[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 516-1] linux security update

Package        : linux
Version        : 3.2.81-1
CVE ID         : CVE-2016-0821 CVE-2016-1583 CVE-2016-2184 CVE-2016-2185
    	         CVE-2016-2186 CVE-2016-2187 CVE-2016-3134 CVE-2016-3136
		 CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3157
		 CVE-2016-3672 CVE-2016-3951 CVE-2016-3955 CVE-2016-3961
		 CVE-2016-4482 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565
		 CVE-2016-4569 CVE-2016-4578 CVE-2016-4580 CVE-2016-4913
		 CVE-2016-5243 CVE-2016-5244
Debian Bug     : #627782

This update fixes the CVEs described below.


    Solar Designer noted that the list 'poisoning' feature, intended
    to mitigate the effects of bugs in list manipulation in the
    kernel, used poison values within the range of virtual addresses
    that can be allocated by user processes.


    Jann Horn of Google Project Zero reported that the eCryptfs
    filesystem could be used together with the proc filesystem to
    cause a kernel stack overflow.  If the ecryptfs-utils package was
    installed, local users could exploit this, via the
    mount.ecryptfs_private program, for denial of service (crash) or
    possibly for privilege escalation.

CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187,
CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140

    Ralf Spenneberg of OpenSource Security reported that various USB
    drivers do not sufficiently validate USB descriptors.  This
    allowed a physically present user with a specially designed USB
    device to cause a denial of service (crash).  Not all the drivers
    have yet been fixed.


    The Google Project Zero team found that the netfilter subsystem
    does not sufficiently validate filter table entries.  A user with
    the CAP_NET_ADMIN capability could use this for denial of service
    (crash) or possibly for privilege escalation.

CVE-2016-3157 / XSA-171

    Andy Lutomirski discovered that the x86_64 (amd64) task switching
    implementation did not correctly update the I/O permission level
    when running as a Xen paravirtual (PV) guest.  In some
    configurations this would allow local users to cause a denial of
    service (crash) or to escalate their privileges within the guest.


    Hector Marco and Ismael Ripoll noted that it was still possible to
    disable Address Space Layout Randomisation (ASLR) for x86_32
    (i386) programs by removing the stack resource limit.  This made
    it easier for local users to exploit security flaws in programs
    that have the setuid or setgid flag set.


    It was discovered that the cdc_ncm driver would free memory
    prematurely if certain errors occurred during its initialisation.
    This allowed a physically present user with a specially designed
    USB device to cause a denial of service (crash) or possibly to
    escalate their privileges.


    Ignat Korchagin reported that the usbip subsystem did not check
    the length of data received for a USB buffer.  This allowed denial
    of service (crash) or privilege escalation on a system configured
    as a usbip client, by the usbip server or by an attacker able to
    impersonate it over the network.  A system configured as a usbip
    server might be similarly vulnerable to physically present users.

CVE-2016-3961 / XSA-174

    Vitaly Kuznetsov of Red Hat discovered that Linux allowed use of
    hugetlbfs on x86 (i386 and amd64) systems even when running as a
    Xen paravirtualised (PV) guest, although Xen does not support huge
    pages.  This allowed users with access to /dev/hugepages to cause
    a denial of service (crash) in the guest.

CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569,
CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244

    Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA
    timer, x25, tipc, and rds facilities leaked information from the
    kernel stack.


    Jann Horn of Google Project Zero reported that various components
    in the InfiniBand stack implemented unusual semantics for the
    write() operation.  On a system with InfiniBand drivers loaded,
    local users could use this for denial of service or privilege


    Al Viro found that the ISO9660 filesystem implementation did not
    correctly count the length of certain invalid name entries.
    Reading a directory containing such name entries would leak
    information from kernel memory.  Users permitted to mount disks or
    disk images could use this to obtain sensitive information.

For Debian 7 "Wheezy", these problems have been fixed in version

This update also fixes bug #627782, which caused data corruption in
some applications running on an aufs filesystem, and includes many
other bug fixes from upstream stable updates 3.2.79, 3.2.80 and

For Debian 8 "Jessie", these problems will be fixed soon.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Ben Hutchings - Debian developer, member of kernel, installer and LTS teams

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: