Candidate: CVE-2018-10689
PublicDate: 2018-05-03 07:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10689
 https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
 https://www.spinics.net/lists/linux-btrace/msg00847.html
 http://git.kernel.dk/?p=blktrace.git;a=log;h=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
Description:
 blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
 Android, has a buffer overflow in the dev_map_read function in btt/devmap.c
 because the device and devno arrays are too small, as demonstrated by an
 invalid free when using the btt program with a crafted file.
Ubuntu-Description:
 It was discovered a buffer overflow in the blktrace utility. An attacker
 could use this vulnerability to cause a DoS or possibly execute arbitrary
 code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [5.5 MEDIUM]


Patches_blktrace:
 upstream: http://git.kernel.dk/?p=blktrace.git;a=commitdiff;h=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
upstream_blktrace: released (1.0.5-1+deb8u1, 1.1.0-2+deb9u1, 1.2.0-1)
precise/esm_blktrace: DNE
trusty_blktrace: released (1.0.5-1+deb8u1build0.14.04.1)
trusty/esm_blktrace: DNE (trusty was released [1.0.5-1+deb8u1build0.14.04.1])

xenial_blktrace: released (1.1.0-2+deb9u1build0.16.04.1)

artful_blktrace: ignored (reached end-of-life)
bionic_blktrace: released (1.1.0-2+deb9u1build0.18.04.1)

cosmic_blktrace: not-affected (1.2.0-2)
devel_blktrace: not-affected (1.2.0-2)