[kernel-sec-discuss] r5376 - active

Ben Hutchings benh at moszumanska.debian.org
Thu Jun 22 13:49:11 UTC 2017 

Author: benh
Date: 2017-06-22 13:49:10 +0000 (Thu, 22 Jun 2017)
New Revision: 5376

Modified:
   active/CVE-2017-1000365
   active/CVE-2017-1000370
   active/CVE-2017-1000371
   active/CVE-2017-1000379
   active/CVE-2017-9605
Log:
Fill in status and add notes for several issues

Modified: active/CVE-2017-1000365
===================================================================
--- active/CVE-2017-1000365	2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000365	2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,12 +1,14 @@
-Description:
+Description: argv and envp pointer arrays do not count toward the argument/environment size limit
 References:
+ https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
 Notes:
+ bwh> Introduced by commit b6a2fea39318 "mm: variable length argument support"
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed

Modified: active/CVE-2017-1000370
===================================================================
--- active/CVE-2017-1000370	2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000370	2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,4 +1,4 @@
-Description: a local-root exploit against ld.so and most SUID-root binaries
+Description: Very large argument/environment list breaks 32-bit PIE ASLR
 References:
  https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
 Notes:
@@ -6,11 +6,11 @@
  nsl> "mm: split ET_DYN ASLR from mmap ASLR" in 4.1-rc1. This was seemly
  nsl> added to jessie with patch mm-split-et_dyn-aslr-from-mmap-aslr.patch 
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Memory layout is different"
+3.2-upstream-stable: N/A "Memory layout is different"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Memory layout is different"

Modified: active/CVE-2017-1000371
===================================================================
--- active/CVE-2017-1000371	2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000371	2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,4 +1,4 @@
-Description: a local-root exploit against ld.so and most SUID-root PIEs
+Description: Very large argument/environment list can result in stack/heap clash for 32-bit PIEs
 References:
  https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
 Notes:
@@ -6,11 +6,11 @@
  nsl> "mm: split ET_DYN ASLR from mmap ASLR" in 4.1-rc1. This was seemly
  nsl> added to jessie with patch mm-split-et_dyn-aslr-from-mmap-aslr.patch
 Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Memory layout is different"
+3.2-upstream-stable: N/A "Memory layout is different"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Memory layout is different"

Modified: active/CVE-2017-1000379
===================================================================
--- active/CVE-2017-1000379	2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-1000379	2017-06-22 13:49:10 UTC (rev 5376)
@@ -1,7 +1,9 @@
-Description: Incorrectly mapped contents of PIE executable
+Description: mmap'd regions including ld.so data segment may be close to stack limit
 References:
  https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
 Notes:
+ bwh> It's unclear to me whether this deserves a specific fix, separate
+ bwh> from that for CVE-2017-1000364.
 Bugs:
 upstream:
 4.9-upstream-stable:

Modified: active/CVE-2017-9605
===================================================================
--- active/CVE-2017-9605	2017-06-20 17:18:35 UTC (rev 5375)
+++ active/CVE-2017-9605	2017-06-22 13:49:10 UTC (rev 5376)
@@ -2,12 +2,13 @@
 References:
  http://www.openwall.com/lists/oss-security/2017/06/13/2
 Notes:
+ bwh> Introduced by commit a97e21923b42 "drm/vmwgfx: Hook up guest-backed surfaces"
 Bugs:
 upstream: released (4.12-rc5) [07678eca2cf9c9a18584e546c2b2a0d0c9a3150c]
 4.9-upstream-stable: released (4.9.32) [7860d0e5e2bf986d4bd06e7b029786747b5dc766]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
 sid: released (4.11.6-1)
 4.9-stretch-security: needed
-3.16-jessie-security:
-3.2-wheezy-security:
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"

More information about the kernel-sec-discuss mailing list