http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9bf292bfca94694a721449e3fd752493856710f6

DSA-3616

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.1

20160630 [CVE-2016-5728] Double-Fetch Vulnerability in Linux-4.5/drivers/misc/mic/host/mic_virtio.c

USN-3070-1

USN-3070-2

USN-3070-3

USN-3070-4

USN-3071-1

USN-3071-2

https://bugzilla.kernel.org/show_bug.cgi?id=116651

https://github.com/torvalds/linux/commit/9bf292bfca94694a721449e3fd752493856710f6

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The pagemap_open function in fs/proc/task_mmu.c in the     Linux kernel before 3.19.3, as used in Android 6.0.1     before 2016-03-01, allows local users to obtain     sensitive physical-address information by reading a     pagemap file, aka Android internal bug     25739721.(CVE-2016-0823i1/4%0

  - drivers/hid/hid-steelseries.c in the Human Interface     Device (HID) subsystem in the Linux kernel through     3.11, when CONFIG_HID_STEELSERIES is enabled, allows     physically proximate attackers to cause a denial of     service (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2891i1/4%0

  - The overlayfs implementation in the Linux kernel     through 4.5.2 does not properly maintain POSIX ACL     xattr data, which allows local users to gain privileges     by leveraging a group-writable setgid     directory.(CVE-2016-1575i1/4%0

  - Integer overflow in the vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel before 4.9.7 allows local     users to cause a denial of service or possibly have     unspecified other impact via a crafted size value in a     VC4_SUBMIT_CL ioctl call.(CVE-2017-5576i1/4%0

  - The KVM subsystem in the Linux kernel through 3.12.5     allows local users to gain privileges or cause a denial     of service (system crash) via a VAPIC synchronization     operation involving a page-end     address.(CVE-2013-6368i1/4%0

  - It was found that the code in net/sctp/socket.c in the     Linux kernel through 4.10.1 does not properly restrict     association peel-off operations during certain wait     states, which allows local users to cause a denial of     service (invalid unlock and double free) via a     multithreaded application. This vulnerability was     introduced by CVE-2017-5986 fix (commit     2dcab5984841).(CVE-2017-6353i1/4%0

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux     kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call     to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error     function.(CVE-2014-2523i1/4%0

  - Race condition vulnerability was found in     drivers/misc/mic/vop/vop_vringh.c in the MIC VOP driver     in the Linux kernel before 4.6.1. MIC VOP driver does     two successive reads from user space to read a variable     length data structure. Local user can obtain sensitive     information from kernel memory or can cause DoS by     corrupting kernel memory if the data structure changes     between the two reads.(CVE-2016-5728i1/4%0

  - An issue was discovered in the btrfs filesystem code in     the Linux kernel. An invalid pointer dereference in     io_ctl_map_page() when mounting and operating a crafted     btrfs image is due to a lack of block group item     validation in check_leaf_item() in     fs/btrfs/tree-checker.c function. This could lead to a     system crash and a denial of service.(CVE-2018-14613i1/4%0

  - A flaw was found in the way the Linux kernel handled GS     segment register base switching when recovering from a     #SS (stack segment) fault on an erroneous return to     user space. A local, unprivileged user could use this     flaw to escalate their privileges on the     system.(CVE-2014-9322i1/4%0

  - The keyring_search_aux function in     security/keys/keyring.c in the Linux kernel allows     local users to cause a denial of service via a     request_key system call for the 'dead' key     type.(CVE-2017-6951i1/4%0

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the     system.(CVE-2015-0274i1/4%0

  - A memory leak in the kernel_read_file function in     fs/exec.c in the Linux kernel through 4.20.11 allows     attackers to cause a denial of service (memory     consumption) by triggering vfs_read     failures.(CVE-2019-8980i1/4%0

  - A flaw was found in the kernel's implementation of the     Berkeley Packet Filter (BPF). A local attacker could     craft BPF code to crash the system by creating a     situation in which the JIT compiler would fail to     correctly optimize the JIT image on the last pass. This     would lead to the CPU executing instructions that were     not part of the JIT code.(CVE-2015-4700i1/4%0

  - A security flaw was discovered in     nl80211_set_rekey_data() function in the Linux kernel     since v3.1-rc1 through v4.13. This function does not     check whether the required attributes are present in a     netlink request. This request can be issued by a user     with CAP_NET_ADMIN privilege and may result in NULL     dereference and a system crash.(CVE-2017-12153i1/4%0

