Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2981
linux-4.9 security update
4 October 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux kernel
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Root Compromise -- Existing Account
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-17182 CVE-2018-16658 CVE-2018-16276
CVE-2018-15594 CVE-2018-15572 CVE-2018-14734
CVE-2018-14678 CVE-2018-14633 CVE-2018-14617
CVE-2018-14609 CVE-2018-13099 CVE-2018-10938
CVE-2018-10902 CVE-2018-9516 CVE-2018-9363
CVE-2018-7755 CVE-2018-6555 CVE-2018-6554
Reference: ESB-2018.2974
ESB-2018.2958
ESB-2018.2955
ESB-2018.2930
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Package : linux-4.9
Version : 4.9.110-3+deb9u5~deb8u1
CVE ID : CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363
CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099
CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678
CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
CVE-2018-16658 CVE-2018-17182
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
CVE-2018-6554
A memory leak in the irda_bind function in the irda subsystem was
discovered. A local user can take advantage of this flaw to cause a
denial of service (memory consumption).
CVE-2018-6555
A flaw was discovered in the irda_setsockopt function in the irda
subsystem, allowing a local user to cause a denial of service
(use-after-free and system crash).
CVE-2018-7755
Brian Belleville discovered a flaw in the fd_locked_ioctl function
in the floppy driver in the Linux kernel. The floppy driver copies a
kernel pointer to user memory in response to the FDGETPRM ioctl. A
local user with access to a floppy drive device can take advantage
of this flaw to discover the location kernel code and data.
CVE-2018-9363
It was discovered that the Bluetooth HIDP implementation did not
correctly check the length of received report messages. A paired
HIDP device could use this to cause a buffer overflow, leading to
denial of service (memory corruption or crash) or potentially
remote code execution.
CVE-2018-9516
It was discovered that the HID events interface in debugfs did not
correctly limit the length of copies to user buffers. A local
user with access to these files could use this to cause a
denial of service (memory corruption or crash) or possibly for
privilege escalation. However, by default debugfs is only
accessible by the root user.
CVE-2018-10902
It was discovered that the rawmidi kernel driver does not protect
against concurrent access which leads to a double-realloc (double
free) flaw. A local attacker can take advantage of this issue for
privilege escalation.
CVE-2018-10938
Yves Younan from Cisco reported that the Cipso IPv4 module did not
correctly check the length of IPv4 options. On custom kernels with
CONFIG_NETLABEL enabled, a remote attacker could use this to cause
a denial of service (hang).
CVE-2018-13099
Wen Xu from SSLab at Gatech reported a use-after-free bug in the
F2FS implementation. An attacker able to mount a crafted F2FS
volume could use this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.
CVE-2018-14609
Wen Xu from SSLab at Gatech reported a potential null pointer
dereference in the F2FS implementation. An attacker able to mount
arbitrary F2FS volumes could use this to cause a denial of service
(crash).
CVE-2018-14617
Wen Xu from SSLab at Gatech reported a potential null pointer
dereference in the HFS+ implementation. An attacker able to mount
arbitrary HFS+ volumes could use this to cause a denial of service
(crash).
CVE-2018-14633
Vincent Pelletier discovered a stack-based buffer overflow flaw in
the chap_server_compute_md5() function in the iSCSI target code. An
unauthenticated remote attacker can take advantage of this flaw to
cause a denial of service or possibly to get a non-authorized access
to data exported by an iSCSI target.
CVE-2018-14678
M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the
kernel exit code used on amd64 systems running as Xen PV guests.
A local user could use this to cause a denial of service (crash).
CVE-2018-14734
A use-after-free bug was discovered in the InfiniBand
communication manager. A local user could use this to cause a
denial of service (crash or memory corruption) or possible for
privilege escalation.
CVE-2018-15572
Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and
Nael Abu-Ghazaleh, from University of California, Riverside,
reported a variant of Spectre variant 2, dubbed SpectreRSB. A
local user may be able to use this to read sensitive information
from processes owned by other users.
CVE-2018-15594
Nadav Amit reported that some indirect function calls used in
paravirtualised guests were vulnerable to Spectre variant 2. A
local user may be able to use this to read sensitive information
from the kernel.
CVE-2018-16276
Jann Horn discovered that the yurex driver did not correctly limit
the length of copies to user buffers. A local user with access to
a yurex device node could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.
CVE-2018-16658
It was discovered that the cdrom driver does not correctly
validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user
with access to a cdrom device could use this to read sensitive
information from the kernel or to cause a denial of service
(crash).
CVE-2018-17182
Jann Horn discovered that the vmacache_flush_all function mishandles
sequence number overflows. A local user can take advantage of this
flaw to trigger a use-after-free, causing a denial of service
(crash or memory corruption) or privilege escalation.
For Debian 8 "Jessie", these problems have been fixed in version
4.9.110-3+deb9u5~deb8u1.
We recommend that you upgrade your linux-4.9 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlu1V8sACgkQ57/I7JWG
EQmVeQ//ZQkGenbcOr7ptm7zSWB2AU0X+QaHaRKZqlQypwXb04jd+1SMuXCOxkkG
qZhCmrrdsGvLrXW161lOW5UL41dRorJiu3m+p+lp66FcmJ57WeVjNSXvBGbJN6Ak
GbAd+0Tu0x3xU0ire15Y+0wRVCvW7NlBA7ygPTv90VKDZpQJWlcQfy1z0gBaHZ9V
fm3TqCMX79F49gz0y8vKdQhVys8s5zrMllnz+tdvm4IH3uy63xrqNhAN7PaIGqGd
C7HK0gGscIneYGShQhaaUxqCaEw+7bVfNVZMTGFy4mRjfYkIQIdfE4vpL5KrG6Kx
VlxWF7UKX4kdiWTzU52k/oSm25WCCXNNPW9/wpnZannJlgJwaHmCEa0b8hNFq418
csNqNhIBejGYt/GECoNTzWwIojLLozJVW1s9wRtp42JAJHWYOueg1zv/9oaCeDPH
P/qnEhW/jCQluNDNKdeHv8E30dt3TuPbWunjvuJ0a+LCJxAAp57RNd4hQjVzPTL+
0utZST0gHYCNPMcn33mH31uyixw4L47n9MS8rhbgay+5JesdSoKZcrA/CWtn+1X3
lSsKL9RLV84Klfgj5vtBk1mImhhqtTIMKHAL7J9P0eUFNJ5fsTdHWbvyVdnem9j9
0mqdYkk+p5s9wjVULdFZwbOAT7wosd0X1WWBuRmE7vVtfwbtR1U=
=g7BQ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW7V4zWaOgq3Tt24GAQgd+w//Vkh01a1QweWoQ+RU2vJ/maSqOqUS9Auo
xKzqATgw0S77gEK6ybknKPQC3VuI9MNj+VgleM1AtiDKDUYv1tlZ4Dv5cAHpYd+S
GGse/yvySxUjhRZd/pPrYsH0J1ChF/3Qk8df4sA15/++lqfi9SNAOeHD7lCtDvoD
5RmSbqQykLmyVe3kjfupkhXaXWBhJSp+WnCpICwpFr6KTZaz+1AQzdr+zYLtfbAk
JE6DsHaprJZGCCZF48XZr2BXiMbAEKL/vrCNZbIduJo2YTLM4J/fp3tpCwH3SnQs
tT6Uz/lFfSYg79wOemBVgUM+HkbiLnb7EKmUI21m/c1d0fMKLIv5G3ZHUrqxdTdt
K44Ul5fHGO9/YmUToaioyotQWY/aW25qsZRVlWbSeST6G7m/Ru3mFAAEGBD3uQHh
mtVgGLZyJXwAr9Fvl7ajBXshlh5ubOZlqftn987uk2dICtiuAcgc0zPWFRTu1ZqW
aqcgLbNMH9rKBymMa46N2xOeXr1Vdi607BFUqv156LqL5GhicjFtwvlAVoUyGAgb
knxiZ25BxCj/RtmndGhcb/hXwKDxexBdv0oSa0tnalOQmgII7IWqnAa1Tp82P9vp
q4IQuXIBijdAB98r8KmJUAysldNK+3cB962cXae2DUG+Jb2D95gsh5uriqzBgi7H
TvlkVG3VNSA=
=saRV
-----END PGP SIGNATURE-----