overflow) or possibly have
unspecified other impact via crafted system calls (CVE-2017-7308).

A vulnerability was found in the Linux kernel. It was found that
keyctl_set_reqkey_keyring() function leaks thread keyring which allows
unprivileged local user to exhaust kernel memory (CVE-2017-7472).

The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
4.10.11 allows remote attackers to cause a denial of service (system crash)
via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
fs/nfsd/nfsxdr.c (CVE-2017-7645).

The NFSv2 and NFSv3 server implementations in the Linux kernel through
4.10.13 lack certain checks for the end of a buffer, which allows remote
attackers to trigger pointer-arithmetic errors or possibly have unspecified
other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and
fs/nfsd/nfsxdr.c (CVE-2017-7895).

For other upstream fixes in this update, see the referenced changelogs.
                

References

SRPMS

5/core