Univention Bugzilla – Bug 38764
linux: Multiple security issues (4.0)
Last modified: 2016-01-27 17:11:31 CET
After Bug #37385 the following security issues still need to be fixed:

Fixed in http://kernel.ubuntu.com/stable/ChangeLog-3.16.7-ckt13:
* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* Race condition in file handle support (CVE-2015-1420) [Now really]

These are currently still unfixed in the upstream kernel package:
* chown can be abused to remove xattr permissions of files (CVE-2015-1350)
* USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
• It is possible to escape from bind mounts (CVE-2015-2925)
• SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212)
• kvm: x86: NULL pointer dereference in kvm_apic_has_events function (CVE-2015-4692)
• Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
• Linux UDP checksum DoS (CVE-2015-5364)
• Linux UDP checksum DoS EGAIN part (CVE-2015-5366)
DSA 3313-1 mentions these as fixed in 3.16.7-ckt11-1+deb8u3:
* Denial of service and possible privilege escalation by local unprivileged user due to incorrect handling of a NMI that interrupts userspace and encounters an IRET (CVE-2015-5157)
* Privilege escalation by local unprivileged user due to improper handling of nested NMIs (CVE-2015-3290)
* Denial of service due to skipped NMIs triggered by a malicious userspace program (CVE-2015-3291)
Additional fixes in that Debian security update version:
* Denial of service due to a flaw in the add_key function of the Linux kernel's keyring subsystem causing memory exhaustion, exploitable by a local user (CVE-2015-1333)
* Potential privilege escalation due to a use-after-free vulnerability in path lookup, user triggerable (CVE-2015-5706)
* Potential privilege escalation due to an integer overflow in the SCSI generic driver, exploitable by a local user with write permission on a SCSI generic device (CVE-2015-5707)
* Information leak in the md driver (CVE-2015-5697)
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u4 fixes these issues:

CVE-2015-0272
It was discovered that NetworkManager would set IPv6 MTUs based on the values received in IPv6 RAs (Router Advertisements), without sufficiently validating these values. A remote attacker could exploit this attack to disable IPv6 connectivity. This has been mitigated by adding validation in the kernel.

CVE-2015-2925
Jann Horn discovered that when a subdirectory of a filesystem is bind-mounted into a container that has its own user and mount namespaces, a process with CAP_SYS_ADMIN capability in the user namespace can access files outside of the subdirectory. The default Debian configuration mitigated this as it does not allow unprivileged users to create new user namespaces.

CVE-2015-5156
Jason Wang discovered that when a virtio_net device is connected to a bridge in the same VM, a series of TCP packets forwarded through the bridge may cause a heap buffer overflow. A remote attacker could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2015-6252
Michael S. Tsirkin of Red Hat Engineering found that the vhost driver leaked file descriptors passed to it with the VHOST_SET_LOG_FD ioctl command. A privileged local user with access to the /dev/vhost-net file, either directly or via libvirt, could use this to cause a denial of service (hang or crash).

CVE-2015-6937
It was found that the Reliable Datagram Sockets (RDS) protocol implementation did not verify that an underlying transport exists when creating a connection. Depending on how a local RDS application initialised its sockets, a remote attacker might be able to cause a denial of service (crash) by sending a crafted packet.
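Added illustration of the validation the CVE-2015-0272 entry above refers to. This is example code written for this page, not the kernel's or NetworkManager's own code: it parses the option block of a Router Advertisement (RFC 4861 TLV layout), extracts the MTU option, and only honours the advertised value when it lies within assumed bounds (not below the IPv6 minimum link MTU of 1280 and not above the interface's own MTU). The bounds are an assumption about what the kernel-side check enforces, and the option bytes are constructed samples rather than captured traffic.

```python
"""Validating the MTU option of an IPv6 Router Advertisement before applying
it.  Example added to this bug page for CVE-2015-0272; not the kernel's or
NetworkManager's code.  The acceptance bounds are an assumption."""
import struct

IPV6_MIN_MTU = 1280   # smallest MTU an IPv6 link may have (RFC 8200)
ND_OPT_SLLA = 1       # source link-layer address option (RFC 4861 4.6.1)
ND_OPT_MTU = 5        # MTU option (RFC 4861 4.6.4)


def parse_nd_options(data: bytes):
    """Walk the TLV options that follow the 16-byte RA header.  Each option is
    type(1) length(1, in units of 8 octets) body; a zero length or an option
    running past the packet must cause the whole RA to be discarded."""
    opts = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        typ, length = data[off], data[off + 1]
        if length == 0:
            raise ValueError("zero-length option")
        size = length * 8
        if off + size > len(data):
            raise ValueError("option overruns packet")
        opts.append((typ, data[off + 2:off + size]))
        off += size
    return opts


def is_well_formed(options: bytes) -> bool:
    """True when the option block parses without violating RFC 4861 rules."""
    try:
        parse_nd_options(options)
        return True
    except ValueError:
        return False


def advertised_mtu(options: bytes):
    """Return the MTU carried in an RA's MTU option, or None if there is none."""
    for typ, body in parse_nd_options(options):
        if typ == ND_OPT_MTU:
            if len(body) != 6:                       # 2 reserved + 4 MTU octets
                raise ValueError("bad MTU option length")
            _reserved, mtu = struct.unpack("!HI", body)
            return mtu
    return None


def mtu_is_acceptable(mtu: int, dev_mtu: int) -> bool:
    """Assumed rule: an advertised MTU is only honoured when it is neither
    below the IPv6 minimum nor above the interface's own link MTU."""
    return IPV6_MIN_MTU <= mtu <= dev_mtu


def apply_ra(options: bytes, current_mtu: int, dev_mtu: int) -> int:
    """Return the MTU the host should use after this RA: the advertised value
    if it passes validation, otherwise the unchanged current value."""
    mtu = advertised_mtu(options)
    if mtu is None or not mtu_is_acceptable(mtu, dev_mtu):
        return current_mtu
    return mtu


# Constructed sample option blocks (not captured traffic): a source link-layer
# address option followed by an MTU option carrying 1400 or 64.
SLLA = bytes.fromhex("0101" "020000000001")
RA_OPTS_OK = SLLA + bytes.fromhex("0501" "0000" "00000578")   # MTU 1400
RA_OPTS_LOW = SLLA + bytes.fromhex("0501" "0000" "00000040")  # MTU 64

if __name__ == "__main__":
    for name, opts in (("ok", RA_OPTS_OK), ("low", RA_OPTS_LOW)):
        print(name, advertised_mtu(opts), "->", apply_ra(opts, 1500, 1500))
```

With a link MTU of 1500, the first sample lowers the path MTU to 1400 while the second leaves it untouched, which is the difference between a host that can be knocked off IPv6 by a single forged RA and one that ignores the bad value.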
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u5 fixes these issues:

CVE-2015-2925
Jann Horn discovered that when a subdirectory of a filesystem was bind-mounted into a chroot or mount namespace, a user that should be confined to that chroot or namespace could access the whole of that filesystem if they had write permission on an ancestor of the subdirectory. This is not a common configuration for wheezy, and the issue has previously been fixed for jessie.

CVE-2015-5257
Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB device could cause a denial of service (crash) by imitating a Whiteheat USB serial device but presenting a smaller number of endpoints.

CVE-2015-5283
Marcelo Ricardo Leitner discovered that creating multiple SCTP sockets at the same time could cause a denial of service (crash) if the sctp module had not previously been loaded. This issue only affects jessie.

CVE-2015-7613
Dmitry Vyukov discovered that System V IPC objects (message queues and shared memory segments) were made accessible before their ownership and other attributes were fully initialised. If a local user can race against another user or service creating a new IPC object, this may result in unauthorised information disclosure, unauthorised information modification, denial of service and/or privilege escalation. A similar issue existed with System V semaphore arrays, but was less severe because they were always cleared before being fully initialised.
Upstream Debian Kernel Version 3.16.7-ckt11-1+deb8u6 fixes these issues:

CVE-2015-5307
Ben Serebrin from Google discovered a guest to host denial of service flaw affecting the KVM hypervisor. A malicious guest can trigger an infinite stream of "alignment check" (#AC) exceptions causing the processor microcode to enter an infinite loop where the core never receives another interrupt. This leads to a panic of the host kernel.

CVE-2015-7833
Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a flaw in the processing of certain USB device descriptors in the usbvision driver. An attacker with physical access to the system can use this flaw to crash the system.

CVE-2015-7872
Dmitry Vyukov discovered a vulnerability in the keyrings garbage collector allowing a local user to trigger a kernel panic.

CVE-2015-7990
It was discovered that the fix for CVE-2015-6937 was incomplete. A race condition when sending a message on unbound socket can still cause a NULL pointer dereference. A remote attacker might be able to cause a denial of service (crash) by sending a crafted packet.
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u1 fixes these issues:

CVE-2013-7446
Dmitry Vyukov discovered that a particular sequence of valid operations on local (AF_UNIX) sockets can result in a use-after-free. This may be used to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2015-7799
It was discovered that a user granted access to /dev/ppp can cause a denial of service (crash) by passing invalid parameters to the PPPIOCSMAXCID ioctl. This also applies to ISDN PPP device nodes.

CVE-2015-7833
Sergej Schumilo, Hendrik Schwartke and Ralf Spenneberg discovered a flaw in the processing of certain USB device descriptors in the usbvision driver. An attacker with physical access to the system can use this flaw to crash the system. This was partly fixed by the changes listed in DSA 3396-1.

CVE-2015-8104
Jan Beulich reported a guest to host denial-of-service flaw affecting the KVM hypervisor running on AMD processors. A malicious guest can trigger an infinite stream of "debug" (#DB) exceptions causing the processor microcode to enter an infinite loop where the core never receives another interrupt. This leads to a panic of the host kernel.

CVE-2015-8374
It was discovered that Btrfs did not correctly implement truncation of compressed inline extents. This could lead to an information leak, if a file is truncated and later made readable by other users. Additionally, it could cause data loss. This has been fixed for the stable distribution (jessie) only.

CVE-2015-8543
It was discovered that a local user permitted to create raw sockets could cause a denial-of-service by specifying an invalid protocol number for the socket. The attacker must have the CAP_NET_RAW capability in their user namespace. This has been fixed for the stable distribution (jessie) only.
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u2 fixes these issues:

CVE-2015-7513
It was discovered that a local user permitted to use the x86 KVM subsystem could configure the PIT emulation to cause a denial of service (crash).

CVE-2015-7550
Dmitry Vyukov discovered a race condition in the keyring subsystem that allows a local user to cause a denial of service (crash).

CVE-2015-8543
It was discovered that a local user permitted to create raw sockets could cause a denial-of-service by specifying an invalid protocol number for the socket. The attacker must have the CAP_NET_RAW capability.

CVE-2015-8550
Felix Wilhelm of ERNW discovered that the Xen PV backend drivers may read critical data from shared memory multiple times. This flaw can be used by a guest kernel to cause a denial of service (crash) on the host, or possibly for privilege escalation.

CVE-2015-8551 / CVE-2015-8552
Konrad Rzeszutek Wilk of Oracle discovered that the Xen PCI backend driver does not adequately validate the device state when a guest configures MSIs. This flaw can be used by a guest kernel to cause a denial of service (crash or disk space exhaustion) on the host.

CVE-2015-8569
Dmitry Vyukov discovered a flaw in the PPTP sockets implementation that leads to an information leak to local users.

CVE-2015-8575
David Miller discovered a flaw in the Bluetooth SCO sockets implementation that leads to an information leak to local users.

CVE-2015-8709
Jann Horn discovered a flaw in the permission checks for use of the ptrace feature. A local user who has the CAP_SYS_PTRACE capability within their own user namespace could use this flaw for privilege escalation if a more privileged process ever enters that user namespace. This affects at least the LXC system.
Upstream Debian Kernel Version 3.16.7-ckt20-1+deb8u3 fixes these issues:

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial-of-service.

CVE-2013-4312
Tetsuo Handa discovered that it is possible for a process to open far more files than the process' limit leading to denial-of-service conditions.

CVE-2015-7566
Ralf Spenneberg of OpenSource Security reported that the visor driver crashes when a specially crafted USB device without bulk-out endpoint is detected.

CVE-2015-8767
An SCTP denial-of-service was discovered which can be triggered by a local attacker during a heartbeat timeout event after the 4-way handshake.

CVE-2016-0723
A use-after-free vulnerability was discovered in the TIOCGETD ioctl. A local attacker could use this flaw for denial-of-service.

CVE-2016-0728
The Perception Point research team discovered a use-after-free vulnerability in the keyring facility, possibly leading to local privilege escalation.
# repo_admin.py -U -p linux -d wheezy-backports -r 4.0-0-0 -s errata4.0-4
-> 3.16.7-ckt20-1+deb8u3
-> 3.16.7-ckt20-1+deb8u2~bpo70+1
   ^ wrong version → delayed for now.

# b40-scope errata4.0-4 linux
r15755 | Bug #38764: UCS-4.0 linux Update to 3.16.7-ckt20-1+deb8u2~bpo70+1 and refresh patches
r15756 | Bug #38764 linux: wheezy-backports Fix wrong import

Release is tagged in <https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=debian/3.16.7-ckt20-1%2bdeb8u3_bpo70%2b1&id=92064eed7ddc549e061695915f23cc29fca75fe7>, but not yet available from Debian <http://incoming.debian.org/debian-buildd/pool/main/l/linux/> nor <http://ftp.de.debian.org/debian/pool/main/l/linux/>
Stolen from <http://ftp.de.debian.org/debian/pool/main/l/linux/>

# repo_admin.py -F -p linux -r 4.0-0-0 -s errata4.0-4
Package: linux
Version: 3.16.7-ckt20-1+deb8u3~bpo70+1.165.201601221131
Branch: ucs_4.0-0
Scope: errata4.0-4
r66939 r66940
univention-kernel-image-signed (1.0.3-3)
  * Update to ucs165 (Bug #38764)
Package: univention-kernel-image
Version: 8.0.6-8.84.201601231355
Branch: ucs_4.0-0
Scope: errata4.0-4

r66944 | Bug #38764 linux: 3.16.7-ckt20-1+deb8u3~bpo70
linux.yaml
univention-kernel-image-signed.yaml
univention-kernel-image.yaml

OK: amd64 KVM
OK: i386 KVM
OK: amd64 xen14
FYI: Review for ckt23 started 2016-01-24 and is open for 3 days. <https://lkml.org/lkml/2016/1/24/169> <http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-review>
Verified:
* 3.16.7-ckt20-1+deb8u3~bpo70+1 has been imported into errata4.0-4
* errata4.0-2 patches have been merged and adjusted
* build log shows patch application and success
* univention-kernel-image: ABI and dependency updated to ucs165
* univention-kernel-image-signed: updated to ucs165
* Package-Update: Ok
* Boot-Tests: Ok on:
** KVM i386
** KVM amd64
** hardware amd64
** UEFI hardware amd64 (USB Keyboard)
* KVM-Test: Ok (hardware amd64)
* Advisories: Ok

I guess repo-apt-dependencies needs to be run before finally announcing the errata? I didn't see a notice about this in the Errata-Updates wiki page.

Note: These are currently still unfixed in the upstream kernel package:
* chown can be abused to remove xattr permissions of files (CVE-2015-1350)
* USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
<http://errata.software-univention.de/ucs/4.0/390.html>
<http://errata.software-univention.de/ucs/4.0/391.html>
<http://errata.software-univention.de/ucs/4.0/392.html>