[LSN-0021-1] Linux kernel vulnerability

Benjamin M. Romer benjamin.romer at canonical.com
Thu Apr 13 18:36:25 UTC 2017


==========================================================================
Kernel Live Patch Security Notice LSN-0021-1
April 10, 2017

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu:

| Series           | Base kernel  | Arch     | flavors          |
|------------------+--------------+----------+------------------|
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | generic          |
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | lowlatency       |

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Andrey Konovalov discovered that the AF_PACKET implementation in the Linux
kernel did not properly validate certain block-size data. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-7308)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2017-6074)

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges. (CVE-2016-5195)

It was discovered that a use-after-free vulnerability existed in the block
device layer of the Linux kernel. A local attacker could use this to cause
a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2016-7910)

Dmitry Vyukov discovered a use-after-free vulnerability in the
sys_ioprio_get() function in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
administrative privileges. (CVE-2016-7911)

It was discovered that a use-after-free vulnerability existed in the
ffs_user_copy_worker function of the USB gadget FunctionFS driver
(drivers/usb/gadget/function/f_fs.c) in the Linux kernel before 4.5.3, where
an I/O data structure could be accessed after a certain callback call. A
local attacker could use this to gain administrative privileges.
(CVE-2016-7912)

It was discovered that a race condition existed in the procfs environ_read
function in the Linux kernel, leading to an integer underflow. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2016-7916)

Qidan He discovered that the ICMP implementation in the Linux kernel did
not properly check the size of an ICMP header. A local attacker with
CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399)

It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)

Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)

CAI Qian discovered that the sysctl implementation in the Linux kernel did
not properly perform reference counting in some situations. An unprivileged
attacker could use this to cause a denial of service (system hang).
(CVE-2016-9191)

Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
did not properly initialize the Code Segment (CS) in certain error cases. A
local attacker could use this to expose sensitive information (kernel
memory). (CVE-2016-9756)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in
the Linux kernel did not properly emulate instructions on the SS segment
register. A local attacker in a guest virtual machine could use this to
cause a denial of service (guest OS crash) or possibly gain administrative
privileges in the guest OS. (CVE-2017-2583)

Update instructions:

The problem can be corrected by updating your livepatches to the following
versions:

| Kernel          | Version  | flavors                  |
|-----------------+----------+--------------------------|
| 4.4.0-21.37     | 16.1     | generic, lowlatency      |
| 4.4.0-21.37     | 17.1     | generic, lowlatency      |
| 4.4.0-21.37     | 18.1     | generic, lowlatency      |
| 4.4.0-21.37     | 21.1     | generic, lowlatency      |
| 4.4.0-22.39     | 13.2     | generic, lowlatency      |
| 4.4.0-22.39     | 16.1     | generic, lowlatency      |
| 4.4.0-22.39     | 17.1     | generic, lowlatency      |
| 4.4.0-22.39     | 18.1     | generic, lowlatency      |
| 4.4.0-22.39     | 21.1     | generic, lowlatency      |
| 4.4.0-22.40     | 16.1     | generic, lowlatency      |
| 4.4.0-22.40     | 17.1     | generic, lowlatency      |
| 4.4.0-22.40     | 18.1     | generic, lowlatency      |
| 4.4.0-22.40     | 21.1     | generic, lowlatency      |
| 4.4.0-24.43     | 16.1     | generic, lowlatency      |
| 4.4.0-24.43     | 17.1     | generic, lowlatency      |
| 4.4.0-24.43     | 18.1     | generic, lowlatency      |
| 4.4.0-24.43     | 21.1     | generic, lowlatency      |
| 4.4.0-28.47     | 16.1     | generic, lowlatency      |
| 4.4.0-28.47     | 17.1     | generic, lowlatency      |
| 4.4.0-28.47     | 18.1     | generic, lowlatency      |
| 4.4.0-28.47     | 21.1     | generic, lowlatency      |
| 4.4.0-31.50     | 16.1     | generic, lowlatency      |
| 4.4.0-31.50     | 17.1     | generic, lowlatency      |
| 4.4.0-31.50     | 18.1     | generic, lowlatency      |
| 4.4.0-31.50     | 21.1     | generic, lowlatency      |
| 4.4.0-34.53     | 16.1     | generic, lowlatency      |
| 4.4.0-34.53     | 17.1     | generic, lowlatency      |
| 4.4.0-34.53     | 18.1     | generic, lowlatency      |
| 4.4.0-34.53     | 21.1     | generic, lowlatency      |
| 4.4.0-36.55     | 16.1     | generic, lowlatency      |
| 4.4.0-36.55     | 17.1     | generic, lowlatency      |
| 4.4.0-36.55     | 18.1     | generic, lowlatency      |
| 4.4.0-36.55     | 21.1     | generic, lowlatency      |
| 4.4.0-38.57     | 16.1     | generic, lowlatency      |
| 4.4.0-38.57     | 17.1     | generic, lowlatency      |
| 4.4.0-38.57     | 18.1     | generic, lowlatency      |
| 4.4.0-38.57     | 21.1     | generic, lowlatency      |
| 4.4.0-42.62     | 16.1     | generic, lowlatency      |
| 4.4.0-42.62     | 17.1     | generic, lowlatency      |
| 4.4.0-42.62     | 18.1     | generic, lowlatency      |
| 4.4.0-42.62     | 21.1     | generic, lowlatency      |
| 4.4.0-43.63     | 16.1     | generic, lowlatency      |
| 4.4.0-43.63     | 17.1     | generic, lowlatency      |
| 4.4.0-43.63     | 18.1     | generic, lowlatency      |
| 4.4.0-43.63     | 21.1     | generic, lowlatency      |
| 4.4.0-45.66     | 16.1     | generic, lowlatency      |
| 4.4.0-45.66     | 17.1     | generic, lowlatency      |
| 4.4.0-45.66     | 18.1     | generic, lowlatency      |
| 4.4.0-45.66     | 21.1     | generic, lowlatency      |
| 4.4.0-47.68     | 16.1     | generic, lowlatency      |
| 4.4.0-47.68     | 17.1     | generic, lowlatency      |
| 4.4.0-47.68     | 18.1     | generic, lowlatency      |
| 4.4.0-47.68     | 21.1     | generic, lowlatency      |
| 4.4.0-51.72     | 16.1     | generic, lowlatency      |
| 4.4.0-51.72     | 17.1     | generic, lowlatency      |
| 4.4.0-51.72     | 18.1     | generic, lowlatency      |
| 4.4.0-51.72     | 21.1     | generic, lowlatency      |
| 4.4.0-53.74     | 16.1     | generic, lowlatency      |
| 4.4.0-53.74     | 17.1     | generic, lowlatency      |
| 4.4.0-53.74     | 18.1     | generic, lowlatency      |
| 4.4.0-53.74     | 21.1     | generic, lowlatency      |
| 4.4.0-57.78     | 17.1     | generic, lowlatency      |
| 4.4.0-57.78     | 18.1     | generic, lowlatency      |
| 4.4.0-57.78     | 21.1     | generic, lowlatency      |
| 4.4.0-59.80     | 17.1     | generic, lowlatency      |
| 4.4.0-59.80     | 18.1     | generic, lowlatency      |
| 4.4.0-59.80     | 21.1     | generic, lowlatency      |
| 4.4.0-62.83     | 17.1     | generic, lowlatency      |
| 4.4.0-62.83     | 18.1     | generic, lowlatency      |
| 4.4.0-62.83     | 21.1     | generic, lowlatency      |
| 4.4.0-63.84     | 18.1     | generic, lowlatency      |
| 4.4.0-63.84     | 21.1     | generic, lowlatency      |
| 4.4.0-64.85     | 21.1     | generic, lowlatency      |
| 4.4.0-66.87     | 21.1     | generic, lowlatency      |
| 4.4.0-67.88     | 21.1     | generic, lowlatency      |
| 4.4.0-70.91     | 21.1     | generic, lowlatency      |
| 4.4.0-71.92     | 21.1     | generic, lowlatency      |

Additionally, you should install an updated kernel with these fixes and
reboot at your convenience.
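The update table above is keyed on the full Ubuntu kernel version (ABI and upload number, e.g. 4.4.0-22.39), which `uname -r` does not show but `/proc/version_signature` does. The following checker is an added example, not part of the notice or of the canonical-livepatch client: it parses an excerpt of the table in the notice's own format and reports whether a host's installed livepatch version is one of those listed for its kernel and flavor. The table excerpt and the sample version-signature strings are constructed for illustration.

```python
import re

# Constructed excerpt in the format of the notice's update table (a few rows
# copied from LSN-0021-1, not the full table).
LSN_TABLE = """\
| Kernel          | Version  | flavors                  |
|-----------------+----------+--------------------------|
| 4.4.0-21.37     | 16.1     | generic, lowlatency      |
| 4.4.0-22.39     | 13.2     | generic, lowlatency      |
| 4.4.0-22.39     | 16.1     | generic, lowlatency      |
| 4.4.0-71.92     | 21.1     | generic, lowlatency      |
"""

def parse_lsn_table(text):
    """Map (kernel, flavor) -> set of livepatch versions that carry the fix."""
    fixed = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Kernel":
            continue  # header, separator or blank line
        kernel, version, flavors = cells
        for flavor in flavors.split(","):
            fixed.setdefault((kernel, flavor.strip()), set()).add(version)
    return fixed

def version_key(v):
    """Sort livepatch versions numerically: '13.2' < '16.1' < '21.1'."""
    return tuple(int(p) for p in v.split("."))

def check_host(version_signature, livepatch_version, table=LSN_TABLE):
    """Decide whether a host is covered by the notice.

    version_signature is the content of /proc/version_signature on Ubuntu,
    e.g. 'Ubuntu 4.4.0-22.39-generic 4.4.19' (upstream suffix constructed),
    which unlike uname -r carries the ABI.upload number the table is keyed on.
    Returns (patched, fixed_versions); an empty list means this kernel is not
    listed in the notice at all, so the livepatch version proves nothing.
    """
    m = re.match(r"Ubuntu (\d+\.\d+\.\d+-\d+\.\d+)-([a-z]+)\b", version_signature)
    if not m:
        raise ValueError("unrecognised version_signature: %r" % version_signature)
    kernel, flavor = m.groups()
    fixed = parse_lsn_table(table).get((kernel, flavor), set())
    return livepatch_version in fixed, sorted(fixed, key=version_key)

if __name__ == "__main__":
    with open("/proc/version_signature") as f:
        sig = f.read().strip()
    patched, fixed = check_host(sig, input("installed livepatch version: ").strip())
    if patched:
        print("livepatch for LSN-0021-1 is applied")
    else:
        print("update to one of: %s" % (", ".join(fixed) or "n/a, kernel not in notice"))
```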

References:
  CVE-2016-5195, CVE-2016-7910, CVE-2016-7911, CVE-2016-7912,
  CVE-2016-7916, CVE-2016-8399, CVE-2016-8630, CVE-2016-8633,
  CVE-2016-9191, CVE-2016-9555, CVE-2016-9756, CVE-2017-2583,
  CVE-2017-6074, CVE-2017-7308