CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9605
https://notcve.org/view.php?id=CVE-2017-9605
The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. La función vmw_gb_surface_define_ioctl (accesible mediante DRM_IOCTL_VMW_GB_SURFACE_CREATE) eb drivers/gpu/drm/vmwgfx/vmwgfx_surface.c en el Kernel de Linux hasta la 4.11.4 define una variable backup_handle pero no da un valor inicial. Si uno intenta crear una superficie GB, con una colocación previa del buffer DMA va ser usado como un buffer backup, la variable backup_handle no consigue escritura, y después es devuelto al espacio de usuario, permitiendo a los usuarios locales obtener información sensible de la memoria del kernel no inicializada mediante la manipulación de la llamada ioctl. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=07678eca2cf9c9a18584e546c2b2a0d0c9a3150c http://www.debian.org/security/2017/dsa-3927 http://www.debian.org/security/2017/dsa-3945 http://www.securityfocus.com/bid/99095 https://github.com/torvalds/linux/commit/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2016-9604 – kernel: security: The built-in keyrings for security tokens can be joined as a session and then modified by the root user
https://notcve.org/view.php?id=CVE-2016-9604
It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. This allows root to bypass module signature verification by adding a new public key of its own devising to the keyring. Se ha descubierto en el kernel de Linux en versiones anteriores a la 4.11-rc8 que root puede obtener acceso directo a un keyring interno, como ".dns_resolver" en RHEL-7 o el upstream ".builtin_trusted_keys" uniéndose a él como su keyring de sesión. Esto permite que root omita la verificación de firmas del módulo añadiendo una nueva clave pública de su propia elaboración al keyring. It was discovered that root can gain direct access to an internal keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its session keyring. • http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9604.html http://www.securityfocus.com/bid/102135 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2669 https://bugzilla.novell.com/show_bug.cgi?id=1035576 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9604 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee8f844e3c5a73b999edf733df1c529d6503ec2 • CWE-347: Improper Verification of Cryptographic Signature CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9242 – kernel: Incorrect overwrite check in __ip6_append_data()
https://notcve.org/view.php?id=CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. La función __ip6_append_data en el archivo net/ipv6/ip6_output.c en el kernel de Linux hasta versión 4.11.3, es demasiado tardía para comprobar si se puede sobrescribir una estructura de datos skb, lo que permite a los usuarios locales causar una denegación de servicio (bloqueo del sistema) por medio de unas llamadas de sistema diseñadas. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=232cd35d0804cc241eb887bb8d4d9b3b9881c64a http://www.debian.org/security/2017/dsa-3886 http://www.securityfocus.com/bid/98731 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://github.com/torvalds/linux/commit/232cd35d0804cc241eb887bb8d4d9b3b9881c64a https://patchwork.ozlabs.org/patch/764880 https://access.redhat.com/security/cve/CVE-2017-9242 https://bugzilla.redhat.com/ • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9211
https://notcve.org/view.php?id=CVE-2017-9211
The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application. La función crypto_skcipher_init_tfm en el archivo crypto/skcipher.c en el kernel de Linux hasta versión 4.11.2, se basa en una función setkey que carece de una comprobación de tamaño de clave, que permite a los usuarios locales causar una denegación de servicio (desreferencia de puntero NULL) por medio de una aplicación especialmente diseñada. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9933e113c2e87a9f46a40fde8dafbf801dca1ab9 https://github.com/torvalds/linux/commit/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 https://patchwork.kernel.org/patch/9718933 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9150 – Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer
https://notcve.org/view.php?id=CVE-2017-9150
The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls. La función do_check en el archivo kernel/bpf/verifier.c en el kernel de Linux anterior a versión 4.11.1, no hace que el valor de allow_ptr_leaks esté disponible para restringir la salida de la función print_bpf_insn, que permite a los usuarios locales obtener información de una dirección confidencial por medio de llamadas del sistema bpf especialmente diseñadas. • https://www.exploit-db.com/exploits/42048 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0e57697f162da4aa218b5feafe614fb666db07 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.1 http://www.securityfocus.com/bid/98635 https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 https://github.com/torvalds/linux/commit/0d0e57697f162da4aa218b5feafe614fb666db07 https://source.android.com/security/bulletin/2017-09-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •