USN-3753-2

See a problem?
Source
https://ubuntu.com/security/notices/USN-3753-2
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/USN-3753-2.json
JSON Data
https://api.osv.dev/v1/vulns/USN-3753-2
Related
  • CVE-2017-13168
  • CVE-2018-10876
  • CVE-2018-10877
  • CVE-2018-10878
  • CVE-2018-10879
  • CVE-2018-10881
  • CVE-2018-10882
  • CVE-2018-12233
  • CVE-2018-13094
  • CVE-2018-13405
  • CVE-2018-13406
Published
2018-08-24T00:46:51.820694Z
Modified
2018-08-24T00:46:51.820694Z
Summary
linux-lts-xenial, linux-aws vulnerabilities
Details

USN-3753-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

References

Affected packages

Ubuntu:14.04:LTS / linux-lts-xenial

Package

Name
linux-lts-xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4.0-134.160~14.04.1

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "linux-image-4.4.0-134-lowlatency": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-generic": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-powerpc64-emb": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-generic-lpae": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-powerpc-smp": "4.4.0-134.160~14.04.1",
            "linux-image-extra-4.4.0-134-generic": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-powerpc64-smp": "4.4.0-134.160~14.04.1",
            "linux-image-4.4.0-134-powerpc-e500mc": "4.4.0-134.160~14.04.1"
        }
    ]
}

Ubuntu:14.04:LTS / linux-aws

Package

Name
linux-aws

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.4.0-1028.31

Ecosystem specific

{
    "availability": "No subscription needed",
    "binaries": [
        {
            "linux-image-4.4.0-1028-aws": "4.4.0-1028.31"
        }
    ]
}