Fedora 25 update for kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-15299 CVE-2017-1000255 |
| CWE-ID | CWE-476 CWE-119 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system kernel Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Null pointer dereference
EUVDB-ID: #VU9602
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-15299
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists due to the KEYS subsystem mishandles use of add_key for a key that already exists but is uninstantiated. A local attacker can supply specially crafted keys, trigger null pointer dereference and cause the service to crash.
Successful exploitation of the vulnerability results in denial of service.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 25
kernel: before 4.13.6-100.fc25
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2017-521bb0d538
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU8812
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-1000255
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code with escalated privileges.
The vulnerability exists due to a boundary error in the Linux kernel's when handling signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory and execute arbitrary code on the target system with escalated privileges.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 25
kernel: before 4.13.6-100.fc25
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2017-521bb0d538
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
