Bug 42727

Summary: linux: Multiple security issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: major
Priority: P1
CC: best, gohmann, hahn, scheinig, stoeckigt, walkenhorst
Version: UCS 4.1
Target Milestone: UCS 4.1-3-errata
Hardware: Other
OS: Linux
URL: http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.1.y
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 42754

Description Arvid Requate univentionstaff 2016-10-21 12:26:29 CEST
There are a couple of new issues reported for the Linux Kernel:

* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)

* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)

* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)

* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
Comment 1 Arvid Requate univentionstaff 2016-10-21 12:53:57 CEST
Of those, http://dirtycow.ninja/ (CVE-2016-5195) currently has these metrics:

CVSSv3 base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv3 base score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

i.e. it's locally exploitable (AV:L)
Comment 2 Arvid Requate univentionstaff 2016-10-24 20:43:41 CEST
r16806 | Bug #42727: linux-4.1.34 for errata4.1-3
r16807 | Bug #42727: patch for CVE-2016-5195
Package: linux
Version: 4.1.6-1.207.201610241620
Branch: ucs_4.1-0
Scope: errata4.1-3

r73520 | Bug #42727: Update to linux-4.1.34 plus patch for CVE-2016-5195
Package: univention-kernel-image
Version: 9.0.0-12.113.201610242025
Branch: ucs_4.1-0
Scope: errata4.1-3

r73527 | Bug #42727: Update to linux-4.1.34-ucs207
r73530 | Bug #42727: Update dependency to ucs207
Package: univention-kernel-image-signed
Version: 2.0.0-10.23.201610242026
Branch: ucs_4.1-0
Scope: errata4.1-3

r73512, r73528, r73531 | YAML files

I've split off the remaining issues as Bug 42754.
Comment 3 Philipp Hahn univentionstaff 2016-10-25 17:32:11 CEST
OK: 4.1.0-ucs207-686-pae @ kvm
OK: 4.1.0-ucs207-amd64 @ kvm
OK: 4.1.0-ucs207-amd64 @ xen14
OK: diff dmesg
OK: /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
 70_CVE-2016-5195

NOT-TESTED: UEFI-SB
MISSING: Merge to UCS-4.1-4

OK: errata-announce -V --only linux.yaml
OK: errata-announce -V --only univention-kernel-image-signed.yaml
OK: errata-announce -V --only univention-kernel-image.yaml
OK: linux.yaml univention-kernel-image-signed.yaml univention-kernel-image.yaml
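The changelog check in the QA list above (reading the installed kernel's changelog.Debian.gz for the 70_CVE-2016-5195 patch entry) can be scripted so that it is repeatable on every machine that received the errata kernel. The following is an added example, not part of the bug report and not Univention's own tooling: the function names, the demo flag and the sample changelog text (including the maintainer line) are constructed for this illustration; only the changelog path and the patch name come from the report.

```sh
#!/bin/sh
# Added example (not from the bug report): verify that a kernel's Debian changelog
# lists a given patch name, mirroring the QA step
#   /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz  70_CVE-2016-5195
# Function names and the sample changelog are constructed for this example.

# changelog_lists_patch FILE PATTERN
#   exit 0 if the gzip'd changelog mentions PATTERN, 1 if not, 2 if unreadable
changelog_lists_patch() {
    changelog="$1"
    pattern="$2"
    [ -r "$changelog" ] || { echo "no readable changelog at $changelog" >&2; return 2; }
    zcat "$changelog" | grep -q -- "$pattern"
}

# check_running_kernel PATTERN
#   same check against the changelog of the kernel currently booted
check_running_kernel() {
    changelog_lists_patch "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz" "$1"
}

# make_sample_changelog
#   writes a constructed (not real) changelog.Debian.gz into a temp dir and prints its path,
#   so the check can be exercised offline without an installed UCS kernel
make_sample_changelog() {
    dir=$(mktemp -d)
    cat > "$dir/changelog.Debian" <<'EOF'
linux (4.1.6-1.207.201610241620) unstable; urgency=medium

  * Update to linux-4.1.34
  * Add patch 70_CVE-2016-5195

 -- Example Maintainer <maintainer@example.invalid>  Mon, 24 Oct 2016 16:20:00 +0200
EOF
    gzip "$dir/changelog.Debian"
    echo "$dir/changelog.Debian.gz"
}

# Demo: ./check.sh --demo     (uses the constructed changelog)
#       ./check.sh --running  (checks the booted kernel's changelog)
case "${1:-}" in
    --demo)
        f=$(make_sample_changelog)
        if changelog_lists_patch "$f" 70_CVE-2016-5195; then
            echo "OK: 70_CVE-2016-5195 listed in $f"
        else
            echo "MISSING: 70_CVE-2016-5195 not listed in $f"
        fi
        ;;
    --running)
        if check_running_kernel 70_CVE-2016-5195; then
            echo "OK: running kernel $(uname -r) lists 70_CVE-2016-5195"
        else
            echo "MISSING: running kernel $(uname -r) does not list 70_CVE-2016-5195"
        fi
        ;;
esac
```

The check deliberately reads the changelog of the *booted* kernel (`uname -r`), not the newest installed package: after an errata kernel is installed, the old kernel stays active until reboot, which is exactly the state in which a QA "OK" would be misleading.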
Comment 4 Arvid Requate univentionstaff 2016-10-25 18:29:18 CEST
> MISSING: Merge to UCS-4.1-4

Ok, merged in svn and copied the packages to the ucs4.1-4 apt repository.