[arch-security] [ASA-201702-17] linux: multiple issues
anthraxx at archlinux.org
Wed Feb 22 19:37:09 UTC 2017
Arch Linux Security Advisory ASA-201702-17
Date : 2017-02-22
CVE-ID : CVE-2016-10088 CVE-2016-9588 CVE-2017-5986 CVE-2017-6074
Package : linux
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-178
The package linux before version 4.9.11-1 is vulnerable to multiple
issues including privilege escalation and denial of service.
Upgrade to 4.9.11-1.
# pacman -Syu "linux>=4.9.11-1"
The problems have been fixed upstream in version 4.9.11.
- CVE-2016-10088 (privilege escalation)
The sg implementation in the Linux kernel through 4.9 does not properly
restrict write operations in situations where the KERNEL_DS option is
set, which allows local users to read or write to arbitrary kernel
memory locations or cause a denial of service (use-after-free) by
leveraging access to a /dev/sg device, related to block/bsg.c and
drivers/scsi/sg.c. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2016-9576.
- CVE-2016-9588 (denial of service)
Linux kernel built with the KVM visualization support (CONFIG_KVM),
with nested visualization(nVMX) feature enabled(nested=1), is
vulnerable to an uncaught exception issue. It could occur if an L2
guest was to throw an exception which is not handled by an L1 guest.
- CVE-2017-5986 (denial of service)
It was reported that with Linux kernel, earlier than version v4.10-rc8,
an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the
socket tx buffer is full, a thread is waiting on it to queue more data,
and meanwhile another thread peels off the association being used by
the first thread. This issue may then lead to a segmentation fault
resulting in denial of service.
- CVE-2017-6074 (privilege escalation)
A use-after-free vulnerability has been discovered in the DCCP
implementation in the Linux kernel. The dccp_rcv_state_process function
in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles
DCCP_PKT_REQUEST packet data structures in the LISTEN state. A local
unprivileged user could use this flaw to alter the kernel memory,
allowing them to escalate their privileges on the system via an
application that makes an IPV6_RECVPKTINFO setsockopt system call.
A local unprivileged attacker is able to perform a denial of service
attack or escalate their privileges on the system.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the arch-security