Univention Bugzilla – Bug 42754
linux: Multiple security issues (4.1)
Last modified: 2017-02-01 12:07:19 CET
+++ This bug was initially created as a clone of Bug #42727 +++

There are a couple of new issues reported for the Linux Kernel:
* The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956)
* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
* The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425)
During build please check if CONFIG_X86_SYSFB needs to be changed to "n", see
* http://bugs.debian.org/822575
* https://bugzilla.novell.com/show_bug.cgi?id=855821
* http://lkml.iu.edu/hypermail/linux/kernel/1312.2/03055.html
Note: Current ucs207 Kernel (Errata 314) is *not* affected by this CVSS 7+ issue:
* mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero (CVE-2015-3288)
git log v4.1.34..v4.1.36 shows the following additional issues as fixed:
* The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042)
  CVSSv3 base score 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
* drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets (CVE-2016-8633)
  CVSSv3 base score 6.8 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
* The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call (CVE-2016-9178)
  CVSSv3 base score 3.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Additionally this issue has been reported as fixed in sid:
* af_packet.c race condition (local root) (CVE-2016-8655)
  CVSSv3 base score 7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Debian: "Non-privileged user namespaces disabled by default, only vulnerable with sysctl kernel.unprivileged_userns_clone=1"
  Patch: bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
Yet another:
* The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (CVE-2016-8632)
  CVSSv3 base score 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Sid Patch: bugfix/all/tipc-check-minimum-bearer-MTU.patch
The Enterprise Customer affected flag is set but neither a Ticket number is referenced nor a Customer ID is set. Please set a Ticket number or a Customer ID. Otherwise the Enterprise Customer affected flag will be reset.
r17003 | Bug #42754 UCS-4.1.4: linux-4.1.36 + Package: linux Version: 4.1.6-1.217.201612141323 Branch: ucs_4.1-0 Scope: errata4.1-4 r75291 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217 Package: univention-kernel-image-signed Version: 2.0.0-9.24.201612141729 Branch: ucs_4.1-0 Scope: errata4.1-4 r75292 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217 r75293 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217 Package: univention-kernel-image Version: 9.0.0-13.119.201612141800 Branch: ucs_4.1-0 Scope: errata4.1-4 r75295 | Bug #42754 UCS-4.1-4: Update to linux-4.1.36-ucs217 YAML linux.yaml univention-kernel-image-signed.yaml univention-kernel-image.yaml (In reply to Arvid Requate from comment #1) > During build please check if CONFIG_X86_SYSFB needs to be changed to "n", see $ diff `dmesg` -simple-framebuffer simple-framebuffer.0: framebuffer at 0xfc000000, 0x160000 bytes, mapped to 0xffffc90000200000 -simple-framebuffer simple-framebuffer.0: format=r8g8b8, mode=800x600x24, linelength=2400 -Console: switching to colour frame buffer device 100x37 -simple-framebuffer simple-framebuffer.0: fb0: simplefb registered! +efifb: probing for efifb +efifb: framebuffer at 0xfc000000, mapped to 0xffffc90000200000, using 1408k, total 1408k +efifb: mode is 800x600x24, linelength=2400, pages=1 +efifb: scrolling: redraw +efifb: Truecolor: size=0:8:8:8, shift=0:16:8:0 +Console: switching to colour frame buffer device 100x37 +fb0: EFI VGA frame buffer device
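Review bot: the comparison is labelled only `$ diff \`dmesg\``, so the two kernel builds that produced the `-` and `+` sides are not recorded; name the before build (CONFIG_X86_SYSFB=y, simple-framebuffer) and the after build (efifb) next to the diff so the check can be repeated. The `+` side shows efifb claiming the same framebuffer at 0xfc000000 with the same 800x600x24 mode and the same `Console: switching to colour frame buffer device 100x37` line, so the console switch survives the config change; this output comes from an EFI boot (`fb0: EFI VGA frame buffer device`) and says nothing about a BIOS boot, which should be checked separately before the change is called safe.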
r75454: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #42754)
*** Bug 43347 has been marked as a duplicate of this bug. ***
r17054 | Bug #42754: linux-4.1.37
Package: linux
Version: 4.1.6-1.218.201701181054
Branch: ucs_4.1-0
Scope: errata4.1-4
r75901 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218
Package: univention-kernel-image
Version: 9.0.0-14.120.201701181405
Branch: ucs_4.1-0
Scope: errata4.1-4

r75902 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218
r75903 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218
Package: univention-kernel-image-signed
Version: 2.0.0-11.25.201701181403
Branch: ucs_4.1-0
Scope: errata4.1-4

r75904 | Bug #42754 UCS-4.1-4: Update to linux-4.1.37-ucs218 YAML

FYI: Fixed megasas_raid issue Bug #42204
FYI: Packages were links to ucs_4.2-0
r17055 | Bug #42754: linux-4.1.38
Package: linux
Version: 4.1.6-1.219.201701191415
Branch: ucs_4.1-0
Scope: errata4.1-4
r17056 | Bug #42754: linux-4.1.38+CVE-2016-10147
r17057 | Bug #42754: linux-4.1.38+CVE-2017-2583
r17058 | Bug #42754: linux-4.1.38+CVE-2017-2584
r17059 | Bug #42754: linux-4.1.38+CVE-2017-2584
Package: linux
Version: 4.1.6-1.220.201701191504
Version: 4.1.6-1.221.201701191522
Branch: ucs_4.1-0
Scope: errata4.1-4

r75954 | Bug #42754: Update to linux-4.1.38-ucs221
Package: univention-kernel-image-signed
Version: 2.0.0-12.26.201701201022
Branch: ucs_4.1-0
Scope: errata4.1-4

r75952 | Bug #42754 kernel: Update to linux-4.1.38-ucs221
Package: univention-kernel-image
Version: 9.0.0-15.121.201701200827
Branch: ucs_4.1-0
Scope: errata4.1-4

r75955 | Bug #42754 UCS-4.1-4: Update to linux-4.1.38-ucs221 YAML
linux.yaml
univention-kernel-image-signed.yaml
univention-kernel-image.yaml

QA:
OK: xen1
OK: kvm64
OK: uefi64
OK: dmesg: simple-framebuffer -> efifb, USB devices reordered
Verified:
* Patches ok
* Update & reboot: i386, amd64, hardware
* meta-packages adjusted and rebuilt
* Advisories: ok

> OK: dmesg: simple-framebuffer -> efifb, USB devices reordered

* yes, CONFIG_X86_SYSFB and CONFIG_FB_SIMPLE have been disabled, efifb (kvm) or vesafb (hardware) are selected instead.
* ok: order of PATA and SATA has changed (hardware)
There is a regression in fs/posix_acl.c; needs
<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=497de07d89c1410d76a15bec2bb41f24a2a89f31>

Package: linux
Version: 4.1.6-1.222.201701250821
Branch: ucs_4.1-0
Scope: errata4.1-4
...
(In reply to Philipp Hahn from comment #14)
> There is a regression in fs/posix_acl.c; needs
> <https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
> ?id=497de07d89c1410d76a15bec2bb41f24a2a89f31>
>
> Package: linux
> Version: 4.1.6-1.222.201701250821
> Branch: ucs_4.1-0
> Scope: errata4.1-4
> ...

OK, I'll re-open the bug.
r17065 | Bug #42754: linux-4.1.38

r76085 | Bug #42754: Update to linux-4.1.38-ucs222
Package: univention-kernel-image-signed
Version: 2.0.0-13.27.201701251447
Branch: ucs_4.1-0
Scope: errata4.1-4

Package: univention-kernel-image
Version: 9.0.0-16.122.201701251450
Branch: ucs_4.1-0
Scope: errata4.1-4

r76091 | Bug #42754: Update to linux-4.1.38-ucs222 YAML

QA:
OK: xen1
OK: amd64 kvm
OK: amd64 UEFI-SB
I have added the corresponding CVE-2017-5551 to the advisories. The new patch 7003-tmpfs-clear-S_ISGID-when-setting-posix-ACLs looks ok and has been applied at build time.
Package update and reboot ok (amd64)
FYI: There seems to be another problem with KVM when this kernel is used as a guest kernel within qemu-v2.5.0-rc0~87^2~6: <http://marc.info/?t=148538832600001&r=1&w=2>. So "only" testers running a modern OS testing UCS will be affected (for now). Depending on the version of qemu we're going to use with UCS-4.2, we might get the problem then with users running old UCS releases. Fix it now or later with the next 4.1 kernel? FYI: I haven't verified that the problem really exists, only read the mails.
<http://errata.software-univention.de/ucs/4.1/383.html>
<http://errata.software-univention.de/ucs/4.1/384.html>
<http://errata.software-univention.de/ucs/4.1/385.html>