Bug 37353 - linux: Multiple security issues (3.2)
linux: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P3 normal (vote)
: UCS 3.2-5-errata
Assigned To: Moritz Muehlenhoff
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-12-16 07:51 CET by Moritz Muehlenhoff
Modified: 2015-03-23 13:12 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-12-16 07:51:08 CET
Race condition in ext4 permission handling (CVE-2014-8086)
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in VMX handling in KVM (CVE-2014-3645, CVE-2014-3646)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
Comment 1 Moritz Muehlenhoff univentionstaff 2015-01-05 10:30:39 CET
Kernel workaround for AMD CPU deadlock (CVE-2013-6885)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419)
Denial of service in isofs (CVE-2014-9420)
espfix can by bypassed (CVE-2014-8133)
espfix not available for KVM paravirtualised guests (CVE-2014-8134)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-01-07 07:37:02 CET
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-01-09 11:42:49 CET
Information leak in isofs (CVE-2014-9584)
Comment 4 Moritz Muehlenhoff univentionstaff 2015-01-09 14:39:54 CET
(In reply to Moritz Muehlenhoff from comment #1)
> Kernel workaround for AMD CPU deadlock (CVE-2013-6885)

This was already merged in 3.10.29, so UCS 3.2 is already fixed.
Comment 5 Moritz Muehlenhoff univentionstaff 2015-01-09 14:44:17 CET
These are fixed as of 3.10.64:

Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)


These are unfixed as of 3.10.64:

Race condition in ext4 permission handling (CVE-2014-8086)
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in VMX handling in KVM (CVE-2014-3646)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
Comment 6 Moritz Muehlenhoff univentionstaff 2015-01-15 14:56:16 CET
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Insufficient randomisation of the vdso segment (CVE-2014-9585)
Comment 7 Moritz Muehlenhoff univentionstaff 2015-02-04 08:21:59 CET
Use-after-free in SCTP (CVE-2015-1421)
ext4 denial of service (CVE-2014-7822) (this only affects UCS 3.1/3.2)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644)  
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Comment 8 Moritz Muehlenhoff univentionstaff 2015-02-10 07:37:34 CET
Race condition in file handle support (CVE-2015-1420)
Comment 9 Moritz Muehlenhoff univentionstaff 2015-02-10 15:15:08 CET
CVE-2014-8086 doesn't affect 3.10.x, it was introduced in 3.16.



These are fixed as of 3.10.68:

Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)




These are unfixed as of 3.10.68:

Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the VMX handling in KVM (CVE-2014-3690)
Denial of service in VMX handling in KVM (CVE-2014-3646)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Use-after-free in SCTP (CVE-2015-1421)
ext4 denial of service (CVE-2014-7822) (this only affects UCS 3.1/3.2)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)


These are unfixed in the upstream kernel:

chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Comment 10 Arvid Requate univentionstaff 2015-02-16 17:55:37 CET
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Comment 11 Arvid Requate univentionstaff 2015-02-23 17:24:48 CET
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Comment 12 Arvid Requate univentionstaff 2015-02-23 17:42:26 CET
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)

Ext4: fallocate zero range page size > block size (CVE-2015-0275)
Comment 13 Arvid Requate univentionstaff 2015-02-25 20:44:26 CET
ecryptfs 1-byte overwrite (CVE-2014-9683)
Comment 14 Moritz Muehlenhoff univentionstaff 2015-03-05 15:19:16 CET
(In reply to Arvid Requate from comment #12)
> Ext4: fallocate zero range page size > block size (CVE-2015-0275)

This was introduced in 3.15 and doesn't affect UCS 3.2
Comment 15 Moritz Muehlenhoff univentionstaff 2015-03-05 15:20:50 CET
These are fixed as of 3.10.70:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)
Denial of service in the VMX handling in KVM (CVE-2014-3690) (3.10.69)
Denial of service in VMX handling in KVM (CVE-2014-3646) (3.10.69)
Use-after-free in SCTP (CVE-2015-1421) (3.10.70)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.10.64)


These are unfixed as of 3.10.70:
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
ext4 denial of service (CVE-2014-7822)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)



These are unfixed in the upstream kernel:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Comment 16 Moritz Muehlenhoff univentionstaff 2015-03-06 09:30:43 CET
53-fix-ext2-quota.patch was removed; it was integrated into 3.10.63
Comment 17 Moritz Muehlenhoff univentionstaff 2015-03-09 07:21:54 CET
3.0.71 has been released:

These are fixed as of 3.10.71:
Denial of service in VMX handling in KVM (CVE-2014-3645) (3.10.63)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.10.64)
Denial of service in isofs (CVE-2014-9420) (3.10.64)
espfix can be bypassed (CVE-2014-8133) (3.10.64)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.10.64)
Information leak in isofs (CVE-2014-9584) (3.10.64)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.10.67)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.10.65)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.10.67)
Denial of service in the VMX handling in KVM (CVE-2014-3690) (3.10.69)
Denial of service in VMX handling in KVM (CVE-2014-3646) (3.10.69)
Use-after-free in SCTP (CVE-2015-1421) (3.10.70)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.10.64)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593) (3.10.71) 


These are unfixed as of 3.10.71:
Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
ext4 denial of service (CVE-2014-7822)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
Soft lockup in AIO (CVE-2014-8172)


These are unfixed in the upstream kernel:
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Comment 18 Moritz Muehlenhoff univentionstaff 2015-03-11 13:31:19 CET
The kernel has been updated to 3.10.71.

Tests on hardware (amd64) and in virtualisation (i386) were successful.

YAML files:
2015-03-09-linux.yaml
2015-03-09-univention-kernel-image.yaml
Comment 19 Philipp Hahn univentionstaff 2015-03-20 17:09:35 CET
OK: apt-cache policy univention-kernel-image # 7.0.0-18.71.201503111143
OK: DEBIAN_FRONTEND=noninteractive aptitude install '?source-package(univention-kernel-image)?installed' # i386 amd64
OK: linux-image-3.10.0-ucs114-686-pae_3.10.11-1.114.201503091200_i386.deb
OK: uname -r # 3.10.0-ucs114-686-pae
OK: zdiff /usr/share/doc/linux-image-3.10.0-ucs1{08,14}-686-pae/changelog.Debian.gz
    -53-fix-ext2-quota
    +53-stable-63-to-70
    +54-stable-71

OK: CVE-2014-3645 CVE-2014-9419 CVE-2014-9420 CVE-2014-8133 CVE-2014-8134 CVE-2014-9584 CVE-2014-9529 CVE-2014-9585 CVE-2013-7421 CVE-2014-9644 CVE-2014-3690 CVE-2014-3646 CVE-2015-1421 CVE-2014-9683 CVE-2015-1593

OK: 2015-03-09-linux.yaml
OK: 2015-03-09-univention-kernel-image.yaml
OK: errata-announce -V 2015-03-09-linux.yaml
OK: errata-announce -V 2015-03-09-univention-kernel-image.yaml