Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#4012 closed task (fixed)

linux-4.8.14 (CVE-2016-7596 CVE-2016-9919 CVE-2016-9793 CVE-2016-9794 CVE-2016-9806)

Reported by: Douglas R. Reno Owned by: lfs-book@…
Priority: highest Milestone: 8.0
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Security update with some critical fixes.


http://seclists.org/oss-sec/2016/q4/644

CVE-2016-7596: Linux Kernel use-after-free in SCSI generic device interface


The linux kernel contains a bug where a fragmented IPv6 packet causes a panic after a timeout (seems to be roughly 60 seconds). This can be triggered remotely via the internet and results in a DoS (kernel panic).

http://seclists.org/oss-sec/2016/q4/640

http://seclists.org/oss-sec/2016/q4/641

CVE-2016-9919


CVE Request: Linux: signed overflows for SO_{SND|RCV}BUFFORCE

Memory corruption.

http://seclists.org/oss-sec/2016/q4/573

http://seclists.org/oss-sec/2016/q4/574

Affects all kernels back to 3.5 series, with a different CVE being assigned all the way back to 2.6.x.

Use CVE-2016-9793. This affects, for example, 4.8.12.


We might not completely understand the CVE implications of the "Note
that before
https://github.com/torvalds/linux/commit/82981930125abfd39d7c8378a9cfdf5e1be2002b
the bug was even more serious, since SO_SNDBUF and SO_RCVBUF were
vulnerable" comment within the
b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 commit message.
82981930125abfd39d7c8378a9cfdf5e1be2002b is a commit from 2012. The
3.5 release has this, whereas the 3.4 release does not.

For now, we are assigning CVE-2012-6704 to mean the analogous
vulnerability involving SO_SNDBUF and SO_RCVBUF that affects "before
3.5" kernels.

CVE request: -- Linux kernel: ALSA: use-after-free in,kill_fasync

http://seclists.org/oss-sec/2016/q4/575

http://seclists.org/oss-sec/2016/q4/576

CVE-2016-9794


CVE Request: -- Linux kernel: double free in netlink_dump

http://seclists.org/oss-sec/2016/q4/577

http://seclists.org/oss-sec/2016/q4/580

CVE-2016-9806


My personal advice is to put out an advisory to the list as soon as we are done updating this package, and make a change to the errata for both books. This is serious and is worse than Dirty CoW.

Change History (7)

comment:1 by ken@…, 5 years ago

Is this the same issue as the fix at https://github.com/torvalds/linux/commit/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 (commit b98b0bc) or a different one ?

I'm asking because the changes to net/core/soc.c in patch-4.8.13 (i.e. everything since 4.8.0) seem to be quite different.

comment:2 by Douglas R. Reno, 5 years ago

As far as I know, it is the same issue as the fix at that page.

comment:3 by ken@…, 5 years ago

From lwn.net:

"Greg Kroah-Hartman has announced the release of the 4.8.13 and 4.4.37 stable kernels. As usual, there are fixes throughout the tree and users of those kernel series should upgrade.

Note that the fix for the kernel code execution vulnerability using AF_PACKET sockets (also known as CVE-2016-8655) has not made it into these stable kernels. Those running systemd may want to check Lennart Poettering's blog post on how to mitigate the problem for services started by systemd."

From a comment, it IS fixed in 4.4.38 (and therefore also in 4.8.14).

comment:4 by bdubbs@…, 5 years ago

I intend to wait for 4.8.14. It shouldn't be long.

comment:5 by bdubbs@…, 5 years ago

Summary: linux-4.8.13 (CVE-2016-7596 CVE-2016-9919 CVE-2016-9793 CVE-2016-9794 CVE-2016-9806)linux-4.8.14 (CVE-2016-7596 CVE-2016-9919 CVE-2016-9793 CVE-2016-9794 CVE-2016-9806)

And it wasn't long. 4.8.14 has been released. I'll get it in the book in a few hours.

comment:6 by bdubbs@…, 5 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 11152.

comment:7 by bdubbs@…, 5 years ago

Milestone: 7.118.0

Milestone renamed

Note: See TracTickets for help on using tickets.