CVE-2016-10044
https://notcve.org/view.php?id=CVE-2016-10044
The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call. La función aio_mount en fs/aio.c en el kernel de Linux en versiones anteriores a 4.7.7 no restringe adecuadamente el acceso de ejecución, lo que facilita a usuarios locales eludir restricciones de política destinadas SELinux W^X, y consecuentemente obtener privilegios, a través de una llamada de sistema io_setup. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a http://source.android.com/security/bulletin/2017-02-01.html http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7 http://www.securityfocus.com/bid/96122 http://www.securitytracker.com/id/1037798 https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2017-5551 – kernel: S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)
https://notcve.org/view.php?id=CVE-2017-5551
The simple_set_acl function in fs/posix_acl.c in the Linux kernel before 4.9.6 preserves the setgid bit during a setxattr call involving a tmpfs filesystem, which allows local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-7097. La función simple_set_acl en fs/posix_acl.c en el kernel de Linux en versiones anteriores a 4.9.6 preserva el bit setgid durante una llamada setxattr que implica un sistema de archivos tmpfs, lo que permite a usuarios locales obtener privilegios de grupo aprovechando la existencia de un programa setgid con restricciones sobre los permisos de ejecución. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-7097. A vulnerability was found in the Linux kernel in 'tmpfs' file system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31 http://www.debian.org/security/2017/dsa-3791 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.6 http://www.openwall.com/lists/oss-security/2017/01/21/3 http://www.securityfocus.com/bid/95717 http://www.securitytracker.com/id/1038053 https://bugzilla.redhat.com/show_bug.cgi?id=1416126 https://github.com/torvalds/linux/commit/497de07d89c1410d76a15bec2bb41f24a2a89f31 • CWE-287: Improper Authentication •
CVE-2017-2596 – Kernel: kvm: page reference leakage in handle_vmon
https://notcve.org/view.php?id=CVE-2017-2596
The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS memory consumption) by leveraging the mishandling of page references. La función nested_vmx_check_vmptr en arch/x86/kvm/vmx.c en el kernel de Linux hasta la versión 4.9.8 emula indebidamente la instrucción VMXON, lo que permite a usuarios del SO invitado KVM L1 provocar una denegación de servicio (consumo de memoria del SO anfitrión) aprovechando el manejo incorrecto de referencia de páginas. Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization(nVMX) feature enabled(nested=1), is vulnerable to host memory leakage issue. It could occur while emulating VMXON instruction in 'handle_vmon'. An L1 guest user could use this flaw to leak host memory potentially resulting in DoS. • http://www.debian.org/security/2017/dsa-3791 http://www.openwall.com/lists/oss-security/2017/01/31/4 http://www.securityfocus.com/bid/95878 https://access.redhat.com/errata/RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:2077 https://bugzilla.redhat.com/show_bug.cgi?id=1417812 https://access.redhat.com/security/cve/CVE-2017-2596 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2017-2583 – Kernel: Kvm: vmx/svm potential privilege escalation inside guest
https://notcve.org/view.php?id=CVE-2017-2583
The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application. La implementación de load_segment_descriptor en arc/x86/kvm/emulate.c en el kernel de Linux en versiones anteriores a 4.9.5 emula indebidamente una instrucción "MOV SS, NULL selector", lo que permite a usuarios del SO invitado provocar una denegación de servicio (caída del SO invitado) u obteniendo privilegios de SO invitado a través de una aplicación manipulada. Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=33ab91103b3415e12457e3104f0e4517ce12d0f3 http://www.debian.org/security/2017/dsa-3791 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.5 http://www.openwall.com/lists/oss-security/2017/01/19/2 http://www.securityfocus.com/bid/95673 https://access.redhat.com/errata/RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1616 https://bugzilla.redhat.com/show_bug.cgi?id=1414735 https:/ • CWE-250: Execution with Unnecessary Privileges •
CVE-2017-5577
https://notcve.org/view.php?id=CVE-2017-5577
The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM driver in the Linux kernel before 4.9.7 does not set an errno value upon certain overflow detections, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) via inconsistent size values in a VC4_SUBMIT_CL ioctl call. La función vc4_get_bcl en drivers/gpc/drm/vc4/vc4_gem.c en el controlador VideoCore DRM en el kernel de Linux en versiones anteriores a 4.9.7 no establece un valor errno sobre ciertas detecciones de desbordamiento, lo que permite a usuarios locales provocar una denegación de servicio (referencia incorrecta al puntero y OOPS) a través de valores de tamaño inconsistentes en una llamada ioctl VC4_SUBMIT_CL. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b8ac63847bc2f958dd93c09edc941a0118992d9 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7 http://www.openwall.com/lists/oss-security/2017/01/21/7 http://www.securityfocus.com/bid/95765 https://bugzilla.redhat.com/show_bug.cgi?id=1416437 https://github.com/torvalds/linux/commit/6b8ac63847bc2f958dd93c09edc941a0118992d9 https://lkml.org/lkml/2017/1/17/759 • CWE-388: 7PK - Errors •