  - The atyfb_ioctl function in     drivers/video/fbdev/aty/atyfb_base.c in the Linux     kernel through 4.12.10 does not initialize a certain     data structure, which allows local users to obtain     sensitive information from kernel stack memory by     reading locations associated with padding     bytes.(CVE-2017-14156i1/4%0

  - kernel/events/core.c in the performance subsystem in     the Linux kernel before 4.0 mismanages locks during     certain migrations, which allows local users to gain     privileges via a crafted application, aka Android     internal bug 31095224.(CVE-2016-6787i1/4%0

  - The ioresources_init function in kernel/resource.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak     permissions for /proc/iomem, which allows local users     to obtain sensitive information by reading this file,     aka Android internal bug 28814213 and Qualcomm internal     bug CR786116. NOTE: the permissions may be intentional     in most non-Android contexts.(CVE-2015-8944i1/4%0

  - Race condition in the ioctl_file_dedupe_range function     in fs/ioctl.c in the Linux kernel through 4.7 allows     local users to cause a denial of service (heap-based     buffer overflow) or possibly gain privileges by     changing a certain count value, aka a 'double fetch'     vulnerability.(CVE-2016-6516i1/4%0

  - It was found that the timer functionality in the Linux     kernel ALSA subsystem is prone to a race condition     between read and ioctl system call handlers, resulting     in an uninitialized memory disclosure to user space. A     local user could use this flaw to read information     belonging to other users.(CVE-2017-1000380i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3070-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A missing permission check when settings ACLs was discovered in nfsd.
A local user could exploit this flaw to gain access to any file by setting an ACL. (CVE-2016-1237)

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

James Patrick-Evans discovered that the airspy USB device driver in the Linux kernel did not properly handle certain error conditions. An attacker with physical access could use this to cause a denial of service (memory consumption). (CVE-2016-5400)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)

It was discovered that the OverlayFS implementation in the Linux kernel did not properly verify dentry state before proceeding with unlink and rename operations. A local attacker could use this to cause a denial of service (system crash). (CVE-2016-6197).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3071-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 LTS.

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Kangjie Lu discovered an information leak in the Reliable Datagram Sockets (RDS) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-5244)

Yue Cao et al discovered a flaw in the TCP implementation's handling of challenge acks in the Linux kernel. A remote attacker could use this to cause a denial of service (reset connection) or inject content into an TCP stream. (CVE-2016-5696)

Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2016-5728)

Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled transactional memory state on exec(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-5828)

It was discovered that a heap based buffer overflow existed in the USB HID driver in the Linux kernel. A local attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 4.5.7-202 kernel update contains a number of important security fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebase to latest upstream 4.6 release, 4.6.3.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2014-9904     It was discovered that the snd_compress_check_input     function used in the ALSA subsystem does not properly     check for an integer overflow, allowing a local user to     cause a denial of service.

  - CVE-2016-5728     Pengfei Wang discovered a race condition in the MIC VOP     driver that could allow a local user to obtain sensitive     information from kernel memory or cause a denial of     service.

  - CVE-2016-5828     Cyril Bur and Michael Ellerman discovered a flaw in the     handling of Transactional Memory on powerpc systems     allowing a local user to cause a denial of service     (kernel crash) or possibly have unspecified other     impact, by starting a transaction, suspending it, and     then calling any of the exec() class system calls.

  - CVE-2016-5829     A heap-based buffer overflow vulnerability was found in     the hiddev driver, allowing a local user to cause a     denial of service or, potentially escalate their     privileges.

  - CVE-2016-6130     Pengfei Wang discovered a flaw in the S/390 character     device drivers potentially leading to information leak     with /dev/sclp.

Additionally this update fixes a regression in the ebtables facility (#828914) that was introduced in DSA-3607-1.

ID	Name	Product	Family	Severity
124829	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1506)	Nessus	Huawei Local Security Checks	critical
93243	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3070-4)	Nessus	Ubuntu Local Security Checks	high
93242	Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3070-3)	Nessus	Ubuntu Local Security Checks	high
93241	Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3070-2)	Nessus	Ubuntu Local Security Checks	high
93219	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3071-2)	Nessus	Ubuntu Local Security Checks	high
93218	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3071-1)	Nessus	Ubuntu Local Security Checks	high
93217	Ubuntu 16.04 LTS : linux vulnerabilities (USN-3070-1)	Nessus	Ubuntu Local Security Checks	high
92256	Fedora 23 : kernel (2016-73a733f4d9)	Nessus	Fedora Local Security Checks	high
92232	Fedora 24 : kernel (2016-1c409313f4)	Nessus	Fedora Local Security Checks	high
91927	Debian DSA-3616-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2016-5728

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins