Bug 42353 - linux: Multiple security issues (3.3)
Status: CLOSED DUPLICATE of bug 41693
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
Importance: P1 major
Target Milestone: UCS 3.3-0-errata
Assigned To: Philipp Hahn
Arvid Requate
https://packages.debian.org/source/je...
Depends on: 41693
Blocks:
Reported: 2016-09-12 10:30 CEST by Philipp Hahn
Modified: 2016-10-27 18:22 CEST (History)
CC: 3 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Philipp Hahn univentionstaff 2016-09-12 10:30:10 CEST
We should update UCS-3.3 to the latest 3.16[.36] (or later, e.g. .37 from <https://www.kernel.org/>) kernel, as <http://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_3.16.36-1+deb8u1_changelog> contains a lot more fixes than <http://metadata.ftp-master.debian.org/changelogs//main/l/linux/linux_3.16.7-ckt25-2+deb8u3~bpo70+1_changelog>

Currently there is no Debian-Wheezy backport, so we can take the version from Debian-Jessie, but must add the changes to support the old build-system:
>  * Rebuild for wheezy:
>    - Disable architectures that weren't part of wheezy
>    - Use gcc-4.6 for all architectures
>    - Change ABI number to 0.bpo.4
>    - [arm] btrfs: Work around bug in gcc-4.6 (fixes FTBFS)
>    - linux-image: Depend on initramfs-tools without any alternatives, so
>      that neither apt nor aptitude will automatically switch to dracut

+++ This bug was initially created as a clone of Bug #41693 +++
Comment 1 Arvid Requate univentionstaff 2016-10-21 12:30:21 CEST
Upstream Debian (Jessie) package version 3.16.36-1+deb8u2 fixes the following issues:

* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)

* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)

* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)

* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
Comment 2 Jens Thorp-Hansen univentionstaff 2016-10-26 12:52:17 CEST
requested here: Ticket#2016102621000346
Comment 3 Philipp Hahn univentionstaff 2016-10-26 18:03:02 CEST
Package: linux
Version: 3.16.38-0.1~bpo70+1.211.201610261422
Version: 3.16.38-0.1~bpo70+1.212.201610261445
Branch: ucs_3.3-0
Scope: errata3.3-0

r73665 | Bug #42353 kernel: Update to linux-3.16.38

Package: univention-kernel-image
Version: 7.100.0-9.115.201610261744
Branch: ucs_3.3-0
Scope: errata3.3-0

r73667 | Bug #42353 kernel: Update to linux-3.16.38 YAML
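To verify that hosts actually carry the errata build named above, here is an added example (not code from the bug report or from UCS) that reimplements dpkg's version ordering in Python and tests an inventory of installed `linux` package versions against it; the host names and installed versions are constructed sample data, and the ordering covers epoch, upstream and revision the way `dpkg --compare-versions` does.

```python
import string

def _order(c):
    # dpkg ordering: '~' sorts before even the end of the string, letters by
    # code point, other punctuation after the letters (digits handled below)
    return -1 if c == "~" else 0 if c in string.digits else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version component (upstream or revision) like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run ('.', '+', '~', letters): character by character
        while (i < len(a) and a[i] not in string.digits) or (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: numeric comparison, leading zeros ignored
        i, j = len(a) - len(a[i:].lstrip("0")), len(b) - len(b[j:].lstrip("0"))
        first_diff = 0
        while i < len(a) and j < len(b) and a[i] in string.digits and b[j] in string.digits:
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):  # 'epoch:upstream-revision'; the last '-' starts the revision
    head, sep, rest = v.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, head)
    upstream, sep, rev = rest.rpartition("-")
    return epoch, (upstream if sep else rev), (rev if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1, the verdict `dpkg --compare-versions` would give."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

FIXED_LINUX = "3.16.38-0.1~bpo70+1.212.201610261445"  # errata build from Comment 3

def unpatched(inventory):
    """Hosts whose installed 'linux' version is older than the errata build."""
    return sorted(h for h, v in inventory.items() if compare_versions(v, FIXED_LINUX) < 0)

SAMPLE = {"dc1": "3.16.7-ckt25-2+deb8u3~bpo70+1", "dc2": "3.16.38-0.1~bpo70+1.211.201610261422",
          "dc3": "3.16.38-0.1~bpo70+1.212.201610261445"}  # constructed host -> version sample, not real hosts
```

`unpatched(SAMPLE)` returns `['dc1', 'dc2']`: the old wheezy-backport kernel and the first errata build (.211) both sort below the .212 build, while the `~bpo70` suffix alone would sort below a plain `0.1` revision.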
Comment 4 Arvid Requate univentionstaff 2016-10-27 17:37:14 CEST
Ok, the 3.16.36-1+deb8u2~bpo70+1 Debian source package has been updated to the state of the kernel.org linux-stable branch linux-3.16.y tag v3.16.38 and the UCS and Debian patches have been merged into the source package, see Bug 41693 and:

* This UCS patch for 3.16.7-ckt25-2~bpo70+1:
  60_KVM-x86-bit-ops-emulation-ignores-offset-on-64-bit.patch
  is now part of 3.16.38-0.1+deb8u2~bpo70+1-errata3.3-0 applied as debian/patches:
  bugfix/x86/KVM-x86-bit-ops-emulation-ignores-offset-on-64-bit.patch

* Package update and reboot: Ok

* Advisory: Ok
  From my research there are a couple of additional CVEs fixed
  between 3.16.7-ckt25-2_bpo70+1 and 3.16.36-1+deb8u2_bpo70+1 and
  between v3.16.36..v3.16.38, e.g. CVE-2016-7117, but that's ok, I guess.
  The important thing is that we have an updated package.
Comment 5 Arvid Requate univentionstaff 2016-10-27 18:21:56 CEST
Damn, the Bug ID was missing in the advisory.
Marking it as duplicate of Bug 41693, so this can be detected via that Bug.

*** This bug has been marked as a duplicate of bug 41693 ***