Canonical Ubuntu Linux vulnerabilities

CVE-2017-16845 [CRITICAL] CWE-20 CVE-2017-16845: hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading t hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.

CVE-2017-15115 [HIGH] CWE-416 CVE-2017-15115: The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whe The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.

CVE-2017-15102 [MEDIUM] CWE-476 CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.

CVE-2017-16642 [HIGH] CVE-2017-16642: In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's t In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE

CVE-2017-16548 [CRITICAL] CWE-125 CVE-2017-16548: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a tra The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon.

CVE-2015-7529 [HIGH] CWE-59 CVE-2015-7529: sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by sosreport-$hostname-$date.tar in /tmp/sosreport-$hostname-$date.

CVE-2017-16546 [HIGH] CWE-119 CVE-2017-16546: The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colo The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or possibly have unspecified other impact via a malformed WPG file.

CVE-2017-16526 [HIGH] CWE-119 CVE-2017-16526: drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16533 [MEDIUM] CWE-125 CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16529 [MEDIUM] CWE-125 CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows loc The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16525 [MEDIUM] CWE-416 CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel befor The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup.

CVE-2017-16532 [MEDIUM] CWE-476 CVE-2017-16532: The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16528 [MEDIUM] CWE-416 CVE-2017-16528: sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of se sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16527 [MEDIUM] CWE-416 CVE-2017-16527: sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-15908 [HIGH] CWE-835 CVE-2017-15908: In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service.

CVE-2017-15873 [MEDIUM] CWE-190 CVE-2017-15873: The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Int The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

CVE-2017-13082 [HIGH] CWE-323 CVE-2017-13082: Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwi Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13086 [MEDIUM] CWE-323 CVE-2017-13086: Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13088 [MEDIUM] CWE-323 CVE-2017-13088: Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Gr Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13087 [MEDIUM] CWE-330 CVE-2017-13087: Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Tempor Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.