[kernel-sec-discuss] r5115 - active
Ben Hutchings
benh at moszumanska.debian.org
Wed Mar 29 21:13:20 UTC 2017
Author: benh
Date: 2017-03-29 21:13:20 +0000 (Wed, 29 Mar 2017)
New Revision: 5115
Modified:
active/CVE-2017-7184
Log:
Add some details about CVE-2017-7184
Modified: active/CVE-2017-7184
===================================================================
--- active/CVE-2017-7184 2017-03-29 21:00:10 UTC (rev 5114)
+++ active/CVE-2017-7184 2017-03-29 21:13:20 UTC (rev 5115)
@@ -1,13 +1,15 @@
-Description: The linux-image-* package 4.8.0.41.52 for the Linux kernel on Ubuntu 16.10 allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) via unspecified vectors, as demonstrated during a Pwn2Own competition at CanSecWest 2017.
+Description: Missing range checks in xfrm_user allow heap buffer overflow and privilege escalation
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184
Notes:
- jmm> No details known yet
+ bwh> xfrm_user is only accessible with CAP_NET_ADMIN capability (in any
+ bwh> user namespace). So this is not exploitable by unprivileged users
+ bwh> in a default Debian configuration.
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
More information about the kernel-sec-discuss
mailing list