Bug 41314 - linux: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Platform: Other Linux
Importance: P1 major
Target Milestone: UCS 3.2-8-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: http://git.kernel.org/cgit/linux/kern...
Depends on: 39209
Reported: 2016-05-20 15:01 CEST by Arvid Requate
Modified: 2016-10-26 17:34 CEST
What kind of report is it?: Security Issue
Bug group (optional): Security
Flags: requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-05-20 15:01:31 CEST
Upstream v3.10.101 fixes several issues with respect to v3.10.96 (Bug #39209):

CVE-2015-7566
CVE-2015-7990
CVE-2015-8785
CVE-2015-8812
CVE-2016-0723
CVE-2016-2384
CVE-2016-2550
CVE-2016-2782
CVE-2016-partial-SMAP-bypass

I identified these from the git commit IDs.
Comment 1 Arvid Requate univentionstaff 2016-08-15 17:47:08 CEST
Upstream v3.10.102 fixes several issues with respect to v3.10.101

CVE-2016-4580: 79e48650320e6fba48369fccf13fd045315b19b8
CVE-2016-4486: 5f8e44741f9f216e33736ea4ec65ca9ac03036e6
CVE-2016-4485: b8670c09f37bdf2847cc44f36511a53afc6161fd
CVE-2016-2117: f43bfaeddc79effbf3d0fcb53ca477cca66f3db8
CVE-2016-4913: 99d825822eade8d827a1817357cbf3f889a552d6
CVE-2016-0821: 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf
CVE-2016-3955: b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb
CVE-2016-2187: 162f98dea487206d9ab79fc12ed64700667a894d
CVE-2015-7833: fa52bd506f274b7619955917abfde355e3d19ffe
CVE-2016-4805: 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89
CVE-2016-3951: 1666984c8625b3db19a9abc298931d35ab7bc64b
CVE-2016-2185: 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d
CVE-2016-3689: a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff
CVE-2016-2186: 9c6ba456711687b794dcf285856fc14e2c76074f
CVE-2016-3137: c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754
CVE-2016-3140: 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f
CVE-2016-3136: 4e9a0b05257f29cf4b75f3209243ed71614d062e
CVE-2016-2188: 4ec0ef3a82125efc36173062a50624550a900ae0
CVE-2016-3138: 8835ba4a39cf53f705417b3b3a94eb067673f2c9
CVE-2016-3157: b7a584598aea7ca73140cb87b40319944dd3393f

I identified these from the git commit IDs above.
Comment 2 Arvid Requate univentionstaff 2016-08-15 17:51:48 CEST
I guess we should also pick up the forthcoming yet unreleased tcp-make-challenge-acks-less-predictable.patch from https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=wheezy-security&id=f383788fb866fc61daf26836bccd92ebf7a6f02f (the patch applies cleanly). While it may not be that critical, and there is a workaround via sysctl.conf, it enjoys a certain publicity currently and customers will inquire.
Comment 3 Arvid Requate univentionstaff 2016-08-29 12:07:56 CEST
New issues, currently only fixed in Debian sid (currently at Kernel 4.7):

* Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability. (CVE-2016-6136)
* Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. (CVE-2016-6480)

* Linux tcp_xmit_retransmit_queue use after free (CVE-2016-6828)
Comment 4 Philipp Hahn univentionstaff 2016-10-04 17:30:42 CEST
CVE-2016-6136: 43761473c254b45883a64441dd0bc85a42f3645c
CVE-2016-6480: fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3
CVE-2016-6828: bb1fceca22492109be12640d49f5ea5a544c6bb4
bd131fb1aa5e4cd879f89aef30f4f7cde6d4b409 audit: Kill the unused struct audit_aux_data_capset
9462dc59817580419ef1f2504e32f861c290f251 audit: remove unused envc member of audit_aux_data_execve
d9cfea91e97d5d19f9d69beaa844f5fe56a6adc6 audit: move audit_aux_data_execve contents into audit_context union
9410d228a4cf434305306746bb799fb7acdd8648 audit: call audit_bprm() only once to add AUDIT_EXECVE information
b7550787fe8b5beffb5f56fa11a87712d699d085 audit: remove stray newline from audit_log_execve_info() audit_panic() call
a49b282f08d96cd73838e4e1a5ace747d432ba7d audit: Fix check of return value of strnlen_user()
a4664afa0dffd5340c61511d3da14e30bfd01517 Fix broken audit tests for exec arg len
634a3fc5f16470e9b78ccd7ce643305122d5ebb2 audit: fix a double fetch in audit_log_single_execve_arg()

r16767
Comment 5 Philipp Hahn univentionstaff 2016-10-06 15:34:42 CEST
r16768

Package: linux
Version: 3.10.103-1.203.201610051715
Branch: ucs_3.2-0
Scope: errata3.2-8

r72952 | Bug #41314: Copyright 2016
r72951 | Bug #41314: Update to linux-3.10.103

Package: univention-kernel-image
Version: 7.0.0-24.107.201610060920
Branch: ucs_3.2-0
Scope: errata3.2-8

r72960 | Bug #41314: linux-3.10.103 YAML
linux.yaml
univention-kernel-image.yaml

QA: uname -r # 3.10.0-ucs203-686-pae
QA: uname -r # 3.10.0-ucs203-amd64
QA: diff dmesg
QA: zless /usr/share/doc/linux-image-3.10.0-ucs203-686-pae/changelog.Debian.gz
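The QA steps listed above (checking `uname -r` against the expected errata release and reading the package changelog) can be scripted. The following is an added shell example, not part of the ticket or of the UCS build tooling: the release strings and CVE ids are taken from this ticket, the changelog excerpt embedded in the script is constructed sample data standing in for `changelog.Debian.gz`, and the changelog path assumes the `/usr/share/doc/linux-image-<release>/` layout shown in the `zless` command.

```shell
#!/bin/sh
# Added QA helper for kernel errata verification (example, not from the ticket).
# 1. confirms the running kernel release is one of the expected errata builds
# 2. confirms the package changelog mentions every CVE the erratum is meant to fix

# Expected release strings from Comment 5 of the ticket.
EXPECTED_RELEASES="3.10.0-ucs203-686-pae 3.10.0-ucs203-amd64"

# CVE ids this erratum should cover (subset listed in Comments 3 and 4 of the ticket).
ERRATUM_CVES="CVE-2016-6136 CVE-2016-6480 CVE-2016-6828"

# check_kernel_release RELEASE: returns 0 if RELEASE is an expected errata build.
check_kernel_release() {
    rel="$1"
    for exp in $EXPECTED_RELEASES; do
        [ "$rel" = "$exp" ] && return 0
    done
    return 1
}

# missing_cves CHANGELOG_TEXT "CVE-a CVE-b ...": prints, one per line, every
# CVE id that does not occur in CHANGELOG_TEXT; prints nothing if all are present.
missing_cves() {
    changelog="$1"
    for cve in $2; do
        printf '%s\n' "$changelog" | grep -q -- "$cve" || printf '%s\n' "$cve"
    done
}

# Constructed changelog excerpt (sample data, NOT the real changelog.Debian.gz).
SAMPLE_CHANGELOG='linux (3.10.103-1.203.201610051715) ucs_3.2-0; urgency=low

  * Update to linux-3.10.103
  * Fixes CVE-2016-6136, CVE-2016-6480, CVE-2016-6828

 -- Example Builder <builder@example.invalid>  Wed, 05 Oct 2016 17:15:00 +0200'

# run_qa: runs both checks; uses the real changelog when installed, else the sample.
run_qa() {
    rel="$(uname -r 2>/dev/null || echo unknown)"
    if check_kernel_release "$rel"; then
        echo "kernel release OK: $rel"
    else
        echo "kernel release NOT an expected errata build: $rel"
    fi

    changelog_gz="/usr/share/doc/linux-image-$rel/changelog.Debian.gz"
    if [ -r "$changelog_gz" ]; then
        changelog="$(zcat "$changelog_gz")"
        echo "using installed changelog: $changelog_gz"
    else
        changelog="$SAMPLE_CHANGELOG"
        echo "installed changelog not found, using constructed sample"
    fi

    missing="$(missing_cves "$changelog" "$ERRATUM_CVES")"
    if [ -z "$missing" ]; then
        echo "changelog mentions all erratum CVEs"
    else
        echo "changelog is MISSING:"
        printf '%s\n' "$missing"
    fi
}

run_qa
```

On a host that is not the errata build the release check simply reports the mismatch; the script is informational and never changes anything on the system.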
Comment 6 Arvid Requate univentionstaff 2016-10-21 12:42:38 CEST
There are a couple of new issues reported for the Linux Kernel:

* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)

* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)

* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)

* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)


Of those, upstream v3.10.104 fixes only http://dirtycow.ninja/ (CVE-2016-5195):

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
    
    commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream

We should pick that up with this erratum.
Comment 7 Philipp Hahn univentionstaff 2016-10-25 16:30:19 CEST
Package: linux
Version: 3.10.104-0.1.208.201610250906
Version: 3.10.104-0.1.209.201610250949
Version: 3.10.104-0.1.210.201610251001
Branch: ucs_3.2-0
Scope: errata3.2-8

Package: univention-kernel-image
Version: 7.0.0-25.114.201610251616
Branch: ucs_3.2-0
Scope: errata3.2-8

r73581 | Bug #41314: Update to 3.10.104 YAML
Comment 8 Arvid Requate univentionstaff 2016-10-26 12:20:48 CEST
Verified:

* Upstream sources have been imported and UCS patches refreshed

* Imported sources match upstream v3.10.104 tag including the patch for CVE-2016-5195

* Existing Univention source patches have been merged into the new Debian source package

* New security patches merged into source package match upstream code

* The source version now contains "-0.1" instead of "-1", but that's OK:
  3.10.104-0.1.210.201610251001

* Package update and reboot Ok

* PoC exploit rendered ineffective

* Advisory Ok