[kernel-sec-discuss] r4591 - active retired
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Wed Aug 24 08:26:40 UTC 2016
Author: carnil
Date: 2016-08-24 08:26:40 +0000 (Wed, 24 Aug 2016)
New Revision: 4591
Added:
retired/CVE-2014-9904
retired/CVE-2016-1237
retired/CVE-2016-1583
retired/CVE-2016-4482
retired/CVE-2016-4568
retired/CVE-2016-4569
retired/CVE-2016-4578
retired/CVE-2016-4997
retired/CVE-2016-4998
retired/CVE-2016-5243
retired/CVE-2016-5244
retired/CVE-2016-5728
retired/CVE-2016-5828
retired/CVE-2016-6130
Removed:
active/CVE-2014-9904
active/CVE-2016-1237
active/CVE-2016-1583
active/CVE-2016-4482
active/CVE-2016-4568
active/CVE-2016-4569
active/CVE-2016-4578
active/CVE-2016-4997
active/CVE-2016-4998
active/CVE-2016-5243
active/CVE-2016-5244
active/CVE-2016-5728
active/CVE-2016-5828
active/CVE-2016-6130
Log:
Retire several CVEs
Deleted: active/CVE-2014-9904
===================================================================
--- active/CVE-2014-9904 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2014-9904 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,10 +0,0 @@
-Description:
-References:
-Notes: Introduced in 3.7-rc1 with b35cc8225845112a616e3a2266d2fde5ab13d3ab
-Bugs:
-upstream: released (3.17-rc1) [6217e5ede23285ddfee10d2e4ba0cc2d4c046205]
-3.16-upstream-stable: released (3.16.37) [alsa-compress-fix-an-integer-overflow-check.patch]
-3.2-upstream-stable: N/A "Introduced with b35cc8225845112a616e3a2266d2fde5ab13d3ab in 3.7-rc1"
-sid: released (4.0.2-1)
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
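Review bot: the Description: field at the top of this entry is empty, so the record being retired never states what CVE-2014-9904 is; the only hints are the Notes line (introduced in 3.7-rc1 with b35cc8225845...) and the 3.16 patch name alsa-compress-fix-an-integer-overflow-check.patch. A one-line Description derived from the upstream fix 6217e5ede232... should be filled in before the file is moved to retired/, since retired entries are rarely revisited.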
Deleted: active/CVE-2016-1237
===================================================================
--- active/CVE-2016-1237 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-1237 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,11 +0,0 @@
-Description: nfsd: any user can set a file's ACL over NFS and grant access to it
-References:
-Notes:
- Requisite for the fix: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
-Bugs:
-upstream: released (4.7-rc5) [999653786df6954a31044528ac3f7a5dadca08f4]
-3.16-upstream-stable: released (3.16.37) [nfsd-check-permissions-when-setting-acls.patch]
-3.2-upstream-stable: N/A "Introduced in v3.14-rc1 with 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61"
-sid: released (4.6.2-2) [bugfix/all/nfsd-check-permissions-when-setting-acls.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
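Review bot: the backport file name differs in case between the sid line (nfsd-check-permissions-when-setting-acls.patch) and the 3.16-jessie-security line (nfsd-check-permissions-when-setting-ACLs.patch). If both refer to the same patch, one of the two names does not match what is in the packaging and should be corrected so the entry can be grepped against the package's debian/patches/series.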
Deleted: active/CVE-2016-1583
===================================================================
--- active/CVE-2016-1583 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-1583 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,31 +0,0 @@
-Description: eCryptfs layered over procfs can trigger stack overflow
-References:
- http://www.openwall.com/lists/oss-security/2016/06/10/8
-Notes:
- carnil> backport to kernels pre 4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6)
- carnil> as well.
- bwh> The issue here is:
- bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check
- bwh> that it was implemented.
- bwh> 2. procfs includes files that map to (part of) a process's VM.
- bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any
- bwh> directory owned by the caller.
- bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs
- bwh> file that maps to another mmapped region, and then to chain mappings
- bwh> to an arbitrary depth. This could result in calling page fault
- bwh> handlers recursively, again to an arbitrary depth. Either the procfs
- bwh> change *or* the ecryptfs change should be sufficient to fix this.
- bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI
- bwh> breaker.
- bwh> The ecryptfs fix depends on the commit carnil mentioned.
- bwh> The first ecryptfs fix prevents reading directories on many underlying
- bwh> filesystems. It was reverted upstream and replaced with commit
- bwh> f0fe970df383. But with this version it's important to have the procfs
- bwh> fix as well.
-Bugs:
-upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df]
-3.16-upstream-stable: released (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
-3.2-upstream-stable: released (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
-sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
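Review bot: bwh's note says that with the replacement ecryptfs fix (f0fe970df383) "it's important to have the procfs fix as well", yet the 3.16-jessie-security and 3.2-wheezy-security lines list only the two ecryptfs patches (ecryptfs-fix-handling-of-directory-opening.patch, ecryptfs-forbid-opening-files-without-mmap-handler.patch) and no proc-prevent-stacking-filesystems-on-top.patch, while the 3.16 and 3.2 upstream-stable lines and the sid line do carry it. Before retiring, confirm whether jessie and wheezy include the procfs change under another name or deliberately rely on the ecryptfs change alone (bwh also notes either change "should be sufficient"), and record which in Notes so the retired entry does not appear to contradict its own Notes.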
Deleted: active/CVE-2016-4482
===================================================================
--- active/CVE-2016-4482 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4482 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,14 +0,0 @@
-Description: information leak in devio
-References:
- http://www.spinics.net/lists/linux-usb/msg140243.html
-Notes:
- bwh> There may or may not be an information leak here in practice,
- bwh> depending on how the compiler optimises the structure
- bwh> initialisation.
-Bugs:
-upstream: released (4.7-rc1) [681fef8380eb818c0b845fca5d2ab1dcbab114ee]
-3.16-upstream-stable: released (3.16.37) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
-3.2-upstream-stable: released (3.2.82) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
-sid: released (4.5.5-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
Deleted: active/CVE-2016-4568
===================================================================
--- active/CVE-2016-4568 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4568 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,13 +0,0 @@
-Description: Kernel memory overwrite in media/videobuf2
-References:
-Notes:
- bwh> This was supposed to be fixed upstream in 4.6-rc6 by commit
- bwh> 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab. However that caused a
- bwh> regression and was reverted.
-Bugs:
-upstream: released (4.8-rc1) [e7e0c3e26587749b62d17b9dd0532874186c77f7, 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab, 126f40298446a82116e1f92a1aaf72b8c8228fae]
-3.16-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1"
-3.2-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1"
-sid: released (4.5.3-1)
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
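Review bot: the sid line says released (4.5.3-1), but the upstream line records the fix only in 4.8-rc1 via three commits, and the Notes say the earlier 4.6-rc6 commit 2c1f6951a8a8... was reverted because it caused a regression. A 4.5.3-1 upload predates both, so sid was presumably marked from the first, later-reverted fix; check whether the current sid kernel carries e7e0c3e26587... and 126f40298446... and, if not, update the sid line to the upload that does before moving the entry to retired/.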
Deleted: active/CVE-2016-4569
===================================================================
--- active/CVE-2016-4569 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4569 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,13 +0,0 @@
-Description: information leak in ALSA timers
-References:
- http://comments.gmane.org/gmane.linux.kernel/2214250
-Notes:
- bwh> This only affects 64-bit architectures as no padding is needed in
- bwh> struct snd_timer_tread on 32-bit architectures.
-Bugs:
-upstream: released (4.7-rc1) [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
-3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
-3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
-sid: released (4.4.5-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
Deleted: active/CVE-2016-4578
===================================================================
--- active/CVE-2016-4578 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4578 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,12 +0,0 @@
-Description: information leaks in ALSA timers
-References:
-Notes:
- bwh> This only affects 64-bit architectures as no padding is needed in
- bwh> struct snd_timer_tread on 32-bit architectures.
-Bugs:
-upstream: released (4.7-rc1) [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5]
-3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
-3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
-sid: released (4.5.5-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
Deleted: active/CVE-2016-4997
===================================================================
--- active/CVE-2016-4997 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4997 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,10 +0,0 @@
-Description: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt
-References:
-Notes:
-Bugs:
-upstream: released (4.7-rc1) [fc1221b3a163d1386d1052184202d5dc50d302d1, ce683e5f9d045e5d67d1312a42b359cb2ab2a13c]
-3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-compat-version-of-xt_check_entry_offsets.patch, netfilter-x_tables-check-for-bogus-target-offset.patch]
-3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
-sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch]
-3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
Deleted: active/CVE-2016-4998
===================================================================
--- active/CVE-2016-4998 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-4998 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,10 +0,0 @@
-Description: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt
-References:
-Notes:
-Bugs:
-upstream: released (4.7-rc1) [7d35812c3214afa5b37a675113555259cfd67b98, a08e4e190b866579896c09af59b3bdca821da2cd, 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226]
-3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-and-use-xt_check_entry_offsets.patch, netfilter-x_tables-assert-minimum-target-size.patch, netfilter-x_tables-check-standard-target-size-too.patch, netfilter-x_tables-validate-all-offsets-and-sizes-in-a-rule.patch, netfilter-x_tables-don-t-reject-valid-target-size-on-some.patch]
-3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
-sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch]
-3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
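Review bot: the last hash in the upstream line, b7eba0f3515fca3296b8881d583f7c1042f5226, is 39 hex digits rather than 40, so as written it is not a full commit id (the other four are complete). Recheck it against the upstream tree and correct it; by position it should correspond to the fifth backport in the 3.16-upstream-stable line, netfilter-x_tables-don-t-reject-valid-target-size-on-some.patch.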
Deleted: active/CVE-2016-5243
===================================================================
--- active/CVE-2016-5243 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-5243 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,12 +0,0 @@
-Description: tipc: an infoleak in tipc_nl_compat_link_dump
-References:
- https://patchwork.ozlabs.org/patch/629100/
-Notes:
- bwh> In kernel versions older than 4.0 the bug is in tipc_node_get_links()
-Bugs:
-upstream: released (4.7-rc3) [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]
-3.16-upstream-stable: released (3.16.37) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
-3.2-upstream-stable: released (3.2.82) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
-sid: released (4.6.2-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
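Review bot: bwh's note says that in kernels older than 4.0 the bug is in tipc_node_get_links() rather than tipc_nl_compat_link_dump, yet the 3.16 and 3.2 lines use the same patch name, tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch, as the 4.x backports. That is fine if the backport was adapted to the older function, but a short Notes line saying so (and naming the function actually patched for 3.2 and 3.16) would save the next person from re-deriving it.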
Deleted: active/CVE-2016-5244
===================================================================
--- active/CVE-2016-5244 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-5244 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,11 +0,0 @@
-Description: rds: fix an infoleak in rds_inc_info_copy
-References:
- https://patchwork.ozlabs.org/patch/629110/
-Notes:
-Bugs:
-upstream: released (4.7-rc3) [4116def2337991b39919f3b448326e21c40e0dbb]
-3.16-upstream-stable: released (3.16.37) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
-3.2-upstream-stable: released (3.2.82) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
-sid: released (4.6.2-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
-3.2-wheezy-security: released (3.2.81-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
Deleted: active/CVE-2016-5728
===================================================================
--- active/CVE-2016-5728 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-5728 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,24 +0,0 @@
-Description: Race condition vulnerability in VOP driver
-References:
-Notes:
- From Red Hat Bugzilla: The VOP driver is "new" in the 4.6 kernel only
- in that the functionality was moved out of the host MIC driver into a
- new driver entirely with commit
- 61e9c905df78c253752971e200f0ac6d8667dda6. Prior to that, the
- functionality was in the drivers/misc/mic/host/mic_virtio.c host driver,
- which was introduced with commit f69bcbf3b4c4 (v3.13).
- .
- If you look at versions of the kernel prior to 4.6, you will see the
- code sequence that is fixed by the mentioned upstream patch is still in
- the host driver in the mic_copy_dp_entry function. That needs to be
- patched with a similar fix.
- .
- Introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
-Bugs:
- https://bugzilla.kernel.org/show_bug.cgi?id=116651
-upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6]
-3.16-upstream-stable: released (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5"
-sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
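Review bot: the upstream line writes the version as (v4.7-rc1) while every other entry in this commit writes it without the v prefix (4.7-rc1, 4.7-rc3, 4.8-rc1); drop the prefix so scripts that parse the upstream field see one format. The sid line also cites a Debian packaging commit id (2a9369456a38...) where the other sid lines cite a bugfix/... patch path; if the fix went in as bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch as on the jessie line, naming the patch here would be more consistent.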
Deleted: active/CVE-2016-5828
===================================================================
--- active/CVE-2016-5828 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-5828 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,12 +0,0 @@
-Description: powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
-References:
-Notes:
- Fix: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?id=8e96a87c5431c256feb65bcfc5
- not yet merged in Linus' tree.
-Bugs:
-upstream: released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6]
-3.16-upstream-stable: released (3.16.37) [powerpc-tm-always-reclaim-in-start_thread-for-exec-class.patch]
-3.2-upstream-stable: N/A "Introduced in 3.10-rc1 with bc2a9408fa65195288b41751016c36fd00a75a85"
-sid: released (4.6.3-1) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch]
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
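Review bot: the Notes still say the fix is "not yet merged in Linus' tree", but the upstream line directly below records it as released (4.7-rc6) with commit 8e96a87c5431c256feb65bcfc5aec92d9f7839b6. The note is stale; drop it or reword it to say where the fix landed, otherwise the retired record contradicts itself.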
Deleted: active/CVE-2016-6130
===================================================================
--- active/CVE-2016-6130 2016-08-24 08:23:14 UTC (rev 4590)
+++ active/CVE-2016-6130 2016-08-24 08:26:40 UTC (rev 4591)
@@ -1,11 +0,0 @@
-Description: Information leak in s390 sclp driver
-References:
-Notes:
-Bugs:
- https://bugzilla.kernel.org/show_bug.cgi?id=116741
-upstream: released (4.6-rc6) [532c34b5fbf1687df63b3fcd5b2846312ac943c6]
-3.16-upstream-stable: released (3.16.37) [s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11 with d475f942b1dd6a897dac3ad4ed98d6994b275378"
-sid: released (4.6.1-1)
-3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2014-9904 (from rev 4590, active/CVE-2014-9904)
===================================================================
--- retired/CVE-2014-9904 (rev 0)
+++ retired/CVE-2014-9904 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,10 @@
+Description:
+References:
+Notes: Introduced in 3.7-rc1 with b35cc8225845112a616e3a2266d2fde5ab13d3ab
+Bugs:
+upstream: released (3.17-rc1) [6217e5ede23285ddfee10d2e4ba0cc2d4c046205]
+3.16-upstream-stable: released (3.16.37) [alsa-compress-fix-an-integer-overflow-check.patch]
+3.2-upstream-stable: N/A "Introduced with b35cc8225845112a616e3a2266d2fde5ab13d3ab in 3.7-rc1"
+sid: released (4.0.2-1)
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2016-1237 (from rev 4590, active/CVE-2016-1237)
===================================================================
--- retired/CVE-2016-1237 (rev 0)
+++ retired/CVE-2016-1237 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,11 @@
+Description: nfsd: any user can set a file's ACL over NFS and grant access to it
+References:
+Notes:
+ Requisite for the fix: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f
+Bugs:
+upstream: released (4.7-rc5) [999653786df6954a31044528ac3f7a5dadca08f4]
+3.16-upstream-stable: released (3.16.37) [nfsd-check-permissions-when-setting-acls.patch]
+3.2-upstream-stable: N/A "Introduced in v3.14-rc1 with 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61"
+sid: released (4.6.2-2) [bugfix/all/nfsd-check-permissions-when-setting-acls.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2016-1583 (from rev 4590, active/CVE-2016-1583)
===================================================================
--- retired/CVE-2016-1583 (rev 0)
+++ retired/CVE-2016-1583 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,31 @@
+Description: eCryptfs layered over procfs can trigger stack overflow
+References:
+ http://www.openwall.com/lists/oss-security/2016/06/10/8
+Notes:
+ carnil> backport to kernels pre 4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6)
+ carnil> as well.
+ bwh> The issue here is:
+ bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check
+ bwh> that it was implemented.
+ bwh> 2. procfs includes files that map to (part of) a process's VM.
+ bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any
+ bwh> directory owned by the caller.
+ bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs
+ bwh> file that maps to another mmapped region, and then to chain mappings
+ bwh> to an arbitrary depth. This could result in calling page fault
+ bwh> handlers recursively, again to an arbitrary depth. Either the procfs
+ bwh> change *or* the ecryptfs change should be sufficient to fix this.
+ bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI
+ bwh> breaker.
+ bwh> The ecryptfs fix depends on the commit carnil mentioned.
+ bwh> The first ecryptfs fix prevents reading directories on many underlying
+ bwh> filesystems. It was reverted upstream and replaced with commit
+ bwh> f0fe970df383. But with this version it's important to have the procfs
+ bwh> fix as well.
+Bugs:
+upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df]
+3.16-upstream-stable: released (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
+3.2-upstream-stable: released (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch]
+sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch]
Copied: retired/CVE-2016-4482 (from rev 4590, active/CVE-2016-4482)
===================================================================
--- retired/CVE-2016-4482 (rev 0)
+++ retired/CVE-2016-4482 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,14 @@
+Description: information leak in devio
+References:
+ http://www.spinics.net/lists/linux-usb/msg140243.html
+Notes:
+ bwh> There may or may not be an information leak here in practice,
+ bwh> depending on how the compiler optimises the structure
+ bwh> initialisation.
+Bugs:
+upstream: released (4.7-rc1) [681fef8380eb818c0b845fca5d2ab1dcbab114ee]
+3.16-upstream-stable: released (3.16.37) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
+3.2-upstream-stable: released (3.2.82) [usb-usbfs-fix-potential-infoleak-in-devio.patch]
+sid: released (4.5.5-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch]
Copied: retired/CVE-2016-4568 (from rev 4590, active/CVE-2016-4568)
===================================================================
--- retired/CVE-2016-4568 (rev 0)
+++ retired/CVE-2016-4568 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,13 @@
+Description: Kernel memory overwrite in media/videobuf2
+References:
+Notes:
+ bwh> This was supposed to be fixed upstream in 4.6-rc6 by commit
+ bwh> 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab. However that caused a
+ bwh> regression and was reverted.
+Bugs:
+upstream: released (4.8-rc1) [e7e0c3e26587749b62d17b9dd0532874186c77f7, 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab, 126f40298446a82116e1f92a1aaf72b8c8228fae]
+3.16-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1"
+3.2-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1"
+sid: released (4.5.3-1)
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Copied: retired/CVE-2016-4569 (from rev 4590, active/CVE-2016-4569)
===================================================================
--- retired/CVE-2016-4569 (rev 0)
+++ retired/CVE-2016-4569 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,13 @@
+Description: information leak in ALSA timers
+References:
+ http://comments.gmane.org/gmane.linux.kernel/2214250
+Notes:
+ bwh> This only affects 64-bit architectures as no padding is needed in
+ bwh> struct snd_timer_tread on 32-bit architectures.
+Bugs:
+upstream: released (4.7-rc1) [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
+3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
+3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
+sid: released (4.4.5-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch]
Copied: retired/CVE-2016-4578 (from rev 4590, active/CVE-2016-4578)
===================================================================
--- retired/CVE-2016-4578 (rev 0)
+++ retired/CVE-2016-4578 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,12 @@
+Description: information leaks in ALSA timers
+References:
+Notes:
+ bwh> This only affects 64-bit architectures as no padding is needed in
+ bwh> struct snd_timer_tread on 32-bit architectures.
+Bugs:
+upstream: released (4.7-rc1) [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5]
+3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
+3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch]
+sid: released (4.5.5-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch]
Copied: retired/CVE-2016-4997 (from rev 4590, active/CVE-2016-4997)
===================================================================
--- retired/CVE-2016-4997 (rev 0)
+++ retired/CVE-2016-4997 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,10 @@
+Description: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt
+References:
+Notes:
+Bugs:
+upstream: released (4.7-rc1) [fc1221b3a163d1386d1052184202d5dc50d302d1, ce683e5f9d045e5d67d1312a42b359cb2ab2a13c]
+3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-compat-version-of-xt_check_entry_offsets.patch, netfilter-x_tables-check-for-bogus-target-offset.patch]
+3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
+sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch]
+3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
Copied: retired/CVE-2016-4998 (from rev 4590, active/CVE-2016-4998)
===================================================================
--- retired/CVE-2016-4998 (rev 0)
+++ retired/CVE-2016-4998 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,10 @@
+Description: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt
+References:
+Notes:
+Bugs:
+upstream: released (4.7-rc1) [7d35812c3214afa5b37a675113555259cfd67b98, a08e4e190b866579896c09af59b3bdca821da2cd, 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226]
+3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-and-use-xt_check_entry_offsets.patch, netfilter-x_tables-assert-minimum-target-size.patch, netfilter-x_tables-check-standard-target-size-too.patch, netfilter-x_tables-validate-all-offsets-and-sizes-in-a-rule.patch, netfilter-x_tables-don-t-reject-valid-target-size-on-some.patch]
+3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
+sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch]
+3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users"
Copied: retired/CVE-2016-5243 (from rev 4590, active/CVE-2016-5243)
===================================================================
--- retired/CVE-2016-5243 (rev 0)
+++ retired/CVE-2016-5243 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,12 @@
+Description: tipc: an infoleak in tipc_nl_compat_link_dump
+References:
+ https://patchwork.ozlabs.org/patch/629100/
+Notes:
+ bwh> In kernel versions older than 4.0 the bug is in tipc_node_get_links()
+Bugs:
+upstream: released (4.7-rc3) [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]
+3.16-upstream-stable: released (3.16.37) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
+3.2-upstream-stable: released (3.2.82) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
+sid: released (4.6.2-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch]
Copied: retired/CVE-2016-5244 (from rev 4590, active/CVE-2016-5244)
===================================================================
--- retired/CVE-2016-5244 (rev 0)
+++ retired/CVE-2016-5244 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,11 @@
+Description: rds: fix an infoleak in rds_inc_info_copy
+References:
+ https://patchwork.ozlabs.org/patch/629110/
+Notes:
+Bugs:
+upstream: released (4.7-rc3) [4116def2337991b39919f3b448326e21c40e0dbb]
+3.16-upstream-stable: released (3.16.37) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
+3.2-upstream-stable: released (3.2.82) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
+sid: released (4.6.2-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
+3.2-wheezy-security: released (3.2.81-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch]
Copied: retired/CVE-2016-5728 (from rev 4590, active/CVE-2016-5728)
===================================================================
--- retired/CVE-2016-5728 (rev 0)
+++ retired/CVE-2016-5728 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,24 @@
+Description: Race condition vulnerability in VOP driver
+References:
+Notes:
+ From Red Hat Bugzilla: The VOP driver is "new" in the 4.6 kernel only
+ in that the functionality was moved out of the host MIC driver into a
+ new driver entirely with commit
+ 61e9c905df78c253752971e200f0ac6d8667dda6. Prior to that, the
+ functionality was in the drivers/misc/mic/host/mic_virtio.c host driver,
+ which was introduced with commit f69bcbf3b4c4 (v3.13).
+ .
+ If you look at versions of the kernel prior to 4.6, you will see the
+ code sequence that is fixed by the mentioned upstream patch is still in
+ the host driver in the mic_copy_dp_entry function. That needs to be
+ patched with a similar fix.
+ .
+ Introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=116651
+upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6]
+3.16-upstream-stable: released (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5"
+sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
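Review bot: "upstream: released (v4.7-rc1)" carries a "v" prefix that no other upstream line in this commit uses (4.7-rc3, 4.7-rc6, 4.6-rc6); drop it so the version is written the way the other entries write it. The Notes already explain that on pre-4.6 kernels the same code sequence sits in mic_copy_dp_entry() in drivers/misc/mic/host/mic_virtio.c, so the 3.16 patch names ending in "...in-vop-driver.patch" / "...in-vop-dr.patch" are inherited from the upstream subject rather than describing the file they touch; one line in Notes stating that the 3.16 backport patches the host driver, not a VOP driver, would save the next reader the same detour.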
Copied: retired/CVE-2016-5828 (from rev 4590, active/CVE-2016-5828)
===================================================================
--- retired/CVE-2016-5828 (rev 0)
+++ retired/CVE-2016-5828 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,12 @@
+Description: powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
+References:
+Notes:
+ Fix: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?id=8e96a87c5431c256feb65bcfc5
+ not yet merged in Linus' tree.
+Bugs:
+upstream: released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6]
+3.16-upstream-stable: released (3.16.37) [powerpc-tm-always-reclaim-in-start_thread-for-exec-class.patch]
+3.2-upstream-stable: N/A "Introduced in 3.10-rc1 with bc2a9408fa65195288b41751016c36fd00a75a85"
+sid: released (4.6.3-1) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
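Review bot: the Notes line "not yet merged in Linus' tree" is stale and contradicts "upstream: released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6]" two lines below, which records the same commit as merged; since the file is being retired, drop that sentence (or replace it with "merged in 4.7-rc6") so the retired record does not say both. The Description is the commit subject rather than a statement of impact; the other entries in this commit at least name the bug class (infoleak, race condition, information leak), and a short phrase here would help anyone later re-checking the 3.2-upstream-stable "N/A" reasoning.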
Copied: retired/CVE-2016-6130 (from rev 4590, active/CVE-2016-6130)
===================================================================
--- retired/CVE-2016-6130 (rev 0)
+++ retired/CVE-2016-6130 2016-08-24 08:26:40 UTC (rev 4591)
@@ -0,0 +1,11 @@
+Description: Information leak in s390 sclp driver
+References:
+Notes:
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=116741
+upstream: released (4.6-rc6) [532c34b5fbf1687df63b3fcd5b2846312ac943c6]
+3.16-upstream-stable: released (3.16.37) [s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11 with d475f942b1dd6a897dac3ad4ed98d6994b275378"
+sid: released (4.6.1-1)
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"