Package        : linux
Version        : 3.2.96-2
CVE ID         : CVE-2016-10208 CVE-2017-8824 CVE-2017-8831 CVE-2017-12190 
                 CVE-2017-13080 CVE-2017-14051 CVE-2017-15115 CVE-2017-15265 
                 CVE-2017-15299 CVE-2017-15649 CVE-2017-15868 CVE-2017-16525 
                 CVE-2017-16527 CVE-2017-16529 CVE-2017-16531 CVE-2017-16532 
                 CVE-2017-16533 CVE-2017-16535 CVE-2017-16536 CVE-2017-16537 
                 CVE-2017-16643 CVE-2017-16649 CVE-2017-16939 CVE-2017-1000407
Debian Bug     : 865303 865416

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10208

    Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4
    filesystem could trigger memory corruption when it is mounted.  A
    user that can provide a device or filesystem image to be mounted
    could use this for denial of service (crash or data corruption) or
    possibly for privilege escalation.

CVE-2017-8824

    Mohamed Ghannam discovered that the DCCP implementation did not
    correctly manage resources when a socket is disconnected and
    reconnected, potentially leading to a use-after-free.  A local
    user could use this for denial of service (crash or data
    corruption) or possibly for privilege escalation.  On systems that
    do not already have the dccp module loaded, this can be mitigated
    by disabling it:
    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-8831

    Pengfei Wang discovered that the saa7164 video capture driver
    re-reads data from a PCI device after validating it.  A physically
    present user able to attach a specially designed PCI device could
    use this for privilege escalation.

CVE-2017-12190

    Vitaly Mayatskikh discovered that the block layer did not
    correctly count page references for raw I/O from user-space.  This
    can be exploited by a guest VM with access to a host SCSI device
    for denial of service (memory exhaustion) or potentially for
    privilege escalation.

CVE-2017-13080

    A vulnerability was found in the WPA2 protocol that could lead to
    reinstallation of the same Group Temporal Key (GTK), which
    substantially reduces the security of wifi encryption.  This is
    one of the issues collectively known as "KRACK".

    Updates to GTKs are usually handled by the wpa package, where this
    issue was already fixed (DLA-1150-1).  However, some wifi devices
    can remain active and update GTKs autonomously while the system is
    suspended.  The kernel must also check for and ignore key
    reinstallation.

CVE-2017-14051

    "shqking" reported that the qla2xxx SCSI host driver did not
    correctly validate I/O to the "optrom" sysfs attribute of the
    devices it creates.  This is unlikely to have any security
    impact.

CVE-2017-15115

    Vladis Dronov reported that the SCTP implementation did not
    correctly handle "peel-off" of an association to another net
    namespace.  This leads to a use-after-free, which a local user can
    exploit for denial of service (crash or data corruption) or
    possibly for privilege escalation.  On systems that do not already
    have the sctp module loaded, this can be mitigated by disabling
    it:
    echo >> /etc/modprobe.d/disable-sctp.conf install sctp false
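
As an added example that is not part of the advisory, the following POSIX shell helper applies the "install <module> false" mitigation given above for both dccp and sctp, and first checks /proc/modules so that it refuses on a system where the module is already loaded (the case the advisory says the mitigation does not cover); the function names and the constructed modules listing are the example's own.

```shell
# Added example, not part of the advisory: a helper for the
# "install <module> false" mitigation given for dccp and sctp.
# It only blocks auto-loading; it does nothing for a module that is
# already loaded, which is why the advisory limits it to such systems.

# module_loaded MODULE [MODULES_FILE]
# Succeed if MODULE is listed in a /proc/modules-style file.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# disable_line MODULE: the modprobe.d line that makes "modprobe MODULE" a no-op.
disable_line() {
    printf 'install %s false\n' "$1"
}

# disable_module MODULE [CONFDIR] [MODULES_FILE]
# Append the disable line to CONFDIR/disable-MODULE.conf, refusing if the
# module is already loaded (only a kernel upgrade helps in that case).
disable_module() {
    mod="$1"; confdir="${2:-/etc/modprobe.d}"
    if module_loaded "$mod" "${3:-/proc/modules}"; then
        echo "$mod is already loaded; the modprobe.d mitigation does not apply" >&2
        return 1
    fi
    disable_line "$mod" >> "$confdir/disable-$mod.conf"
}

# Demonstration on a constructed /proc/modules listing in a temporary
# directory, so nothing under /etc is touched.
demo_dir=$(mktemp -d)
printf 'sctp 262144 4 - Live 0xffffffffa0100000\n' > "$demo_dir/modules"
printf 'ipv6 409600 20 - Live 0xffffffffa0000000\n' >> "$demo_dir/modules"
disable_module dccp "$demo_dir" "$demo_dir/modules" && cat "$demo_dir/disable-dccp.conf"
disable_module sctp "$demo_dir" "$demo_dir/modules" || echo "sctp: mitigation not applicable"
```

Run without the demo arguments, disable_module writes to /etc/modprobe.d and reads the live /proc/modules, so it needs root.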

CVE-2017-15265

    Michael23 Yu reported a race condition in the ALSA sequencer
    subsystem involving creation and deletion of ports, which could
    lead to a use-after-free.  A local user with access to an ALSA
    sequencer device can use this for denial of service (crash or data
    loss) or possibly for privilege escalation.

CVE-2017-15299

    Eric Biggers discovered that the KEYS subsystem did not correctly
    handle update of an uninstantiated key, leading to a null
    dereference.  A local user can use this for denial of service
    (crash).

CVE-2017-15649

    "nixioaming" reported a race condition in the packet socket
    (AF_PACKET) implementation involving rebinding to a fanout group,
    which could lead to a use-after-free.  A local user with the
    CAP_NET_RAW capability can use this for denial of service (crash
    or data corruption) or possibly for privilege escalation.

CVE-2017-15868

    Al Viro found that the Bluetooth Network Encapsulation Protocol
    (BNEP) implementation did not validate the type of the second
    socket passed to the BNEPCONNADD ioctl(), which could lead to
    memory corruption.  A local user with the CAP_NET_ADMIN capability
    can use this for denial of service (crash or data corruption) or
    possibly for privilege escalation.

CVE-2017-16525

    Andrey Konovalov reported that the USB serial console
    implementation did not correctly handle disconnection of unusual
    serial devices, leading to a use-after-free.  A similar issue was
    found in the case where setup of a serial console fails.  A
    physically present user with a specially designed USB device can
    use this to cause a denial of service (crash or data corruption)
    or possibly for privilege escalation.

CVE-2017-16527

    Andrey Konovalov reported that the USB sound mixer driver did not
    correctly cancel I/O in case it failed to probe a device, which
    could lead to a use-after-free.  A physically present user with a
    specially designed USB device can use this to cause a denial of
    service (crash or data corruption) or possibly for privilege
    escalation.

CVE-2017-16529

    Andrey Konovalov reported that the USB sound driver did not fully
    validate descriptor lengths, which could lead to a buffer
    over-read.  A physically present user with a specially designed
    USB device may be able to use this to cause a denial of service
    (crash).

CVE-2017-16531

    Andrey Konovalov reported that the USB core did not validate IAD
    lengths, which could lead to a buffer over-read.  A physically
    present user with a specially designed USB device may be able to
    use this to cause a denial of service (crash).

CVE-2017-16532

    Andrey Konovalov reported that the USB test driver did not
    correctly handle devices with specific combinations of endpoints.
    A physically present user with a specially designed USB device can
    use this to cause a denial of service (crash).

CVE-2017-16533

    Andrey Konovalov reported that the USB HID driver did not fully
    validate descriptor lengths, which could lead to a buffer
    over-read.  A physically present user with a specially designed
    USB device may be able to use this to cause a denial of service
    (crash).

CVE-2017-16535

    Andrey Konovalov reported that the USB core did not validate BOS
    descriptor lengths, which could lead to a buffer over-read.  A
    physically present user with a specially designed USB device may
    be able to use this to cause a denial of service (crash).

CVE-2017-16536

    Andrey Konovalov reported that the cx231xx video capture driver
    did not fully validate the device endpoint configuration, which
    could lead to a null dereference.  A physically present user with
    a specially designed USB device can use this to cause a denial of
    service (crash).

CVE-2017-16537

    Andrey Konovalov reported that the imon RC driver did not fully
    validate the device interface configuration, which could lead to a
    null dereference.  A physically present user with a specially
    designed USB device can use this to cause a denial of service
    (crash).

CVE-2017-16643

    Andrey Konovalov reported that the gtco tablet driver did not
    fully validate descriptor lengths, which could lead to a buffer
    over-read.  A physically present user with a specially designed
    USB device may be able to use this to cause a denial of service
    (crash).

CVE-2017-16649

    Bjørn Mork found that the cdc_ether network driver did not
    validate the device's maximum segment size, potentially leading to
    a division by zero.  A physically present user with a specially
    designed USB device can use this to cause a denial of service
    (crash).

CVE-2017-16939

    Mohamed Ghannam reported (through Beyond Security's SecuriTeam
    Secure Disclosure program) that the IPsec (xfrm) implementation
    did not correctly handle some failure cases when dumping policy
    information through netlink.  A local user with the CAP_NET_ADMIN
    capability can use this for denial of service (crash or data
    corruption) or possibly for privilege escalation.

CVE-2017-1000407

    Andrew Honig reported that the KVM implementation for Intel
    processors allowed direct access to host I/O port 0x80, which
    is not generally safe.  On some systems this allows a guest
    VM to cause a denial of service (crash) of the host.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.96-2.  This version also includes bug fixes from upstream versions
up to and including 3.2.96.  It also fixes some regressions caused by
the fix for CVE-2017-1000364, which was included in DLA-993-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Debian LTS: DLA-1200-1: linux security update

December 10, 2017