[LSN-0041-1] Linux kernel vulnerability

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[LSN-0041-1] Linux kernel vulnerability

benjamin.romer
==========================================================================
Kernel Live Patch Security Notice 0041-1
August 06, 2018

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu:

| Series           | Base kernel  | Arch     | flavors          |
|------------------+--------------+----------+------------------|
| Ubuntu 14.04 LTS | 4.4.0        | amd64    | generic          |
| Ubuntu 14.04 LTS | 4.4.0        | amd64    | lowlatency       |
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | generic          |
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | lowlatency       |
| Ubuntu 18.04 LTS | 4.15.0       | amd64    | generic          |
| Ubuntu 18.04 LTS | 4.15.0       | amd64    | lowlatency       |

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel
through 4.16.12 allows local users to cause a denial of service
(stack-based buffer overflow) or possibly have unspecified other impact
because sense buffers have different sizes at the CDROM layer and the SCSI
layer, as demonstrated by a CDROMREADMODE2 ioctl call. (CVE-2018-11506)

Wen Xu discovered that the ext4 file system implementation in the Linux
kernel did not properly initialize the crc32c checksum driver. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2018-1094)

The inode_init_owner function in fs/inode.c in the Linux kernel through
4.17.4 allows local users to create files with an unintended group ownership,
in a scenario where a directory is SGID to a certain group and is writable
by a user who is not a member of that group. Here, the non-member can trigger
creation of a plain file whose group ownership is that group. The intended
behavior was that the non-member can trigger creation of a directory
(but not a plain file) whose group ownership is that group. The non-member
can escalate privileges by making the plain file executable and SGID.
(CVE-2018-13405)

An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel
through 4.17.3. An OOPS may occur for a corrupted xfs image after
xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)

Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel
performed algorithmically expensive operations in some situations when
handling incoming packets. A remote attacker could use this to cause a
denial of service. (CVE-2018-5390)

Update instructions:

The problem can be corrected by updating your livepatches to the following
versions:

| Kernel                   | Version  | flavors                  |
|--------------------------+----------+--------------------------|
| 4.4.0-124.148            | 41.2     | lowlatency, generic      |
| 4.4.0-124.148~14.04.1    | 41.2     | generic, lowlatency      |
| 4.4.0-127.153            | 41.2     | lowlatency, generic      |
| 4.4.0-127.153~14.04.1    | 41.2     | lowlatency, generic      |
| 4.4.0-128.154            | 41.2     | generic, lowlatency      |
| 4.4.0-128.154~14.04.1    | 41.2     | generic, lowlatency      |
| 4.4.0-130.156            | 41.2     | generic, lowlatency      |
| 4.4.0-130.156~14.04.1    | 41.2     | lowlatency, generic      |
| 4.4.0-131.157            | 41.2     | lowlatency, generic      |
| 4.4.0-131.157~14.04.1    | 41.2     | lowlatency, generic      |
| 4.15.0-20.21             | 41.2     | generic, lowlatency      |
| 4.15.0-22.24             | 41.2     | lowlatency, generic      |
| 4.15.0-23.25             | 41.2     | lowlatency, generic      |
| 4.15.0-24.26             | 41.2     | lowlatency, generic      |
| 4.15.0-29.31             | 41.2     | generic, lowlatency      |

References:
  CVE-2018-11506, CVE-2018-1094, CVE-2018-13405, CVE-2018-13094,
  CVE-2018-5390

--
ubuntu-security-announce mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce