
Mageia alert MGASA-2017-0147 (kernel-tmb)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2017-0147: Updated kernel-tmb packages fix security vulnerabilities
Date:  Fri, 26 May 2017 08:55:29 +0200
Message-ID:  <20170526065529.C4AF09F856@duvel.mageia.org>

MGASA-2017-0147 - Updated kernel-tmb packages fix security vulnerabilities

Publication date: 26 May 2017
URL: http://advisories.mageia.org/MGASA-2017-0147.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6213, CVE-2016-7913, CVE-2016-7917, CVE-2016-8632,
     CVE-2016-9083, CVE-2016-9084, CVE-2016-9120, CVE-2016-9604,
     CVE-2017-2671, CVE-2017-6001, CVE-2017-6951, CVE-2017-7308,
     CVE-2017-7472, CVE-2017-7645, CVE-2017-7895

Description:

This kernel-tmb update is based on upstream 4.4.68 and fixes at least the
following security issues:

fs/namespace.c in the Linux kernel before 4.9 does not restrict how many
mounts may exist in a mount namespace, which allows local users to cause a
denial of service (memory consumption and deadlock) via MS_BIND mount system
calls, as demonstrated by a loop that triggers exponential growth in the
number of mounts (CVE-2016-6213).

The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the
Linux kernel before 4.6 allows local users to gain privileges or cause a
denial of service (use-after-free) via vectors involving omission of the
firmware name from a certain data structure (CVE-2016-7913).

The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux
kernel before 4.5 does not check whether a batch message's length field is
large enough, which allows local users to obtain sensitive information from
kernel memory or cause a denial of service (infinite loop or out-of-bounds
read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917).

The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through
4.8.11 does not validate the relationship between the minimum fragment
length and the maximum packet size, which allows local users to gain
privileges or cause a denial of service (heap-based buffer overflow) by
leveraging the CAP_NET_ADMIN capability (CVE-2016-8632).

drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local
users to bypass integer overflow checks, and cause a denial of service
(memory corruption) or have unspecified other impact, by leveraging access
to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a
"state machine confusion bug" (CVE-2016-9083).

drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 misuses
the kzalloc function, which allows local users to cause a denial of service
(integer overflow) or have unspecified other impact by leveraging access to
a vfio PCI device file (CVE-2016-9084).

It was discovered that root can gain direct access to an internal keyring,
such as '.builtin_trusted_keys' upstream, by joining it as its session
keyring. This allows root to bypass module signature verification by adding
a new public key of its own devising to the keyring (CVE-2016-9604).

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through
4.10.8 is too late in obtaining a certain lock and consequently cannot
ensure that disconnect function calls are safe, which allows local users to
cause a denial of service (panic) by leveraging access to the protocol value
of IPPROTO_ICMP in a socket system call (CVE-2017-2671).

Race condition in kernel/events/core.c in the Linux kernel before 4.9.7
allows local users to gain privileges via a crafted application that makes
concurrent perf_event_open system calls for moving a software group into a
hardware context. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2016-6786 (CVE-2017-6001).

The keyring_search_aux function in security/keys/keyring.c in the Linux
kernel through 3.14.79 allows local users to cause a denial of service (NULL
pointer dereference and OOPS) via a request_key system call for the "dead"
type (CVE-2017-6951).

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel
through 4.10.6 does not properly validate certain block-size data, which
allows local users to cause a denial of service (overflow) or possibly have
unspecified other impact via crafted system calls (CVE-2017-7308).

The keyctl_set_reqkey_keyring() function in the Linux kernel leaks the
thread keyring, which allows an unprivileged local user to exhaust kernel
memory (CVE-2017-7472).

The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
4.10.11 allows remote attackers to cause a denial of service (system crash)
via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
fs/nfsd/nfsxdr.c (CVE-2017-7645).

The NFSv2 and NFSv3 server implementations in the Linux kernel through
4.10.13 lack certain checks for the end of a buffer, which allows remote
attackers to trigger pointer-arithmetic errors or possibly have unspecified
other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and
fs/nfsd/nfsxdr.c (CVE-2017-7895).

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=20859
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4....
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6213
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7913
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7917
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8632
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9120
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9604
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2671
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6001
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6951
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7472
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895

SRPMS:
- 5/core/kernel-tmb-4.4.68-1.mga5
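The advisory names the fixed build only by its SRPM, kernel-tmb-4.4.68-1.mga5. The script below is an added example, not part of the Mageia advisory or of Mageia's own tooling: it compares a VERSION-RELEASE string (the form `rpm -q --qf '%{VERSION}-%{RELEASE}'` prints) against that fixed build, and separately checks the running kernel, because an installed 4.4.68 package does nothing for the still-booted older kernel until the machine is rebooted. The `uname -r` layout it assumes for a tmb kernel ("4.4.68-tmb-desktop-1.mga5": version, flavour, release) and the sample values it loops over are assumptions and constructed data, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the Mageia advisory): is a kernel-tmb build at or
# above the fixed SRPM kernel-tmb-4.4.68-1.mga5 named in MGASA-2017-0147?

FIXED_EVR="4.4.68-1.mga5"   # VERSION-RELEASE taken from the advisory's SRPMS line

# Compare two dot-separated numeric strings component by component.
# Prints -1, 0 or 1 (missing trailing components count as 0, so 4.4 == 4.4.0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Compare two "VERSION-RELEASE" strings such as "4.4.68-1.mga5": upstream
# version first, then the numeric prefix of the release ("1" of "1.mga5").
# The distribution tag itself is not compared. Prints -1, 0 or 1.
evrcmp() {
    v1=${1%%-*}; r1=${1#*-}
    v2=${2%%-*}; r2=${2#*-}
    c=$(vercmp "$v1" "$v2")
    if [ "$c" != 0 ]; then echo "$c"; return; fi
    vercmp "${r1%%.*}" "${r2%%.*}"
}

# True (exit 0) when the package VERSION-RELEASE is at or above the fixed build.
package_is_fixed() {
    [ "$(evrcmp "$1" "$FIXED_EVR")" -ge 0 ]
}

# True when the *running* kernel is at or above the fixed build. Assumes
# (not stated in the advisory) that uname -r on a tmb kernel looks like
# "4.4.68-tmb-desktop-1.mga5": version, then flavour, then release last.
running_is_fixed() {
    ver=${1%%-*}
    rel=${1##*-}
    package_is_fixed "$ver-$rel"
}

# Constructed sample values, not real system output, to show the verdicts.
# On a live Mageia 5 host you would feed it the real values instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'kernel-tmb*'
#   uname -r
for evr in 4.4.59-1.mga5 4.4.68-1.mga5 4.4.68-2.mga5 4.9.0-1.mga5; do
    if package_is_fixed "$evr"; then
        echo "installed kernel-tmb $evr: contains the MGASA-2017-0147 fixes"
    else
        echo "installed kernel-tmb $evr: VULNERABLE, update to $FIXED_EVR"
    fi
done

running=4.4.59-tmb-desktop-1.mga5   # constructed uname -r value
if running_is_fixed "$running"; then
    echo "running kernel $running: fixed"
else
    echo "running kernel $running: still vulnerable until rebooted into the new kernel"
fi
```

The split between `package_is_fixed` and `running_is_fixed` is the point: the advisory's SRPM version tells you what to install, but the exposure of a host is decided by `uname -r`, and a host that has installed 4.4.68-1.mga5 without rebooting still runs every code path listed above.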




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds