SB2018010317 - Fedora 26 update for kernel
Published: January 3, 2018 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2017-17852)
The vulnerability allows a local authenticated user to execute arbitrary code.
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops.
2) Buffer overflow (CVE-ID: CVE-2017-17853)
The vulnerability allows a local authenticated user to execute arbitrary code.
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations.
3) Integer overflow (CVE-ID: CVE-2017-17854)
The vulnerability allows a local authenticated user to execute arbitrary code.
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.
4) Buffer overflow (CVE-ID: CVE-2017-17855)
The vulnerability allows a local authenticated user to execute arbitrary code.
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars.
5) Buffer overflow (CVE-ID: CVE-2017-17856)
The vulnerability allows a local authenticated user to execute arbitrary code.
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement.
6) Buffer overflow (CVE-ID: CVE-2017-17857)
The vulnerability allows a local authenticated user to execute arbitrary code.
The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations.
7) Denial of service (CVE-ID: CVE-2017-17862)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to kernel/bpf/verifier.c in the Linux kernel improperly explores unreachable code paths, even though it would still be processed by JIT compilers. A local attacker can run a specially crafted application, trigger an improper branch-pruning logic issue and cause the system to crash.
Successful exploitation of the vulnerability results in denial of service.
8) Privilege escalation (CVE-ID: CVE-2017-17863)
The vulnerability allows a local attacker to gain elevated privileges on the target system.The weakness exists due to kernel/bpf/verifier.c in the Linux kernel does not check the relationship between pointer values and the BPF stack. A local attacker can run a specially crafted application to trigger integer overflow or invalid memory access and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
9) Memory leak (CVE-ID: CVE-2017-17864)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.The weakness exists due to kernel/bpf/verifier.c in the Linux kernel mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type. A local attacker can trigger a memory leak and obtain potentially sensitive address information.
Remediation
Install update from vendor's website.