Bug 34751 - linux: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
P2 normal
UCS 3.2-2-errata
Assigned To: Moritz Muehlenhoff
Janek Walkenhorst
Reported: 2014-05-06 15:27 CEST by Moritz Muehlenhoff
Modified: 2014-07-08 16:12 CEST
Description Moritz Muehlenhoff univentionstaff 2014-05-06 15:27:30 CEST
These vulnerabilities are open in UCS 3.2 and fixed in Linux 3.10.38:

Denial of Service in RDS (CVE-2012-2372) (3.10.27)
Information leaks in hamradio network ioctl (CVE-2014-1446) (3.10.27)
Local denial of service in fpu handling (CVE-2014-1438) (3.10.27)
Information leak in the Netfilter connection tracker for IRC (CVE-2014-1690) (3.10.27)  
Buffer overflow in KVM (CVE-2014-0049) (3.10.33)
Denial of service in selinux (CVE-2014-1874) (3.10.31)  
Denial of service in CIFS (CVE-2014-0069) (3.10.33)
IPv6 routing denial of service (CVE-2014-2309) (3.10.37)
SCTP denial of service (CVE-2014-0101) (3.10.34)
Local denial of service in rds (CVE-2013-7339) (3.10.27)
Denial of service in vhost_net (CVE-2014-0055, CVE-2014-0077) (3.10.37)
Denial of service in RDS (CVE-2014-2678) (3.10.37)
Denial of service in mac80211 (CVE-2014-2706) (3.10.34)



These vulnerabilities are still unfixed:

Insecure block handling (CVE-2012-4542)
Information leak in vhost-net zerocopy support (CVE-2014-0131)
Information leak in skb_zerocopy (CVE-2014-2568)
Denial of service in the ath9k driver (CVE-2014-2672)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-05-12 08:43:07 CEST
Out of bounds read in BPF filters (CVE-2014-3144, CVE-2014-3145)
Local denial of service in memory management (CVE-2014-3122)
Insufficient access checks on netlink sockets (CVE-2014-0181)
Insufficient access checks on ping sockets (CVE-2014-2851)
Denial of service in KVM (CVE-2014-0155) (Only affects UCS 3.2)
Comment 2 Moritz Muehlenhoff univentionstaff 2014-06-06 09:08:23 CEST
The patches have been applied and I've verified that they are effective. All tests went fine.

The meta package has been updated to install the new kernel.

Errata:
2014-06-05-univention-kernel-image.yaml
2014-06-05-linux.yaml
Comment 3 Moritz Muehlenhoff univentionstaff 2014-06-06 12:49:45 CEST
We'll fix these later.
Comment 4 Moritz Muehlenhoff univentionstaff 2014-06-11 14:36:23 CEST
Missing check during hugepage migration (CVE-2014-3940)
Comment 5 Moritz Muehlenhoff univentionstaff 2014-06-11 14:38:43 CEST
Denial of service in audit system (CVE-2014-3917)
Comment 6 Moritz Muehlenhoff univentionstaff 2014-06-11 14:41:34 CEST
Incorrect permission checks in inode_capable() (CVE-2014-4014)
Comment 7 Moritz Muehlenhoff univentionstaff 2014-06-11 15:15:49 CEST
These vulnerabilities are open in UCS 3.2 and fixed in Linux 3.10.42:

Denial of Service in RDS (CVE-2012-2372) (3.10.27)
Information leaks in hamradio network ioctl (CVE-2014-1446) (3.10.27)
Local denial of service in fpu handling (CVE-2014-1438) (3.10.27)
Information leak in the Netfilter connection tracker for IRC (CVE-2014-1690) (3.10.27)
Buffer overflow in KVM (CVE-2014-0049) (3.10.33)
Denial of service in selinux (CVE-2014-1874) (3.10.31)
Denial of service in CIFS (CVE-2014-0069) (3.10.33)
IPv6 routing denial of service (CVE-2014-2309) (3.10.37)
SCTP denial of service (CVE-2014-0101) (3.10.34)
Local denial of service in rds (CVE-2013-7339) (3.10.27)
Denial of service in vhost_net (CVE-2014-0055, CVE-2014-0077) (3.10.37)
Denial of service in RDS (CVE-2014-2678) (3.10.37)
Denial of service in mac80211 (CVE-2014-2706) (3.10.34)
Denial of service in the ath9k driver (CVE-2014-2672) (3.10.42)
Out of bounds read in BPF filters (CVE-2014-3144, CVE-2014-3145) (3.10.41)
Local denial of service in memory management (CVE-2014-3122) (3.10.39)
Insufficient access checks on ping sockets (CVE-2014-2851) (3.10.41)
Denial of service in KVM (CVE-2014-0155) (3.10.40)



These vulnerabilities are still unfixed in 3.10.x:

Insecure block handling (CVE-2012-4542)
Information leak in vhost-net zerocopy support (CVE-2014-0131)
Insufficient access checks on netlink sockets (CVE-2014-0181)
Information leak in skb_zerocopy (CVE-2014-2568)
Missing check during hugepage migration (CVE-2014-3940)
Denial of service in audit system (CVE-2014-3917)
Incorrect permission checks in inode_capable() (CVE-2014-4014)
Comment 8 Moritz Muehlenhoff univentionstaff 2014-06-16 08:25:50 CEST
Information leak in ioctl media_enum_entities() (CVE-2014-1739) (normal device permissions should prevent exploitation)
Comment 9 Moritz Muehlenhoff univentionstaff 2014-06-17 06:26:37 CEST
These vulnerabilities are open in UCS 3.2 and fixed in Linux 3.10.44:

Denial of Service in RDS (CVE-2012-2372) (3.10.27)
Local denial of service in rds (CVE-2013-7339) (3.10.27)
Buffer overflow in KVM (CVE-2014-0049) (3.10.33)
Denial of service in vhost_net (CVE-2014-0055, CVE-2014-0077) (3.10.37)
Denial of service in CIFS (CVE-2014-0069) (3.10.33)
SCTP denial of service (CVE-2014-0101) (3.10.34)
Denial of service in KVM (CVE-2014-0155) (3.10.40)
Local denial of service in fpu handling (CVE-2014-1438) (3.10.27)
Information leaks in hamradio network ioctl (CVE-2014-1446) (3.10.27)
Information leak in the Netfilter connection tracker for IRC (CVE-2014-1690) (3.10.27)
Information leak in ioctl media_enum_entities() (CVE-2014-1739) (3.10.42)
Denial of service in selinux (CVE-2014-1874) (3.10.31)
IPv6 routing denial of service (CVE-2014-2309) (3.10.37)
Denial of service in the ath9k driver (CVE-2014-2672) (3.10.42)
Denial of service in RDS (CVE-2014-2678) (3.10.37)
Denial of service in mac80211 (CVE-2014-2706) (3.10.34)
Insufficient access checks on ping sockets (CVE-2014-2851) (3.10.41)
Local denial of service in memory management (CVE-2014-3122) (3.10.39)
Out of bounds read in BPF filters (CVE-2014-3144, CVE-2014-3145) (3.10.41)
Denial of service in audit system (CVE-2014-3917) (3.10.44)
Incorrect permission checks in inode_capable() (CVE-2014-4014) (3.10.44)


These vulnerabilities are still unfixed in 3.10.x:

Insecure block handling (CVE-2012-4542)
Information leak in vhost-net zerocopy support (CVE-2014-0131)
Insufficient access checks on netlink sockets (CVE-2014-0181)
Information leak in skb_zerocopy (CVE-2014-2568)
Missing check during hugepage migration (CVE-2014-3940)
Information leak in rc backend of target SCSI (CVE-2014-4027)
Comment 10 Moritz Muehlenhoff univentionstaff 2014-06-27 11:47:27 CEST
Integer overflow when processing lz4 compressed kernel images (CVE-2014-4608)
Various information disclosure, use-after-frees and integer overflows in ALSA user controls (CVE-2014-4656, CVE-2014-4655, CVE-2014-4654, CVE-2014-4653, CVE-2014-4652)
Denial of service in the audit subsystem (CVE-2014-4508)
Denial of service in memory management (CVE-2014-4171)
Comment 11 Moritz Muehlenhoff univentionstaff 2014-06-27 11:51:30 CEST
Information disclosure in aio (CVE-2014-0206)
Comment 12 Moritz Muehlenhoff univentionstaff 2014-06-27 13:26:27 CEST
These vulnerabilities are open in UCS 3.2 and fixed in Linux 3.10.45:

Denial of Service in RDS (CVE-2012-2372) (3.10.27)
Local denial of service in rds (CVE-2013-7339) (3.10.27)
Buffer overflow in KVM (CVE-2014-0049) (3.10.33)
Denial of service in vhost_net (CVE-2014-0055, CVE-2014-0077) (3.10.37)
Denial of service in CIFS (CVE-2014-0069) (3.10.33)
SCTP denial of service (CVE-2014-0101) (3.10.34)
Denial of service in KVM (CVE-2014-0155) (3.10.40)
Local denial of service in fpu handling (CVE-2014-1438) (3.10.27)
Information leaks in hamradio network ioctl (CVE-2014-1446) (3.10.27)
Information leak in the Netfilter connection tracker for IRC (CVE-2014-1690) (3.10.27)
Information leak in ioctl media_enum_entities() (CVE-2014-1739) (3.10.42)
Denial of service in selinux (CVE-2014-1874) (3.10.31)
IPv6 routing denial of service (CVE-2014-2309) (3.10.37)
Denial of service in the ath9k driver (CVE-2014-2672) (3.10.42)
Denial of service in RDS (CVE-2014-2678) (3.10.37)
Denial of service in mac80211 (CVE-2014-2706) (3.10.34)
Insufficient access checks on ping sockets (CVE-2014-2851) (3.10.41)
Local denial of service in memory management (CVE-2014-3122) (3.10.39)
Out of bounds read in BPF filters (CVE-2014-3144, CVE-2014-3145) (3.10.41)
Denial of service in audit system (CVE-2014-3917) (3.10.44)
Incorrect permission checks in inode_capable() (CVE-2014-4014) (3.10.44)
Insufficient access checks on netlink sockets (CVE-2014-0181)
Integer overflow when processing lz4 compressed kernel images (CVE-2014-4608)
Various information disclosure, use-after-frees and integer overflows in ALSA user controls (CVE-2014-4656, CVE-2014-4655, CVE-2014-4654, CVE-2014-4653, CVE-2014-4652)


These vulnerabilities are still unfixed in 3.10.x:

Insecure block handling (CVE-2012-4542)
Information leak in vhost-net zerocopy support (CVE-2014-0131)
Information leak in skb_zerocopy (CVE-2014-2568)
Missing check during hugepage migration (CVE-2014-3940)
Information leak in rc backend of target SCSI (CVE-2014-4027)
Denial of service in the audit subsystem (CVE-2014-4508)
Denial of service in memory management (CVE-2014-4171)
Information disclosure in aio (CVE-2014-0206)
Comment 13 Moritz Muehlenhoff univentionstaff 2014-07-01 11:54:47 CEST
CVE-2014-3940 only affects 3.12 and later.



These vulnerabilities are open in UCS 3.2 and fixed in Linux 3.10.45:
 
Denial of Service in RDS (CVE-2012-2372) (3.10.27)
Local denial of service in rds (CVE-2013-7339) (3.10.27)
Buffer overflow in KVM (CVE-2014-0049) (3.10.33)
Denial of service in vhost_net (CVE-2014-0055, CVE-2014-0077) (3.10.37)
Denial of service in CIFS (CVE-2014-0069) (3.10.33)
SCTP denial of service (CVE-2014-0101) (3.10.34)
Denial of service in KVM (CVE-2014-0155) (3.10.40)
Local denial of service in fpu handling (CVE-2014-1438) (3.10.27)
Information leaks in hamradio network ioctl (CVE-2014-1446) (3.10.27)
Information leak in the Netfilter connection tracker for IRC (CVE-2014-1690) (3.10.27)
Information leak in ioctl media_enum_entities() (CVE-2014-1739) (3.10.42)
Denial of service in selinux (CVE-2014-1874) (3.10.31)
IPv6 routing denial of service (CVE-2014-2309) (3.10.37)
Denial of service in the ath9k driver (CVE-2014-2672) (3.10.42)
Denial of service in RDS (CVE-2014-2678) (3.10.37)
Denial of service in mac80211 (CVE-2014-2706) (3.10.34)
Insufficient access checks on ping sockets (CVE-2014-2851) (3.10.41)
Local denial of service in memory management (CVE-2014-3122) (3.10.39)
Out of bounds read in BPF filters (CVE-2014-3144, CVE-2014-3145) (3.10.41)
Denial of service in audit system (CVE-2014-3917) (3.10.44)
Incorrect permission checks in inode_capable() (CVE-2014-4014) (3.10.44)
Insufficient access checks on netlink sockets (CVE-2014-0181)
Integer overflow when processing lz4 compressed kernel images (CVE-2014-4608)
Various information disclosure, use-after-frees and integer overflows in ALSA user controls (CVE-2014-4656, CVE-2014-4655, CVE-2014-4654, CVE-2014-4653, CVE-2014-4652)
Information leak in rc backend of target SCSI (CVE-2014-4027) (3.10.46)
Denial of service in the audit subsystem (CVE-2014-4508) (3.10.46)
Information disclosure in aio (CVE-2014-0206) (3.10.46)
 

These vulnerabilities are still unfixed in 3.10.x:

Insecure block handling (CVE-2012-4542)
Information leak in vhost-net zerocopy support (CVE-2014-0131)
Information leak in skb_zerocopy (CVE-2014-2568)
Denial of service in memory management (CVE-2014-4171)
Comment 14 Moritz Muehlenhoff univentionstaff 2014-07-01 14:07:55 CEST
(In reply to Moritz Muehlenhoff from comment #13)
>> These vulnerabilities are still unfixed in 3.10.x:

Bug 35226 has been created for these.
Comment 15 Moritz Muehlenhoff univentionstaff 2014-07-02 11:39:24 CEST
The kernel package has been updated to 3.10.46 and the meta package has been updated to the new release. Tests on hardware with i386 and amd64 were successful.

YAML files:
2014-07-01-linux.yaml
2014-07-01-univention-kernel-image.yaml
Comment 16 Moritz Muehlenhoff univentionstaff 2014-07-07 07:51:42 CEST
New issue, which needs to be added to the upcoming update, reopening:

Missing input validation in the ptrace syscall allows privilege escalation (CVE-2014-4699) (This is limited to amd64)
Comment 17 Moritz Muehlenhoff univentionstaff 2014-07-08 08:15:28 CEST
(In reply to Moritz Muehlenhoff from comment #16)
> New issue, which needs to be added to the upcoming update, reopening:
> 
> Missing input validation in the ptrace syscall allows privilege escalation
> (CVE-2014-4699) (This is limited to amd64)

A patch for this has been merged, built and tested. YAML files have been amended.
Comment 18 Janek Walkenhorst univentionstaff 2014-07-08 13:39:56 CEST
Tests (amd64, amd64kvm, i386kvm): OK
Advisories: OK