http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=999653786df6954a31044528ac3f7a5dadca08f4

DSA-3607

[oss-security] 20160625 Linux CVE-2016-1237: nfsd: any user can set a file's ACL over NFS and grant access to it

91456

USN-3053-1

USN-3070-1

USN-3070-2

USN-3070-3

USN-3070-4

https://bugzilla.redhat.com/show_bug.cgi?id=1350845

https://github.com/torvalds/linux/commit/999653786df6954a31044528ac3f7a5dadca08f4

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka     GPU driver) for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, mishandles the     KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers     to gain privileges by leveraging accidental read-write     mappings, aka Qualcomm internal bug     CR988993.(CVE-2016-2067i1/4%0

  - Integer overflow in the mem_check_range function in     drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel     before 4.9.10 allows local users to cause a denial of     service (memory corruption), obtain sensitive     information from kernel memory, or possibly have     unspecified other impact via a write or read request     involving the 'RDMA protocol over infiniband' (aka Soft     RoCE) technology.(CVE-2016-8636i1/4%0

  - Heap-based buffer overflow in the     logi_dj_ll_raw_request function in     drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to     cause a denial of service (system crash) or possibly     execute arbitrary code via a crafted device that     specifies a large report size for an LED     report.(CVE-2014-3183i1/4%0

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is     unlikely.(CVE-2018-6927i1/4%0

  - The hub_activate function in drivers/usb/core/hub.c in     the Linux kernel before 4.3.5 does not properly     maintain a hub-interface data structure, which allows     physically proximate attackers to cause a denial of     service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device.(CVE-2015-8816i1/4%0

  - It was found that the blk_rq_map_user_iov() function in     the Linux kernel's block device implementation did not     properly restrict the type of iterator, which could     allow a local attacker to read or write to arbitrary     kernel memory locations or cause a denial of service     (use-after-free) by leveraging write access to a     /dev/sg device.(CVE-2016-9576i1/4%0

  - A security flaw was found in the Linux kernel's     networking subsystem that destroying the network     interface with huge number of ipv4 addresses assigned     keeps 'rtnl_lock' spinlock for a very long time (up to     hour). This blocks many network-related operations,     including creation of new incoming ssh connections.The     problem is especially important for containers, as the     container owner has enough permissions to trigger this     and block a network access on a whole host, outside the     container.(CVE-2016-3156i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924i1/4%0

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465i1/4%0

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728i1/4%0

  - net/ipv6/ip6_output.c in the Linux kernel through     3.11.4 does not properly determine the need for UDP     Fragmentation Offload (UFO) processing of small packets     after the UFO queueing of a large packet, which allows     remote attackers to cause a denial of service (memory     corruption and system crash) or possibly have     unspecified other impact via network traffic that     triggers a large response packet.(CVE-2013-4387i1/4%0

  - It was found that nfsd is missing permissions check     when setting ACL on files, this may allow a local users     to gain access to any file by setting a crafted     ACL.(CVE-2016-1237i1/4%0

  - In the Linux kernel before 4.13.5, a local user could     create keyrings for other users via keyctl commands,     setting unwanted defaults or causing a denial of     service.(CVE-2017-18270i1/4%0

  - An issue was discovered in the Linux kernel where an     integer overflow in kernel/time/posix-timers.c in the     POSIX timer code is caused by the way the overrun     accounting works. Depending on interval and expiry time     values, the overrun can be larger than INT_MAX, but the     accounting is int based. This basically makes the     accounting values, which are visible to user space via     timer_getoverrun(2) and siginfo::si_overrun,     random.(CVE-2018-12896i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281i1/4%0

  - The netfilter subsystem in the Linux kernel through     4.15.7 mishandles the case of a rule blob that contains     a jump but lacks a user-defined chain, which allows     local users to cause a denial of service (NULL pointer     dereference) by leveraging the CAP_NET_RAW or     CAP_NET_ADMIN capability, related to arpt_do_table in     net/ipv4/netfilter/arp_tables.c, ipt_do_table in     net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in     net/ipv6/netfilter/ip6_tables.c.(CVE-2018-1065i1/4%0

  - The use of a kzalloc with an integer multiplication     allowed an integer overflow condition to be reached in     vfio_pci_intrs.c. This combined with CVE-2016-9083 may     allow an attacker to craft an attack and use     unallocated memory, potentially crashing the     machine.(CVE-2016-9084i1/4%0

  - The acm_probe function in drivers/usb/class/cdc-acm.c     in the Linux kernel before 4.5.1 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a USB device     without both a control and a data endpoint     descriptor.(CVE-2016-3138i1/4%0

  - It was discovered that root can gain direct access to     an internal keyring, such as '.dns_resolver' in RHEL-7     or '.builtin_trusted_keys' upstream, by joining it as     its session keyring. This allows root to bypass module     signature verification by adding a new public key of     its own devising to the keyring.(CVE-2016-9604i1/4%0

  - An information leak flaw was found in the Linux     kernel's IEEE 802.11 wireless networking     implementation. When software encryption was used, a     remote attacker could use this flaw to leak up to 8     bytes of plaintext.(CVE-2014-8709i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE 13.2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2015-8956: The rfcomm_sock_bind function in     net/bluetooth/rfcomm/sock.c in the Linux kernel allowed     local users to obtain sensitive information or cause a     denial of service (NULL pointer dereference) via vectors     involving a bind system call on a Bluetooth RFCOMM     socket (bnc#1003925).

  - CVE-2016-5195: A local privilege escalation using     MAP_PRIVATE was fixed, which is reportedly exploited in     the wild (bsc#1004418).

  - CVE-2016-8658: Stack-based buffer overflow in the     brcmf_cfg80211_start_ap function in     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c in the Linux kernel allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a long SSID Information     Element in a command to a Netlink socket (bnc#1004462).

  - CVE-2016-7117: Use-after-free vulnerability in the
    __sys_recvmmsg function in net/socket.c in the Linux     kernel allowed remote attackers to execute arbitrary     code via vectors involving a recvmmsg system call that     is mishandled during error processing (bnc#1003077).

  - CVE-2016-0823: The pagemap_open function in     fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as     used in Android 6.0.1 before 2016-03-01, allowed local     users to obtain sensitive physical-address information     by reading a pagemap file, aka Android internal bug     25739721 (bnc#994759).

  - CVE-2016-7425: The arcmsr_iop_message_xfer function in     drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did     not restrict a certain length field, which allowed local     users to gain privileges or cause a denial of service     (heap-based buffer overflow) via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

  - CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in     the Linux kernel allowed local users to cause a denial     of service (NULL pointer dereference and system crash)     by using an ABORT_TASK command to abort a device write     operation (bnc#994748).

  - CVE-2016-6828: The tcp_check_send_head function in     include/net/tcp.h in the Linux kernel did not properly     maintain certain SACK state after a failed data copy,     which allowed local users to cause a denial of service     (tcp_xmit_retransmit_queue use-after-free and system     crash) via a crafted SACK option (bnc#994296).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for man-in-the-middle     attackers to hijack TCP sessions via a blind in-window     attack (bnc#989152)

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel     did not reset the PIT counter values during state     restoration, which allowed guest OS users to cause a     denial of service (divide-by-zero error and host OS     crash) via a zero value, related to the     kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions     (bnc#960689).

  - CVE-2016-1237: nfsd in the Linux kernel allowed local     users to bypass intended file-permission restrictions by     setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c,     and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

  - AF_VSOCK: Shrink the area influenced by prepare_to_wait     (bsc#994520).

  - xen: Fix refcnt regression in xen netback introduced by     changes made for bug#881008 (bnc#978094)

  - MSI-X: fix an error path (luckily none so far).

  - usb: fix typo in wMaxPacketSize validation (bsc#991665).

  - usb: validate wMaxPacketValue entries in endpoint     descriptors (bnc#991665).

  - Update     patches.fixes/0002-nfsd-check-permissions-when-setting-A     CLs.patch (bsc#986570 CVE#2016-1237).

  - Update     patches.fixes/0001-posix_acl-Add-set_posix_acl.patch     (bsc#986570 CVE#2016-1237).

  - apparmor: fix change_hat not finding hat after policy     replacement (bsc#1000287).

  - arm64: Honor __GFP_ZERO in dma allocations     (bsc#1004045).

  - arm64: __clear_user: handle exceptions on strb     (bsc#994752).

  - arm64: dma-mapping: always clear allocated buffers     (bsc#1004045).

  - arm64: perf: reject groups spanning multiple HW PMUs     (bsc#1003931).

  - blkfront: fix an error path memory leak (luckily none so     far).

  - blktap2: eliminate deadlock potential from shutdown path     (bsc#909994).

  - blktap2: eliminate race from deferred work queue     handling (bsc#911687).

  - btrfs: ensure that file descriptor used with subvol     ioctls is a dir (bsc#999600).

  - cdc-acm: added sanity checking for probe() (bsc#993891).

  - kaweth: fix firmware download (bsc#993890).

  - kaweth: fix oops upon failed memory allocation     (bsc#993890).

  - netback: fix flipping mode (bsc#996664).

  - netback: fix flipping mode (bsc#996664).

  - netfront: linearize SKBs requiring too many slots     (bsc#991247).

  - nfsd: check permissions when setting ACLs (bsc#986570).

  - posix_acl: Add set_posix_acl (bsc#986570).

  - ppp: defer netns reference release for ppp channel     (bsc#980371).

  - tunnels: Do not apply GRO to multiple layers of     encapsulation (bsc#1001486).

  - usb: hub: Fix auto-remount of safely removed or ejected     USB-3 devices (bsc#922634).

  - x86: suppress lazy MMU updates during vmalloc fault     processing (bsc#951155).

  - xen-netback-generalize.patch: Fold back into base patch.

  - xen3-patch-2.6.31.patch: Fold back into base patch.

  - xen3-patch-3.12.patch: Fold bac into base patch.

  - xen3-patch-3.15.patch: Fold back into base patch.

  - xen3-patch-3.3.patch: Fold back into base patch.

  - xen3-patch-3.9.patch: Fold bac into base patch.

  - xen3-patch-3.9.patch: Fold back into base patch.

  - xenbus: do not bail early from     xenbus_dev_request_and_reply() (luckily none so far).

  - xenbus: inspect the correct type in     xenbus_dev_request_and_reply().

The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandled destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-4485: The llc_cmsg_rcv function in     net/llc/af_llc.c in the Linux kernel did not initialize     a certain data structure, which allowed attackers to     obtain sensitive information from kernel stack memory by     reading a message (bnc#978821).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2016-4557: The replace_map_fd_with_map_ptr function     in kernel/bpf/verifier.c in the Linux kernel did not     properly maintain an fd data structure, which allowed     local users to gain privileges or cause a denial of     service (use-after-free) via crafted BPF instructions     that reference an incorrect file descriptor     (bnc#979018).

  - CVE-2016-4580: The x25_negotiate_facilities function in     net/x25/x25_facilities.c in the Linux kernel did not     properly initialize a certain data structure, which     allowed attackers to obtain sensitive information from     kernel stack memory via an X.25 Call Request     (bnc#981267).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-4951: The tipc_nl_publ_dump function in     net/tipc/socket.c in the Linux kernel did not verify     socket existence, which allowed local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     dumpit operation (bnc#981058).

  - CVE-2015-8787: The nf_nat_redirect_ipv4 function in     net/netfilter/nf_nat_redirect.c in the Linux kernel     allowed remote attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact by sending certain IPv4     packets to an incompletely configured interface, a     related issue to CVE-2003-1604 (bnc#963931).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-6828: A use after free in     tcp_xmit_retransmit_queue() was fixed that could be used     by local attackers to crash the kernel (bsc#994296).

  - CVE-2016-6480: Race condition in the ioctl_send_fib     function in drivers/scsi/aacraid/commctrl.c in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds access or system crash) by changing a     certain size value, aka a 'double fetch' vulnerability     (bnc#991608).

  - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt     implementation in the netfilter subsystem in the Linux     kernel allowed local users to cause a denial of service     (out-of-bounds read) or possibly obtain sensitive     information from kernel heap memory by leveraging     in-container root access to provide a crafted offset     value that leads to crossing a ruleset blob boundary     (bnc#986362 986365 990058).

  - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel     did not properly determine the rate of challenge ACK     segments, which made it easier for man-in-the-middle     attackers to hijack TCP sessions via a blind in-window     attack (bnc#989152).

  - CVE-2016-1237: nfsd in the Linux kernel allowed local     users to bypass intended file-permission restrictions by     setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c,     and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed :

  - AF_VSOCK: Shrink the area influenced by prepare_to_wait     (bsc#994520).

  - KVM: arm/arm64: Handle forward time correction     gracefully (bnc#974266).

  - Linux 4.1.29. Refreshed patch:
    patches.xen/xen3-fixup-xen Deleted patches:
    patches.fixes/0001-Revert-ecryptfs-forbid-opening-files-     without-mmap-ha.patch     patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lo     wer-file-system.patch     patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compo     und-page-ar     patches.rpmify/Revert-powerpc-Update-TM-user-feature-bit     s-in-scan_f

  - Revert 'mm/swap.c: flush lru pvecs on compound page     arrival' (boo#989084).

  - Revert 'powerpc: Update TM user feature bits in     scan_features()'. Fix the build error of 4.1.28 on ppc.

  - Revive i8042_check_power_owner() for 4.1.31 kabi fix.

  - USB: OHCI: Do not mark EDs as ED_OPER if scheduling     fails (bnc#987886).

  - USB: validate wMaxPacketValue entries in endpoint     descriptors (bnc#991665).

  - Update     patches.fixes/0002-nfsd-check-permissions-when-setting-A     CLs.patch (bsc#986570 CVE-2016-1237).

  - Update     patches.fixes/0001-posix_acl-Add-set_posix_acl.patch     (bsc#986570 CVE-2016-1237).

  - netfilter: x_tables: fix 4.1 stable backport     (bsc#989176).

  - nfsd: check permissions when setting ACLs (bsc#986570).

  - posix_acl: Add set_posix_acl (bsc#986570).

  - ppp: defer netns reference release for ppp channel     (bsc#980371).

  - series.conf: Move a kABI patch to its own section

  - supported.conf: enable i2c-designware driver     (bsc#991110)

  - tcp: enable per-socket rate limiting of all 'challenge     acks' (bsc#989152).

USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

It was discovered that the keyring implementation in the Linux kernel did not ensure a data structure was initialized before referencing it after an error condition occurred. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-4470)

Sasha Levin discovered that a use-after-free existed in the percpu allocator in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-4794)

Kangjie Lu discovered an information leak in the netlink implementation of the Linux kernel. A local attacker could use this to obtain sensitive information from kernel memory. (CVE-2016-5243).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local users to gain access to any file by setting a crafted ACL. (CVE-2016-1237)

A flaw was found in the Linux kernel's keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack. (CVE-2016-4470)

A leak of information was possible when issuing a netlink command of the stack memory area leading up to this function call. An attacker could use this to determine stack information for use in a later exploit. (CVE-2016-5243)

A vulnerability was found in the Linux kernel in function rds_inc_info_copy of file net/rds/recv.c. The last field 'flags' of object 'minfo' is not initialized. This can leak data previously at the flags location to userspace. (CVE-2016-5244)

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack where an attacker is able to determine the shared counter which could be used to determine sequence numbers for TCP stream injection. (CVE-2016-5696)

(Updated on 2016-08-17: CVE-2016-5696 was fixed in this release but was not previously part of this errata)

Update to latest upstream stable release, Linux v4.6.4

For those with Skylake CPUs, please note that there may be instability with a recent microcode update. Read https://www.happyassassin.net/2016/07/07/psa-failure-to-boot-after-ker nel-update-on-skylake-systems/ and look for a system firmware update before installing the kernel.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.5.7-202 kernel update contains a number of important security fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2015-7515, CVE-2016-2184, CVE-2016-2185,     CVE-2016-2186, CVE-2016-2187, CVE-2016-3136,     CVE-2016-3137, CVE-2016-3138, CVE-2016-3140     Ralf Spenneberg of OpenSource Security reported that     various USB drivers do not sufficiently validate USB     descriptors. This allowed a physically present user with     a specially designed USB device to cause a denial of     service (crash).

  - CVE-2016-0821     Solar Designer noted that the list 'poisoning' feature,     intended to mitigate the effects of bugs in list     manipulation in the kernel, used poison values within     the range of virtual addresses that can be allocated by     user processes.

  - CVE-2016-1237     David Sinquin discovered that nfsd does not check     permissions when setting ACLs, allowing users to grant     themselves permissions to a file by setting the ACL.

  - CVE-2016-1583     Jann Horn of Google Project Zero reported that the     eCryptfs filesystem could be used together with the proc     filesystem to cause a kernel stack overflow. If the     ecryptfs-utils package is installed, local users could     exploit this, via the mount.ecryptfs_private program,     for denial of service (crash) or possibly for privilege     escalation.

  - CVE-2016-2117     Justin Yackoski of Cryptonite discovered that the     Atheros L2 ethernet driver incorrectly enables     scatter/gather I/O. A remote attacker could take     advantage of this flaw to obtain potentially sensitive     information from kernel memory.

  - CVE-2016-2143     Marcin Koscielnicki discovered that the fork     implementation in the Linux kernel on s390 platforms     mishandles the case of four page-table levels, which     allows local users to cause a denial of service (system     crash).

  - CVE-2016-3070     Jan Stancek of Red Hat discovered a local denial of     service vulnerability in AIO handling.

  - CVE-2016-3134     The Google Project Zero team found that the netfilter     subsystem does not sufficiently validate filter table     entries. A user with the CAP_NET_ADMIN capability could     use this for denial of service (crash) or possibly for     privilege escalation. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this allows     privilege escalation.

  - CVE-2016-3156     Solar Designer discovered that the IPv4 implementation     in the Linux kernel did not perform the destruction of     inet device objects properly. An attacker in a guest OS     could use this to cause a denial of service (networking     outage) in the host OS.

