Package : linux
Version : 3.2.81-1
CVE ID : CVE-2016-0821 CVE-2016-1583 CVE-2016-2184 CVE-2016-2185
CVE-2016-2186 CVE-2016-2187 CVE-2016-3134 CVE-2016-3136
CVE-2016-3137 CVE-2016-3138 CVE-2016-3140 CVE-2016-3157
CVE-2016-3672 CVE-2016-3951 CVE-2016-3955 CVE-2016-3961
CVE-2016-4482 CVE-2016-4485 CVE-2016-4486 CVE-2016-4565
CVE-2016-4569 CVE-2016-4578 CVE-2016-4580 CVE-2016-4913
CVE-2016-5243 CVE-2016-5244
Debian Bug : #627782
This update fixes the CVEs described below.
CVE-2016-0821
Solar Designer noted that the list 'poisoning' feature, intended
to mitigate the effects of bugs in list manipulation in the
kernel, used poison values within the range of virtual addresses
that can be allocated by user processes.
CVE-2016-1583
Jann Horn of Google Project Zero reported that the eCryptfs
filesystem could be used together with the proc filesystem to
cause a kernel stack overflow. If the ecryptfs-utils package was
installed, local users could exploit this, via the
mount.ecryptfs_private program, for denial of service (crash) or
possibly for privilege escalation.
CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187,
CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140
Ralf Spenneberg of OpenSource Security reported that various USB
drivers do not sufficiently validate USB descriptors. This
allowed a physically present user with a specially designed USB
device to cause a denial of service (crash). Not all the drivers
have yet been fixed.
CVE-2016-3134
The Google Project Zero team found that the netfilter subsystem
does not sufficiently validate filter table entries. A user with
the CAP_NET_ADMIN capability could use this for denial of service
(crash) or possibly for privilege escalation.
CVE-2016-3157 / XSA-171
Andy Lutomirski discovered that the x86_64 (amd64) task switching
implementation did not correctly update the I/O permission level
when running as a Xen paravirtual (PV) guest. In some
configurations this would allow local users to cause a denial of
service (crash) or to escalate their privileges within the guest.
CVE-2016-3672
Hector Marco and Ismael Ripoll noted that it was still possible to
disable Address Space Layout Randomisation (ASLR) for x86_32
(i386) programs by removing the stack resource limit. This made
it easier for local users to exploit security flaws in programs
that have the setuid or setgid flag set.
CVE-2016-3951
It was discovered that the cdc_ncm driver would free memory
prematurely if certain errors occurred during its initialisation.
This allowed a physically present user with a specially designed
USB device to cause a denial of service (crash) or possibly to
escalate their privileges.
CVE-2016-3955
Ignat Korchagin reported that the usbip subsystem did not check
the length of data received for a USB buffer. This allowed denial
of service (crash) or privilege escalation on a system configured
as a usbip client, by the usbip server or by an attacker able to
impersonate it over the network. A system configured as a usbip
server might be similarly vulnerable to physically present users.
CVE-2016-3961 / XSA-174
Vitaly Kuznetsov of Red Hat discovered that Linux allowed use of
hugetlbfs on x86 (i386 and amd64) systems even when running as a
Xen paravirtualised (PV) guest, although Xen does not support huge
pages. This allowed users with access to /dev/hugepages to cause
a denial of service (crash) in the guest.
CVE-2016-4482, CVE-2016-4485, CVE-2016-4486, CVE-2016-4569,
CVE-2016-4578, CVE-2016-4580, CVE-2016-5243, CVE-2016-5244
Kangjie Lu reported that the USB devio, llc, rtnetlink, ALSA
timer, x25, tipc, and rds facilities leaked information from the
kernel stack.
CVE-2016-4565
Jann Horn of Google Project Zero reported that various components
in the InfiniBand stack implemented unusual semantics for the
write() operation. On a system with InfiniBand drivers loaded,
local users could use this for denial of service or privilege
escalation.
CVE-2016-4913
Al Viro found that the ISO9660 filesystem implementation did not
correctly count the length of certain invalid name entries.
Reading a directory containing such name entries would leak
information from kernel memory. Users permitted to mount disks or
disk images could use this to obtain sensitive information.
For Debian 7 "Wheezy", these problems have been fixed in version
3.2.81-1.
This update also fixes bug #627782, which caused data corruption in
some applications running on an aufs filesystem, and includes many
other bug fixes from upstream stable updates 3.2.79, 3.2.80 and
3.2.81.
For Debian 8 "Jessie", these problems will be fixed soon.
We recommend that you upgrade your linux packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teamsAttachment:
signature.asc
Description: This is a digitally signed message part