Bug 42727 - linux: Multiple security issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P1 major
Target Milestone: UCS 4.1-3-errata
Assigned To: Arvid Requate
QA Contact: Philipp Hahn
URL: http://git.kernel.org/cgit/linux/kern...
Depends on:
Blocks: 42754
Reported: 2016-10-21 12:26 CEST by Arvid Requate
Modified: 2016-10-26 17:09 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2016-10-21 12:26:29 CEST
There are a couple of new issues reported for the Linux Kernel:

* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)

* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)

* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)

* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
Comment 1 Arvid Requate univentionstaff 2016-10-21 12:53:57 CEST
Of those, http://dirtycow.ninja/ (CVE-2016-5195) currently has these metrics:

CVSSv3 base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv3 base score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

i.e. it's locally exploitable (AV:L)
Comment 2 Arvid Requate univentionstaff 2016-10-24 20:43:41 CEST
r16806 | Bug #42727: linux-4.1.34 for errata4.1-3
r16807 | Bug #42727: patch for CVE-2016-5195
Package: linux
Version: 4.1.6-1.207.201610241620
Branch: ucs_4.1-0
Scope: errata4.1-3

r73520 | Bug #42727: Update to linux-4.1.34 plus patch for CVE-2016-5195
Package: univention-kernel-image
Version: 9.0.0-12.113.201610242025
Branch: ucs_4.1-0
Scope: errata4.1-3

r73527 | Bug #42727: Update to linux-4.1.34-ucs207
r73530 | Bug #42727: Update dependency to ucs207
Package: univention-kernel-image-signed
Version: 2.0.0-10.23.201610242026
Branch: ucs_4.1-0
Scope: errata4.1-3

r73512, r73528, r73531 | YAML files

I've split off the remaining issues as Bug 42754.
Comment 3 Philipp Hahn univentionstaff 2016-10-25 17:32:11 CEST
OK: 4.1.0-ucs207-686-pae @ kvm
OK: 4.1.0-ucs207-amd64 @ kvm
OK: 4.1.0-ucs207-amd64 @ xen14
OK: diff dmesg
OK: /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
 70_CVE-2016-5195

NOT-TESTED: UEFI-SB
MISSING: Merge to UCS-4.1-4

OK: errata-announce -V --only linux.yaml
OK: errata-announce -V --only univention-kernel-image-signed.yaml
OK: errata-announce -V --only univention-kernel-image.yaml
OK: linux.yaml univention-kernel-image-signed.yaml univention-kernel-image.yaml
Comment 4 Arvid Requate univentionstaff 2016-10-25 18:29:18 CEST
> MISSING: Merge to UCS-4.1-4

Ok, merged in svn and copied the packages to the ucs4.1-4 apt repository.