linux-kernel: CVE-2018-5390 CVE-2018-5391 CVE-2018-13405

[l2dy]

Cross-References: DSA-4266-1, DSA-4272-1

• A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)
• The inode_init_owner function in fs/inode.c in the Linux kernel through 4.17.4 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)

CVE-2018-5391 (FragmentSmack)

Juha-Matti Tilli discovered a flaw in the way the Linux kernel
handled reassembly of fragmented IPv4 and IPv6 packets. A remote
attacker can take advantage of this flaw to trigger time and
calculation expensive fragment reassembly algorithms by sending
specially crafted packets, leading to remote denial of service.

This is mitigated by reducing the default limits on memory usage
for incomplete fragmented packets.  The same mitigation can be
achieved without the need to reboot, by setting the sysctls:

net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608

The default values may still be increased by local configuration
if necessary.

[MingcongBai]

CVE-2018-5390, "SegmentSmack" https://access.redhat.com/security/cve/cve-2018-5390

[l2dy]

Adding CVE-2018-5391 (FragmentSmack).

[MingcongBai]

Fixed with https://github.com/AOSC-Dev/aosc-os-abbs/commit/8c0a5cdc6c60dd21abfd73e305f225e4e78be10b (Main) and https://github.com/AOSC-Dev/aosc-os-abbs/commit/c0da9748e5bdad65ae586558cc85e8acd332c42f (LTS). Closing, please assign two AOSAs.

[l2dy]

Use AOSA-2018-0351 for linux-kernel. Use AOSA-2018-0352 for linux-kernel-lts.