From 2ce7defda23055d71fdb373de61dcd18296c2d2e Mon Sep 17 00:00:00 2001
From: Ben Hutchings <benh@debian.org>
Date: Sat, 23 Dec 2017 04:35:51 +0000
Subject: Fill in descriptions of all issues, and some mitigations

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5818 e094ebfe-e918-0410-adfb-c712417f3574
---
 dsa-texts/4.9.65-3+deb9u1 | 96 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)

(limited to 'dsa-texts')

diff --git a/dsa-texts/4.9.65-3+deb9u1 b/dsa-texts/4.9.65-3+deb9u1
index 8bd3be704..7228db7d4 100644
--- a/dsa-texts/4.9.65-3+deb9u1
+++ b/dsa-texts/4.9.65-3+deb9u1
@@ -21,28 +21,111 @@ CVE-2017-8824
 
 CVE-2017-16538
 
+    Andrey Konovalov reported that the dvb-usb-lmedm04 media driver
+    did not correctly handle some error conditions during
+    initialisation.  A physically present user with a specially
+    designed USB device can use this to cause a denial of service
+    (crash).
+
 CVE-2017-16644
 
+    Andrey Konovalov reported that the hdpvr media driver did not
+    correctly handle some error conditions during initialisation.  A
+    physically present user with a specially designed USB device can
+    use this to cause a denial of service (crash).
+
 CVE-2017-16995
 
+    Jann Horn discovered that the Extended BPF verifier did not
+    correctly model the behaviour of 32-bit load instructions.  A
+    local user can use this for privilege escalation.
+
+CVE-2017-XXXXX
+
+    Alexei Starovoitov discovered that the Extended BPF verifier
+    ignored unreachable code, even though it would still be processed
+    by JIT compilers.  This could possibly be used by local users for
+    denial of service.  It also increases the severity of bugs in
+    determining unreachable code.
+
+CVE-2017-XXXXX
+
+    Jann Horn discovered that the Extended BPF verifier did not
+    correctly model pointer arithmetic on the stack frame pointer.
+    A local user can use this for privilege escalation.
+
+CVE-2017-XXXXX
+
+    Jann Horn discovered that the Extended BPF verifier could fail to
+    detect pointer leaks from conditional code.  A local user could
+    use this to obtain sensitive information in order to exploit
+    other vulnerabilities.
+
 CVE-2017-17448
 
+    Kevin Cernekee discovered that the netfilter subsystem allowed
+    users with the CAP_NET_ADMIN capability in any user namespace, not
+    just the root namespace, to enable and disable connection tracking
+    helpers.  This could lead to denial of service, violation of
+    network security policy, or have other impact.
+
 CVE-2017-17449
 
+    Kevin Cernekee discovered that the netlink subsystem allowed
+    users with the CAP_NET_ADMIN capability in any user namespace
+    to monitor netlink traffic in all net namespaces, not just
+    those owned by that user namespace.  This could lead to
+    exposure of sensitive information.
+
 CVE-2017-17450
 
+    Kevin Cernekee discovered that the xt_osf module allowed users
+    with the CAP_NET_ADMIN capability in any user namespace to modify
+    the global OS fingerprint list.
+
 CVE-2017-17558
 
+    Andrey Konovalov reported that that USB core did not correctly
+    handle some error conditions during initialisation.  A physically
+    present user with a specially designed USB device can use this to
+    cause a denial of service (crash or memory corruption), or
+    possibly for privilege escalation.
+
 CVE-2017-17712
 
+    Mohamed Ghannam discovered a race condition in the IPv4 raw socket
+    implementation.  A local user could use this to obtain sensitive
+    information from the kernel.
+
 CVE-2017-17741
 
+    Dmitry Vyukov reported that the KVM implementation for x86 would
+    over-read data from memory when emulating an MMIO write if the
+    kvm_mmio tracepoint was enabled.  A guest virtual machine might be
+    able to use this to cause a denial of service (crash).
+
 CVE-2017-17805
 
+    It was discovered that some implementations of the Salsa20 block
+    cipher did not correctly handle zero-length input.  A local user
+    could use this to cause a denial of service (crash) or possibly
+    have other security impact.
+
 CVE-2017-17806
 
+    It was discovered that the HMAC implementation could be used with
+    an underlying hash algorithm that requires a key, which was not
+    intended.  A local user could use this to cause a denial of
+    service (crash or memory corruption), or possibly for privilege
+    escalation.
+
 CVE-2017-17807
 
+    Eric Biggers discovered that the KEYS subsystem lacked a check for
+    write permission when adding keys to a process's default keyring.
+    A local user could use this to cause a denial of service or to
+    obtain sensitive information.
+
 CVE-2017-1000407
 
     Andrew Honig reported that the KVM implementation for Intel
@@ -52,6 +135,19 @@ CVE-2017-1000407
 
 CVE-2017-1000410
 
+    Ben Seri reported that the Bluetooth subsystem did not correctly
+    handle short EFS information elements in L2CAP messages.  An
+    attacker able to communicate over Bluetooth could use this to
+    obtain sensitive information from the kernel.
+
+The various problems in the Extended BPF verifier can be mitigated by
+disabling use of Extended BPF by unprivileged users:
+sysctl kernel.unprivileged_bpf_disabled=1
+
+Debian disables unprivileged user namespaces by default, but if they
+are enabled (via the kernel.unprivileged_userns_clone sysctl) then
+CVE-2017-17448 can be exploited by any local user.
+
 For the stable distribution (stretch), these problems have been fixed
 in 4.9.65-3+deb9u1.
 
-- 
cgit v1.2.3