Updated kernel-tmb packages fix critical security vulnerabilities
Publication date: 26 Jun 2017
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-7487, CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076, CVE-2017-9077, CVE-2017-9242, CVE-2017-9605, CVE-2017-1000363, CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000380
Description
This kernel-tmb update is based on upstream 4.4.74 and fixes at least the following security issues:

The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (CVE-2017-7487).

The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (CVE-2017-8890).

The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (CVE-2017-9074).

The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (CVE-2017-9075).

The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (CVE-2017-9076).

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (CVE-2017-9077).
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls (CVE-2017-9242).

The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call (CVE-2017-9605).

A vulnerability was found in the Linux kernel's lp_setup() function, which does not apply any bounds checking when passed "lp=none". This can result in an overflow of the parport_nr[] array. An attacker with control over the kernel command line can overwrite kernel code and data with fixed (0xff) values (CVE-2017-1000363).

A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on the process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult (CVE-2017-1000364).
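The lp_setup() issue above is a missing bound on a fixed-size table filled from a comma-separated boot option. The following is an added, simplified model of a bounds-checked parser for such an option, written for this advisory; it is not the kernel's lp_setup() code, and the table size (LP_NO = 3), the accepted tokens and the function names are assumptions chosen for the illustration.

```c
/* Simplified model (not kernel code) of a bounds-checked "lp=" option parser.
 * The defensive point: the table bound is enforced for every token, including
 * "none", before the write into parport_nr[] happens. */
#include <stdlib.h>
#include <string.h>

#define LP_NO 3                   /* assumed size of the fixed parport table */
#define LP_PARPORT_UNSPEC -4      /* slot not configured */
#define LP_PARPORT_NONE   -2      /* "none": skip this lp device */

struct lp_config {
    int parport_nr[LP_NO];        /* parport number per lp device, or NONE */
    int parport_ptr;              /* next slot to fill */
};

void lp_config_init(struct lp_config *c)
{
    for (int i = 0; i < LP_NO; i++)
        c->parport_nr[i] = LP_PARPORT_UNSPEC;
    c->parport_ptr = 0;
}

/* Parses "none,parport0,none"; returns 1 on success, 0 on a malformed token
 * or when the option list would overflow the table. */
int lp_parse(struct lp_config *c, const char *opts)
{
    char buf[128];
    if (strlen(opts) >= sizeof buf)
        return 0;
    strcpy(buf, opts);

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int value;
        if (!strcmp(tok, "none")) {
            value = LP_PARPORT_NONE;
        } else if (!strncmp(tok, "parport", 7)) {
            char *end;
            long n = strtol(tok + 7, &end, 10);
            if (*end != '\0' || n < 0)
                return 0;         /* reject "parport", "parportx", negatives */
            value = (int)n;
        } else {
            return 0;
        }
        if (c->parport_ptr >= LP_NO) /* the check the advisory says was missing */
            return 0;
        c->parport_nr[c->parport_ptr++] = value;
    }
    return 1;
}
```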
The Linux kernel imposes a size restriction on the arguments and environment strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux kernel versions 4.11.5 and earlier (CVE-2017-1000365).

sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver, resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (CVE-2017-1000380).

The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the (internal or trailing) padding field. A malicious unprivileged guest may be able to obtain sensitive information from the host or other guests (XSA-216).

NOTE! The CVE-2017-1000364 and CVE-2017-1000365 issues are part of a set of issues known as Stack Clash. The fixes have components in both glibc and the kernel. The glibc fix will be included in a separate update advisory (mga#20803).

Other changes in this kernel:
- add support for rtl8812au wireless (mga#21043)
- enable support for SMB2 (mga#20886)

For other upstream fixes in this update, see the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=21149
- https://bugs.mageia.org/show_bug.cgi?id=21043
- https://bugs.mageia.org/show_bug.cgi?id=20886
- https://bugs.mageia.org/show_bug.cgi?id=20803
- https://xenbits.xen.org/xsa/advisory-216.html
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.69
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.70
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.72
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.73
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.74
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7487
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000380
SRPMS
5/core
- kernel-tmb-4.4.74-1.mga5