CVE-2015-8970 – kernel: crypto: GPF in lrw_crypt caused by null-deref
https://notcve.org/view.php?id=CVE-2015-8970
crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c. crypto/algif_skcipher.c en el kernel Linux en versiones anteriores a 4.4.2 no verifica que una operación setkey haya sido llevada a cabo en un enchufe AF_ALG antes de que una llamada de sistema aceptada sea procesada, lo que permite a usuarios locales provocar una denegación de servicio (referencia a puntero NULO y caída de sistema) a través de una aplicación manipulada que no aporta una llave, relacionado con la función lrw_crypt en crypto/lrw.c. The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dd504589577d8e8e70f51f997ad487a4cb6c026f http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.2 http://www.openwall.com/lists/oss-security/2016/11/04/3 http://www.securityfocus.com/bid/94217 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2437 https://access.redhat.com/errata/RHSA-2017:2444 https:// • CWE-476: NULL Pointer Dereference •
CVE-2016-9555 – kernel: Slab out-of-bounds access in sctp_sf_ootb()
https://notcve.org/view.php?id=CVE-2016-9555
The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. La función sctp_sf_ootb en net/sctp/sm_statefuns.c en el kernel Linux en versiones anteriores a 4.8.8 carece de comprobación de longitud de fragmento para el primer fragmento, lo que permite a atacantes remotos provocar una denegación de servicio (acceso slab fuera de límites) o tener otro posible impacto no especificado a través de datos SCTP manipulados. A flaw was found in the Linux kernel's implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00054.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00055.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00056.html http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00067.html http://lists.opensuse.org • CWE-125: Out-of-bounds Read •
CVE-2016-8645 – kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c
https://notcve.org/view.php?id=CVE-2016-8645
The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to cause a denial of service (system crash) via a crafted application that makes sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. La pila TCP en el kernel Linux en versiones anteriores a 4.8.10 maneja incorrectamente el truncamiento skb, lo que permite a usuarios locales provocar una denegación de servicio (caída de sistema) a través de una aplicación manipulada que hace llamadas de sistema sendto, relacionado con net/ipv4/tcp_ipv4.c y net/ipv6/tcp_ipv6.c. It was discovered that the Linux kernel since 3.6-rc1 with 'net.ipv4.tcp_fastopen' set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ac6e780070e30e4c35bd395acfe9191e6268bdd3 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.10 http://www.openwall.com/lists/oss-security/2016/11/11/3 http://www.openwall.com/lists/oss-security/2016/11/30/3 http://www.securityfocus.com/bid/94264 http://www.securitytracker.com/id/1037285 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https: • CWE-284: Improper Access Control CWE-617: Reachable Assertion •
CVE-2015-8962
https://notcve.org/view.php?id=CVE-2015-8962
Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call. Vulnerabilidad de liberación doble en la función sg_common_write en drivers/scsi/sg.c en el kernel de Linux en versiones anteriores a 4.4 permite a usuarios locales obtener privilegios o provocar una denegación de servicio (corrupción de memoria y bloqueo del sistema) desvinculando un dispositivo durante una llamada ioctl SG_IO. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3951a3709ff50990bf3e188c27d346792103432 http://www.securityfocus.com/bid/94187 https://github.com/torvalds/linux/commit/f3951a3709ff50990bf3e188c27d346792103432 https://source.android.com/security/bulletin/2016-11-01.html • CWE-415: Double Free •
CVE-2016-7917
https://notcve.org/view.php?id=CVE-2016-7917
The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does not check whether a batch message's length field is large enough, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability. La función nfnetlink_rcv_batch en net / netfilter / nfnetlink.c en el kernel de Linux en versiones anteriores a 4.5 no comprueba si el campo de longitud de un mensaje por lotes es lo suficientemente grande, lo que permite a los usuarios locales obtener información sensible de la memoria del kernel o provocar una denegación de servicio (bucle infinito o lectura fuera de rango) aprovechando la capacidad de CAP_NET_ADMIN. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c58d6c93680f28ac58984af61d0a7ebf4319c241 http://source.android.com/security/bulletin/2016-11-01.html http://www.securityfocus.com/bid/94147 https://github.com/torvalds/linux/commit/c58d6c93680f28ac58984af61d0a7ebf4319c241 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •