[kernel-sec-discuss] r5584 - dsa-texts

Ben Hutchings benh at moszumanska.debian.org
Wed Sep 20 20:18:40 UTC 2017


Author: benh
Date: 2017-09-20 20:18:40 +0000 (Wed, 20 Sep 2017)
New Revision: 5584

Modified:
   dsa-texts/4.9.30-2+deb9u5
Log:
Corrections and additions to descriptions for 3.16.43-2+deb8u5/4.9.30-2+deb9u5


Modified: dsa-texts/4.9.30-2+deb9u5
===================================================================
--- dsa-texts/4.9.30-2+deb9u5	2017-09-20 19:34:05 UTC (rev 5583)
+++ dsa-texts/4.9.30-2+deb9u5	2017-09-20 20:18:40 UTC (rev 5584)
@@ -35,9 +35,8 @@
 
     Bo Zhang reported that the xfrm subsystem does not properly
     validate one of the parameters to a netlink message. Local users
-    with the CAP_NET_ADMIN capability (in any user namespace) can use
-    this to cause a denial of service or potentially to execute
-    arbitrary code.
+    with the CAP_NET_ADMIN capability can use this to cause a denial
+    of service or potentially to execute arbitrary code.
 
 CVE-2017-12134 / #866511 / XSA-229
 
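Review bot: dropping "(in any user namespace)" from the CAP_NET_ADMIN sentence removes, from this entry read on its own, the signal that a namespace-local capability is enough; that is fine only if the closing paragraph added at the end of the text names CVE-2017-11600 explicitly, otherwise a reader who skims just this entry will assume a real root-equivalent capability is required. Consider keeping the qualifier here, or at least checking that the consolidated note lists this CVE.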
@@ -53,9 +52,10 @@
 
 CVE-2017-12146 (stretch only)
 
-    A race condition flaw was found in the driver_override
-    implementation within the platform 'pseudo' bus for legacy devices,
-    allowing a local user to gain privileges.
+    Adrian Salido of Google reported a race condition in access to the
+    "driver_override" attribute for platform devices in sysfs. If
+    unprivileged users are permitted to access this attribute, this
+    might allow them to gain privileges.
 
 CVE-2017-12153
 
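Review bot: the new wording turns an unconditional "allowing a local user to gain privileges" into a conditional on sysfs access ("If unprivileged users are permitted to access this attribute"), which is more accurate, but it leaves the reader unable to judge default exposure. State what the default permission on the "driver_override" attribute is in the shipped kernel, so that administrators know whether the conditional applies to them or only to systems that have loosened sysfs permissions.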
@@ -79,9 +79,11 @@
 
 CVE-2017-14140
 
-    Otto Ebeling discovered that the move_pages() syscall performed
-    insufficient validation of the effective UID of the target process
-    which result in a partial ASLR bypass.
+    Otto Ebeling reported that the move_pages() system call performed
+    insufficient validation of the UIDs of the calling and target
+    processes, resulting in a partial ASLR bypass. This made it easier
+    for local users to exploit vulnerabilities in programs installed
+    with the set-UID permission bit set.
 
 CVE-2017-14156
 
@@ -107,28 +109,26 @@
 
 CVE-2017-14497 (stretch only)
 
-    Benjamin Poirier reported that vnet headers are not properly handled
-    within the tpacket_rcv() function in the raw packet (af_packet)
-    feature. A local user can take advantage of this flaw to cause a
-    denial of service (buffer overflow, and disk and memory corruption)
-    or have other impact.
+    Benjamin Poirier of SUSE reported that vnet headers are not
+    properly handled within the tpacket_rcv() function in the raw
+    packet (af_packet) feature. A local user with the CAP_NET_RAW
+    capability can take advantage of this flaw to cause a denial of
+    service (buffer overflow, and disk and memory corruption) or have
+    other impact.
 
 CVE-2017-1000111
 
-    Andrey Konovalov of Google reported that a race condition in the
-    raw packet (af_packet) feature. Local users with the CAP_NET_RAW
-    capability (in any user namespace) can use this for denial of
-    service or possibly to execute arbitrary code.
+    Andrey Konovalov of Google reported a race condition in the raw
+    packet (af_packet) feature. Local users with the CAP_NET_RAW
+    capability can use this for denial of service or possibly to
+    execute arbitrary code.
 
 CVE-2017-1000112
 
-    Andrey Konovalov of Google reported a race condition flaw in the UDP
-    Fragmentation Offload (UFO) code. A local user with the
-    CAP_NET_ADMIN capability can use this flaw for denial of service or
-    possibly to execute arbitrary code. Debian disables unprivileged
-    user namespaces by default, if locally enabled with the
-    kernel.unprivileged_userns_clone sysctl, this allows privilege
-    escalation.
+    Andrey Konovalov of Google reported a race condition flaw in the
+    UDP Fragmentation Offload (UFO) code. A local user with the
+    CAP_NET_ADMIN capability can use this flaw for denial of service
+    or possibly to execute arbitrary code.
 
 CVE-2017-1000251 / #875881
 
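Review bot: the CVE-2017-1000112 entry loses its sentence ending "this allows privilege escalation", and the CVE-2017-1000111 entry loses "(in any user namespace)"; both caveats now exist only in the closing paragraph, which says these issues "can be exploited by any local user" but does not repeat the privilege-escalation outcome. If the downgrade from "privilege escalation" to "exploited by any local user" is intentional, fine; if not, keep "possibly to execute arbitrary code" readable as a root-equivalent outcome in the consolidated note. The added "with the CAP_NET_RAW capability" on CVE-2017-14497 is consistent with the 1000111 wording and is a good change.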
@@ -141,10 +141,10 @@
 
 CVE-2017-1000252 (stretch only)
 
-    Jan H. Schoenherr of Amazon reported that there exists a reachable
-    assertion failure in the KVM implementation with enabled Virtual
-    Function I/O feature (ONFIG_VFIO), allowing a malicious guest
-    process to crash the KVM hypervisor and causing a denial of service.
+    Jan H. Schönherr of Amazon reported that the KVM implementation
+    for Intel x86 processors did not correctly validate interrupt
+    injection requests. A local user with permission to use KVM
+    could use this for denial of service.
 
 CVE-2017-1000370
 
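Review bot: the rewrite fixes the "ONFIG_VFIO" typo by removing the VFIO mention entirely, and correctly moves the attacker from "a malicious guest process" to "a local user with permission to use KVM", but in doing so it drops the precondition the old text carried (the Virtual Function I/O feature being in use). If the vulnerable path is still only reachable when device assignment / VFIO is enabled, keep that condition in the new sentence, since it materially scopes which KVM hosts are exposed.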
@@ -164,6 +164,11 @@
     with permission to access sound devices could use this to obtain
     sensitive information.
 
+Debian disables unprivileged user namespaces by default, but if they
+are enabled (via the kernel.unprivileged_userns_clone sysctl) then
+CVE-2017-11600, CVE-2017-14497, CVE-2017-1000111, and CVE-2017-1000112
+can be exploited by any local user.
+    
 jessie: 3.16.43-2+deb8u5
 stretch: 4.9.30-2+deb9u5
 
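Review bot: the added blank line after the new paragraph ("+    ") carries trailing whitespace; make it an empty line. Also, the paragraph states that the four listed CVEs "can be exploited by any local user" when unprivileged user namespaces are enabled, but CVE-2017-14497 is marked "(stretch only)" above, so for jessie the statement applies to only three of them; consider qualifying the list or noting that it applies per release.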