Univention Bugzilla – Bug 41058
linux: Multiple security issues (4.1)
Last modified: 2016-10-12 13:06:44 CEST
Linux 4.1.21 fixes several issues. We are currently at 4.1.16 (Bug #40481). One of them is:
* It was discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not correctly compute branch offsets for backward jumps after ctx expansion. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-2383)
Linux 4.1.24 fixes several issues with respect to 4.1.21:
* CVE-2015-7513
* CVE-2015-7833
* CVE-2015-8539
* CVE-2015-8660
* CVE-2015-8785
* CVE-2015-8812
* CVE-2016-0821
* CVE-2016-2184
* CVE-2016-2185
* CVE-2016-2186
* CVE-2016-2187
* CVE-2016-2188
* CVE-2016-3136
* CVE-2016-3137
* CVE-2016-3138
* CVE-2016-3140
* CVE-2016-3157
* CVE-2016-3689
* CVE-2016-3961 / XSA-174
* CVE-2016-partial-SMAP-bypass
Linux 4.1.30 fixes several issues with respect to 4.1.24:
* CVE-2016-5400
* CVE-2016-4998
* CVE-2016-4997
* CVE-2016-4998
* CVE-2016-4997
* CVE-2016-4998
* CVE-2016-4998
* CVE-2016-3134
* CVE-2016-3134
* CVE-2016-4951
* CVE-2013-4312
* CVE-2016-4580
* CVE-2016-4486
* CVE-2016-4485
* CVE-2016-4557
* CVE-2016-2117
* CVE-2016-3955
* CVE-2016-4805
* CVE-2016-3156
* CVE-2016-3951
* CVE-2016-5828
* CVE-2016-5829
* CVE-2016-4470
* CVE-2016-4794
* CVE-2016-4794
* CVE-2016-1583
* CVE-2016-1583
* CVE-2016-4913
* CVE-2016-4581
* CVE-2016-4565

No fix for CVE-2016-5696 yet, maybe we can backport https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758 . Debian does this for their kernel versions (tcp-make-challenge-acks-less-predictable.patch).
New issues, currently only fixed in Debian sid (currently at Kernel 4.7):
* Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability. (CVE-2016-6136)
* Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. (CVE-2016-6480)
* Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a "double fetch" vulnerability. (CVE-2016-6516)
* Linux tcp_xmit_retransmit_queue use after free (CVE-2016-6828)
CVE-2016-6136: ChangeLog-4.1.31
CVE-2016-6480: ChangeLog-4.1.32
CVE-2016-6516: not vulnerable - introduced v4.5-rc1~135^2~1
CVE-2016-6828: bb1fceca22492109be12640d49f5ea5a544c6bb4

Also fixes not yet mentioned CVEs:
CVE-2015-7566: v4.1.18~87
CVE-2016-0723: v4.1.18~72
CVE-2016-2384: v4.1.19~52
CVE-2016-2550: v4.1.19~20
CVE-2016-2782: v4.1.18~88

repo_admin.py --cherrypick -r 4.1 -s errata4.1-1 --releasedest 4.1 --dest errata4.1-3 -p linux --ignore-patches

r16771 | Bug #41058: linux-4.1.33 errata4.1-3' 4.1.6-1-errata4.1-3
r16772 | Bug #41058: linux-4.1.33 errata4.1-3' 4.1.6-1-errata4.1-3
r16773 | Bug #41058: linux-4.1.33 errata4.1-3' 4.1.6-1-errata4.1-3

    (set -e
    # unpack the Debian source package without applying its quilt series
    dpkg-source --skip-patches -x linux_4.1.6-1.dsc
    cd linux-4.1.6
    for p in ~/src/patches/linux/4.1-0-0-ucs/4.1.6-1-errata4.1-3/*
    do
      d=debian/patches
      case "$p" in
      # *.patch files are applied directly to the tree
      *.patch) patch -p1 -i "$p" ;;
      # *.quilt files are linked into debian/patches and appended to the series
      *.quilt) ln -nf "$p" "$d/" && echo "${p##*/}" >>"$d/series"
      esac
    done
    # apply the whole series; any fuzz is treated as an error
    quilt push --fuzz=0 -a)

Package: linux
Version: 4.1.6-1.204.201610070847
Version: 4.1.6-1.205.201610070933
Branch: ucs_4.1-0
Scope: errata4.1-3

r73000 | Bug #41058: Update to linux-4.1.33-ucs205

Package: univention-kernel-image-signed
Version: 2.0.0-8.20.201610071354
Branch: ucs_4.1-0
Scope: errata4.1-3

r72999 | Bug #41058: Update to linux-4.1.33 errata4.1-3

Package: univention-kernel-image
Version: 9.0.0-11.108.201610071354
Branch: ucs_4.1-0
Scope: errata4.1-3

QA:
    uname -r  # 4.1.0-ucs205-amd64
    zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
    diff dmesg
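The CVE-to-changelog mapping above (CVE-2016-6136 in ChangeLog-4.1.31, CVE-2016-6480 in ChangeLog-4.1.32) was produced by hand. As an added example, not from this bug report or from Univention's tooling, here is a small POSIX shell helper that does the same triage for a whole errata list: it deduplicates the CVE IDs (lists like the one for 4.1.30 above repeat entries) and reports, per CVE, which stable ChangeLog file first mentions it or that it is still open. The ChangeLog excerpts and the function names (cve_status, dedupe_cves, report) are constructed for this example; real ChangeLog-4.1.x files come from kernel.org.

```shell
#!/bin/sh
# Added example: check an errata CVE list against stable-kernel ChangeLog files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample changelogs (not real kernel changelog text).
cat >"$WORK/ChangeLog-4.1.31" <<'EOF'
    audit: fix a double fetch in audit_log_single_execve_arg()
    CVE-2016-6136
EOF
cat >"$WORK/ChangeLog-4.1.32" <<'EOF'
    aacraid: check size values after double fetch from user space
    CVE-2016-6480
EOF

# cve_status CVE-ID DIR: prints "fixed <changelog file>" or "open".
# -F: fixed string, -w: whole word, so CVE-2016-6136 does not match CVE-2016-61360.
cve_status() {
  cve=$1; dir=$2
  hit=$(grep -lFw "$cve" "$dir"/ChangeLog-* 2>/dev/null | head -n1 || true)
  if [ -n "$hit" ]; then
    printf 'fixed %s\n' "${hit##*/}"
  else
    printf 'open\n'
  fi
}

# dedupe_cves: read whitespace-separated CVE IDs from stdin, drop anything that
# is not a CVE ID, and print each ID once, ordered by year and number.
dedupe_cves() {
  tr -s ' \t' '\n\n' | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -t- -k2,2n -k3,3n -u
}

# report DIR CVE...: one "CVE-ID: status" line per unique CVE.
report() {
  dir=$1; shift
  printf '%s\n' "$@" | dedupe_cves | while read -r cve; do
    printf '%s: %s\n' "$cve" "$(cve_status "$cve" "$dir")"
  done
}

# Usage: the duplicate CVE-2016-6136 is collapsed; CVE-2016-6516 stays "open".
report "$WORK" CVE-2016-6136 CVE-2016-6480 CVE-2016-6516 CVE-2016-6136
```

A changelog mention only says that upstream stable carries a fix; for a distribution kernel with its own patch series the result still has to be confirmed against the applied commits (as the comment above does with commit bb1fceca22492109be12640d49f5ea5a544c6bb4 for CVE-2016-6828), and an "open" result may also mean the affected code was never in that release, as for CVE-2016-6516 here.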
r73005 | Bug #41058: Update to linux-4.1.33-ucs205

YAML:
linux.yaml
univention-kernel-image-signed.yaml
univention-kernel-image.yaml
Created attachment 8079: v4.1.16..v4.1.33.log

The attached file contains the accumulated changelog.

Verified:
* All existing patches converted and applied
* All new patches from 4.1.16 to 4.1.33 applied
* 61_linux-4.1.19.quilt and 61_linux-4.1.26.quilt have minor context adjustment
* Patches applied during build
* Installation (update) on i386 (i386) and amd64 (hardware): Ok
* Advisory: Ok

The *.quilt patches are not mentioned yet in the changelog, but this is just a minor thing; it's fixed for the future via Bug 42238 Comment 2.

It may be helpful for future updates to explain changes, either by adding the CVE to new cherry-picked patches or in the commit message:
* 72_tcp-fix-use-after-free-in-tcp_xmit_retransmit_queue.quilt corresponds to CVE-2016-6828
* 58_revert-patches.patch reverts four debian/patches that used to be reverted in errata4.1-1 already via 60_linux-4.1.7.patch, 64_linux-4.1.11.patch, 66_linux-4.1.13.patch
* 4.1.6-1-errata4.1-1/72_fix-crypto-strip.patch (cherry-picked for Bug 41054) is part of 4.1.6-1-errata4.1-3/61_linux-4.1.18.quilt
* 71_revert-net-unix.patch (introduced for Bug 40558): reverting 5c77e26862ce has been replaced by commit 73fd505d3432, which is part of 61_linux-4.1.19.quilt

Since the output of the Jenkins job autotest-091-master-smbtorture.cfg doesn't look very convincing currently, I've run the torture test for Bug 40558 manually on hardware (amd64) and in a dual-core VM (i386):

    git clone samba [...]; ./configure.developer; \
    TDB_NO_FSYNC=1 make -j test FAIL_IMMEDIATELY=1 \
    SOCKET_WRAPPER_KEEP_PCAP=1 TESTS="samba3.raw.composite"

The test was successful.
<http://errata.software-univention.de/ucs/4.1/286.html>
<http://errata.software-univention.de/ucs/4.1/287.html>
<http://errata.software-univention.de/ucs/4.1/288.html>