Bug 40481 - linux: Multiple security issues (4.1)
linux: Multiple security issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P2 normal (vote)
: UCS 4.1-0-errata
Assigned To: Philipp Hahn
Arvid Requate
http://git.kernel.org/cgit/linux/kern...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-21 17:46 CET by Arvid Requate
Modified: 2016-10-05 12:46 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-01-21 17:46:08 CET
Upstream Linux Kernel 4.1.15 fixes a couple of security issues:

* Use-after-free vulnerability in net/unix/af_unix.c allows local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (CVE-2013-7446)

* virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)

* [x86] KVM: Intercept #AC to avoid guest->host denial-of-service (CVE-2015-5307)

* RDS: verify the underlying transport exists before creating a connection (CVE-2015-6937)

* RDS: fix race condition when sending a message on unbound socket (CVE-2015-7990)

* fs/btrfs/inode.c mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action (CVE-2015-8374)
Comment 1 Arvid Requate univentionstaff 2016-01-21 18:16:39 CET
Upcoming patches which could be backported from Debian sid:

* usb: serial: visor: fix crash on detecting device without write_urbs (CVE-2015-7566)

* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)

  https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid&id=18e70e2c53ad469c01d7b99a33a84b54abfb3fed


* unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
  https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid&id=f335c0cfcc1879a21f4acdad2c6860084bf271a2
  https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid&id=18b52b0baabd4729b293649cf49ad08323c9a069


* keyring ref leak in join_session_keyring() (CVE-2016-0728)
  https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid&id=e9490659aaedd81d48f783c9df4852e2d16ee8e4
Comment 2 Philipp Hahn univentionstaff 2016-01-25 22:48:34 CET
r15760 | Bug #40481: linux-4.1-16
 Dropped 70_undo_netlink-replace-rhash_portid-with-bound.patch as it is fixed upstream.
 CVE-2016-0728 is included in linux-4.1.16
Comment 3 Philipp Hahn univentionstaff 2016-01-26 14:58:06 CET
Package: linux
Version: 4.1.6-1.167.201601252247
Branch: ucs_4.1-0-errata4.1-0
Scope: errata4.1-0

r66969 | Bug #40481 kernel: Update to linux-4.1.16
r66968 | Bug #40481 kernel: Copyright 2016
r66967 | Bug #40481 kernel: Update to linux-4.1.16

Package: univention-kernel-image
Version: 9.0.0-6.85.201601261412
Branch: ucs_4.1-0
Scope: errata4.1-0

Package: univention-kernel-image-signed
Version: 2.0.0-4.13.201601261420
Branch: ucs_4.1-0
Scope: errata4.1-0

r66974 | Bug #40481 kernel: Update to linux-4.1.16 YAML
 linux.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml
Comment 4 Arvid Requate univentionstaff 2016-01-27 19:44:12 CET
Verified:

* Upstream patches 4.1.13, 4.1.14, 4.1.15, 4.1.16 have been merged below
  patches/linux/4.1-0-0-ucs/4.1.6-1-errata4.1-0

* 66_linux-4.1.13.patch contains a trivial additional patch to make patch-4.1.12-13 apply without adjustment

* The patches for CVE-2013-4312, CVE-2015-7566 and CVE-2016-0723 are Ok too

* errata4.1-0 build log shows patch application and success
* univention-kernel-image: ABI and dependency updated to ucs167
* univention-kernel-image-signed: updated to ucs167

* Package-Update: Ok
* Boot-Tests: Ok on:
** KVM i386
** KVM amd64
** UEFI hardware amd64 (USB Keyboard)
* Bug 40059 is not reproducible (dual core hardware amd64)
* KVM-Test: Ok (hardware amd64)
* Advisories: Ok (listed CVEs match patches)