Bug 40838 - linux: Multiple security issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal (vote)
: UCS 4.0-5-errata
Assigned To: Philipp Hahn
Janek Walkenhorst
https://anonscm.debian.org/cgit/kerne...
: 41048 (view as bug list)
Reported: 2016-03-04 10:10 CET by Arvid Requate
Modified: 2016-06-01 17:28 CEST (History)
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-03-04 10:10:13 CET
Upstream Debian Jessie Kernel package version 3.16.7-ckt20-1+deb8u4 fixes these issues:

* unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
* The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov. (CVE-2015-8785)
* Flaw in CXGB3 driver (CVE-2015-8812)
* USB hub invalid memory access in hub_activate() (CVE-2015-8816)
* aio write triggers integer overflow in some network protocols (CVE-2015-8830)
* x86 Linux TLB flush bug (CVE-2016-2069)
* Double-free in snd-usbmidi-lib triggered by invalid USB descriptor (CVE-2016-2384)
* ALSA: seq: Fix missing NULL check at remove_events ioctl (CVE-2016-2543)
* ALSA: seq: Fix race at timer setup and close (CVE-2016-2544)
* ALSA: timer: Fix double unlink of active_list (CVE-2016-2545)
* ALSA: timer: Fix race among timer ioctls (CVE-2016-2546)
* Bug 1311566 – CVE-2016-2547 kernel: sound: use-after-free in snd_timer_user_ioctl (CVE-2016-2547)
* Bug 1311568 – CVE-2016-2548 kernel: sound: linked lists of slave instances not unlinked immediately (CVE-2016-2548)
* ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549)
* unix: correctly track in-flight fds in sending process user_struct (CVE-2016-2550)
Comment 1 Arvid Requate univentionstaff 2016-04-14 20:52:49 CEST
Additional info from the changelog:

  * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312)
    [Original reference is incorrect; should be CVE-2016-2847.]

  * af_unix: Guard against other == sk in unix_dgram_sendmsg
    (regression in 3.16.7-ckt20-1+deb8u1)
  * Revert "workqueue: make sure delayed work run in local cpu"
    (regression in 3.16.7-ckt20)

  * unix: correctly track in-flight fds in sending process user_struct
    (regression in 3.16.7-ckt20-1+deb8u3) (CVE-2016-2550)

  * AIO: properly check iovec sizes
    [This was later designated CVE-2015-8830.]
Comment 2 Arvid Requate univentionstaff 2016-04-14 21:07:09 CEST
A new upstream Debian package version 3.16.7-ckt25-1 is available from jessie.
Comment 3 Philipp Hahn univentionstaff 2016-04-15 16:20:10 CEST
Stolen from <http://incoming.debian.org/debian-buildd/pool/main/l/linux/>
$ repo_admin.py -F -p linux -r 4.0 -s errata4.0-5
r16410 | linux-3.16.7-ckt25-2~bpo70+1 UCS-4.0-5
r16411 | repo_admin patch copy
r16412 | revert r16411

Package: linux
Version: 3.16.7-ckt25-2~bpo70+1.191.201604151111
Branch: ucs_4.0-0
Scope: errata4.0-5

OK: amd64 @ kvm
OK: i386 @ kvm
OK: dmesg
OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz

TODO: univention-kernel-image-signed
TODO: univention-kernel-image
TODO: .yaml
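
The changelog check listed in comment 3 can be made repeatable against the CVE list from the description. This is an added example, not part of the bug report or of Univention's tooling; the function names `missing_cves` and `sample_changelog` are assumptions, and the sample changelog is a constructed excerpt built from the entries quoted in comment 1.

```shell
#!/bin/sh
# Added example (not Univention tooling): list the CVE IDs that a Debian
# kernel changelog does not mention.

# missing_cves FILE CVE...
# Prints every CVE ID absent from FILE (plain or gzip), one per line.
# Returns 0 if all IDs are present, 1 if any is missing, 2 on read error.
missing_cves() {
    changelog=$1
    shift
    # gzip -cdf decompresses .gz input and copies plain text through unchanged.
    text=$(gzip -cdf -- "$changelog") || return 2
    rc=0
    for cve in "$@"; do
        # -F: literal match; -w: whole word, so a truncated ID such as
        # CVE-2016-255 does not match CVE-2016-2550.
        if ! printf '%s\n' "$text" | grep -qwF -- "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}

# sample_changelog: writes a constructed excerpt (the entries quoted in
# comment 1) to a temporary file and prints its path.
sample_changelog() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
  * pipe: limit the per-user amount of pages allocated in pipes (CVE-2013-4312)
    [Original reference is incorrect; should be CVE-2016-2847.]
  * unix: correctly track in-flight fds in sending process user_struct
    (regression in 3.16.7-ckt20-1+deb8u3) (CVE-2016-2550)
  * AIO: properly check iovec sizes
    [This was later designated CVE-2015-8830.]
EOF
    printf '%s\n' "$tmp"
}

# Demo on the constructed excerpt. On an installed system, pass
# "/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz" instead.
f=$(sample_changelog)
missing_cves "$f" CVE-2013-4312 CVE-2015-8785 CVE-2016-2550 CVE-2016-2543 \
    || echo "^ not mentioned in the sample changelog"
rm -f "$f"
```

A missing ID is a prompt to read the changelog entry, not proof the fix is absent: comment 1 shows a fix filed under a CVE number that was later corrected.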
Comment 4 Philipp Hahn univentionstaff 2016-04-15 16:21:40 CEST
*** Bug 41048 has been marked as a duplicate of this bug. ***
Comment 5 Philipp Hahn univentionstaff 2016-04-19 14:25:01 CEST
Fix file-system-corruption with KVM (Ticket#2016041221000419 <https://bugzilla.kernel.org/show_bug.cgi?id=102731> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818502>)

r16416 | Bug #40838,Bug #41051: linux file-system corruption

Package: linux
Version: 3.16.7-ckt25-2~bpo70+1.194.201604181018
Branch: ucs_4.0-0
Scope: errata4.0-5

r68751 | Bug #40838 kernel: Update to 3.16.7-ckt25-2~bpo70+1

Package: univention-kernel-image
Version: 8.0.6-10.100.201604190907
Branch: ucs_4.0-0
Scope: errata4.0-5

r68784 | Bug #40838 kernel: Update to 3.16.7-ckt25-2~bpo70+1

Package: univention-kernel-image-signed
Version: 1.0.3-4.16.201604191326
Branch: ucs_4.0-0
Scope: errata4.0-5

r68785 | Bug #40838 kernel: Update to 3.16.7-ckt25-2~bpo70+1 YAML
 linux.yaml
 univention-kernel-image-signed.yaml
 univention-kernel-image.yaml
Comment 6 Philipp Hahn univentionstaff 2016-04-27 08:49:53 CEST
(In reply to Philipp Hahn from comment #5)
> Fix file-system-corruption with KVM (Ticket#2016041221000419
> <https://bugzilla.kernel.org/show_bug.cgi?id=102731>
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818502>)

Ticket #2016041221000419 reported ucs191 works fine for him fixing that file system corruption bug on old KVM Intel CPUs.
Comment 7 Philipp Hahn univentionstaff 2016-05-13 16:02:53 CEST
(In reply to Philipp Hahn from comment #6)
> (In reply to Philipp Hahn from comment #5)
> > Fix file-system-corruption with KVM (Ticket#2016041221000419
> > <https://bugzilla.kernel.org/show_bug.cgi?id=102731>
> > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818502>)
> 
> Ticket #2016041221000419 reported ucs191 works fine for him fixing that file
> system corruption bug on old KVM Intel CPUs.

New feedback from same customer: Does *NOT* fix the problem. ext4 corruption after 19 days.
Comment 8 Arvid Requate univentionstaff 2016-05-19 19:40:47 CEST
There is a ckt27 upstream:
  http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y

* aiptek: crash on invalid USB device descriptors (CVE-2015-7515)
* aio write triggers integer overflow in some network protocols (CVE-2015-8830) commit 393d7444b291449373ff14138ec4cc5ab9042813
* Too big poison pointer space (CVE-2016-0821)
* Kernel panic on invalid USB device descriptor (snd_usb_audio driver) (CVE-2016-2184)
* Kernel panic on invalid USB device descriptor (ati_remote2 driver) (CVE-2016-2185)
* Kernel panic on invalid USB device descriptor (powermate driver) (CVE-2016-2186)
* Kernel panic on invalid USB device descriptor (iowarrior driver) (CVE-2016-2188)
* crash on invalid USB device descriptors (cdc_acm driver) (CVE-2016-3138)
* ipv4: Don't do expensive useless work during inetdev destroy (CVE-2016-3156)
* I/O port access privilege escalation in x86-64 Linux under Xen (CVE-2016-3157)
* usbnet: memory corruption triggered by invalid USB descriptor (CVE-2016-3951)
* Partial SMAP bypass on 64-bit Linux kernels (CVE-2016-partial-SMAP-bypass)


And there are some additional CVEs marked as pending for 3.16.7-ckt25-2+deb8u1:

* memory disclosure into ethernet frames due to incorrect driver handling of scatter/gather IO (CVE-2016-2117)
* s390/mm: page table corruption (CVE-2016-3134)
* netfilter IPT_SO_SET_REPLACE memory corruption (CVE-2016-3672)
* Unlimiting the stack disables ASLR on i386 (CVE-2016-3955)
* remote buffer overflow in usbip (CVE-2016-3961)
* XSA-174: hugetlbfs use may crash PV Linux guests (CVE-2016-3961)
Comment 10 Stefan Gohmann univentionstaff 2016-05-20 05:25:08 CEST
(In reply to Philipp Hahn from comment #4)
> *** Bug 41048 has been marked as a duplicate of this bug. ***

Next customer reported this issue with UCS 4.0: Ticket #2016051921000315
 BUG: soft lockup - CPU#1 stuck for 22s!
Comment 11 Philipp Hahn univentionstaff 2016-05-30 12:15:32 CEST
Another 22s stall on 'omar' using "btrfs" via "iscsi":
May 28 01:09:01 omar kernel: [2650799.444004] INFO: rcu_sched self-detected stall on CPU { 1}  (t=5250 jiffies g=103968863 c=103968862 q=9687)
May 28 01:09:01 omar kernel: [2650799.444004] sending NMI to all CPUs:
...
May 28 01:09:01 omar kernel: [2650799.444004] NMI backtrace for cpu 1
May 28 01:09:01 omar kernel: [2650799.444004] CPU: 1 PID: 16612 Comm: bacula-fd Not tainted 3.16.0-ucs193-amd64 #1 Debian 3.16.7-ckt25-2~bpo70+1~ucs3.3.193.201604181018
May 28 01:09:01 omar kernel: [2650799.444004] Hardware name: FUJITSU SIEMENS PRIMERGY RX200S2/D1790/M73IL, BIOS 6.0 Rev. R04A5F5.1790 01/16/2006
May 28 01:09:01 omar kernel: [2650799.444004] task: ffff8800c6bf6ce0 ti: ffff8800732cc000 task.ti: ffff8800732cc000
May 28 01:09:01 omar kernel: [2650799.444004] RIP: 0010:[<ffffffff812e4b99>]  [<ffffffff812e4b99>] __const_udelay+0x9/0x30
May 28 01:09:01 omar kernel: [2650799.444004] Call Trace:
May 28 01:09:01 omar kernel: [2650799.444004]  <IRQ> 
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff8104a40a>] ? arch_trigger_all_cpu_backtrace+0x10a/0x140
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810cdf59>] ? rcu_check_callbacks+0x3e9/0x630
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810d0f03>] ? update_wall_time+0x1f3/0x660
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810d9260>] ? tick_sched_do_timer+0x40/0x40
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff81079824>] ? update_process_times+0x44/0x80
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810d910c>] ? tick_sched_handle.isra.12+0x2c/0x70
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810d92aa>] ? tick_sched_timer+0x4a/0x80
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff81090ddb>] ? __run_hrtimer+0x6b/0x1b0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff810915d9>] ? hrtimer_interrupt+0xf9/0x230
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff8157555b>] ? smp_apic_timer_interrupt+0x3b/0x60
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff815735bd>] ? apic_timer_interrupt+0x6d/0x80
May 28 01:09:01 omar kernel: [2650799.444004]  <EOI> 
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811d36c7>] ? __d_lookup_rcu+0x87/0x150
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c5f3b>] ? __inode_permission+0x7b/0xd0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c6449>] ? link_path_walk+0x69/0x850
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c569e>] ? lookup_fast+0x3e/0x2c0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c6d68>] ? path_lookupat+0x138/0x740
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff814bda33>] ? tcp_sendmsg+0xd3/0xd20
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff812138f5>] ? posix_acl_xattr_get+0x45/0xb0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c73a4>] ? filename_lookup+0x34/0xd0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811c5cf1>] ? getname_flags.part.21+0x91/0x140
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811cb289>] ? user_path_at_empty+0x99/0x120
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811f7db4>] ? fsnotify+0x234/0x300
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811ba4cf>] ? do_sync_write+0x5f/0x90
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811bfc00>] ? vfs_fstatat+0x40/0x90
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811bfcc2>] ? SYSC_newlstat+0x12/0x30
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811bb33c>] ? vfs_write+0x16c/0x200
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff811bb80c>] ? SyS_write+0x7c/0xb0
May 28 01:09:01 omar kernel: [2650799.444004]  [<ffffffff8157264d>] ? system_call_fast_compare_end+0x10/0x15
May 28 01:09:01 omar kernel: [2650799.444004] Code: 00 00 0f 1f 44 00 00 48 83 ec 08 48 8b 05 58 49 5b 00 48 83 c4 08 ff e0 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 14 25 60 26 01 00 <48> 8d 0c 12 48 c1 e2 06 48 8d 04 bd 00 00 00 00 48 29 ca f7 e2 
...
May 28 01:09:54 omar kernel: [2650852.168004] BUG: soft lockup - CPU#1 stuck for 22s! [bacula-fd:16612]
May 28 01:09:54 omar kernel: [2650852.168004] Modules linked in: nfsv4 dns_resolver nfsv3 btrfs raid6_pq xor crc32c_generic ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi rpcsec_gss_krb5 nfsd nfs_acl auth_rpcgss nfs fscache lockd sunrpc quota_v2 quota_tree lpc_ich mfd_core psmouse tpm_tis tpm i2c_i801 rng_core serio_raw processor i2c_core e752x_edac evdev shpchp edac_core pcspkr thermal_sys ext4 jbd2 crc16 dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_mod sd_mod crc_t10dif crct10dif_common usb_storage sg sr_mod cdrom ata_generic floppy ehci_pci uhci_hcd ata_piix ehci_hcd mptspi mptscsih libata usbcore e1000 mptbase scsi_transport_spi button usb_common
May 28 01:09:54 omar kernel: [2650852.168004] CPU: 1 PID: 16612 Comm: bacula-fd Not tainted 3.16.0-ucs193-amd64 #1 Debian 3.16.7-ckt25-2~bpo70+1~ucs3.3.193.201604181018
May 28 01:09:54 omar kernel: [2650852.168004] Hardware name: FUJITSU SIEMENS PRIMERGY RX200S2/D1790/M73IL, BIOS 6.0 Rev. R04A5F5.1790 01/16/2006
May 28 01:09:54 omar kernel: [2650852.168004] task: ffff8800c6bf6ce0 ti: ffff8800732cc000 task.ti: ffff8800732cc000
May 28 01:09:54 omar kernel: [2650852.168004] RIP: 0010:[<ffffffff811d36b0>]  [<ffffffff811d36b0>] __d_lookup_rcu+0x70/0x150
May 28 01:09:54 omar kernel: [2650852.168004] Call Trace:
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811c6449>] ? link_path_walk+0x69/0x850
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811c569e>] ? lookup_fast+0x3e/0x2c0
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811c6d68>] ? path_lookupat+0x138/0x740
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff814bda33>] ? tcp_sendmsg+0xd3/0xd20
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff812138f5>] ? posix_acl_xattr_get+0x45/0xb0
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811c73a4>] ? filename_lookup+0x34/0xd0
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811c5cf1>] ? getname_flags.part.21+0x91/0x140
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811cb289>] ? user_path_at_empty+0x99/0x120
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811f7db4>] ? fsnotify+0x234/0x300
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811ba4cf>] ? do_sync_write+0x5f/0x90
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811bfc00>] ? vfs_fstatat+0x40/0x90
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811bfcc2>] ? SYSC_newlstat+0x12/0x30
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811bb33c>] ? vfs_write+0x16c/0x200
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff811bb80c>] ? SyS_write+0x7c/0xb0
May 28 01:09:54 omar kernel: [2650852.168004]  [<ffffffff8157264d>] ? system_call_fast_compare_end+0x10/0x15
May 28 01:09:54 omar kernel: [2650852.168004] Code: d3 e8 48 8d 04 c2 48 8b 18 48 83 e3 fe 0f 84 a8 00 00 00 4d 89 e9 49 c7 c2 ff ff ff ff 49 c1 e9 20 eb 14 0f 1f 84 00 00 00 00 00 <48> 8b 1b 48 85 db 0f 84 84 00 00 00 4c 8d 63 f8 8b 43 fc 48 39 

# uname -r
3.16.0-ucs193-amd64
Comment 12 Philipp Hahn univentionstaff 2016-05-31 13:21:49 CEST
Package: linux
Version: 3.16.7-ckt25-2~bpo70+1.195.201605301151
Branch: ucs_4.0-0
Scope: errata4.0-5

r69631 | Bug #40838: Update to 3.16.7-ckt25-2~bpo70+1 + ckt27

Package: univention-kernel-image
Version: 8.0.6-11.102.201605311013
Branch: ucs_4.0-0
Scope: errata4.0-5

r69636 | Bug #40838: Update to 3.16.7-ckt25-2~bpo70+1 + ckt27

Package: univention-kernel-image-signed
Version: 1.0.3-5.19.201605311147
Branch: ucs_4.0-0
Scope: errata4.0-5

(In reply to Arvid Requate from comment #8)
> There is a ckt27 upstream:
>   http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y
> 
> * aiptek: crash on invalid USB device descriptors (CVE-2015-7515)
> * aio write triggers integer overflow in some network protocols
> (CVE-2015-8830) commit 393d7444b291449373ff14138ec4cc5ab9042813
> * Too big poison pointer space (CVE-2016-0821)
> * Kernel panic on invalid USB device descriptor (snd_usb_audio driver)
> (CVE-2016-2184)
> * Kernel panic on invalid USB device descriptor (ati_remote2 driver)
> (CVE-2016-2185)
> * Kernel panic on invalid USB device descriptor (powermate driver)
> (CVE-2016-2186)
> * Kernel panic on invalid USB device descriptor (iowarrior driver)
> (CVE-2016-2188)
> * crash on invalid USB device descriptors (cdc_acm driver) (CVE-2016-3138)
> * ipv4: Don't do expensive useless work during inetdev destroy
> (CVE-2016-3156)
> * I/O port access privilege escalation in x86-64 Linux under Xen
> (CVE-2016-3157)
> * usbnet: memory corruption triggered by invalid USB descriptor
> (CVE-2016-3951)
> * Partial SMAP bypass on 64-bit Linux kernels (CVE-2016-partial-SMAP-bypass)

ckt27 has been merged into our UCS tree.

> And there are some additional CVEs marked as pending for
> 3.16.7-ckt25-2+deb8u1:
> 
> * memory disclosure into ethernet frames due to incorrect driver handling of
> scatter/gather IO (CVE-2016-2117)
> * s390/mm: page table corruption (CVE-2016-3134)
> * netfilter IPT_SO_SET_REPLACE memory corruption (CVE-2016-3672)
> * Unlimiting the stack disables ASLR on i386 (CVE-2016-3955)
> * remote buffer overflow in usbip (CVE-2016-3961)
> * XSA-174: hugetlbfs use may crash PV Linux guests (CVE-2016-3961)

They haven't been fixed in our UCS package yet.
Ben has already merged ckt27 into his tree and named it 3.16.35: <https://anonscm.debian.org/git/kernel/linux.git/log/?h=jessie>
That tree does not build for Wheezy and required additional patches for python compatibility.
We will delay those CVEs until 3.16.35 is officially released (and hopefully a wheezy-backport is done).

We will have to prepare another 3.16 kernel anyway for UCS-3.3 and those xattr-issues need to be sorted out.
Comment 13 Janek Walkenhorst univentionstaff 2016-06-01 13:37:13 CEST
Advisories: OK
Tests: OK
 KVM: OK
  i386: OK
  amd64: OK
 UEFI: OK
  amd64: OK
   SecureBoot: OK
   insecure mode: OK