Univention Bugzilla – Bug 39209
linux: Multiple security issues (3.2)
Last modified: 2016-05-20 15:01:31 CEST
After Bug 38008 has been released, these issues are still open in the 3.10 kernel in UCS 3.2:
* Denial of service in the dcache in the fs layer (CVE-2014-8559)
* Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
* Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
* Soft lockup in AIO (CVE-2014-8172)
* chown can be abused to remove xattr permissions of files (CVE-2015-1350)
* Race condition in file handle support (CVE-2015-1420)
* Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830)
* Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331)
* chown() was racy relative to execve() (CVE-2015-3339)
* DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
* Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
* USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
* It is possible to escape from bind mounts (CVE-2015-2925)
* SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212)
* drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036)
* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* kvm: x86: NULL pointer dereference in kvm_apic_has_events function (CVE-2015-4692)
* Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
* Potential privilege escalation due to an integer overflow in the SCSI generic driver, exploitable by a local user with write permission on a SCSI generic device (CVE-2015-5707)
* Information leak in the md driver (CVE-2015-5697)

DSA 3313-1 mentions these as fixed in 3.16.7-ckt11-1+deb8u3, introduced in 3.3, so they probably affect the 3.10 version too:
* Denial of service and possible privilege escalation by local unprivileged user due to incorrect handling of a NMI that interrupts userspace and encounters an IRET (CVE-2015-5157)
* Denial of service due to skipped NMIs triggered by a malicious userspace program (CVE-2015-3291)
This is also an open issue: Denial of service in KVM instruction emulation (CVE-2014-3647)

These issues have been fixed with Bug 38008:
> * Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830)
> * Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331)
> * chown() was racy relative to execve() (CVE-2015-3339)
These issues are fixed in v3.10.94:
* It is possible to escape from bind mounts (CVE-2015-2925)
* SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212)
* udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
* Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
* virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
* USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
* Creating multiple sockets when SCTP module isn't loaded leads to kernel panic (CVE-2015-5283)
* RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937)
* ipc: Initialize msg/shm IPC objects before doing ipc_addid() (CVE-2015-7613)
Created attachment 7422: ucs40-linux-debian-patches.txt

The Debian jessie kernel 3.16 package used in UCS 4.0 (Bug #38764) contains patches for additional issues (see attached list):
CVE-2013-4312 CVE-2013-7446 CVE-2015-1333 CVE-2015-3290 CVE-2015-4692 CVE-2015-5156 CVE-2015-5257 CVE-2015-5283 CVE-2015-5307 CVE-2015-5364 CVE-2015-5366 CVE-2015-5697 CVE-2015-5706 CVE-2015-5707 CVE-2015-6252 CVE-2015-6937 CVE-2015-7513 CVE-2015-7550 CVE-2015-7566 CVE-2015-7613 CVE-2015-7799 CVE-2015-7833 CVE-2015-7872 CVE-2015-7990 CVE-2015-8104 CVE-2015-8374 CVE-2015-8543 CVE-2015-8550 CVE-2015-8551 CVE-2015-8552 CVE-2015-8569 CVE-2015-8575 CVE-2015-8709 CVE-2015-8767 CVE-2016-0723 CVE-2016-0728
According to the git commit IDs, v3.10.96 fixes:
CVE-2013-4312 CVE-2013-7446 CVE-2015-7550 CVE-2015-7799 CVE-2015-7872 CVE-2015-8543 CVE-2015-8569 CVE-2015-8575 CVE-2016-0728
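The comparison above rests on cross-referencing upstream commit IDs: a Debian patch names the mainline commit it backports (in its `Origin:` header or a `commit <id> upstream.` line), and a stable ChangeLog records each backport with an `[ Upstream commit <id> ]` line. The following is an added example, not code from this bug or from Univention, that automates that check over constructed sample data; the CVE numbers and commit IDs in it are placeholders.

```python
import re

SHA = r"[0-9a-f]{40}"

def upstream_ids_from_patch(patch_text):
    """Upstream commit IDs a Debian patch names, taken from its 'Origin:'
    header URL or from a 'commit <id> upstream.' line in the body."""
    ids = set(re.findall(r"^Origin:.*?(" + SHA + ")", patch_text, re.M))
    ids |= set(re.findall(r"commit (" + SHA + r") upstream", patch_text))
    return ids

def upstream_ids_from_changelog(changelog_text):
    """Upstream commit IDs a stable ChangeLog records as backported
    (the '[ Upstream commit <id> ]' line in each backport's message)."""
    return set(re.findall(r"\[ Upstream commit (" + SHA + r") \]", changelog_text))

def classify(patches_by_cve, changelog_text):
    """Split CVEs into: fixed by the stable release, still to be patched,
    and patches with no upstream reference (these need a manual check)."""
    backported = upstream_ids_from_changelog(changelog_text)
    fixed, still_open, manual = [], [], []
    for cve, text in sorted(patches_by_cve.items()):
        ids = upstream_ids_from_patch(text)
        if not ids:
            manual.append(cve)
        elif ids <= backported:
            fixed.append(cve)
        else:
            still_open.append(cve)
    return fixed, still_open, manual

# Constructed sample data: placeholder CVE numbers and commit IDs, not real ones.
ID_A, ID_B, ID_C = "a" * 40, "b" * 40, "c" * 40
PATCHES = {
    "CVE-0000-0001": "From: Kernel Developer <dev@example.invalid>\n"
                     "Subject: fix use-after-free in a key lookup\n"
                     "Origin: https://git.kernel.org/linus/" + ID_A + "\n",
    "CVE-0000-0002": "Subject: net: validate a length field\n\n"
                     "commit " + ID_B + " upstream.\n",
    "CVE-0000-0003": "Subject: distribution-specific hardening, no upstream commit\n",
}
CHANGELOG = ("commit " + ID_C + "\n\n    fix use-after-free in a key lookup\n\n"
             "    [ Upstream commit " + ID_A + " ]\n")

if __name__ == "__main__":
    fixed, still_open, manual = classify(PATCHES, CHANGELOG)
    print("fixed in stable release:", fixed)
    print("still to backport:", still_open)
    print("check by hand:", manual)
```

Run against real input, `patches_by_cve` would map each CVE from the attached list to the text of its Debian patch file, and `changelog_text` would be the downloaded ChangeLog-3.10.96.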
I imported the git tag diffs from v3.10.87 up to and including v3.10.96 and applied them as debian/patches.
* Tested on KVM (i386 and amd64) and hardware (amd and intel)
* dmesg shows no significant diff between 3.10.0-ucs139 and 3.10.0-ucs168
* usb storage mount ok
* KVM virtualization of a windows 7 amd64 (virtio) ok
* Xen virtualization of a windows 7 amd64 (gplpv) ok
* ucs-test-samba4 ok

Advisories: linux.yaml and univention-kernel-image.yaml
Tests are OK so far, but the culprit of the UCS 4.1 kernel bug #40558 is also merged in this version:
unix: properly account for FDs passed over unix sockets
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=df87da0783c4492b944badfea9d5c3c56b834697
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.96

-> REOPEN
Ok, I could reproduce it with make test samba3.raw.composite, but only with the tests built from samba git (samba 4.5.0-pre...1), not with the samba-testsuite from ucs3.2-8. I adjusted the patches as done for Bug 40558, which includes reverting the patch for CVE-2013-4312.

Advisories: univention-kernel-image.yaml, linux.yaml
3.10.0-ucs175
OK - build with patches
OK - samba test, amd64/i386 KVM
OK - i386 kvm Hardware
  OK - win 8 installation
  OK - ucs 41 installation
OK - amd64 xen Hardware
  OK - win 10 installation
  OK - ucs 41 installation
OK - linux.yaml
OK - univention-kernel-image.yaml
<http://errata.software-univention.de/ucs/3.2/399.html>
<http://errata.software-univention.de/ucs/3.2/401.html>