Errata overview
Errata ID 67
Date 2017-06-28
Source package univention-kernel-image-signed
Fixed in version 3.0.2-5A~4.2.0.201706190940
Description
This update of the Linux kernel to version 4.9.33 addresses the following
issues:
* tty: n_hdlc: get rid of racy n_hdlc.tbuf (CVE-2017-2636)
* ucount: Remove the atomicity from ucount->count (CVE-2017-6874)
* USB: iowarrior: fix NULL-deref at probe (CVE-2016-2188)
* scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
* The built-in keyrings for security tokens can be joined as a session and
  then modified by the root user (CVE-2016-9604)
* The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c improperly
  emulates the VMXON instruction, which allows KVM L1 guest OS users to cause
  a denial of service (host OS memory consumption) by leveraging the
  mishandling of page references (CVE-2017-2596)
* The ping_unhash function in net/ipv4/ping.c is too late in obtaining a
  certain lock and consequently cannot ensure that disconnect function calls
  are safe, which allows local users to cause a denial of service (panic) by
  leveraging access to the protocol value of IPPROTO_ICMP in a socket system
  call (CVE-2017-2671)
* net/sctp/socket.c does not properly restrict association peel-off
  operations during certain wait states, which allows local users to cause a
  denial of service (invalid unlock and double free) via a multithreaded
  application. NOTE: this vulnerability exists because of an incorrect fix
  for CVE-2017-5986 (CVE-2017-6353)
* The keyring_search_aux function in security/keys/keyring.c allows local
  users to cause a denial of service (NULL pointer dereference and OOPS) via
  a request_key system call for the "dead" type (CVE-2017-6951)
* The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c does not
  validate certain size data after an XFRM_MSG_NEWAE update, which allows
  local users to obtain root privileges or cause a denial of service
  (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN
  capability (CVE-2017-7184)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c does not check for a zero value of
  certain levels data, which allows local users to cause a denial of service
  (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl
  call for a /dev/dri/renderD* device (CVE-2017-7261)
* The vmw_surface_define_ioctl function in
  drivers/gpu/drm/vmwgfx/vmwgfx_surface.c does not validate addition of
  certain levels data, which allows local users to trigger an integer
  overflow and out-of-bounds write, and cause a denial of service (system
  hang or crash) or possibly gain privileges, via a crafted ioctl call for a
  /dev/dri/renderD* device (CVE-2017-7294)
* The packet_set_ring function in net/packet/af_packet.c does not properly
  validate certain block-size data, which allows local users to cause a
  denial of service (integer signedness error and out-of-bounds write), or
  gain privileges (if the CAP_NET_RAW capability is held), via crafted system
  calls (CVE-2017-7308)
* Use-after-free vulnerability in fs/crypto/ allows local users to cause a
  denial of service (NULL pointer dereference) or possibly gain privileges by
  revoking keyring keys being used for ext4, f2fs, or ubifs encryption,
  causing cryptographic transform objects to be freed prematurely
  (CVE-2017-7374)
* The KEYS subsystem allows local users to cause a denial of service (memory
  consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING
  keyctl_set_reqkey_keyring calls (CVE-2017-7472)
* Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module
  allows attackers to cause a denial of service or possibly have unspecified
  other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction
  with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec
  function (CVE-2017-7477)
* The ipxitf_ioctl function in net/ipx/af_ipx.c mishandles reference counts,
  which allows local users to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call
  for an IPX interface (CVE-2017-7487)
* crypto/ahash.c allows attackers to cause a denial of service (API operation
  calling its own callback, and infinite recursion) by triggering EBUSY on a
  full queue (CVE-2017-7618)
* The NFSv2/NFSv3 server in the nfsd subsystem allows remote attackers to
  cause a denial of service (system crash) via a long RPC reply, related to
  net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (CVE-2017-7645)
