[kernel-sec-discuss] r5774 - active

Ben Hutchings benh at moszumanska.debian.org
Sat Dec 9 18:33:46 UTC 2017


Author: benh
Date: 2017-12-09 18:33:46 +0000 (Sat, 09 Dec 2017)
New Revision: 5774

Modified:
   active/CVE-2017-0861
   active/CVE-2017-1000407
   active/CVE-2017-1000410
   active/CVE-2017-15116
   active/CVE-2017-15868
   active/CVE-2017-16939
   active/CVE-2017-16994
   active/CVE-2017-17448
   active/CVE-2017-17449
   active/CVE-2017-17450
Log:
Fill in status for most issues

Modified: active/CVE-2017-0861
===================================================================
--- active/CVE-2017-0861	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-0861	2017-12-09 18:33:46 UTC (rev 5774)
@@ -1,12 +1,17 @@
 Description: ALSA: pcm: prevent UAF in snd_pcm_info
 References:
 Notes:
+ bwh> Commit 362bca57f5d7 "ALSA: pcm: prevent UAF in snd_pcm_info" claims to
+ bwh> fix this, but the UAF was already removed in 4.13 by commit e11f0f90a626
+ bwh> "ALSA: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command".  Based on
+ bwh> the latter commit message it appears that the UAF is totally harmless
+ bwh> in practice.
 Bugs:
-upstream: pending [362bca57f5d78220f8b5907b875961af9436e229]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: released (4.13-rc1) [e11f0f90a626f93899687b1cc909ee37dd6c5809]
+4.9-upstream-stable: ignored "Minor issue"
+3.16-upstream-stable: ignored "Minor issue"
+3.2-upstream-stable: ignored "Minor issue"
+sid: released (4.13~rc5-1~exp1)
+4.9-stretch-security: ignored "Minor issue"
+3.16-jessie-security: ignored "Minor issue"
+3.2-wheezy-security: ignored "Minor issue"
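Review bot: The three `ignored "Minor issue"` lines for 4.9, 3.16 and 3.2 rest on a hedged reading of the e11f0f90a626 commit message ("it appears that the UAF is totally harmless in practice"); the bwh> note should state what in that message makes the use-after-free unreachable or unexploitable, so the decision to leave the older branches unfixed can be re-checked later without re-reading both commits. Also, with `upstream:` now citing e11f0f90a626 while the Description still names 362bca57f5d7, `References:` is left empty; a link to the CVE assignment or the 362bca57f5d7 discussion would tie the two together.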

Modified: active/CVE-2017-1000407
===================================================================
--- active/CVE-2017-1000407	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-1000407	2017-12-09 18:33:46 UTC (rev 5774)
@@ -4,11 +4,11 @@
  https://www.spinics.net/lists/kvm/msg159809.html
 Notes:
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: pending [d59d51f088014f25c2562de59b9abff4f42a7468]
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
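Review bot: Marking 3.2 and 3.16 as `needed` with `Notes:` still empty asserts that the vulnerable code exists in those branches, but nothing in the entry records when it was introduced; add a bwh> note with the introducing commit or oldest affected version, as the other entries in this revision do, before backport work starts on 3.2. The `pending [d59d51f0...]` line would also benefit from the commit subject in case the patch is rebased before it reaches mainline.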

Modified: active/CVE-2017-1000410
===================================================================
--- active/CVE-2017-1000410	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-1000410	2017-12-09 18:33:46 UTC (rev 5774)
@@ -2,12 +2,14 @@
 References:
  http://www.openwall.com/lists/oss-security/2017/12/06/3
 Notes:
+ bwh> Introduced in 3.3 by commits 42dceae2819b "Bluetooth: EFS: parse L2CAP config
+ bwh> request" and 66af7aaf9edf "Bluetooth: EFS: parse L2CAP config response".
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
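Review bot: Two introducing commits are named in the note (42dceae2819b for L2CAP config requests and 66af7aaf9edf for config responses), so a backport to 4.9/3.16 has to cover both parsing paths; say so explicitly in the bwh> note so that a fix touching only one path is not marked released. The 3.2 `N/A "Vulnerable code not present"` lines are consistent with the 3.3 introduction point. `upstream: needed` carries no pending hash and the only reference is the oss-security post; add the patch URL once one is posted.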

Modified: active/CVE-2017-15116
===================================================================
--- active/CVE-2017-15116	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-15116	2017-12-09 18:33:46 UTC (rev 5774)
@@ -3,6 +3,9 @@
  https://bugzilla.redhat.com/show_bug.cgi?id=1485815 (not accessible)
  https://bugzilla.redhat.com/show_bug.cgi?id=1514609
 Notes:
+ bwh> Clearly we can't apply the upstream fix for this, but need to guard
+ bwh> against the null pointer somehow.  I can't work out which pointer
+ bwh> can be null though.
 Bugs:
 upstream: released (4.2-rc1) [94f1bb15bed84ad6c893916b7e7b9db6f1d7eec6]
 4.9-upstream-stable: N/A "Fixed before branching point"
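Review bot: The bwh> note records an unresolved question (which pointer can be NULL) but only `Notes:` changes; the 3.16 and 3.2 status lines outside this hunk should reflect that a fix is still needed and not directly backportable, otherwise the open item is invisible in status reports. It would also help to cite what makes the upstream fix 94f1bb15bed8 inapplicable to the older branches so the next person does not have to re-derive it.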

Modified: active/CVE-2017-15868
===================================================================
--- active/CVE-2017-15868	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-15868	2017-12-09 18:33:46 UTC (rev 5774)
@@ -2,12 +2,16 @@
 References:
  https://source.android.com/security/bulletin/pixel/2017-12-01
 Notes:
+ bwh> Depends on commit b3916db32c4a "Bluetooth: hidp: verify l2cap sockets"
+ bwh> which is also an important security fix.  Should also apply commit
+ bwh> 96c26653ce65 "Bluetooth: cmtp: cmtp_add_connection() should verify that
+ bwh> it's dealing with l2cap socket".
 Bugs:
 upstream: released (3.19-rc3) [71bb99a02b32b4cc4265118e85f6035ca72923f0]
 4.9-upstream-stable: N/A "Fixed before branching point"
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.0.2-1)
 4.9-stretch-security: N/A "Fixed before branching point"
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
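Review bot: The two extra commits named in the note (b3916db32c4a as a hard dependency, 96c26653ce65 as a recommended companion) are not reflected in the `Bugs:` lines; since 3.16 and 3.2 are now `needed`, record there or in the note that a backport is incomplete unless all three commits go in. b3916db32c4a is described as "also an important security fix", so check whether it has its own entry and cross-reference it.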

Modified: active/CVE-2017-16939
===================================================================
--- active/CVE-2017-16939	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-16939	2017-12-09 18:33:46 UTC (rev 5774)
@@ -6,9 +6,9 @@
 Bugs:
 upstream: released (4.14-rc7) [1137b5e2529a8f5ca8ee709288ecba3e68044df2]
 4.9-upstream-stable: released (4.9.60) [543aabb7d14b2414f40b632e37b0921bd0af3a96]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
 sid: released (4.13.13-1)
 4.9-stretch-security: released (4.9.65-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-16994
===================================================================
--- active/CVE-2017-16994	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-16994	2017-12-09 18:33:46 UTC (rev 5774)
@@ -2,12 +2,14 @@
 References:
  https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 Notes:
+ bwh> Introduced in 4.0 by commit 1e25a271c8ac "mincore: apply page table walker
+ bwh> on do_mincore()".
 Bugs:
 upstream: released (4.15-rc1) [373c4557d2aa362702c4c2d41288fb1e54990b7c]
 4.9-upstream-stable: released (4.9.65) [ceaec6e8cd98c8fd87701ddfb7468a13d989d79d]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: N/A "Vulnerability introduced later"
+3.2-upstream-stable: N/A "Vulnerability introduced later"
 sid: released (4.14.2-1)
 4.9-stretch-security: released (4.9.65-1)
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: N/A "Vulnerability introduced later"
+3.2-wheezy-security: N/A "Vulnerability introduced later"

Modified: active/CVE-2017-17448
===================================================================
--- active/CVE-2017-17448	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-17448	2017-12-09 18:33:46 UTC (rev 5774)
@@ -2,12 +2,14 @@
 References:
  https://patchwork.kernel.org/patch/10089373/
 Notes:
+ bwh> This is mitigated in Debian by unprivileged user namespaces being
+ bwh> default-disabled.
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: pending [4b380c42f7d00a395feede754f0bc2292eebe6e5]
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "User namespaces not supported"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "User namespaces not supported"
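Review bot: The mitigation note and the `needed` statuses for sid/stretch/jessie are consistent, since a default-disabled setting is not a fix, but the bwh> note should name the setting it refers to and say that the mitigation does not apply where an administrator has enabled unprivileged user namespaces, so "mitigated" is not read as "not affected". The `pending [4b380c42...]` line would also benefit from the commit subject in case the patch is rebased before merge.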

Modified: active/CVE-2017-17449
===================================================================
--- active/CVE-2017-17449	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-17449	2017-12-09 18:33:46 UTC (rev 5774)
@@ -1,13 +1,16 @@
 Description: netlink: Add netns check on taps
 References:
  https://lkml.org/lkml/2017/12/5/950
+ https://patchwork.ozlabs.org/patch/845319/
 Notes:
+ bwh> The fix accepted upstream is the second version, which doesn't treat the
+ bwh> init namespace as special.
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: ignored "Minor issue as user namespaces not supported"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: ignored "Minor issue as user namespaces not supported"
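Review bot: `upstream:` is `needed` with no hash although the note says the second version was "accepted upstream" and the new patchwork reference points at it; if it is in a maintainer tree, record it as `pending [hash]` like the other entries in this revision, otherwise reword the note to "proposed". The 3.2/wheezy status `ignored "Minor issue as user namespaces not supported"` differs from the `N/A "User namespaces not supported"` used for CVE-2017-17448 and CVE-2017-17450 in the same revision for what reads as the same rationale; N/A fits if the code path is unreachable without user namespaces, ignored if it is reachable but low impact, but the three entries should agree.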

Modified: active/CVE-2017-17450
===================================================================
--- active/CVE-2017-17450	2017-12-09 15:41:14 UTC (rev 5773)
+++ active/CVE-2017-17450	2017-12-09 18:33:46 UTC (rev 5774)
@@ -3,11 +3,11 @@
  https://lkml.org/lkml/2017/12/5/982
 Notes:
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: pending [916a27901de01446bcf57ecca4783f6cff493309]
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "User namespaces not supported"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "User namespaces not supported"
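Review bot: `Notes:` is empty while 3.2/wheezy is marked `N/A "User namespaces not supported"`; the entry should state why user namespaces are required to reach the bug, and if the trigger is the same as for CVE-2017-17448 the default-disabled mitigation noted there applies here too and is worth recording. As with CVE-2017-1000407, carrying the subject of pending commit 916a27901de0 guards against the hash changing before merge.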
