Debian Security Advisory
DLA-1200-1 linux -- LTS security update
- Date Reported: 10 Dec 2017
- Affected Packages: linux
- Vulnerable: Yes
- Security database references:
- In the Debian bugtracking system: Bug 865303, Bug 865416.
In Mitre's CVE dictionary: CVE-2016-10208, CVE-2017-8824, CVE-2017-8831, CVE-2017-12190, CVE-2017-13080, CVE-2017-14051, CVE-2017-15115, CVE-2017-15265, CVE-2017-15299, CVE-2017-15649, CVE-2017-15868, CVE-2017-16525, CVE-2017-16527, CVE-2017-16529, CVE-2017-16531, CVE-2017-16532, CVE-2017-16533, CVE-2017-16535, CVE-2017-16536, CVE-2017-16537, CVE-2017-16643, CVE-2017-16649, CVE-2017-16939, CVE-2017-1000407.
- More information:
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
- CVE-2016-10208
Sergej Schumilo and Ralf Spenneberg discovered that a crafted ext4 filesystem could trigger memory corruption when it is mounted. A user that can provide a device or filesystem image to be mounted could use this for denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-8824
Mohamed Ghannam discovered that the DCCP implementation did not correctly manage resources when a socket is disconnected and reconnected, potentially leading to a use-after-free. A local user could use this for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the dccp module loaded (check with lsmod | grep -w dccp; a modprobe install rule only blocks future loads and does not unload a module that is already in memory), this can be mitigated by disabling it:
echo 'install dccp false' >> /etc/modprobe.d/disable-dccp.conf
- CVE-2017-8831
Pengfei Wang discovered that the saa7164 video capture driver re-reads data from a PCI device after validating it (a double-fetch, so the value that was checked is not the value that is used). A physically present user able to attach a specially designed PCI device could use this for privilege escalation.
- CVE-2017-12190
Vitaly Mayatskikh discovered that the block layer did not correctly count page references for raw I/O from user-space. This can be exploited by a guest VM with access to a host SCSI device for denial of service (memory exhaustion) or potentially for privilege escalation.
- CVE-2017-13080
A vulnerability was found in the WPA2 protocol that could lead to reinstallation of the same Group Temporal Key (GTK), which substantially reduces the security of wifi encryption: reinstalling a key resets the packet number and replay counter associated with it, so previously captured broadcast and multicast frames can be replayed to the client. This is one of the issues collectively known as KRACK. Updates to GTKs are usually handled by the wpa package, where this issue was already fixed (DLA-1150-1). However, some wifi devices can remain active and update GTKs autonomously while the system is suspended. The kernel must also check for and ignore key reinstallation.
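The following is an added example (it is not code from the advisory or from the Linux kernel) of the replay-counter reset that makes a GTK reinstallation dangerous, and of the check the advisory refers to when it says the kernel must check for and ignore key reinstallation. The key slot layout, the 16-byte key, the cipher id and the packet-number sequence are all constructed for illustration.

```c
/*
 * Added example, not code from DLA-1200-1 or the Linux kernel.
 *
 * A receiving station keeps, per installed key, the highest packet number
 * (PN) it has accepted; a frame whose PN is at or below it is a replay and
 * is dropped.  Installing a key resets that counter to zero.  If a
 * retransmitted group-key handshake message is allowed to reinstall the
 * same GTK, the counter is reset and every earlier broadcast frame can be
 * replayed.  The fixed install recognises an identical key and leaves the
 * slot, including its counter, untouched.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTK_LEN 16

struct gtk_slot {
    bool     present;
    uint8_t  cipher;           /* constructed cipher id, not an IEEE value */
    uint8_t  key[GTK_LEN];
    uint64_t rx_pn;            /* highest PN accepted under this key */
};

/* Pre-fix shape: every install rewrites the slot, replay counter included. */
static void install_gtk_unchecked(struct gtk_slot *s, uint8_t cipher,
                                  const uint8_t key[GTK_LEN])
{
    s->present = true;
    s->cipher  = cipher;
    memcpy(s->key, key, GTK_LEN);
    s->rx_pn   = 0;
}

/* Fixed shape: an install carrying key material identical to what is already
 * in the slot is treated as a no-op, so rx_pn survives.
 * Returns 1 when the reinstall was ignored, 0 when a new key was installed. */
static int install_gtk_checked(struct gtk_slot *s, uint8_t cipher,
                               const uint8_t key[GTK_LEN])
{
    if (s->present && s->cipher == cipher &&
        memcmp(s->key, key, GTK_LEN) == 0)
        return 1;
    install_gtk_unchecked(s, cipher, key);
    return 0;
}

/* Replay check applied to every frame received under this key. */
static bool gtk_rx_accept(struct gtk_slot *s, uint64_t pn)
{
    if (!s->present || pn <= s->rx_pn)
        return false;
    s->rx_pn = pn;
    return true;
}

/*
 * Scenario: the client installs the GTK, receives broadcast frames PN 1..4,
 * then a retransmitted group-key message carrying the same GTK arrives.
 * Returns true if a frame captured earlier (PN 2) is accepted again, i.e.
 * the replay succeeds.
 */
bool replay_succeeds(bool use_fixed_install)
{
    static const uint8_t gtk[GTK_LEN] = {   /* constructed key material */
        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f };
    const uint8_t cipher = 4;
    struct gtk_slot slot;
    memset(&slot, 0, sizeof slot);

    install_gtk_unchecked(&slot, cipher, gtk);
    for (uint64_t pn = 1; pn <= 4; pn++)
        gtk_rx_accept(&slot, pn);

    /* Attacker retransmits the handshake message carrying the same GTK. */
    if (use_fixed_install)
        install_gtk_checked(&slot, cipher, gtk);
    else
        install_gtk_unchecked(&slot, cipher, gtk);

    /* Attacker replays a broadcast frame captured earlier. */
    return gtk_rx_accept(&slot, 2);
}

int main(void)
{
    printf("unchecked install: replay %s\n",
           replay_succeeds(false) ? "accepted" : "rejected");
    printf("checked install:   replay %s\n",
           replay_succeeds(true) ? "accepted" : "rejected");
    return 0;
}
```

The check has to live wherever the key is actually written to the hardware or the driver's key table, which is why fixing wpa_supplicant alone is not enough when a device can process group-key updates on its own while the host is suspended.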
- CVE-2017-14051
shqking reported that the qla2xxx SCSI host driver did not correctly validate I/O to the optrom sysfs attribute of the devices it creates. This is unlikely to have any security impact.
- CVE-2017-15115
Vladis Dronov reported that the SCTP implementation did not correctly handle "peel-off" of an association to another net namespace. This leads to a use-after-free, which a local user can exploit for denial of service (crash or data corruption) or possibly for privilege escalation. On systems that do not already have the sctp module loaded (check with lsmod | grep -w sctp; an install rule does not unload a module that is already in memory), this can be mitigated by disabling it:
echo 'install sctp false' >> /etc/modprobe.d/disable-sctp.conf
- CVE-2017-15265
Michael23 Yu reported a race condition in the ALSA sequencer subsystem involving creation and deletion of ports, which could lead to a use-after-free. A local user with access to an ALSA sequencer device can use this for denial of service (crash or data loss) or possibly for privilege escalation.
- CVE-2017-15299
Eric Biggers discovered that the KEYS subsystem did not correctly handle update of an uninstantiated key, leading to a null dereference. A local user can use this for denial of service (crash).
- CVE-2017-15649
nixiaoming reported a race condition in the packet socket (AF_PACKET) implementation involving rebinding to a fanout group, which could lead to a use-after-free. A local user with the CAP_NET_RAW capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-15868
Al Viro found that the Bluetooth Network Encapsulation Protocol (BNEP) implementation did not validate the type of the second socket passed to the BNEPCONNADD ioctl(), which could lead to memory corruption. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-16525
Andrey Konovalov reported that the USB serial console implementation did not correctly handle disconnection of unusual serial devices, leading to a use-after-free. A similar issue was found in the case where setup of a serial console fails. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-16527
Andrey Konovalov reported that the USB sound mixer driver did not correctly cancel I/O in case it failed to probe a device, which could lead to a use-after-free. A physically present user with a specially designed USB device can use this to cause a denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-16529
Andrey Konovalov reported that the USB sound driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
- CVE-2017-16531
Andrey Konovalov reported that the USB core did not validate IAD lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
- CVE-2017-16532
Andrey Konovalov reported that the USB test driver did not correctly handle devices with specific combinations of endpoints. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
- CVE-2017-16533
Andrey Konovalov reported that the USB HID driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
- CVE-2017-16535
Andrey Konovalov reported that the USB core did not validate BOS descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
- CVE-2017-16536
Andrey Konovalov reported that the cx231xx video capture driver did not fully validate the device endpoint configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
- CVE-2017-16537
Andrey Konovalov reported that the imon RC driver did not fully validate the device interface configuration, which could lead to a null dereference. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
- CVE-2017-16643
Andrey Konovalov reported that the gtco tablet driver did not fully validate descriptor lengths, which could lead to a buffer over-read. A physically present user with a specially designed USB device may be able to use this to cause a denial of service (crash).
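The descriptor-length entries above (USB core IAD and BOS descriptors, USB sound, USB HID, gtco) are instances of one pattern: a driver trusts the bLength a device supplies, or assumes a descriptor of a given type carries its full set of fields, and reads past the bytes it actually received. The block below is an added example, not code from the advisory or the Linux kernel. It walks a constructed descriptor blob with the bounds checks in place, and beside it computes how far an unchecked reader of the same blob would have run past the end. The minimum descriptor sizes are the standard USB 2.0 ones; the sample blobs are constructed, not captured from a device.

```c
/*
 * Added example, not code from DLA-1200-1 or the Linux kernel.
 *
 * Every USB descriptor starts with bLength and bDescriptorType.  Both come
 * from the device, so before any field behind them is read the parser must
 * check that bLength fits in the bytes received and that it is at least the
 * size of the fields the type is expected to carry.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CONFIG                0x02
#define USB_DT_INTERFACE             0x04
#define USB_DT_ENDPOINT              0x05
#define USB_DT_INTERFACE_ASSOCIATION 0x0b

enum {
    WALK_ERR_TRUNCATED = -1,  /* bLength runs past the bytes received */
    WALK_ERR_TOO_SHORT = -2,  /* bLength smaller than the type's fixed fields */
    WALK_ERR_BAD_LEN   = -3,  /* bLength below 2: even the header is impossible */
};

struct usb_walk { int interfaces, endpoints, iads; };

/* Fixed-field sizes for the types handled here (USB 2.0 chapter 9 and the
 * Interface Association Descriptor ECN); other types only need the header. */
static size_t min_len_for(uint8_t type)
{
    switch (type) {
    case USB_DT_CONFIG:                return 9;
    case USB_DT_INTERFACE:             return 9;
    case USB_DT_ENDPOINT:              return 7;
    case USB_DT_INTERFACE_ASSOCIATION: return 8;
    default:                           return 2;
    }
}

/* Hardened walk.  Returns the number of descriptors accepted, or one of the
 * negative WALK_ERR_* codes; 'out' may be NULL. */
int walk_descriptors(const uint8_t *buf, size_t len, struct usb_walk *out)
{
    struct usb_walk w = { 0, 0, 0 };
    size_t pos = 0;
    int n = 0;

    while (pos < len) {
        size_t remaining = len - pos;
        uint8_t blen, type;

        if (remaining < 2)
            return WALK_ERR_TRUNCATED;      /* header itself is cut off */
        blen = buf[pos];
        type = buf[pos + 1];
        if (blen < 2)
            return WALK_ERR_BAD_LEN;        /* would also make the loop spin */
        if (blen > remaining)
            return WALK_ERR_TRUNCATED;      /* the check the over-reads lacked */
        if (blen < min_len_for(type))
            return WALK_ERR_TOO_SHORT;      /* fixed fields lie past bLength */

        switch (type) {
        case USB_DT_INTERFACE:             w.interfaces++; break;
        case USB_DT_ENDPOINT:              w.endpoints++;  break;
        case USB_DT_INTERFACE_ASSOCIATION: w.iads++;       break;
        default: break;
        }
        pos += blen;
        n++;
    }
    if (out)
        *out = w;
    return n;
}

/* The unchecked shape: a reader that trusts the type and touches its fixed
 * fields regardless of bLength or of how many bytes remain.  To stay
 * memory-safe this computes, rather than performs, the access and returns
 * how many bytes past the end of the buffer it would have read (0 if none). */
size_t unchecked_overread(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t blen = buf[pos];
        size_t need  = min_len_for(buf[pos + 1]);
        if (pos + need > len)
            return pos + need - len;
        if (blen < 2)
            break;                          /* the real bug would loop forever */
        pos += blen;
    }
    return 0;
}

int count_endpoints(const uint8_t *buf, size_t len)
{
    struct usb_walk w;
    if (walk_descriptors(buf, len, &w) < 0)
        return -1;
    return w.endpoints;
}

/* Constructed sample blobs: config + interface + one bulk IN endpoint. */
static const uint8_t good_cfg[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  /* config, 25 bytes */
    0x09, 0x04, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,  /* interface */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,              /* endpoint, 64 B */
};
static const uint8_t cut_cfg[] = {                         /* endpoint cut off */
    0x09, 0x02, 0x16, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02,                                /* claims 7, has 4 */
};
static const uint8_t short_ep_cfg[] = {                    /* endpoint too short */
    0x09, 0x02, 0x16, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,
    0x04, 0x05, 0x81, 0x02,                                /* bLength 4 < 7 */
};

int main(void)
{
    printf("good:      %d descriptors, over-read %zu\n",
           walk_descriptors(good_cfg, sizeof good_cfg, NULL),
           unchecked_overread(good_cfg, sizeof good_cfg));
    printf("cut:       rc %d, over-read %zu\n",
           walk_descriptors(cut_cfg, sizeof cut_cfg, NULL),
           unchecked_overread(cut_cfg, sizeof cut_cfg));
    printf("short ep:  rc %d, over-read %zu\n",
           walk_descriptors(short_ep_cfg, sizeof short_ep_cfg, NULL),
           unchecked_overread(short_ep_cfg, sizeof short_ep_cfg));
    return 0;
}
```

Both malformed samples make the unchecked reader touch three bytes beyond the buffer, one because bLength overruns the data, the other because bLength is smaller than the endpoint fields the reader assumes. The advisory's entries span both the core (IAD, BOS) and class drivers (sound, HID, gtco), so the check belongs at every point where a descriptor is consumed, not only in the configuration parser.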
- CVE-2017-16649
Bjørn Mork found that the cdc_ether network driver did not validate the device's maximum segment size, potentially leading to a division by zero. A physically present user with a specially designed USB device can use this to cause a denial of service (crash).
- CVE-2017-16939
Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure Disclosure program) that the IPsec (xfrm) implementation did not correctly handle some failure cases when dumping policy information through netlink. A local user with the CAP_NET_ADMIN capability can use this for denial of service (crash or data corruption) or possibly for privilege escalation.
- CVE-2017-1000407
Andrew Honig reported that the KVM implementation for Intel processors allowed direct access to host I/O port 0x80, which is not generally safe. On some systems this allows a guest VM to cause a denial of service (crash) of the host.
For Debian 7 "Wheezy", these problems have been fixed in version 3.2.96-2. This version also includes bug fixes from upstream versions up to and including 3.2.96. It also fixes some regressions caused by the fix for CVE-2017-1000364, which was included in DLA-993-1.
We recommend that you upgrade your linux packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS