Errata overview
Errata ID 286
Date 2016-10-12
Source package linux
Fixed in version 4.1.6-1.205.201610070933
Description
This update addresses the following issues:
* unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
* KVM: x86: Reload pit counters for all channels when restoring state
  (CVE-2015-7513)
* usbvision: fix crash on detecting device with invalid configuration
  (CVE-2015-7833)
* KEYS: Fix handling of stored error in a negatively instantiated user key
  (CVE-2015-8539)
* ovl: fix permission checking for setattr (CVE-2015-8660)
* fuse: break infinite loop in fuse_fill_write_pages() (CVE-2015-8785)
* iw_cxgb3: Fix incorrectly returning error on success (CVE-2015-8812)
* include/linux/poison.h: fix LIST_POISON{1,2} offset (CVE-2016-0821)
* ecryptfs: forbid opening files without mmap handler (CVE-2016-1583)
* atl2: Disable unimplemented scatter/gather feature (CVE-2016-2117)
* ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
  (CVE-2016-2184)
* Input: ati_remote2 - fix crashes on detecting device with invalid
  descriptor (CVE-2016-2185)
* Input: powermate - fix oops with malicious USB descriptors (CVE-2016-2186)
* Input: gtco - fix crash on detecting device without endpoints
  (CVE-2016-2187)
* USB: iowarrior: fix oops with malicious USB descriptors (CVE-2016-2188)
* bpf: fix branch offset adjustment on backjumps after patching ctx expansion
  (CVE-2016-2383)
* netfilter: x_tables: fix unconditional helper (CVE-2016-3134)
* USB: mct_u232: add sanity checking in probe (CVE-2016-3136)
* USB: cypress_m8: add endpoint sanity check (CVE-2016-3137)
* USB: cdc-acm: more sanity checking (CVE-2016-3138)
* USB: digi_acceleport: do sanity checking for the number of ports
  (CVE-2016-3140)
* ipv4: Don't do expensive useless work during inetdev destroy
  (CVE-2016-3156)
* Xen: I/O port access privilege escalation in x86-64 Linux (CVE-2016-3157)
* Input: ims-pcu - sanity check against missing interfaces (CVE-2016-3689)
* usbnet: memory corruption triggered by invalid USB descriptor
  (CVE-2016-3951)
* USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
* xen: hugetlbfs use may crash PV Linux guests (CVE-2016-3961)
* KEYS: potential uninitialized variable (CVE-2016-4470)
* net: fix infoleak in llc (CVE-2016-4485)
* net: fix infoleak in rtnetlink (CVE-2016-4486)
* bpf: fix double-fdput in replace_map_fd_with_map_ptr() (CVE-2016-4557)
* IB/security: Restrict use of the write() interface (CVE-2016-4565)
* net: fix a kernel infoleak in x25 module (CVE-2016-4580)
* propogate_mnt: Handle the first propogated copy being a slave
  (CVE-2016-4581)
* percpu: fix synchronization between synchronous map extension and chunk
  destruction (CVE-2016-4794)
* ppp: take reference on channels netns (CVE-2016-4805)
* get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
* tipc: check nl sock before parsing nested attributes (CVE-2016-4951)
* netfilter: x_tables: check for bogus target offset (CVE-2016-4997)
* netfilter: x_tables: make sure e->next_offset covers remaining blob size
  (CVE-2016-4998)
* media: fix airspy usb probe error path (CVE-2016-5400)
* tcp: make challenge acks less predictable (CVE-2016-5696)
* powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
  (CVE-2016-5828)
* HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
  (CVE-2016-5829)
* Race condition in the audit_log_single_execve_arg function in
  kernel/auditsc.c in the Linux kernel through 4.7 allows local users to
  bypass intended character-set restrictions or disrupt system-call auditing
  by changing a certain string, aka a "double fetch" vulnerability.
  (CVE-2016-6136)
* Race condition in the ioctl_send_fib function in
  drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows
  local users to cause a denial of service (out-of-bounds access or system
  crash) by changing a certain size value, aka a "double fetch"
  vulnerability. (CVE-2016-6480)
* Linux tcp_xmit_retransmit_queue use after free (CVE-2016-6828)
* USB: serial: visor: fix crash on detecting device without write_urbs
  (CVE-2015-7566)
* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
* ALSA: usb-audio: avoid freeing umidi object twice (CVE-2016-2384)
* unix: correctly track in-flight fds in sending process user_struct
  (CVE-2016-2550)
* USB: visor: fix null-deref at probe (CVE-2016-2782)
* ppp, slip: Validate VJ compression slot parameters completely
  (CVE-2015-7799)
* [media] media/vivid-osd: fix info leak in ioctl (CVE-2015-7884)
* KVM: svm: unconditionally intercept #DB (CVE-2015-8104)
* Xen: when used on a system providing PV backends, allows local guest OS
  administrators to cause a denial of service (host OS crash) or gain
  privileges by writing to memory shared between the frontend and backend,
  aka a double fetch vulnerability (CVE-2015-8550)
* Xen: Linux pciback missing sanity checks leading to crash (CVE-2015-8551)
* sctp: Prevent soft lockup when sctp_accept() is called during a timeout
  event (CVE-2015-8767)
* netfilter: nf_nat_redirect: add missing NULL pointer check (CVE-2015-8787)
* USB: fix invalid memory access in hub_activate() (CVE-2015-8816)
* powerpc/tm: Block signal return setting invalid MSR state (CVE-2015-8844)
* powerpc/tm: Check for already reclaimed tasks (CVE-2015-8845)
* nfsd: check permissions when setting ACLs (CVE-2016-1237)
* x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
  (CVE-2016-2069)
* EVM: Use crypto_memneq() for digest comparisons (CVE-2016-2085)
* s390/mm: four page table levels vs. fork (CVE-2016-2143)
* ALSA: seq: Fix missing NULL check at remove_events ioctl (CVE-2016-2543)
* ALSA: seq: Fix race at timer setup and close (CVE-2016-2544)
* ALSA: timer: Fix double unlink of active_list (CVE-2016-2545)
* ALSA: timer: Fix race among timer ioctls (CVE-2016-2546)
* ALSA: timer: Harden slave timer list handling (CVE-2016-2547)
* ALSA: hrtimer: Fix stall by hrtimer_cancel() (CVE-2016-2549)
* ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
* ALSA: timer: Fix leak in events via snd_timer_user_ccallback
  (CVE-2016-4578)
* KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
* ovl: verify upper dentry before unlink and rename (CVE-2016-6197)
* IB/srpt: Simplify srpt_handle_tsk_mgmt() (CVE-2016-6327)
* net: Fix use after free in the recvmmsg exit path (CVE-2016-7117)
Additional notes This is the first of three parts of the Linux kernel update.
CVE ID CVE-2013-4312
CVE-2015-7513
CVE-2015-7566
CVE-2015-7799
CVE-2015-7833
CVE-2015-7884
CVE-2015-8104
CVE-2015-8539
CVE-2015-8550
CVE-2015-8551
CVE-2015-8660
CVE-2015-8767
CVE-2015-8785
CVE-2015-8787
CVE-2015-8812
CVE-2015-8816
CVE-2015-8844
CVE-2015-8845
CVE-2016-0723
CVE-2016-0821
CVE-2016-1237
CVE-2016-1583
CVE-2016-2069
CVE-2016-2085
CVE-2016-2117
CVE-2016-2143
CVE-2016-2184
CVE-2016-2185
CVE-2016-2186
CVE-2016-2187
CVE-2016-2188
CVE-2016-2383
CVE-2016-2384
CVE-2016-2543
CVE-2016-2544
CVE-2016-2545
CVE-2016-2546
CVE-2016-2547
CVE-2016-2549
CVE-2016-2550
CVE-2016-2782
CVE-2016-3134
CVE-2016-3136
CVE-2016-3137
CVE-2016-3138
CVE-2016-3140
CVE-2016-3156
CVE-2016-3157
CVE-2016-3689
CVE-2016-3951
CVE-2016-3955
CVE-2016-3961
CVE-2016-4470
CVE-2016-4485
CVE-2016-4486
CVE-2016-4557
CVE-2016-4565
CVE-2016-4569
CVE-2016-4578
CVE-2016-4580
CVE-2016-4581
CVE-2016-4794
CVE-2016-4805
CVE-2016-4913
CVE-2016-4951
CVE-2016-4997
CVE-2016-4998
CVE-2016-5400
CVE-2016-5412
CVE-2016-5696
CVE-2016-5828
CVE-2016-5829
CVE-2016-6136
CVE-2016-6197
CVE-2016-6327
CVE-2016-6480
CVE-2016-6828
CVE-2016-7117
UCS Bug number #41058