Bug 37385 - linux: Multiple security issues (4.0)
linux: Multiple security issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P2 normal (vote)
: UCS 4.0-2-errata
Assigned To: Janek Walkenhorst
Philipp Hahn
https://packages.debian.org/source/je...
:
Depends on:
Blocks: 38764
  Show dependency treegraph
 
Reported: 2014-12-18 08:01 CET by Moritz Muehlenhoff
Modified: 2015-07-20 17:48 CEST (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-12-18 08:01:24 CET
After Bug 36969 the following security issues still need to be fixed:

Denial of service in the dcache in the fs layer (CVE-2014-8559)
User namespaces can bypass group-based restrictions (CVE-2014-8989)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
Comment 1 Moritz Muehlenhoff univentionstaff 2015-01-05 10:16:53 CET
Denial of service in batman-adv (CVE-2014-9428)

The Linux kernels in UCS 3.x are not affected, this was introduced in Linux 3.13
Comment 2 Moritz Muehlenhoff univentionstaff 2015-01-05 10:30:56 CET
Kernel workaround for AMD CPU deadlock (CVE-2013-6885)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419)
Denial of service in isofs (CVE-2014-9420)
espfix can by bypassed (CVE-2014-8133)
espfix not available for KVM paravirtualised guests (CVE-2014-8134)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-01-07 07:37:12 CET
Memory corruption in garbage collector for unused security keys (CVE-2014-9529)
Comment 4 Moritz Muehlenhoff univentionstaff 2015-01-09 11:42:57 CET
Information leak in isofs (CVE-2014-9584)
Comment 5 Moritz Muehlenhoff univentionstaff 2015-01-15 14:56:21 CET
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
Insufficient randomisation of the vdso segment (CVE-2014-9585)
Comment 6 Moritz Muehlenhoff univentionstaff 2015-02-04 08:22:30 CET
Denial of service in packet routing (CVE-2015-1465) (this only affects UCS 4.0) 
Use-after-free in SCTP (CVE-2015-1421)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644)  
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Comment 7 Moritz Muehlenhoff univentionstaff 2015-02-10 07:37:48 CET
Race condition in file handle support (CVE-2015-1420)
Comment 8 Moritz Muehlenhoff univentionstaff 2015-02-11 07:52:29 CET
Denial of service in nftables (CVE-2015-1573)

(the kernels in UCS 3.1 and 3.2 are not affected)
Comment 9 Arvid Requate univentionstaff 2015-02-16 17:55:29 CET
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Comment 10 Arvid Requate univentionstaff 2015-02-23 17:24:45 CET
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Comment 11 Arvid Requate univentionstaff 2015-02-23 17:42:23 CET
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)

Ext4: fallocate zero range page size > block size (CVE-2015-0275)
Comment 12 Arvid Requate univentionstaff 2015-02-25 20:44:24 CET
ecryptfs 1-byte overwrite (CVE-2014-9683)
Comment 13 Moritz Muehlenhoff univentionstaff 2015-03-09 08:20:56 CET
(In reply to Moritz Muehlenhoff from comment #2)
> Kernel workaround for AMD CPU deadlock (CVE-2013-6885)

This was fixed upstream in 3.14, so the kernel in UCS 4.0 is not affected.
Comment 14 Moritz Muehlenhoff univentionstaff 2015-03-09 08:25:11 CET
(In reply to Moritz Muehlenhoff from comment #8)
> Denial of service in nftables (CVE-2015-1573)

This was introduced in 3.18, so the kernel in UCS 4.0 is not affected.
Comment 15 Moritz Muehlenhoff univentionstaff 2015-03-09 09:11:04 CET
These are fixed as of 3.16.7-ckt7:
Denial of service in the dcache in the fs layer (CVE-2014-8559) (3.16.7-ckt4)
User namespaces can bypass group-based restrictions (CVE-2014-8989) (3.16.7-ckt4)
Denial of service in batman-adv (CVE-2014-9428) (3.16.7-ckt4)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.16.7-ckt4)  
Denial of service in isofs (CVE-2014-9420) (3.16.7-ckt4)
espfix can by bypassed (CVE-2014-8133) (3.16.7-ckt4)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.16.7-ckt4)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.16.7-ckt4)
Information leak in isofs (CVE-2014-9584) (3.16.7-ckt4)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160) (3.16.7-ckt5)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.16.7-ckt5)
Denial of service in packet routing (CVE-2015-1465) (3.16.7-ckt6)
Use-after-free in SCTP (CVE-2015-1421) (3.16.7-ckt6)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239) (3.16.7-ckt6)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.16.7-ckt6)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.16.7-ckt4)



These are pending for 3.16.7-ckt8:
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)



