Univention Bugzilla – Full Text Bug Listing |
Summary: | linux: Multiple security issues (4.1) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
Severity: | normal | ||
Priority: | P5 | CC: | damrose, gohmann, hahn, scheinig, stoeckigt, walkenhorst |
Version: | UCS 4.1 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 4.1-4-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/log/?h=linux-4.1.y | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42204 | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: | 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | ||
Bug Depends on: | 42727 | ||
Bug Blocks: | 42204 |
Description
Arvid Requate
2016-10-24 20:39:55 CEST
During build please check if CONFIG_X86_SYSFB needs to be changed to "n", see
* http://bugs.debian.org/822575
* https://bugzilla.novell.com/show_bug.cgi?id=855821
* http://lkml.iu.edu/hypermail/linux/kernel/1312.2/03055.html

Note: Current ucs207 Kernel (Errata 314) is *not* affected by this CVSS 7+ issue:
* mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero (CVE-2015-3288)

git log v4.1.34..v4.1.36 shows the following additional issues as fixed:
* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
  CVSSv3 base score 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets (CVE-2016-8633)
  CVSSv3 base score 6.8 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
* The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call (CVE-2016-9178)
  CVSSv3 base score 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Additionally this issue has been reported as fixed in sid:
* af_packet.c race condition (local root) (CVE-2016-8655)
  CVSSv3 base score 7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Debian: "Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"
  Patch: bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch

Yet another:
* The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632)
  CVSSv3 base score 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Sid Patch: bugfix/all/tipc-check-minimum-bearer-MTU.patch

The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.

r17003 | Bug #42754 UCS-4.1.4: linux-4.1.36 +

Package: linux
Version: 4.1.6-1.217.201612141323
Branch: ucs_4.1-0
Scope: errata4.1-4

r75291 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217

Package: univention-kernel-image-signed
Version: 2.0.0-9.24.201612141729
Branch: ucs_4.1-0
Scope: errata4.1-4

r75292 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217
r75293 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217

Package: univention-kernel-image
Version: 9.0.0-13.119.201612141800
Branch: ucs_4.1-0
Scope: errata4.1-4

r75295 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217 YAML
linux.yaml
univention-kernel-image-signed.yaml
univention-kernel-image.yaml

(In reply to Arvid Requate from comment #1)
> During build please check if CONFIG_X86_SYSFB needs to be changed to "n", see

$ diff `dmesg`
-simple-framebuffer simple-framebuffer.0: framebuffer at 0xfc000000, 0x160000 bytes, mapped to 0xffffc90000200000
-simple-framebuffer simple-framebuffer.0: format=r8g8b8, mode=800x600x24, linelength=2400
-Console: switching to colour frame buffer device 100x37
-simple-framebuffer simple-framebuffer.0: fb0: simplefb registered!
+efifb: probing for efifb
+efifb: framebuffer at 0xfc000000, mapped to 0xffffc90000200000, using 1408k, total 1408k
+efifb: mode is 800x600x24, linelength=2400, pages=1
+efifb: scrolling: redraw
+efifb: Truecolor: size=0:8:8:8, shift=0:16:8:0
+Console: switching to colour frame buffer device 100x37
+fb0: EFI VGA frame buffer device

r75454: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #42754)

*** Bug 43347 has been marked as a duplicate of this bug. ***

r17054 | Bug #42754: linux-4.1.37

Package: linux
Version: 4.1.6-1.218.201701181054
Branch: ucs_4.1-0
Scope: errata4.1-4

r75901 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218

Package: univention-kernel-image
Version: 9.0.0-14.120.201701181405
Branch: ucs_4.1-0
Scope: errata4.1-4

r75902 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218
r75903 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218

Package: univention-kernel-image-signed
Version: 2.0.0-11.25.201701181403
Branch: ucs_4.1-0
Scope: errata4.1-4

r75904 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218 YAML

FYI: Fixed megasas_raid issue Bug #42204
FYI: Packages were links to ucs_4.2-0

r17055 | Bug #42754: linux-4.1.38

Package: linux
Version: 4.1.6-1.219.201701191415
Branch: ucs_4.1-0
Scope: errata4.1-4

r17056 | Bug #42754: linux-4.1.38+CVE-2016-10147
r17057 | Bug #42754: linux-4.1.38+CVE-2017-2583
r17058 | Bug #42754: linux-4.1.38+CVE-2017-2584
r17059 | Bug #42754: linux-4.1.38+CVE-2017-2584

Package: linux
Version: 4.1.6-1.220.201701191504
Version: 4.1.6-1.221.201701191522
Branch: ucs_4.1-0
Scope: errata4.1-4

r75954 | Bug #42754: Update to linux-4.1.38-ucs221

Package: univention-kernel-image-signed
Version: 2.0.0-12.26.201701201022
Branch: ucs_4.1-0
Scope: errata4.1-4

r75952 | Bug #42754 kernel: Update to linux-4.1.38-ucs221

Package: univention-kernel-image
Version: 9.0.0-15.121.201701200827
Branch: ucs_4.1-0
Scope: errata4.1-4

r75955 | Bug #42754 UCS-4.1-4: Update to linux-4.1.38-ucs221 YAML
linux.yaml
univention-kernel-image-signed.yaml
univention-kernel-image.yaml

QA:
OK: xen1
OK: kvm64
OK: uefi64
OK: dmesg: simple-framebuffer -> efifb, USB devices reordered

Verified:
* Patches ok
* Update & reboot: i386, amd64, hardware
* meta-packages adjusted and rebuilt
* Advisories: ok
> OK: dmesg: simple-framebuffer -> efifb, USB devices reordered
* yes, CONFIG_X86_SYSFB and CONFIG_FB_SIMPLE have been disabled,
efifb (kvm) or vesafb (hardware) are selected instead.
* ok: order of PATA and SATA has changed (hardware)
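
The two checks discussed in the comments above (CONFIG_X86_SYSFB and CONFIG_FB_SIMPLE disabled in the kernel config, and Debian's note that CVE-2016-8655 is only reachable with kernel.unprivileged_userns_clone=1), as an added example that is not part of the bug report. The function names and the default config path /boot/config-$(uname -r) are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the bug report or the UCS build scripts.

# kconfig_state FILE OPTION: print y, m, n ("is not set") or absent.
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# sysfb_disabled FILE: succeed only if neither framebuffer option named in
# the verification comment is built in or built as a module.
sysfb_disabled() {
    for opt in CONFIG_X86_SYSFB CONFIG_FB_SIMPLE; do
        case $(kconfig_state "$1" "$opt") in
            y|m) return 1 ;;
        esac
    done
    return 0
}

# userns_clone_state [FILE]: print enabled, disabled or no-sysctl for the
# Debian-specific kernel.unprivileged_userns_clone switch. "no-sysctl" means
# the running kernel does not carry that Debian patch.
userns_clone_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || { echo no-sysctl; return; }
    case $(cat "$f") in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# report [CONFIG]: summary for the running kernel by default (assumed path).
report() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    echo "CONFIG_X86_SYSFB=$(kconfig_state "$cfg" CONFIG_X86_SYSFB)"
    echo "CONFIG_FB_SIMPLE=$(kconfig_state "$cfg" CONFIG_FB_SIMPLE)"
    echo "unprivileged_userns_clone=$(userns_clone_state)"
}
```

Source the file and call `report` on the updated host; `sysfb_disabled` can gate a build or QA step on its exit status.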
There is a regression in fs/posix_acl.c; needs <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31>

Package: linux
Version: 4.1.6-1.222.201701250821
Branch: ucs_4.1-0
Scope: errata4.1-4
...

(In reply to Philipp Hahn from comment #14)
> There is a regression in fs/posix_acl.c; needs
> <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31>
>
> Package: linux
> Version: 4.1.6-1.222.201701250821
> Branch: ucs_4.1-0
> Scope: errata4.1-4
> ...

OK, I'll re-open the bug.

r17065 | Bug #42754: linux-4.1.38
r76085 | Bug #42754: Update to linux-4.1.38-ucs222

Package: univention-kernel-image-signed
Version: 2.0.0-13.27.201701251447
Branch: ucs_4.1-0
Scope: errata4.1-4

Package: univention-kernel-image
Version: 9.0.0-16.122.201701251450
Branch: ucs_4.1-0
Scope: errata4.1-4

r76091 | Bug #42754: Update to linux-4.1.38-ucs222 YAML

QA:
OK: xen1
OK: amd64 kvm
OK: amd64 UEFI-SB

I have added the corresponding CVE-2017-5551 to the advisories. The new patch 7003-tmpfs-clear-S_ISGID-when-setting-posix-ACLs looks ok and has been applied at build time. Package update and reboot ok (amd64)

FYI: There seems to be another problem with KVM when this kernel is used as a guest kernel within qemu-v2.5.0-rc0~87^2~6: <http://marc.info/?t=148538832600001&r=1&w=2>. So "only" testers running a modern OS testing UCS will be affected (for now). Depending on the version of qemu we're going to use with UCS-4.2, we might get the problem then with users running old UCS releases. Fix it now or later with the next 4.1 kernel?

FYI: I haven't verified that the problem really exists, only read the mails.