Errata overview
Errata ID: 435
Date: 2017-06-28
Source package: univention-kernel-image
Fixed in version: 9.0.0-17.126.201706091804
Description
This update addresses the following issues:
* The keyring_search_aux function in security/keys/keyring.c in the Linux
  kernel through 3.14.79 allows local users to cause a denial of service
  (NULL pointer dereference and OOPS) via a request_key system call for the
  "dead" type (CVE-2017-6951)
* The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through
  4.10.4 allows local users to cause a denial of service (stack-based buffer
  overflow) or possibly have unspecified other impact via a large command
  size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write
  access in the sg_write function (CVE-2017-7187)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5
  does not check for a zero value of certain levels data, which allows local
  users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and
  possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device
  (CVE-2017-7261)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6
  does not validate addition of certain levels data, which allows local users
  to trigger an integer overflow and out-of-bounds write, and cause a denial
  of service (system hang or crash) or possibly gain privileges, via a
  crafted ioctl call for a /dev/dri/renderD* device (CVE-2017-7294)
* The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to
  cause a denial of service (memory consumption) via a series of
  KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls
  (CVE-2017-7472)
* crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause
  a denial of service (API operation calling its own callback, and infinite
  recursion) by triggering EBUSY on a full queue (CVE-2017-7618)
* The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through
  4.10.11 allows remote attackers to cause a denial of service (system crash)
  via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and
  fs/nfsd/nfsxdr.c (CVE-2017-7645)
* udp.c in the Linux kernel before 4.5 allows remote attackers to execute
  arbitrary code via UDP traffic that triggers an unsafe second checksum
  calculation during execution of a recv system call with the MSG_PEEK flag
  (CVE-2016-10229)
* The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux
  kernel before 4.5.1 allows physically proximate attackers to cause a denial
  of service (NULL pointer dereference and system crash) via a crafted
  endpoints value in a USB device descriptor (CVE-2016-2188)
* An information disclosure vulnerability in kernel components including the
  ION subsystem, Binder, USB driver and networking subsystem could enable a
  local malicious application to access data outside of its permission
  levels. This issue is rated as Moderate because it first requires
  compromising a privileged process (CVE-2016-8405)
* The cgroup offline implementation in the Linux kernel through 4.8.11
  mishandles certain drain operations, which allows local users to cause a
  denial of service (system hang) by leveraging access to a container
  environment for executing a crafted application, as demonstrated by trinity
  (CVE-2016-9191)
* The built-in keyrings for security tokens can be joined as a session and
  then modified by the root user (CVE-2016-9604)
* The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in
  the Linux kernel before 4.9.5 places uninitialized heap-memory contents
  into a log entry upon a failure to read the line status, which allows local
  users to obtain sensitive information by reading the log (CVE-2017-5549)
* The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does
  not restrict the address calculated by a certain rounding operation, which
  allows local users to map page zero, and consequently bypass a protection
  mechanism that exists for the mmap system call, by making crafted shmget
  and shmat system calls in a privileged context (CVE-2017-5669)
* The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux
  kernel 4.x before 4.9.4 allows physically proximate attackers to cause a
  denial of service (integer underflow) or possibly have unspecified other
  impact via a crafted HID report (CVE-2017-7273)
* The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the
  Linux kernel before 4.10.4 allows local users to obtain sensitive
  information (in the dmesg ringbuffer and syslog) from uninitialized kernel
  memory by using a crafted USB device (posing as an io_ti USB serial device)
  to trigger an integer underflow (CVE-2017-8924)
* The omninet_open function in drivers/usb/serial/omninet.c in the Linux
  kernel before 4.10.4 allows local users to cause a denial of service (tty
  exhaustion) by leveraging reference count mishandling (CVE-2017-8925)
Additional notes: This is the third part of the update.
CVE ID: CVE-2017-6951
CVE-2017-7187
CVE-2017-7261
CVE-2017-7294
CVE-2017-7472
CVE-2017-7618
CVE-2017-7645
CVE-2016-10229
CVE-2016-2188
CVE-2016-8405
CVE-2016-9191
CVE-2016-9604
CVE-2017-5549
CVE-2017-5669
CVE-2017-7273
CVE-2017-8924
CVE-2017-8925
UCS Bug number: #44706