ESB-2018.2955 - [Debian] kernel: Multiple vulnerabilities 2018-10-02

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2955
                           linux security update
                              2 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17182 CVE-2018-16658 CVE-2018-16276
                   CVE-2018-15594 CVE-2018-15572 CVE-2018-14734
                   CVE-2018-14678 CVE-2018-14633 CVE-2018-14617
                   CVE-2018-14609 CVE-2018-13099 CVE-2018-10938
                   CVE-2018-10902 CVE-2018-9516 CVE-2018-9363
                   CVE-2018-7755 CVE-2018-6555 CVE-2018-6554

Reference:         ASB-2018.0124
                   ESB-2018.2930
                   ESB-2018.2914
                   ESB-2018.1917
                   ESB-2018.1916
                   ESB-2018.1915.2

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4308

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4308-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 01, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363
                 CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099
                 CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678
                 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                 CVE-2018-16658 CVE-2018-17182

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-6554

    A memory leak in the irda_bind function in the irda subsystem was
    discovered. A local user can take advantage of this flaw to cause a
    denial of service (memory consumption).

CVE-2018-6555

    A flaw was discovered in the irda_setsockopt function in the irda
    subsystem, allowing a local user to cause a denial of service
    (use-after-free and system crash).

CVE-2018-7755

    Brian Belleville discovered a flaw in the fd_locked_ioctl function
    in the floppy driver in the Linux kernel. The floppy driver copies a
    kernel pointer to user memory in response to the FDGETPRM ioctl. A
    local user with access to a floppy drive device can take advantage
    of this flaw to discover the location kernel code and data.

CVE-2018-9363

    It was discovered that the Bluetooth HIDP implementation did not
    correctly check the length of received report messages. A paired
    HIDP device could use this to cause a buffer overflow, leading to
    denial of service (memory corruption or crash) or potentially
    remote code execution.

CVE-2018-9516

    It was discovered that the HID events interface in debugfs did not
    correctly limit the length of copies to user buffers.  A local
    user with access to these files could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.  However, by default debugfs is only
    accessible by the root user.

CVE-2018-10902

    It was discovered that the rawmidi kernel driver does not protect
    against concurrent access which leads to a double-realloc (double
    free) flaw. A local attacker can take advantage of this issue for
    privilege escalation.

CVE-2018-10938

    Yves Younan from Cisco reported that the Cipso IPv4 module did not
    correctly check the length of IPv4 options. On custom kernels with
    CONFIG_NETLABEL enabled, a remote attacker could use this to cause
    a denial of service (hang).

CVE-2018-13099

    Wen Xu from SSLab at Gatech reported a use-after-free bug in the
    F2FS implementation. An attacker able to mount a crafted F2FS
    volume could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2018-14609

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the F2FS implementation. An attacker able to mount
    a crafted F2FS volume could use this to cause a denial of service
    (crash).

CVE-2018-14617

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the HFS+ implementation. An attacker able to mount
    a crafted HFS+ volume could use this to cause a denial of service
    (crash).

CVE-2018-14633

    Vincent Pelletier discovered a stack-based buffer overflow flaw in
    the chap_server_compute_md5() function in the iSCSI target code. An
    unauthenticated remote attacker can take advantage of this flaw to
    cause a denial of service or possibly to get a non-authorized access
    to data exported by an iSCSI target.

CVE-2018-14678

    M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the
    kernel exit code used on amd64 systems running as Xen PV guests.
    A local user could use this to cause a denial of service (crash).

CVE-2018-14734

    A use-after-free bug was discovered in the InfiniBand
    communication manager. A local user could use this to cause a
    denial of service (crash or memory corruption) or possible for
    privilege escalation.

CVE-2018-15572

    Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and
    Nael Abu-Ghazaleh, from University of California, Riverside,
    reported a variant of Spectre variant 2, dubbed SpectreRSB. A
    local user may be able to use this to read sensitive information
    from processes owned by other users.

CVE-2018-15594

    Nadav Amit reported that some indirect function calls used in
    paravirtualised guests were vulnerable to Spectre variant 2.  A
    local user may be able to use this to read sensitive information
    from the kernel.

CVE-2018-16276

    Jann Horn discovered that the yurex driver did not correctly limit
    the length of copies to user buffers.  A local user with access to
    a yurex device node could use this to cause a denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_DRIVE_STATUS ioctl.  A user
    with access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-17182

    Jann Horn discovered that the vmacache_flush_all function mishandles
    sequence number overflows. A local user can take advantage of this
    flaw to trigger a use-after-free, causing a denial of service
    (crash or memory corruption) or privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u5.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAluyM0tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sakg//d4zNTvlxh5pXEVJWbcKBmyHJ1LrMFb04BwhmCwzHO3WNLAswBNUDPDwC
Q1V38ucCIlBsM88SfSgFsQkpSAot98HlKTJKlDnoIX01aRxZuEeiEPDRUcSIkl29
ZB9CBEjEoPyzf/GlUVM3cdaagKTxjUk46mL2ltxEhJkrYfGvoAim2IZuNvplx2vl
ITsiFKtbsDucwx1pO18//6fG5xowNoAcUme8hYzt2TJkMYcnFpU+eSDiEZqfjUhr
xb85RXJbn3zPJ6smC+Vi8ZfYihkTcv1gJgmjyJPYVPGsjCPFDPoa3FQJM0KzJMa7
yQSosJ4d4+2MCIHcPHhMnOD63HBz3Pm8wbd3EJWDlUDM5tWSXZBUyjTwqBkQTKaH
7oO1gpS+U7q18HeCJ27p1YOdfJFvX1PKMfyR2/fuulOUzF8WrkVEF76l5G8WEceC
9rI/83GhaIifXSwIRxeRo2sWYCqYSEQe9RSTRpvKCx4UWhInv9V2Jb5A9Mv20gvL
NwwbgdmZ9z4vRSXeZqQ/NVCTEUh3Et6ppw3xTgyqAhEAzQXnEVEmdXNf5YuCy1Eo
gz+IZJWWuJXzoq1IwO5y/2hdbr/wQWiBN7Yce3YNmJqcujZfvuf9Pfm6C9J4m7wY
ZR/j+lbSbr2tHa1EZRKnmOk9DB3IIgiI3ERFKuYsHaT48YtHGJU=
=O1JQ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7K2GWaOgq3Tt24GAQhQwA//civhtYzw3BmIjPvNrgUj1NztdAKjYvfb
wgo6HUKT1JBinF3WEa8yd8nAb6jIomneY3UZtf+DVtX2d6FSKtHGjsbVMA/kswUT
/lmM4k81i7v2QS8bPtCLLWTZvg4Ysirk7JyIoI3uhk1jiqzY8RzDp+Ynpj9yVMNS
t+Up+rsZuTRp9EljokhBV8Dd3KOvXMWn1QtkvsF1RIDkLUdTyvYuq6XOKMk7qM1W
dBV6Btt4FtiOoQrD+mbG+ecxUB3CF/EFvsz0VrsvcZpDHWzUJCOidYpCNL3jjOOB
PlEvWitjEwU10MNNo7pVyDgmfkawo7kqHRK0316wrACLPQOFVjRrxhf82RnZkEki
+Fhz/lr/5U8MRbARHNIpFb9rlpcyXN6NWzbNrAE9SHyfnzUrtHJHmwlxIZnlv5Q8
BoNwmx2YZ4R35dW8wMQyfaj7W5gDwib6IzGAmUAG+TefN0PMh5/1opdRxa2msyOE
1qiM0SihNGglbFeOHBl701R4Fm/QhLlDgSFHek6rsqc1gSf/1z2T+NRNwMAvkB1h
Rqoakuhub/jBoFTMCpqANFKwbk9YfVaJ0O/vZ0qUdMR6RzNZDpKyhMtJXaNEFw2W
TKE5j69Rebo/lgmtjK1YFKCYSsHFENtvE/5VCdSoi5sTg2g5D83KiJ9CO1F+8yDk
qzXeAlm4PBI=
=+o+m
-----END PGP SIGNATURE-----

« Back to bulletins