[kernel-sec-discuss] r5584 - dsa-texts
Ben Hutchings
benh at moszumanska.debian.org
Wed Sep 20 20:18:40 UTC 2017
Author: benh
Date: 2017-09-20 20:18:40 +0000 (Wed, 20 Sep 2017)
New Revision: 5584
Modified:
dsa-texts/4.9.30-2+deb9u5
Log:
Corrections and additions to descriptions for 3.16.43-2+deb8u5/4.9.30-2+deb9u5
Modified: dsa-texts/4.9.30-2+deb9u5
===================================================================
--- dsa-texts/4.9.30-2+deb9u5 2017-09-20 19:34:05 UTC (rev 5583)
+++ dsa-texts/4.9.30-2+deb9u5 2017-09-20 20:18:40 UTC (rev 5584)
@@ -35,9 +35,8 @@
Bo Zhang reported that the xfrm subsystem does not properly
validate one of the parameters to a netlink message. Local users
- with the CAP_NET_ADMIN capability (in any user namespace) can use
- this to cause a denial of service or potentially to execute
- arbitrary code.
+ with the CAP_NET_ADMIN capability can use this to cause a denial
+ of service or potentially to execute arbitrary code.
CVE-2017-12134 / #866511 / XSA-229
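Review bot: dropping "(in any user namespace)" from the CAP_NET_ADMIN qualifier in this entry loses information unless this CVE is one of those covered by the consolidated user-namespace note added at the end of the text; the hunk does not show this entry's CVE id, so that cannot be checked from the diff alone. Confirm the id appears in that list, otherwise keep the qualifier here.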
@@ -53,9 +52,10 @@
CVE-2017-12146 (stretch only)
- A race condition flaw was found in the driver_override
- implementation within the platform 'pseudo' bus for legacy devices,
- allowing a local user to gain privileges.
+ Adrian Salido of Google reported a race condition in access to the
+ "driver_override" attribute for platform devices in sysfs. If
+ unprivileged users are permitted to access this attribute, this
+ might allow them to gain privileges.
CVE-2017-12153
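Review bot: the new wording "If unprivileged users are permitted to access this attribute, this might allow them to gain privileges" leaves the reader unable to judge exposure on a default installation; state what the default permissions of the "driver_override" attribute are (for example, whether it is writable only by root) so the conditional is meaningful, and keep the old text's plain "allowing a local user to gain privileges" if the attribute is in fact exposed by default.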
@@ -79,9 +79,11 @@
CVE-2017-14140
- Otto Ebeling discovered that the move_pages() syscall performed
- insufficient validation of the effective UID of the target process
- which result in a partial ASLR bypass.
+ Otto Ebeling reported that the move_pages() system call performed
+ insufficient validation of the UIDs of the calling and target
+ processes, resulting in a partial ASLR bypass. This made it easier
+ for local users to exploit vulnerabilities in programs installed
+ with the set-UID permission bit set.
CVE-2017-14156
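Review bot: "programs installed with the set-UID permission bit set" in the last added line repeats "set" and reads awkwardly; suggest "programs installed with the set-UID bit" or simply "set-UID programs". The change from "effective UID of the target process" to "UIDs of the calling and target processes" widens the description of the flaw, so double-check it matches the check the applied fix actually adds.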
@@ -107,28 +109,26 @@
CVE-2017-14497 (stretch only)
- Benjamin Poirier reported that vnet headers are not properly handled
- within the tpacket_rcv() function in the raw packet (af_packet)
- feature. A local user can take advantage of this flaw to cause a
- denial of service (buffer overflow, and disk and memory corruption)
- or have other impact.
+ Benjamin Poirier of SUSE reported that vnet headers are not
+ properly handled within the tpacket_rcv() function in the raw
+ packet (af_packet) feature. A local user with the CAP_NET_RAW
+ capability can take advantage of this flaw to cause a denial of
+ service (buffer overflow, and disk and memory corruption) or have
+ other impact.
CVE-2017-1000111
- Andrey Konovalov of Google reported that a race condition in the
- raw packet (af_packet) feature. Local users with the CAP_NET_RAW
- capability (in any user namespace) can use this for denial of
- service or possibly to execute arbitrary code.
+ Andrey Konovalov of Google reported a race condition in the raw
+ packet (af_packet) feature. Local users with the CAP_NET_RAW
+ capability can use this for denial of service or possibly to
+ execute arbitrary code.
CVE-2017-1000112
- Andrey Konovalov of Google reported a race condition flaw in the UDP
- Fragmentation Offload (UFO) code. A local user with the
- CAP_NET_ADMIN capability can use this flaw for denial of service or
- possibly to execute arbitrary code. Debian disables unprivileged
- user namespaces by default, if locally enabled with the
- kernel.unprivileged_userns_clone sysctl, this allows privilege
- escalation.
+ Andrey Konovalov of Google reported a race condition flaw in the
+ UDP Fragmentation Offload (UFO) code. A local user with the
+ CAP_NET_ADMIN capability can use this flaw for denial of service
+ or possibly to execute arbitrary code.
CVE-2017-1000251 / #875881
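Review bot: removing the kernel.unprivileged_userns_clone sentence from the CVE-2017-1000112 entry is only correct if the consolidated user-namespace note near the end of the file lands in the same revision, since that sentence was the only place this entry carried the caveat; the two hunks must not be cherry-picked separately. The old sentence was also a comma splice ("by default, if locally enabled ..."), so moving it is an improvement in wording as well.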
@@ -141,10 +141,10 @@
CVE-2017-1000252 (stretch only)
- Jan H. Schoenherr of Amazon reported that there exists a reachable
- assertion failure in the KVM implementation with enabled Virtual
- Function I/O feature (ONFIG_VFIO), allowing a malicious guest
- process to crash the KVM hypervisor and causing a denial of service.
+ Jan H. Schönherr of Amazon reported that the KVM implementation
+ for Intel x86 processors did not correctly validate interrupt
+ injection requests. A local user with permission to use KVM
+ could use this for denial of service.
CVE-2017-1000370
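Review bot: the corrected name "Schönherr" introduces a non-ASCII character into the DSA text; check that the file is UTF-8 and that the advisory mail tooling preserves it, or keep the ASCII form "Schoenherr" from the old text. The impact statement also changes from "a malicious guest process" crashing the hypervisor to "a local user with permission to use KVM" causing denial of service, which is a substantive correction rather than a wording fix and deserves a mention in the log message.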
@@ -164,6 +164,11 @@
with permission to access sound devices could use this to obtain
sensitive information.
+Debian disables unprivileged user namespaces by default, but if they
+are enabled (via the kernel.unprivileged_userns_clone sysctl) then
+CVE-2017-11600, CVE-2017-14497, CVE-2017-1000111, and CVE-2017-1000112
+can be exploited by any local user.
+
jessie: 3.16.43-2+deb8u5
stretch: 4.9.30-2+deb9u5
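Review bot: the consolidated note lists CVE-2017-14497, which its entry above marks "(stretch only)", yet the sentence applies to both jessie and stretch without qualification; add "(stretch only)" after that id or split the sentence per release. CVE-2017-11600 is listed here but its entry is not part of this diff, so confirm that entry names the capability requirement this note relaxes.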