
Re: CVE-2016-7117 Remote code execution vulnerability in kernel networking subsystem



Hi,

On Tue, Oct 04, 2016 at 11:54:12PM +0200, Jan Lühr wrote:
> Hello,
> On 10/04/2016 at 07:57 PM, Nicholas Luedtke wrote:
> > On 10/04/2016 11:40 AM, Felix Knecht wrote:
> > 
> >> On 10/04/2016 06:38 PM, Jan Lühr wrote:
> >>> CVE-2016-7117 was patched in Android today. I don't see much information
> >>> right now. The title is rather frightening - the issue appears to be urgent.
> >> The following upstream kernel commit is referenced in the security bulletin:
> >>
> >> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
> >>
> >> No idea if this is fixed in Debian though.
> >>
> >> Felix
> >>
> > Looks like it was picked up when Debian rolled to 3.16.36-1.
> 
> Thanks for the info - if Felix is right, then 4.7 (jessie backports) is
> secure, since it was released months after the fix was pushed to the
> mainline kernel.
> 
> However, it's somewhat strange that a bug labeled "Linux Kernel
> Use-After-Free Remote Code Execution Vulnerability", concerning a lot of
> kernels released in the last years
> (http://www.securityfocus.com/bid/93304), seems to be fixed in Android
> only. Do you know any details?
> 
> Anyway, using jessie-backports seems to help, thus I'm going for it...

I updated the security-tracker information for CVE-2016-7117:

https://security-tracker.debian.org/tracker/CVE-2016-7117

The fix is included in 3.16.36-1 as well.

HTH,

Regards,
Salvatore
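The thread's answer to "is my kernel fixed?" is a Debian package version, 3.16.36-1, taken from the security tracker. Checking an installed kernel against that number is not a string or float comparison: dpkg's ordering treats `~` as sorting before everything (so a `~bpo8+1` backport build sorts below the release it is based on), compares digit runs numerically (so 3.16.7-ckt25 is older than 3.16.36), and honours epochs. The block below is an added example, not code from this thread or from Debian's own tooling; it reimplements the dpkg version ordering in Python and looks the installed version up by upstream series (the `3.16` in `3.16.36-1`) rather than assuming "newer number means fixed", which says nothing about whether a stable branch carries a particular backported fix. The table of fixed versions holds only the 3.16 entry the thread states; the sample installed versions are constructed for the example.

```python
"""Check a Debian kernel package version against a tracker 'fixed' version.

Added example. Reimplements the dpkg version comparison (Debian Policy 5.6.12)
so it runs without dpkg present; for a real host you would feed it the output
of `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`.
"""
import string

# Constructed from the thread: CVE-2016-7117 is stated to be fixed in
# the 3.16 series as of package version 3.16.36-1. No other series is
# listed here, so other kernels deliberately come back as "unknown".
FIXED_BY_SERIES = {"3.16": "3.16.36-1"}


def _order(c):
    """dpkg's character weight for the non-digit parts of a version."""
    if c == "" or c in string.digits:
        return 0                   # end of string / digit: neutral
    if c in string.ascii_letters:
        return ord(c)              # letters sort before punctuation
    if c == "~":
        return -1                  # '~' sorts before everything, even end
    return ord(c) + 256            # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream/revision strings the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the leading non-digit runs character by character.
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Then the digit runs, numerically: strip leading zeros, the longer
        # remaining run is larger, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in string.digits and \
              j < len(b) and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]'. A missing revision counts as 0."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def upstream_series(version):
    """'3.16.36-1' -> '3.16'; fixes are tracked per stable series."""
    _, upstream, _ = parse_version(version)
    return ".".join(upstream.split(".")[:2])


def is_fixed(installed, fixed_by_series=FIXED_BY_SERIES):
    """True/False if the installed series has a tracked fix, None if unknown."""
    fixed = fixed_by_series.get(upstream_series(installed))
    if fixed is None:
        return None
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample versions, not real hosts.
    for v in ("3.16.7-ckt25-2+deb8u3", "3.16.36-1+deb8u1", "4.7.8-1~bpo8+1"):
        print(v, "->", {True: "fixed", False: "vulnerable", None: "not tracked"}[is_fixed(v)])
```

A `None` result is the honest answer for a series the tracker table does not cover: a 4.7 backport kernel may well contain the upstream commit, but the version number alone does not demonstrate it, and the check should be extended with that series' fixed version from the tracker rather than treating a larger number as proof.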