* The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
  protection mechanism, which allows local users to read or write to kernel
  memory locations in the first megabyte (and bypass slab-allocation access
  restrictions) via an application that opens the /dev/mem file, related to
  arch/x86/mm/init.c and drivers/char/mem.c (CVE-2017-7889)
* drivers/media/usb/dvb-usb/dvb-usb-firmware.c interacts incorrectly with the
  CONFIG_VMAP_STACK option, which allows local users to cause a denial of
  service (system crash or memory corruption) or possibly have unspecified
  other impact by leveraging use of more than one virtual page for a DMA
  scatterlist (CVE-2017-8061)
* drivers/media/usb/dvb-usb/cxusb.c interacts incorrectly with the
  CONFIG_VMAP_STACK option, which allows local users to cause a denial of
  service (system crash) or possibly have unspecified other impact by
  leveraging use of more than one virtual page for a DMA scatterlist
  (CVE-2017-8063)
* drivers/media/usb/dvb-usb-v2/dvb_usb_core.c interacts incorrectly with the
  CONFIG_VMAP_STACK option, which allows local users to cause a denial of
  service (system crash or memory corruption) or possibly have unspecified
  other impact by leveraging use of more than one virtual page for a DMA
  scatterlist (CVE-2017-8064)
* drivers/char/virtio_console.c interacts incorrectly with the
  CONFIG_VMAP_STACK option, which allows local users to cause a denial of
  service (system crash or memory corruption) or possibly have unspecified
  other impact by leveraging use of more than one virtual page for a DMA
  scatterlist (CVE-2017-8067)
* The do_check function in kernel/bpf/verifier.c does not make the
  allow_ptr_leaks value available for restricting the output of the
  print_bpf_insn function, which allows local users to obtain sensitive
  address information via crafted bpf system calls (CVE-2017-9150)
* lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)
* dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
* ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
* sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
* ipv6/dccp: do not inherit ipv6_mc_list from parent
  (dccp_v6_request_recv_sock) (CVE-2017-9076)
* ipv6/dccp: do not inherit ipv6_mc_list from parent (tcp_v6_syn_recv_sock)
  (CVE-2017-9077)
* ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
* crypto: skcipher - Add missing API setkey checks (CVE-2017-9211)
* drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
  (CVE-2017-7346)
* drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* infoleak due to a data race in ALSA timer (CVE-2017-1000380)
* A buffer overflow flaw was discovered in the trace subsystem
  (CVE-2017-0605)
* The NFSv2 and NFSv3 server implementations do not properly handle payload
  bounds checking of WRITE requests. A remote attacker with write access to a
  NFS mount can take advantage of this flaw to read chunks of arbitrary
  memory from both kernel-space and user-space (CVE-2017-7895)
* The io_ti USB serial driver could leak sensitive information if a malicious
  USB device was connected (CVE-2017-8924)
* A reference counter leak in the omninet USB serial driver results in a
  use-after-free vulnerability. This can be triggered by a local user
  permitted to open tty devices (CVE-2017-8925)
* The stack guard page is not sufficiently large. The stack pointer can jump
  over the guard page and move from the stack into another memory region
  without ever touching the guard page. In this case no page-fault exception
  is raised and the stack silently extends into the other memory region. An
  attacker can exploit this flaw for privilege escalation (CVE-2017-1000364)
Additional notes This is the second part of the update.
CVE ID CVE-2017-2636
CVE-2017-6874
CVE-2016-2188
CVE-2017-7184
CVE-2017-7187
CVE-2017-7261
CVE-2017-7294
CVE-2017-7308
CVE-2016-9604
CVE-2017-2596
CVE-2017-2671
CVE-2017-5986
CVE-2017-6353
CVE-2017-6951
CVE-2017-7374
CVE-2017-7472
CVE-2017-7477
CVE-2017-7487
CVE-2017-7618
CVE-2017-7645
CVE-2017-7889
CVE-2017-8061
CVE-2017-8063
CVE-2017-8064
CVE-2017-8067
CVE-2017-9150
CVE-2017-1000363
CVE-2017-8890
CVE-2017-9074
CVE-2017-9075
CVE-2017-9076
CVE-2017-9077
CVE-2017-9242
CVE-2017-9211
CVE-2017-7346
CVE-2017-9605
CVE-2017-1000380
CVE-2017-0605
CVE-2017-7895
CVE-2017-8924
CVE-2017-8925
CVE-2017-1000364
UCS Bug number #44416