Advisories ยป MGASA-2016-0233

Updated kernel-tmb packages fix security vulnerabilities

Publication date: 22 Jun 2016
Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 5
CVE: CVE-2013-4312 , CVE-2015-5257 , CVE-2015-5307 , CVE-2015-5327 , CVE-2015-6937 , CVE-2015-7550 , CVE-2015-7799 , CVE-2015-8104 , CVE-2015-8543 , CVE-2016-0758 , CVE-2016-2085 , CVE-2016-2117 , CVE-2016-2143 , CVE-2016-3136 , CVE-2016-3137 , CVE-2016-3672 , CVE-2016-3713 , CVE-2016-3961

Description

This kernel-tmb update provides an upgrade to the upstream 4.4 longterm
kernel series, currently based on 4.4.13 and resolves at least the following
security issues:

The Linux kernel before 4.4.1 allows local users to bypass file-descriptor
limits and cause a denial of service (memory consumption) by sending each
descriptor over a UNIX socket before closing it, related to 
net/unix/af_unix.c and net/unix/garbage.c (CVE-2013-4312).

drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows
physically proximate attackers to cause a denial of service (NULL pointer
dereference and OOPS) or possibly have unspecified other impact via a
crafted USB device (CVE-2015-5257).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through
4.6.x, allows guest OS users to cause a denial of service (host OS panic or
hang) by triggering many #AC (aka Alignment Check) exceptions, related to
svm.c and vmx.c (CVE-2015-5307).

An out-of-bounds memory read was found, affecting kernels from 4.3-rc1
onwards. This vulnerability was caused by incorrect X.509 time validation
in x509_decode_time() function in x509_cert_parser.c (CVE-2015-5327).

The __rds_conn_create function in net/rds/connection.c in the Linux kernel
through 4.2.3 allows local users to cause a denial of service (NULL pointer
dereference and system crash) or possibly have unspecified other impact by
using a socket that was not properly bound (CVE-2015-6937).

The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel
before 4.3.4 does not properly use a semaphore, which allows local users
to cause a denial of service (NULL pointer dereference and system crash)
or possibly have unspecified other impact via a crafted application that
leverages a race condition between keyctl_revoke and keyctl_read calls
(CVE-2015-7550).

The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel
through 4.2.3 does not ensure that certain slot numbers are valid, which
allows local users to cause a denial of service (NULL pointer dereference
and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799).

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through
4.6.x, allows guest OS users to cause a denial of service (host OS panic
or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c
(CVE-2015-8104).

The networking implementation in the Linux kernel through 4.3.3, as used
in Android and other products, does not validate protocol identifiers for
certain protocol families, which allows local users to cause a denial of
service (NULL function pointer dereference and system crash) or possibly
gain privileges by leveraging CLONE_NEWUSER support to execute a crafted
SOCK_RAW application (CVE-2015-8543).

An issue with ASN.1 DER decoder was reported that could lead to memory
corruptions, possible privilege escalation, or complete local denial
of service via x509 certificate DER files (CVE-2016-0758).

The evm_verify_hmac function in security/integrity/evm/evm_main.c in the
Linux kernel before 4.5 does not properly copy data, which makes it easier
for local users to forge MAC values via a timing side-channel attack
(CVE-2016-2085).

The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the
Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which
allows remote attackers to obtain sensitive information from kernel memory
by reading packet data (CVE-2016-2117).

The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the
Linux kernel before 4.5.1 allows physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) via a crafted
USB device without two interrupt-in endpoint descriptors (CVE-2016-3136).

drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows
physically proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a USB device without both an interrupt-in
and an interrupt-out endpoint descriptor, related to the
cypress_generic_port_probe and cypress_open functions (CVE-2016-3137).

The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux
kernel through 4.5.2 does not properly randomize the legacy base address,
which makes it easier for local users to defeat the intended restrictions
on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism
for a setuid or setgid program, by disabling stack-consumption resource
limits (CVE-2016-3672).

Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) with
variable Memory Type Range Registers(MTRR) support is vulnerable to an
out-of-bounds r/w access issue. It could occur while accessing processors
MTRRs via ioctl(2) calls. A privileged user inside guest could use this
flaw to manipulate host kernels memory bytes leading to information
disclosure OR potentially crashing the kernel resulting in DoS
(CVE-2016-3713).

Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs
support in x86 PV guests, which allows local PV guest users to cause a
denial of service (guest OS crash) by attempting to access a hugetlbfs
mapped area (CVE-2016-3961).

This update also provides better support for various newer hardware.

For other changes in this update, see the referenced changelogs.
                

References

SRPMS

5/core