Revision 5660
Fri May 26 06:40:48 2017 UTC (6 years, 10 months ago) by neoclust
File size: 5625 byte(s)
MGASA-2017-0147: kernel-tmb-4.4.68-1.mga5
type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE-2016-6213
 - CVE-2016-7913
 - CVE-2016-7917
 - CVE-2016-8632
 - CVE-2016-9083
 - CVE-2016-9084
 - CVE-2016-9120
 - CVE-2016-9604
 - CVE-2017-2671
 - CVE-2017-6001
 - CVE-2017-6951
 - CVE-2017-7308
 - CVE-2017-7472
 - CVE-2017-7645
 - CVE-2017-7895
src:
  5:
   core:
     - kernel-tmb-4.4.68-1.mga5
description: |
  This kernel-tmb update is based on upstream 4.4.68 and fixes at least
  the following security issues:

  fs/namespace.c in the Linux kernel before 4.9 does not restrict how many
  mounts may exist in a mount namespace, which allows local users to cause
  a denial of service (memory consumption and deadlock) via MS_BIND mount
  system calls, as demonstrated by a loop that triggers exponential growth
  in the number of mounts (CVE-2016-6213).

  The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in
  the Linux kernel before 4.6 allows local users to gain privileges or cause
  a denial of service (use-after-free) via vectors involving omission of the
  firmware name from a certain data structure (CVE-2016-7913).

  The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux
  kernel before 4.5 does not check whether a batch message's length field is
  large enough, which allows local users to obtain sensitive information from
  kernel memory or cause a denial of service (infinite loop or out-of-bounds
  read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917).

  The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through
  4.8.11 does not validate the relationship between the minimum fragment
  length and the maximum packet size, which allows local users to gain
  privileges or cause a denial of service (heap-based buffer overflow) by
  leveraging the CAP_NET_ADMIN capability (CVE-2016-8632).

  drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local
  users to bypass integer overflow checks, and cause a denial of service
  (memory corruption) or have unspecified other impact, by leveraging access
  to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a
  "state machine confusion bug" (CVE-2016-9083).

  drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11
  misuses the kzalloc function, which allows local users to cause a denial
  of service (integer overflow) or have unspecified other impact by
  leveraging access to a vfio PCI device file (CVE-2016-9084).

  It was discovered that root can gain direct access to an internal keyring,
  such as '.builtin_trusted_keys' upstream, by joining it as its session
  keyring. This allows root to bypass module signature verification by adding
  a new public key of its own devising to the keyring (CVE-2016-9604).

  The ping_unhash function in net/ipv4/ping.c in the Linux kernel through
  4.10.8 is too late in obtaining a certain lock and consequently cannot
  ensure that disconnect function calls are safe, which allows local users
  to cause a denial of service (panic) by leveraging access to the protocol
  value of IPPROTO_ICMP in a socket system call (CVE-2017-2671).

  Race condition in kernel/events/core.c in the Linux kernel before 4.9.7
  allows local users to gain privileges via a crafted application that makes
  concurrent perf_event_open system calls for moving a software group into a
  hardware context. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2016-6786 (CVE-2017-6001).

  The keyring_search_aux function in security/keys/keyring.c in the Linux
  kernel through 3.14.79 allows local users to cause a denial of service
  (NULL pointer dereference and OOPS) via a request_key system call for the
  "dead" type (CVE-2017-6951).

  The packet_set_ring function in net/packet/af_packet.c in the Linux kernel
  through 4.10.6 does not properly validate certain block-size data, which
  allows local users to cause a denial of service (overflow) or possibly have
  unspecified other impact via crafted system calls (CVE-2017-7308).

  A vulnerability was found in the Linux kernel. It was found that the
  keyctl_set_reqkey_keyring() function leaks the thread keyring, which allows
  an unprivileged local user to exhaust kernel memory (CVE-2017-7472).

  The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
  4.10.11 allows remote attackers to cause a denial of service (system crash)
  via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
  fs/nfsd/nfsxdr.c (CVE-2017-7645).

  The NFSv2 and NFSv3 server implementations in the Linux kernel through
  4.10.13 lack certain checks for the end of a buffer, which allows remote
  attackers to trigger pointer-arithmetic errors or possibly have unspecified
  other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and
  fs/nfsd/nfsxdr.c (CVE-2017-7895).

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20859
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.60
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.61
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.62
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.63
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.64
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.65
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.66
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.67
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.68
ID: MGASA-2017-0147