Re: [SECURITY] [DLA 1369-1] linux security update

[john <lists@cloned.org.uk>]

Hi,
Thanks for update. Had a weird issue when trying to update a machine 
yesterday (before the update came out) running..

ii  linux-image-3.2.0-4-686-pae          3.2.96-2                          i386         Linux 3.2 for modern PCs

aptitude upgrade wouldn't pull in 3.2.0-5-686-pae for some reason. I tried 
to install the virtual package manually and it said:

# aptitude install linux-image-686-pae
The following packages will be upgraded:
  linux-image-686-pae{b}
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,874 B of archives. After unpacking 31.7 kB will be freed.
The following packages have unmet dependencies:
 linux-image-686-pae : Depends: linux-image-3.2.0-6-686-pae which is a 
virtual package.
The following actions will resolve these dependencies:

     Remove the following packages:
1)     linux-image-2.6-686-bigmem
2)     linux-image-686-pae



Accept this solution? [Y/n/q/?]
The following packages will be REMOVED:
  linux-image-2.6-686-bigmem{a} linux-image-686-pae{a}
0 packages upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 43.0 kB will be freed.
Do you want to continue? [Y/n/?]
(Reading database ... 32453 files and directories currently installed.)
Removing linux-image-2.6-686-bigmem ...
Removing linux-image-686-pae ...

Current status: 0 updates [-1].



# aptitude install linux-image-686-pae linux-image-3.2.0-6-686-pae
No candidate version found for linux-image-3.2.0-6-686-pae
No candidate version found for linux-image-3.2.0-6-686-pae
The following NEW packages will be installed:
  linux-image-686-pae{b}
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.


Not sure if this is a regular thing pre updates coming out or if 
linux-image-686-pae got pushed out before the dependency for some reason 
or made it to the uk mirror but the kernel itself didnt?

Thought I would point this out.

Cheers,

John


On Wed, 2 May 2018, Ben Hutchings wrote:

> Date: Wed, 02 May 2018 21:58:29 +0100
> From: Ben Hutchings <benh@debian.org>
> Reply-To: debian-lts@lists.debian.org
> To: debian-lts-announce@lists.debian.org
> Subject: [SECURITY] [DLA 1369-1] linux security update
> Resent-Date: Wed,  2 May 2018 20:58:55 +0000 (UTC)
> Resent-From: debian-lts-announce@lists.debian.org
>
> Package        : linux
> Version        : 3.2.101-1
> CVE ID         : CVE-2017-0861 CVE-2017-5715 CVE-2017-13166 CVE-2017-16526
>                 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
>                 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2018-1068
>                 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750
>                 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566
>                 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781
>                 CVE-2018-8822 CVE-2018-1000004 CVE-2018-1000199
> Debian Bug     : 887106
>
> Several vulnerabilities have been discovered in the Linux kernel that
> may lead to a privilege escalation, denial of service or information
> leaks.
>
> CVE-2017-0861
>
>    Robb Glasser reported a potential use-after-free in the ALSA (sound)
>    PCM core.  We believe this was not possible in practice.
>
> CVE-2017-5715
>
>    Multiple researchers have discovered a vulnerability in various
>    processors supporting speculative execution, enabling an attacker
>    controlling an unprivileged process to read memory from arbitrary
>    addresses, including from the kernel and all other processes
>    running on the system.
>
>    This specific attack has been named Spectre variant 2 (branch
>    target injection) and is mitigated for the x86 architecture (amd64
>    and i386) by using the "retpoline" compiler feature which allows
>    indirect branches to be isolated from speculative execution.
>
> CVE-2017-13166
>
>    A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
>    code has been found.  Memory protections ensuring user-provided
>    buffers always point to userland memory were disabled, allowing
>    destination addresses to be in kernel space.  On a 64-bit kernel
>    (amd64 flavour) a local user with access to a suitable video
>    device can exploit this to overwrite kernel memory, leading to
>    privilege escalation.
>
> CVE-2017-16526
>
>    Andrey Konovalov reported that the UWB subsystem may dereference
>    an invalid pointer in an error case.  A local user might be able
>    to use this for denial of service.
>
> CVE-2017-16911
>
>    Secunia Research reported that the USB/IP vhci_hcd driver exposed
>    kernel heap addresses to local users.  This information could aid the
>    exploitation of other vulnerabilities.
>
> CVE-2017-16912
>
>    Secunia Research reported that the USB/IP stub driver failed to
>    perform a range check on a received packet header field, leading
>    to an out-of-bounds read.  A remote user able to connect to the
>    USB/IP server could use this for denial of service.
>
> CVE-2017-16913
>
>    Secunia Research reported that the USB/IP stub driver failed to
>    perform a range check on a received packet header field, leading
>    to excessive memory allocation.  A remote user able to connect to
>    the USB/IP server could use this for denial of service.
>
> CVE-2017-16914
>
>    Secunia Research reported that the USB/IP stub driver failed to
>    check for an invalid combination of fields in a recieved packet,
>    leading to a null pointer dereference.  A remote user able to
>    connect to the USB/IP server could use this for denial of service.
>
> CVE-2017-18017
>
>    Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
>    failed to validate TCP header lengths, potentially leading to a
>    use-after-free.  If this module is loaded, it could be used by a
>    remote attacker for denial of service or possibly for code
>    execution.
>
> CVE-2017-18203
>
>    Hou Tao reported that there was a race condition in creation and
>    deletion of device-mapper (DM) devices.  A local user could
>    potentially use this for denial of service.
>
> CVE-2017-18216
>
>    Alex Chen reported that the OCFS2 filesystem failed to hold a
>    necessary lock during nodemanager sysfs file operations,
>    potentially leading to a null pointer dereference.  A local user
>    could use this for denial of service.
>
> CVE-2018-1068
>
>    The syzkaller tool found that the 32-bit compatibility layer of
>    ebtables did not sufficiently validate offset values.  On a 64-bit
>    kernel (amd64 flavour), a local user with the CAP_NET_ADMIN
>    capability could use this to overwrite kernel memory, possibly
>    leading to privilege escalation.
>
> CVE-2018-1092
>
>    Wen Xu reported that a crafted ext4 filesystem image would
>    trigger a null dereference when mounted.  A local user able
>    to mount arbitrary filesystems could use this for denial of
>    service.
>
> CVE-2018-5332
>
>    Mohamed Ghannam reported that the RDS protocol did not
>    sufficiently validate RDMA requests, leading to an out-of-bounds
>    write.  A local attacker on a system with the rds module loaded
>    could use this for denial of service or possibly for privilege
>    escalation.
>
> CVE-2018-5333
>
>    Mohamed Ghannam reported that the RDS protocol did not properly
>    handle an error case, leading to a null pointer dereference.  A
>    local attacker on a system with the rds module loaded could
>    possibly use this for denial of service.
>
> CVE-2018-5750
>
>    Wang Qize reported that the ACPI sbshc driver logged a kernel heap
>    address.  This information could aid the exploitation of other
>    vulnerabilities.
>
> CVE-2018-5803
>
>    Alexey Kodanev reported that the SCTP protocol did not range-check
>    the length of chunks to be created.  A local or remote user could
>    use this to cause a denial of service.
>
> CVE-2018-6927
>
>    Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did
>    not check for negative parameter values, which might lead to a
>    denial of service or other security impact.
>
> CVE-2018-7492
>
>    The syzkaller tool found that the RDS protocol was lacking a null
>    pointer check.  A local attacker on a system with the rds module
>    loaded could use this for denial of service.
>
> CVE-2018-7566
>
>    范龙飞 (Fan LongFei) reported a race condition in the ALSA (sound)
>    sequencer core, between write and ioctl operations.  This could
>    lead to an out-of-bounds access or use-after-free.  A local user
>    with access to a sequencer device could use this for denial of
>    service or possibly for privilege escalation.
>
> CVE-2018-7740
>
>    Nic Losby reported that the hugetlbfs filesystem's mmap operation
>    did not properly range-check the file offset.  A local user with
>    access to files on a hugetlbfs filesystem could use this to cause
>    a denial of service.
>
> CVE-2018-7757
>
>    Jason Yan reported a memory leak in the SAS (Serial-Attached
>    SCSI) subsystem.  A local user on a system with SAS devices
>    could use this to cause a denial of service.
>
> CVE-2018-7995
>
>    Seunghun Han reported a race condition in the x86 MCE
>    (Machine Check Exception) driver.  This is unlikely to have
>    any security impact.
>
> CVE-2018-8781
>
>    Eyal Itkin reported that the udl (DisplayLink) driver's mmap
>    operation did not properly range-check the file offset.  A local
>    user with access to a udl framebuffer device could exploit this to
>    overwrite kernel memory, leading to privilege escalation.
>
> CVE-2018-8822
>
>    Dr Silvio Cesare of InfoSect reported that the ncpfs client
>    implementation did not validate reply lengths from the server.  An
>    ncpfs server could use this to cause a denial of service or
>    remote code execution in the client.
>
> CVE-2018-1000004
>
>    Luo Quan reported a race condition in the ALSA (sound) sequencer
>    core, between multiple ioctl operations.  This could lead to a
>    deadlock or use-after-free.  A local user with access to a
>    sequencer device could use this for denial of service or possibly
>    for privilege escalation.
>
> CVE-2018-1000199
>
>    Andy Lutomirski discovered that the ptrace subsystem did not
>    sufficiently validate hardware breakpoint settings.  Local users
>    can use this to cause a denial of service, or possibly for
>    privilege escalation, on x86 (amd64 and i386) and possibly other
>    architectures.
>
> Additionally, some mitigations for CVE-2017-5753 are included in this
> release:
>
> CVE-2017-5753
>
>    Multiple researchers have discovered a vulnerability in various
>    processors supporting speculative execution, enabling an attacker
>    controlling an unprivileged process to read memory from arbitrary
>    addresses, including from the kernel and all other processes
>    running on the system.
>
>    This specific attack has been named Spectre variant 1
>    (bounds-check bypass) and is mitigated by identifying vulnerable
>    code sections (array bounds checking followed by array access) and
>    replacing the array access with the speculation-safe
>    array_index_nospec() function.
>
>    More use sites will be added over time.
>
> For Debian 7 "Wheezy", these problems have been fixed in version
> 3.2.101-1.  This version also includes bug fixes from upstream versions
> up to and including 3.2.101.  It also fixes a regression in the
> procfs hidepid option in the previous version (Debian bug #887106).
>
> We recommend that you upgrade your linux packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
> --
> Ben Hutchings - Debian developer, member of kernel, installer and LTS teams