CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000380 – kernel: information leak due to a data race in ALSA timer
https://notcve.org/view.php?id=CVE-2017-1000380
sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. El archivo sound/core/timer.c en el kernel de Linux anterior a versión 4.11.5, es vulnerable a una carrera de datos en el controlador de /dev/snd/timer de ALSA, resultando en que los usuarios locales sean capaces de leer la información que pertenece a otros usuarios, es decir, los contenidos de la memoria sin inicializar pueden ser divulgados cuando una lectura y un ioctl se presentan al mismo tiempo. It was found that the timer functionality in the Linux kernel ALSA subsystem is prone to a race condition between read and ioctl system call handlers, resulting in an uninitialized memory disclosure to user space. A local user could use this flaw to read information belonging to other users. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ba3021b2c79b2fa9114f92790a99deb27a65b728 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d11662f4f798b50d8c8743f433842c3e40fe3378 http://www.debian.org/security/2017/dsa-3981 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.5 http://www.openwall.com/lists/oss-security/2017/06/12/2 http://www.securityfocus.com/bid/99121 https://access.redhat.com/errata/RHSA-2017:3295 https:&#x • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9605
https://notcve.org/view.php?id=CVE-2017-9605
The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. La función vmw_gb_surface_define_ioctl (accesible mediante DRM_IOCTL_VMW_GB_SURFACE_CREATE) eb drivers/gpu/drm/vmwgfx/vmwgfx_surface.c en el Kernel de Linux hasta la 4.11.4 define una variable backup_handle pero no da un valor inicial. Si uno intenta crear una superficie GB, con una colocación previa del buffer DMA va ser usado como un buffer backup, la variable backup_handle no consigue escritura, y después es devuelto al espacio de usuario, permitiendo a los usuarios locales obtener información sensible de la memoria del kernel no inicializada mediante la manipulación de la llamada ioctl. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=07678eca2cf9c9a18584e546c2b2a0d0c9a3150c http://www.debian.org/security/2017/dsa-3927 http://www.debian.org/security/2017/dsa-3945 http://www.securityfocus.com/bid/99095 https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2016-9604 – kernel: security: The built-in keyrings for security tokens can be joined as a session and then modified by the root user
https://notcve.org/view.php?id=CVE-2016-9604
It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring. Se ha descubierto en el kernel de Linux en versiones anteriores a la 4.11-rc8 que root puede obtener acceso directo a un keyring interno, como ".dns_resolver" en RHEL-7 o el upstream ".builtin_trusted_keys" uniéndose a él como su keyring de sesión. Esto permite que root omita la verificación de firmas del módulo añadiendo una nueva clave pública de su propia elaboración al keyring. It was discovered that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. • http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9604.html http://www.securityfocus.com/bid/102135 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2669 https://bugzilla.novell.com/show_bug.cgi?id=1035576 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9604 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee8f844e3c5a73b999edf733df1c529d6503ec2 • CWE-347: Improper Verification of Cryptographic Signature CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9242 – kernel: Incorrect overwrite check in __ip6_append_data()
https://notcve.org/view.php?id=CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. La función __ip6_append_data en el archivo net/ipv6/ip6_output.c en el kernel de Linux hasta versión 4.11.3, es demasiado tardía para comprobar si se puede sobrescribir una estructura de datos skb, lo que permite a los usuarios locales causar una denegación de servicio (bloqueo del sistema) por medio de unas llamadas de sistema diseñadas. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=232cd35d0804cc241eb887bb8d4d9b3b9881c64a http://www.debian.org/security/2017/dsa-3886 http://www.securityfocus.com/bid/98731 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://github.com/torvalds/linux/commit/232cd35d0804cc241eb887bb8d4d9b3b9881c64a https://patchwork.ozlabs.org/patch/764880 https://access.redhat.com/security/cve/CVE-2017-9242 https://bugzilla.redhat.com/ • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9211
https://notcve.org/view.php?id=CVE-2017-9211
The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application. La función crypto_skcipher_init_tfm en el archivo crypto/skcipher.c en el kernel de Linux hasta versión 4.11.2, se basa en una función setkey que carece de una comprobación de tamaño de clave, que permite a los usuarios locales causar una denegación de servicio (desreferencia de puntero NULL) por medio de una aplicación especialmente diseñada. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9933e113c2e87a9f46a40fde8dafbf801dca1ab9 https://github.com/torvalds/linux/commit/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 https://patchwork.kernel.org/patch/9718933 • CWE-476: NULL Pointer Dereference •