Arch Linux Security Advisory ASA-201702-18
==========================================

Severity: High
Date    : 2017-02-22
CVE-ID  : CVE-2016-10088 CVE-2016-9588 CVE-2017-5986 CVE-2017-6074
Package : linux-zen
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-186

Summary
=======

The package linux-zen before version 4.9.11-2 is vulnerable to multiple
issues including privilege escalation and denial of service.

Resolution
==========

Upgrade to 4.9.11-2.

# pacman -Syu "linux-zen>=4.9.11-2"

The problems have been fixed upstream in version 4.9.11.

Workaround
==========

None.

Description
===========

- CVE-2016-10088 (privilege escalation)

The sg implementation in the Linux kernel through 4.9 does not properly
restrict write operations in situations where the KERNEL_DS option is set,
which allows local users to read or write to arbitrary kernel memory
locations or cause a denial of service (use-after-free) by leveraging access
to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2016-9576.

- CVE-2016-9588 (denial of service)

A Linux kernel built with KVM virtualization support (CONFIG_KVM), with the
nested virtualization (nVMX) feature enabled (nested=1), is vulnerable to an
uncaught exception issue. It could occur if an L2 guest were to throw an
exception which is not handled by an L1 guest.

- CVE-2017-5986 (denial of service)

It was reported that with Linux kernel versions earlier than v4.10-rc8, an
application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx
buffer is full, a thread is waiting on it to queue more data, and meanwhile
another thread peels off the association being used by the first thread.
This issue may then lead to a segmentation fault resulting in denial of
service.

- CVE-2017-6074 (privilege escalation)

A use-after-free vulnerability has been discovered in the DCCP implementation
in the Linux kernel. The dccp_rcv_state_process function in net/dccp/input.c
in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data
structures in the LISTEN state. A local unprivileged user could use this flaw
to alter the kernel memory, allowing them to escalate their privileges on the
system via an application that makes an IPV6_RECVPKTINFO setsockopt system
call.

Impact
======

A local unprivileged attacker is able to perform a denial of service attack
or escalate their privileges on the system.

References
==========

https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90
http://seclists.org/oss-sec/2017/q1/432
https://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
https://patchwork.ozlabs.org/patch/728808/
https://security.archlinux.org/CVE-2016-10088
https://security.archlinux.org/CVE-2016-9588
https://security.archlinux.org/CVE-2017-5986
https://security.archlinux.org/CVE-2017-6074
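The Resolution section names 4.9.11-2 as the fixed package, and a host is only protected once that kernel is actually running, not merely installed. The following check is an added example, not part of the advisory: it compares an installed linux-zen version (pkgver-pkgrel, as printed by `pacman -Q linux-zen`) and the running kernel release against the fixed version; it assumes GNU `sort -V` is available and that the zen kernel's `uname -r` has the form `pkgver-pkgrel-zen`.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host against the
# fixed linux-zen version from ASA-201702-18.
FIXED_VERSION="4.9.11-2"

# pkg_lt A B: succeed when Arch package version A (pkgver-pkgrel) is older
# than B. pkgver is compared with GNU sort -V, pkgrel numerically.
pkg_lt() {
    a_ver=${1%-*}; a_rel=${1##*-}
    b_ver=${2%-*}; b_rel=${2##*-}
    if [ "$a_ver" != "$b_ver" ]; then
        # the first line of sort -V output is the smaller version string
        first=$(printf '%s\n%s\n' "$a_ver" "$b_ver" | sort -V | head -n 1)
        [ "$first" = "$a_ver" ]
    else
        [ "$a_rel" -lt "$b_rel" ]
    fi
}

# status INSTALLED RUNNING: INSTALLED is the package version ("4.9.11-1"),
# RUNNING is the kernel release ("4.9.11-1-zen", assumed format).
# Prints one of: vulnerable | reboot-required | patched
status() {
    installed=$1
    running=${2%-zen}            # drop the "-zen" suffix -> pkgver-pkgrel
    if pkg_lt "$installed" "$FIXED_VERSION"; then
        echo vulnerable          # package itself predates the fix
    elif pkg_lt "$running" "$FIXED_VERSION"; then
        echo reboot-required     # fixed package installed, old kernel running
    else
        echo patched
    fi
}

# Constructed sample inputs (not live output). On a real host use:
#   status "$(pacman -Q linux-zen | cut -d' ' -f2)" "$(uname -r)"
status 4.9.11-1 4.9.11-1-zen     # vulnerable
status 4.9.11-2 4.9.11-1-zen     # reboot-required
status 4.9.11-2 4.9.11-2-zen     # patched
```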