The Debian Project released new major Linux kernel patches for the Debian GNU/Linux 8 “Jessie” and Debian GNU/Linux 9 “Stretch” operating system series to address a total of 27 security vulnerabilities, including an 8-year-old privilege escalation flaw.
First and foremost, the security update again patches Debian GNU/Linux’s kernel against both variants of the Spectre vulnerability (CVE-2017-5715 and CVE-2017-5753). These could allow an attacker that has control over an unprivileged process to read memory from arbitrary addresses, including kernel memory.
While Spectre Variant 2 was mitigated for the x86 architecture (amd64 and i386) via the retpoline compiler feature, Spectre Variant 1 was mitigated by first identifying the vulnerable code sections and then replacing the array access with the speculation-safe array_index_nospec() function.
Another important bug (CVE-2018-8781) patched with these new kernel updates for Debian GNU/Linux is a recently unearthed privilege escalation flaw that was introduced in the Linux kernel no less than eight years ago. It affected udl (DisplayLink) driver’s mmap operation, allowing a local attacker with access to a udl framebuffer device to gain root access by overwriting kernel memory.
submitted by: Arnfried Walbrecht