  - CVE-2016-3157 / XSA-171     Andy Lutomirski discovered that the x86_64 (amd64) task     switching implementation did not correctly update the     I/O permission level when running as a Xen paravirtual     (PV) guest. In some configurations this would allow     local users to cause a denial of service (crash) or to     escalate their privileges within the guest.

  - CVE-2016-3672     Hector Marco and Ismael Ripoll noted that it was     possible to disable Address Space Layout Randomisation     (ASLR) for x86_32 (i386) programs by removing the stack     resource limit. This made it easier for local users to     exploit security flaws in programs that have the setuid     or setgid flag set.

  - CVE-2016-3951     It was discovered that the cdc_ncm driver would free     memory prematurely if certain errors occurred during its     initialisation. This allowed a physically present user     with a specially designed USB device to cause a denial     of service (crash) or possibly to escalate their     privileges.

  - CVE-2016-3955     Ignat Korchagin reported that the usbip subsystem did     not check the length of data received for a USB buffer.
    This allowed denial of service (crash) or privilege     escalation on a system configured as a usbip client, by     the usbip server or by an attacker able to impersonate     it over the network. A system configured as a usbip     server might be similarly vulnerable to physically     present users.

  - CVE-2016-3961 / XSA-174     Vitaly Kuznetsov of Red Hat discovered that Linux     allowed the use of hugetlbfs on x86 (i386 and amd64)     systems even when running as a Xen paravirtualised (PV)     guest, although Xen does not support huge pages. This     allowed users with access to /dev/hugepages to cause a     denial of service (crash) in the guest.

  - CVE-2016-4470     David Howells of Red Hat discovered that a local user     can trigger a flaw in the Linux kernel's handling of key     lookups in the keychain subsystem, leading to a denial     of service (crash) or possibly to privilege escalation.

  - CVE-2016-4482, CVE-2016-4485, CVE-2016-4486,     CVE-2016-4569, CVE-2016-4578, CVE-2016-4580,     CVE-2016-5243, CVE-2016-5244

    Kangjie Lu reported that the USB devio, llc, rtnetlink,     ALSA timer, x25, tipc, and rds facilities leaked     information from the kernel stack.

  - CVE-2016-4565     Jann Horn of Google Project Zero reported that various     components in the InfiniBand stack implemented unusual     semantics for the write() operation. On a system with     InfiniBand drivers loaded, local users could use this     for denial of service or privilege escalation.

  - CVE-2016-4581     Tycho Andersen discovered that in some situations the     Linux kernel did not handle propagated mounts correctly.
    A local user can take advantage of this flaw to cause a     denial of service (system crash).

  - CVE-2016-4805     Baozeng Ding discovered a use-after-free in the generic     PPP layer in the Linux kernel. A local user can take     advantage of this flaw to cause a denial of service     (system crash), or potentially escalate their     privileges.

  - CVE-2016-4913     Al Viro found that the ISO9660 filesystem implementation     did not correctly count the length of certain invalid     name entries. Reading a directory containing such name     entries would leak information from kernel memory. Users     permitted to mount disks or disk images could use this     to obtain sensitive information.

  - CVE-2016-4997 / CVE-2016-4998     Jesse Hertz and Tim Newsham discovered that missing     input sanitising in Netfilter socket handling may result     in denial of service. Debian disables unprivileged user     namespaces by default, if locally enabled with the     kernel.unprivileged_userns_clone sysctl, this also     allows privilege escalation.

ID	Name	Product	Family	Severity
124975	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1522)	Nessus	Huawei Local Security Checks	high
94303	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1227) (Dirty COW)	Nessus	SuSE Local Security Checks	critical
93445	openSUSE Security Update : the Linux Kernel (openSUSE-2016-1076)	Nessus	SuSE Local Security Checks	critical
93243	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)	Nessus	Ubuntu Local Security Checks	high
93242	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)	Nessus	Ubuntu Local Security Checks	high
93241	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)	Nessus	Ubuntu Local Security Checks	high
93217	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)	Nessus	Ubuntu Local Security Checks	high
92863	Ubuntu 14.04 LTS : linux-lts-vivid vulnerabilities (USN-3053-1)	Nessus	Ubuntu Local Security Checks	high
92661	Amazon Linux AMI : kernel (ALAS-2016-726)	Nessus	Amazon Linux Local Security Checks	medium
92446	Fedora 24 : kernel (2016-9a16b2e14e)	Nessus	Fedora Local Security Checks	high
92256	Fedora 23 : kernel (2016-73a733f4d9)	Nessus	Fedora Local Security Checks	high
91886	Debian DSA-3607-1 : linux - security update	Nessus	Debian Local Security Checks	critical

CVE-2016-1237

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins