Updated kernel-tmb packages fix security vulnerabilities
Publication date: 22 Jun 2016Modification date: 17 Feb 2022
Type: security
Affected Mageia releases : 5
CVE: CVE-2013-4312 , CVE-2015-5257 , CVE-2015-5307 , CVE-2015-5327 , CVE-2015-6937 , CVE-2015-7550 , CVE-2015-7799 , CVE-2015-8104 , CVE-2015-8543 , CVE-2016-0758 , CVE-2016-2085 , CVE-2016-2117 , CVE-2016-2143 , CVE-2016-3136 , CVE-2016-3137 , CVE-2016-3672 , CVE-2016-3713 , CVE-2016-3961
Description
This kernel-tmb update provides an upgrade to the upstream 4.4 longterm kernel series, currently based on 4.4.13 and resolves at least the following security issues: The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c (CVE-2013-4312). drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted USB device (CVE-2015-5257). The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (CVE-2015-5307). An out-of-bounds memory read was found, affecting kernels from 4.3-rc1 onwards. This vulnerability was caused by incorrect X.509 time validation in x509_decode_time() function in x509_cert_parser.c (CVE-2015-5327). The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (CVE-2015-6937). The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (CVE-2015-7550). The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (CVE-2015-7799). The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (CVE-2015-8104). The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (CVE-2015-8543). An issue with ASN.1 DER decoder was reported that could lead to memory corruptions, possible privilege escalation, or complete local denial of service via x509 certificate DER files (CVE-2016-0758). The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack (CVE-2016-2085). The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data (CVE-2016-2117). The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors (CVE-2016-3136). drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (CVE-2016-3137). The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits (CVE-2016-3672). Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) with variable Memory Type Range Registers(MTRR) support is vulnerable to an out-of-bounds r/w access issue. It could occur while accessing processors MTRRs via ioctl(2) calls. A privileged user inside guest could use this flaw to manipulate host kernels memory bytes leading to information disclosure OR potentially crashing the kernel resulting in DoS (CVE-2016-3713). Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area (CVE-2016-3961). This update also provides better support for various newer hardware. For other changes in this update, see the referenced changelogs.
References
- https://bugs.mageia.org/show_bug.cgi?id=18375
- http://kernelnewbies.org/Linux_4.2
- http://kernelnewbies.org/Linux_4.3
- http://kernelnewbies.org/Linux_4.4
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.1
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.2
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.3
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.4
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.5
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.6
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.7
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.9
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.12
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.13
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5257
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5327
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7550
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7799
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0758
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2085
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2117
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2143
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3136
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3137
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3672
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3713
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3961
SRPMS
5/core
- kernel-tmb-4.4.13-1.mga5