These are unfixed in the upstream kernel:
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Comment 16 Arvid Requate univentionstaff 2015-03-11 22:15:49 CET
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Comment 17 Moritz Muehlenhoff univentionstaff 2015-03-13 08:22:45 CET
58_CVE-2014-9090_CVE-2014-9322.patch was removed; the following upstream fixes were merged into 3.16.7-ckt3:

af726f21ed8af2cdaa4e93098dc211521218ae65 
6f442be2fb22be02cafa606f1769fa1e6f894441
b645af2d5905c4e32399005b867987919cbfc3ae
7ddc6a2199f1da405a2fb68c40db8899b1a8cd87
Comment 18 Moritz Muehlenhoff univentionstaff 2015-03-13 10:48:10 CET
These are fixed as of 3.16.7-ckt8:

Denial of service in the dcache in the fs layer (CVE-2014-8559) (3.16.7-ckt4)
User namespaces can bypass group-based restrictions (CVE-2014-8989) (3.16.7-ckt4)
Denial of service in batman-adv (CVE-2014-9428) (3.16.7-ckt4)
TLS base address leak allows partial ASLR bypass (CVE-2014-9419) (3.16.7-ckt4)  
Denial of service in isofs (CVE-2014-9420) (3.16.7-ckt4)
espfix can by bypassed (CVE-2014-8133) (3.16.7-ckt4)
espfix not available for KVM paravirtualised guests (CVE-2014-8134) (3.16.7-ckt4)
Memory corruption in garbage collector for unused security keys (CVE-2014-9529) (3.16.7-ckt4)
Information leak in isofs (CVE-2014-9584) (3.16.7-ckt4)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160) (3.16.7-ckt5)
Insufficient randomisation of the vdso segment (CVE-2014-9585) (3.16.7-ckt5)
Denial of service in packet routing (CVE-2015-1465) (3.16.7-ckt6)
Use-after-free in SCTP (CVE-2015-1421) (3.16.7-ckt6)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239) (3.16.7-ckt6)
Crypto userspace API allows loading of arbitrary kernel modules (CVE-2013-7421, CVE-2014-9644) (3.16.7-ckt6)
ecryptfs 1-byte overwrite (CVE-2014-9683) (3.16.7-ckt4)
ASLR integer overflow: Reducing stack entropy by four (CVE-2015-1593)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)



These are unfixed in the upstream kernel:
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
Comment 19 Moritz Muehlenhoff univentionstaff 2015-03-30 10:59:01 CEST
(In reply to Moritz Muehlenhoff from comment #18)
> These are fixed as of 3.16.7-ckt8:

All stable kernels update to 3.16.7-ckt8 have been integrated and the univention-kernel-image meta package has been updated.

As discussed, what remains to be done:
- YAML files
- Tests on hardware and KVM
- Sign the kernel modules
Comment 20 Arvid Requate univentionstaff 2015-04-07 15:07:25 CEST
These are fixed as of 3.16.7-ckt9:

Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830)


These are unfixed in the upstream kernel:
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
btrfs: non-atomic xattr replace operation (CVE-2014-9710)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
IPv6 Hop limit lowering via RA messages (CVE-2015-2922)
Comment 21 Arvid Requate univentionstaff 2015-04-24 12:25:10 CEST
These are fixed as of 3.16.7-ckt9-3:

* Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331)
* TCP Fast Open local DoS (CVE-2015-3332)
* chown() was racy relative to execve() (CVE-2015-3339)
Comment 22 Arvid Requate univentionstaff 2015-04-27 15:27:46 CEST
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
Comment 23 Arvid Requate univentionstaff 2015-04-28 17:56:45 CEST
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
Comment 24 Arvid Requate univentionstaff 2015-05-04 13:54:41 CEST
These are now fixed in upstream package version 3.16.7-ckt10:

infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
btrfs: non-atomic xattr replace operation (CVE-2014-9710)
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
Ext4: fallocate zero range page size > block size (CVE-2015-0275)
Race condition in file handle support (CVE-2015-1420)
Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
IPv6 Hop limit lowering via RA messages (CVE-2015-2922)



These are currently still unfixed in the upstream kernel package:

chown can be abused to remove xattr permissions of files (CVE-2015-1350)
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
Comment 25 Arvid Requate univentionstaff 2015-05-18 11:20:30 CEST
One more:

* privilege escalation via ping sockets due to use-after-free (CVE-2015-3636)

Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt11:

 CVE-2015-0275 CVE-2015-3339 CVE-2015-3636
Comment 26 Arvid Requate univentionstaff 2015-06-18 18:38:20 CEST
Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13:

* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* Race condition in file handle support (CVE-2015-1420) [Now really].



These are currently still unfixed in the upstream kernel package:

chown can be abused to remove xattr permissions of files (CVE-2015-1350)
USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
Comment 27 Arvid Requate univentionstaff 2015-06-22 21:35:06 CEST
Additional CVE fixed in (3.16.7-ckt9-1) for the changelog:

* drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036)
Comment 28 Janek Walkenhorst univentionstaff 2015-06-24 12:44:42 CEST
New version
 linux (3.16.7-ckt11-1~bpo70+1) wheezy-backports
built as
 linux (3.16.7-ckt11-1~bpo70+1.134.201506231755)
yielding
 linux-image-3.16.0-ucs134*
.

