[kernel-sec-discuss] r5376 - active
Ben Hutchings
benh at moszumanska.debian.org
Thu Jun 22 13:49:11 UTC 2017
Author: benh
Date: 2017-06-22 13:49:10 +0000 (Thu, 22 Jun 2017)
New Revision: 5376
Modified:
active/CVE-2017-1000365
active/CVE-2017-1000370
active/CVE-2017-1000371
active/CVE-2017-1000379
active/CVE-2017-9605
Log:
Fill in status and add notes for several issues
Modified: active/CVE-2017-1000365
===================================================================
--- active/CVE-2017-1000365 2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000365 2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,12 +1,14 @@
-Description:
+Description: argv and envp pointer arrays do not count toward the argument/environment size limit
References:
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes:
+ bwh> Introduced by commit b6a2fea39318 "mm: variable length argument support"
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
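Review bot: the bwh> note names the introducing commit b6a2fea39318 but not the first release that contains it, and that release is what the "needed" entries for 3.2-upstream-stable and 3.2-wheezy-security rest on; adding the release to the note (as is done for other entries in this tracker, e.g. the nsl> notes that cite "in 4.1-rc1") would let the 3.2 and 3.16 statuses be checked without a git lookup. The Bugs: field is also still empty although all eight statuses are now "needed"; if no upstream fix has been proposed yet, a bwh> note saying so would distinguish "no fix exists" from "not yet triaged".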
Modified: active/CVE-2017-1000370
===================================================================
--- active/CVE-2017-1000370 2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000370 2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,4 +1,4 @@
-Description: a local-root exploit against ld.so and most SUID-root binaries
+Description: Very large argument/environment list breaks 32-bit PIE ASLR
References:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes:
@@ -6,11 +6,11 @@
nsl> "mm: split ET_DYN ASLR from mmap ASLR" in 4.1-rc1. This was seemly
nsl> added to jessie with patch mm-split-et_dyn-aslr-from-mmap-aslr.patch
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Memory layout is different"
+3.2-upstream-stable: N/A "Memory layout is different"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Memory layout is different"
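Review bot: the 3.16 entries in this hunk contradict each other on their face (3.16-upstream-stable: N/A "Memory layout is different" but 3.16-jessie-security: needed), and the only explanation is the nsl> context above that jessie carries mm-split-et_dyn-aslr-from-mmap-aslr.patch, a backport of "mm: split ET_DYN ASLR from mmap ASLR" from 4.1-rc1. Record that reason next to the status, for example a bwh> note "3.16-jessie differs from 3.16 upstream because it backports the ET_DYN ASLR split", so the split is not read as a triage error, and consider making the quoted N/A reason specific (the ET_DYN/mmap ASLR split is absent) rather than the generic "Memory layout is different".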
Modified: active/CVE-2017-1000371
===================================================================
--- active/CVE-2017-1000371 2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000371 2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,4 +1,4 @@
-Description: a local-root exploit against ld.so and most SUID-root PIEs
+Description: Very large argument/environment list can result in stack/heap clash for 32-bit PIEs
References:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes:
@@ -6,11 +6,11 @@
nsl> "mm: split ET_DYN ASLR from mmap ASLR" in 4.1-rc1. This was seemly
nsl> added to jessie with patch mm-split-et_dyn-aslr-from-mmap-aslr.patch
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Memory layout is different"
+3.2-upstream-stable: N/A "Memory layout is different"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Memory layout is different"
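Review bot: as with CVE-2017-1000370, 3.16-upstream-stable is N/A "Memory layout is different" while 3.16-jessie-security is "needed", and the justification lives only in the nsl> note above about the mm-split-et_dyn-aslr-from-mmap-aslr.patch backport to jessie; a bwh> note stating that reason on this record keeps the two files consistent and self-explanatory. Since the description now says the clash is specific to 32-bit PIEs, the N/A reason would also be clearer if it named the missing ET_DYN ASLR split (4.1-rc1) as the layout difference.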
Modified: active/CVE-2017-1000379
===================================================================
--- active/CVE-2017-1000379 2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000379 2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,7 +1,9 @@
-Description: Incorrectly mapped contents of PIE executable
+Description: mmap'd regions including ld.so data segment may be close to stack limit
References:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Notes:
+ bwh> It's unclear to me whether this deserves a specific fix, separate
+ bwh> from that for CVE-2017-1000364.
Bugs:
upstream:
4.9-upstream-stable:
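Review bot: the new bwh> note questions whether this issue needs a fix separate from CVE-2017-1000364, yet every status line (upstream:, 4.9-upstream-stable:, and the rest of the unchanged context) is left blank, so the record still reads as untriaged. Either mark the entries as tracked under CVE-2017-1000364 (with the quoted-reason form used elsewhere in this commit, e.g. N/A "Covered by CVE-2017-1000364") once that is decided, or mark them "needed" for now with the note explaining the open question, rather than leaving them empty.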
Modified: active/CVE-2017-9605
===================================================================
--- active/CVE-2017-9605 2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-9605 2017-06-22 13:49:10 UTC (rev 5376)
@@ -2,12 +2,13 @@
References:
http://www.openwall.com/lists/oss-security/2017/06/13/2
Notes:
+ bwh> Introduced by commit a97e21923b42 "drm/vmwgfx: Hook up guest-backed surfaces"
Bugs:
upstream: released (4.12-rc5) [07678eca2cf9c9a18584e546c2b2a0d0c9a3150c]
4.9-upstream-stable: released (4.9.32) [7860d0e5e2bf986d4bd06e7b029786747b5dc766]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.11.6-1)
4.9-stretch-security: needed
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
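Review bot: the 3.2 N/A "Vulnerable code not present" and the 3.16 "needed" both depend on where the introducing commit a97e21923b42 "drm/vmwgfx: Hook up guest-backed surfaces" first landed, so the bwh> note should say which release that is, as the upstream and 4.9 lines already cite releases. The 4.9-stretch-security line also stays "needed" while 4.9-upstream-stable already carries the fix as 4.9.32 [7860d0e5e2bf986d4bd06e7b029786747b5dc766]; noting that the stretch update is expected to come via that stable commit would make clear the fix is identified, not still missing.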