ESB-2018.2097 - [Debian] linux: Multiple vulnerabilities 2018-07-19

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2097
                           linux-4.9 new package
                               19 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000204 CVE-2018-12233 CVE-2018-11506
                   CVE-2018-10940 CVE-2018-10883 CVE-2018-10882
                   CVE-2018-10881 CVE-2018-10880 CVE-2018-10879
                   CVE-2018-10878 CVE-2018-10877 CVE-2018-10876
                   CVE-2018-10853 CVE-2018-10124 CVE-2018-10087
                   CVE-2018-10021 CVE-2018-5814 CVE-2018-3639
                   CVE-2018-1130 CVE-2018-1120 CVE-2018-1118
                   CVE-2017-18255 CVE-2017-5753 

Reference:         ASB-2018.0121
                   ASB-2018.0009
                   ESB-2018.2028
                   ESB-2018.2007
                   ESB-2018.2005

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html
   https://lists.debian.org/debian-lts-announce/2018/07/msg00021.html

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

[SECURITY] [DLA 1423-1] linux-4.9 new package
Package        : linux-4.9
Version        : 4.9.110-1~deb8u1
CVE ID         : CVE-2017-5753 CVE-2017-18255 CVE-2018-1118 CVE-2018-1120
                 CVE-2018-1130 CVE-2018-3639 CVE-2018-5814 CVE-2018-10021
                 CVE-2018-10087 CVE-2018-10124 CVE-2018-10853 CVE-2018-10876
                 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880
                 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10940
                 CVE-2018-11506 CVE-2018-12233 CVE-2018-1000204
Debian Bug     : 860900 872907 892057 896775 897590 898137

Linux 4.9 has been packaged for Debian 8 as linux-4.9.  This provides
a supported upgrade path for systems that currently use kernel
packages from the "jessie-backports" suite.

There is no need to upgrade systems using Linux 3.16, as that kernel
version will also continue to be supported in the LTS period.

This backport does not include the following binary packages:

    hyperv-daemons libcpupower1 libcpupower-dev libusbip-dev
    linux-compiler-gcc-4.9-x86 linux-cpupower linux-libc-dev usbip

Older versions of most of those are built from other source packages
in Debian 8.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1
    (bounds-check bypass) have been mitigated.

CVE-2017-18255

    It was discovered that the performance events subsystem did not
    properly validate the value of the
    kernel.perf_cpu_time_max_percent sysctl.  Setting a large value
    could have an unspecified security impact.  However, only a
    privileged user can set this sysctl.

CVE-2018-1118

    The syzbot software found that the vhost driver did not initialise
    message buffers which would later be read by user processes.  A
    user with access to the /dev/vhost-net device could use this to
    read sensitive information from the kernel or other users'
    processes.

CVE-2018-1120

    Qualys reported that a user able to mount FUSE filesystems can
    create a process such that when another process attempting to read
    its command line will be blocked for an arbitrarily long time.
    This could be used for denial of service, or to aid in exploiting
    a race condition in the other program.

CVE-2018-1130

    The syzbot software found that the DCCP implementation of
    sendmsg() does not check the socket state, potentially leading
    to a null pointer dereference.  A local user could use this to
    cause a denial of service (crash).    

CVE-2018-3639

    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to
    read sensitive information from another context.  In particular,
    code in a software sandbox may be able to read sensitive
    information from outside the sandbox.  This issue is also known as
    Spectre variant 4.

    This update allows the issue to be mitigated on some x86
    processors by disabling SSB.  This requires an update to the
    processor's microcode, which is non-free.  It may be included in
    an update to the system BIOS or UEFI firmware, or in a future
    update to the intel-microcode or amd64-microcode packages.

    Disabling SSB can reduce performance significantly, so by default
    it is only done in tasks that use the seccomp feature.
    Applications that require this mitigation should request it
    explicitly through the prctl() system call.  Users can control
    where the mitigation is enabled with the spec_store_bypass_disable
    kernel parameter.

CVE-2018-5814

    Jakub Jirasek reported race conditions in the USB/IP host driver.
    A malicious client could use this to cause a denial of service
    (crash or memory corruption), and possibly to execute code, on a
    USB/IP server.

CVE-2018-10021

    A physically present attacker who unplugs a SAS cable can cause a
    denial of service (memory leak and WARN).

CVE-2018-10087, CVE-2018-10124

    zhongjiang found that the wait4() and kill() system call
    implementations did not check for the invalid pid value of
    INT_MIN.  If a user passed this value, the behaviour of the code
    was formally undefined and might have had a security impact.

CVE-2018-10853

    Andy Lutomirski and Mika Penttilä reported that KVM for x86
    processors did not perform a necessary privilege check when
    emulating certain instructions.  This could be used by an
    unprivileged user in a guest VM to escalate their privileges
    within the guest.

CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879,
CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883

    Wen Xu at SSLab, Gatech, reported that crafted ext4 filesystem
    images could trigger a crash or memory corruption.  A local user
    able to mount arbitrary filesystems, or an attacker providing
    filesystems to be mounted, could use this for denial of service or
    possibly for privilege escalation.

CVE-2018-10940

    Dan Carpenter reported that the optical disc driver (cdrom) does
    not correctly validate the parameter to the CDROM_MEDIA_CHANGED
    ioctl.  A user with access to a cdrom device could use this to
    cause a denial of service (crash).

CVE-2018-11506

    Piotr Gabriel Kosinski and Daniel Shapira reported that the
    SCSI optical disc driver (sr) did not allocate a sufficiently
    large buffer for sense data.  A user with access to a SCSI
    optical disc device that can produce more than 64 bytes of
    sense data could use this to cause a denial of service (crash
    or memory corruption), and possibly for privilege escalation.

CVE-2018-12233

    Shankara Pailoor reported that a crafted JFS filesystem image
    could trigger a denial of service (memory corruption).  This
    could possibly also be used for privilege escalation.

CVE-2018-1000204

    The syzbot software found that the SCSI generic driver (sg) would
    in some circumstances allow reading data from uninitialised
    buffers, which could include sensitive information from the kernel
    or other tasks.  However, only privileged users with the
    CAP_SYS_ADMIN or CAP_SYS_RAWIO capability were allowed to do this,
    so this has little or no security impact.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.110-1~deb8u1.  This update additionally fixes Debian bugs
#860900, #872907, #892057, #896775, #897590, and #898137; and
includes many more bug fixes from stable updates 4.9.89-4.9.110
inclusive.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 

==============================================================================

[SECURITY] [DLA 1424-1] linux-latest-4.9 new package

Package        : linux-latest-4.9
Version        : 80+deb9u5~deb8u1

Linux 4.9 has been packaged for Debian 8 as linux-4.9.  This provides
a supported upgrade path for systems that currently use kernel
packages from the "jessie-backports" suite.

However, "apt full-upgrade" will *not* automatically install the
updated kernel packages.  You should explicitly install one of the
following metapackages first, as appropriate for your system:

    linux-image-4.9-686
    linux-image-4.9-686-pae
    linux-image-4.9-amd64
    linux-image-4.9-armmp
    linux-image-4.9-armmp-lpae
    linux-image-4.9-marvell

For example, if the command "uname -r" currently shows
"4.9.0-0.bpo.6-amd64", you should install linux-image-4.9-amd64.

There is no need to upgrade systems using Linux 3.16, as that kernel
version will also continue to be supported in the LTS period.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

=============================================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW1AHb2aOgq3Tt24GAQiFDRAAoBJD6egMfoY+CS935csnDU0WVnfa4JO7
3hoFZAU4kapyr/rhZqHAebOGLnWi8YeWfGtJHYY5Bfb/gsnr0EFHWqVXnkbzEi2S
qkR+1ccu+f+qY+szkeqP8fuYylExBgpnRYG5zfse2Ue40YEaAUsp2qvOZUWzoElH
yCZCJJKQD+b8gNhCIZ7F3cej7/VAdROj8pIVh3o9QrRRviXBSaMWJelDoxC61Wmf
SmGB7MRpbICjW+xTTgsZ1lb4l7rMF5i+K0uIdfg+OIY+GicmvWI4ckkDUIfH/DyA
nDS+F8GrRc/nXK00S7DRTSoAsaUBBfWEiqEZX5UuaYjln4a9eVH/oKm30GmxGQ/M
YIM5wQ4a8Ygnf07S2VCMebKMYtWhq4IOTKeqxsi+ddsiPNThLZyU0ttW4fTJCcIb
9cU6HE8poOIgIUG2aLIrj72np7fACmJqeU4OWp4NbFBXiEhduhAtC9jgTYFkJKbk
ARPRqNYEciv9YNA62Qu/kJCJIZ1Ko1beHXbnLaYLgl3z4C/slbZJuRJMEh6wIwpD
m5hJoTTe//h2FRYWiijZKpvRyK7y8GKIb3afGyo5Ob/TCRy8KSlu+Tw7JA7cl1Vt
RLy3zSbwPZkpzoclUkszCtSBH0oaVIN+vhwpjGUaL7tVzDCx5ogJ+09R1Vlv0WAa
asRDgAQMFow=
=nHy0
-----END PGP SIGNATURE-----

« Back to bulletins