Tests (KVM): OK
Comment 29 Janek Walkenhorst univentionstaff 2015-06-24 15:43:18 CEST
univention-kernel-image updated with new dependency in
 8.0.6-6.74.201506241245

univention-kernel-image-signed updated with new signed binary and dependencies in
 1.0.3-1.6.201506241503

Tests (UEFI/SecureBoot): OK
Comment 30 Janek Walkenhorst univentionstaff 2015-06-24 18:05:06 CEST
Still unfixed issues moved to Bug #38764
Comment 31 Janek Walkenhorst univentionstaff 2015-06-24 18:10:21 CEST
Advisories:
 2015-06-24-linux.yaml
 2015-06-24-univention-kernel-image-signed.yaml
 2015-06-24-univention-kernel-image.yaml
Comment 32 Philipp Hahn univentionstaff 2015-07-01 14:18:37 CEST
OK: univention-install univention-kernel-image
OK: amd64 KVM
OK: i386 KVM
OK: amd64 HW
OK: uname -r # 3.16.0-ucs134-amd64
FAIL: univention-install univention-kernel-header → linux-headers-3.16.0-ucs134-* → linux-compiler-gcc-4.6-x86 → gcc-4.6

OK: zless /usr/share/doc/linux-image-3.16.0-ucs134-amd64/changelog.Debian.gz

FIXED: 2015-06-24-linux.yaml → r61610
FIXED: 2015-06-24-univention-kernel-image.yaml → r61610
FIXED: 2015-06-24-univention-kernel-image-signed.yaml → r61610
OK: announce-errata -V *.yaml

OK: CVE-2014-8559
OK: CVE-2014-8989
OK: CVE-2014-9428
SKIP: CVE-2013-6885 not affected
OK: CVE-2014-9419
OK: CVE-2014-9420
OK: CVE-2014-8133
OK: CVE-2014-8134
OK: CVE-2014-9529
OK: CVE-2014-9584
OK: CVE-2014-8160
OK: CVE-2014-9585
OK: CVE-2015-1465
OK: CVE-2015-1421
OK: CVE-2015-0239
OK: CVE-2013-7421 CVE-2014-9644
PENDING: CVE-2015-1350 → Bug #387640
PENDING: CVE-2015-1420 incomplete → Bug #387647
SKIP: CVE-2015-1573 not affected
OK: CVE-2015-1593
OK: CVE-2015-2042
OK: CVE-2015-2041
OK: CVE-2015-0275
OK: CVE-2014-9683 'eCryptfs: Remove buggy and unnecessary write in file name decode routine'
OK: CVE-2015-2150
OK: CVE-2015-2830
OK: CVE-2015-3331
OK: CVE-2015-3332
OK: CVE-2015-3339
OK: CVE-2014-8159
OK: CVE-2014-9710
OK: CVE-2014-9715 Debian #741667
PENDING: CVE-2014-9717 → Bug #387647
OK: CVE-2015-2666
OK: CVE-2015-2922
OK: CVE-2015-3636
PENDING: CVE-2015-4167 → Bug #38764
OK: CVE-2015-4036 'vhost/scsi: potential memory corruption'
Comment 33 Janek Walkenhorst univentionstaff 2015-07-17 18:31:55 CEST
(In reply to Philipp Hahn from comment #32)
> OK: univention-install univention-kernel-image
> OK: amd64 KVM
> OK: i386 KVM
> OK: amd64 HW
> OK: uname -r # 3.16.0-ucs134-amd64
> FAIL: univention-install univention-kernel-header →
> linux-headers-3.16.0-ucs134-* → linux-compiler-gcc-4.6-x86 → gcc-4.6
Patched to use gcc-4.7:
 linux
Updated:
 univention-kernel-image
 univention-kernel-image-signed
 Advisories

Tests (UEFI): OK
Tests (KVM i386/amd64): OK
Comment 34 Philipp Hahn univentionstaff 2015-07-20 12:31:48 CEST
OK: r14975 r14976
OK: r62220 YAML
OK: uname -r 3.16.0-ucs135-amd64 3.16.0-ucs135-686-pae
OK: univention-install univention-kernel-image
OK: amd64@hw amd64@kvm i386@kvm
SKIPPED: @xen
OK: univention-install univention-kernel-headers
OK: zless /usr/share/doc/linux-image-3.16.0-ucs134-686-pae/changelog.Debian.gz

OK: 2015-06-24-linux.yaml
OK: 2015-06-24-univention-kernel-image.yaml
OK: 2015-06-24-univention-kernel-image-signed.yaml
OK: errata-announce -V 2015-06-24-*.yaml