Advisories » MGASA-2018-0264

Updated kernel-tmb packages fix security vulnerabilities

Publication date: 31 May 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-5754 , CVE-2018-1065 , CVE-2018-1068 , CVE-2018-1087 , CVE-2018-1092 , CVE-2018-1093 , CVE-2018-1094 , CVE-2018-1095 , CVE-2018-1130 , CVE-2018-8897 , CVE-2018-1120 , CVE-2018-3639 , CVE-2018-1000004 , CVE-2018-1000200

Description

This kernel-tmb update is based on the upstream 4.14.44 and fixes at least
the following security issues:

This update adds KPTI mitigation for Meltdown (CVE-2017-5754) on 32bit x86.

The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the
case of a rule blob that contains a jump but lacks a user-defined chain,
which allows local users to cause a denial of service (NULL pointer
dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability,
related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table
in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in
net/ipv6/netfilter/ip6_tables.c (CVE-2018-1065).

A flaw was found in the Linux kernel implementation of 32 bit syscall
interface for bridging allowing a privileged user to arbitrarily write
to a limited range of kernel memory. This flaw can be exploited not only
by a system's privileged user (a real "root" user), but also by an
attacker who is a privileged user (a "root" user) in a user+network
namespace (CVE-2018-1068).

On x86, MOV SS and POP SS behave strangely if they encounter a data
breakpoint. If this occurs in a KVM guest, KVM incorrectly thinks that
a #DB instruction was caused by the undocumented ICEBP instruction. This
results in #DB being delivered to the guest kernel with an incorrect RIP
on the stack. On most guest kernels, this will allow a guest user to DoS
the guest kernel or even to escalate privilege to that of the guest kernel
(CVE-2018-1087).

The ext4_iget function in fs/ext4/inode.c in the Linux kernel through
4.15.15 mishandles the case of a root directory with a zero i_links_count,
which allows attackers to cause a denial of service (ext4_process_freed_data
NULL pointer dereference and OOPS) via a crafted ext4 image (CVE-2018-1092).

The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel
through 4.15.15 allows attackers to cause a denial of service (out-of-bounds
read and system crash) via a crafted ext4 image because balloc.c and ialloc.c
do not validate bitmap block numbers (CVE-2018-1093).

The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through
4.15.15 does not always initialize the crc32c checksum driver, which allows
attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer
dereference and system crash) via a crafted ext4 image (CVE-2018-1094).

The ext4_xattr_check_entries function in fs/ext4/xattr.c in the Linux kernel
through 4.15.15 does not properly validate xattr sizes, which causes
misinterpretation of a size as an error code, and consequently allows
attackers to cause a denial of service (get_acl NULL pointer dereference and
system crash) via a crafted ext4 image (CVE-2018-1095).

By mmap()ing a FUSE-backed file onto a process's memory containing command
line arguments (or environment strings), an attacker can cause utilities
from psutils or procps (such as ps, w) or any other program which makes a
read() call to the /proc//cmdline (or /proc//environ) files to
block indefinitely (denial of service) or for some controlled time (as a
synchronization primitive for other attacks) (CVE-2018-1120).

A null pointer dereference in dccp_write_xmit() function in
net/dccp/output.c in the Linux kernel before v4.16-rc7 allows a local
user to cause a denial of service by a number of certain crafted
system calls (CVE-2018-1130).

Speculative Store Bypass (SSB) – also known as Spectre Variant 4.
Systems with microprocessors utilizing speculative execution and speculative
execution of memory reads before the addresses of all prior memory writes
are known may allow unauthorized disclosure of information to an attacker
with local user access via a side-channel analysis (CVE-2018-3639).
NOTE! This fix only apply to Amd hardware so far as Intel CPUs need a
fixed microcode update in order for the fix to get activated. At the time
of this release we dont yet know when Intel will release new microcode.

The Linux kernel does not properly handle debug exceptions delivered after a
stack switch operation via mov SS or pop SS instructions. During the stack
switch operation, the exceptions are deferred. As a result, a local user can
cause the kernel to crash (CVE-2018-8897).

A race condition vulnerability exists in the sound system, that can
lead to a deadlock and denial of service condition (CVE-2018-1000004).

A flaw was found in the Linux kernel where an out of memory (oom) killing
of a process that has large spans of mlocked memory can result in
deferencing a NULL pointer, leading to denial of service (CVE-2018-1000200).

WireGuard has been updated to 0.0.20180519.

For other fixes in this update, see the referenced changelogs.
                

References

SRPMS

6/core