ALAS-2017-814


Amazon Linux 1 Security Advisory: ALAS-2017-814
Advisory Release Date: 2017-04-06 21:16 Pacific
Advisory Updated Date: 2017-04-17 16:35 Pacific
Severity: Medium

Issue Overview:

Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986):

It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).

Reachable BUG_ON from userspace in sctp_wait_for_sndbuf:

It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986)

Shmat allows mmap null page protection bypass:

The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context. (CVE-2017-5669)


Affected Packages:

kernel


Issue Correction:
Run yum update kernel to update your system.

New Packages:
i686:
    perf-debuginfo-4.9.20-10.30.amzn1.i686
    kernel-tools-devel-4.9.20-10.30.amzn1.i686
    kernel-debuginfo-common-i686-4.9.20-10.30.amzn1.i686
    kernel-tools-4.9.20-10.30.amzn1.i686
    kernel-tools-debuginfo-4.9.20-10.30.amzn1.i686
    perf-4.9.20-10.30.amzn1.i686
    kernel-headers-4.9.20-10.30.amzn1.i686
    kernel-debuginfo-4.9.20-10.30.amzn1.i686
    kernel-4.9.20-10.30.amzn1.i686
    kernel-devel-4.9.20-10.30.amzn1.i686

noarch:
    kernel-doc-4.9.20-10.30.amzn1.noarch

src:
    kernel-4.9.20-10.30.amzn1.src

x86_64:
    kernel-tools-4.9.20-10.30.amzn1.x86_64
    kernel-headers-4.9.20-10.30.amzn1.x86_64
    kernel-debuginfo-4.9.20-10.30.amzn1.x86_64
    kernel-tools-devel-4.9.20-10.30.amzn1.x86_64
    kernel-tools-debuginfo-4.9.20-10.30.amzn1.x86_64
    perf-debuginfo-4.9.20-10.30.amzn1.x86_64
    perf-4.9.20-10.30.amzn1.x86_64
    kernel-devel-4.9.20-10.30.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.9.20-10.30.amzn1.x86_64
    kernel-4.9.20-10.30.amzn1.x86_64