[security-announce] Kernel: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed May 27 15:40:25 CEST 2015


		Enea Linux Security Advisory

=========================================================
Product/package: kernel (x86/romley-ivb: 3.10.38)
Severity: Low
CVE Names: CVE-2015-1593
Layer: meta-enea
=========================================================

This security update fixes an integer overflow in the stack ASLR
implementation of the Linux kernel. The problem only affects the x86_64
architecture.

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0076-x86-mm-ASLR-CVE-2015-1593.REAME.asc
0076-x86-mm-ASLR-CVE-2015-1593.patch.asc
0076-x86-mm-ASLR-CVE-2015-1593.patch.sha

Description
===========
The stack randomization feature in the Linux kernel before 3.19.1
on 64-bit platforms uses incorrect data types for the results of
bitwise left-shift operations, which makes it easier for attackers
to bypass the ASLR protection mechanism by predicting the address
of the top of the stack, related to the randomize_stack_top function
in fs/binfmt_elf.c and the stack_maxrandom_size function in
arch/x86/mm/mmap.c.
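The data-type defect described above, shown as an added illustration that is not part of the advisory or of the kernel source: it mirrors the arithmetic of randomize_stack_top with the x86_64 page shift and 22-bit stack mask assumed as constants, computes the stack offset once with the pre-fix 32-bit type and once with a 64-bit type, and counts how many bits of randomness each version can actually produce.

```c
#include <stdint.h>
#include <stdio.h>

/* Values assumed for x86_64: a 4 KiB page and the 22-bit stack randomization mask. */
#define PAGE_SHIFT      12
#define STACK_RND_MASK  0x3fffffu

/* Mirrors the defective arithmetic: the masked random value is shifted
 * while held in a 32-bit unsigned int, so the shift result is truncated
 * to 32 bits before it is widened to the 64-bit return type. */
static uint64_t stack_offset_before_fix(uint32_t raw_random)
{
    unsigned int random_variable = raw_random & STACK_RND_MASK; /* 22 bits */
    random_variable <<= PAGE_SHIFT;  /* needs 34 bits; bits 32-33 are lost */
    return random_variable;
}

/* The same computation with the shift performed in a 64-bit type. */
static uint64_t stack_offset_after_fix(uint32_t raw_random)
{
    uint64_t random_variable = raw_random & STACK_RND_MASK;
    random_variable <<= PAGE_SHIFT;
    return random_variable;
}

/* Exhaust every masked random value and count how many distinct offset
 * bits the function can ever set: that is its entropy in bits. */
static int random_bits_reachable(uint64_t (*offset)(uint32_t))
{
    uint64_t seen = 0;
    for (uint32_t r = 0; r <= STACK_RND_MASK; r++)
        seen |= offset(r);
    int bits = 0;
    for (; seen != 0; seen >>= 1)
        bits += (int)(seen & 1);
    return bits;
}

int main(void)
{
    printf("before fix: %d random bits, max offset 0x%llx\n",
           random_bits_reachable(stack_offset_before_fix),
           (unsigned long long)stack_offset_before_fix(STACK_RND_MASK));
    printf("after fix:  %d random bits, max offset 0x%llx\n",
           random_bits_reachable(stack_offset_after_fix),
           (unsigned long long)stack_offset_after_fix(STACK_RND_MASK));
    return 0;
}
```

With the 32-bit type the two highest mask bits vanish, so the top of the stack takes one of 2^20 positions instead of 2^22, which is the reduced search space the CVE text refers to.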

References:
http://hmarco.org/bugs/linux-ASLR-integer-overflow.html
http://www.openwall.com/lists/oss-security/2015/02/13/13

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing FSL kernel patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch and apply the new patch
cd Enea-Linux-4.0/poky/meta-enea
wget https://linux.enea.com/4.0/patches/0076-x86-mm-ASLR-CVE-2015-1593.patch.asc
patch -p1 < ./0076-x86-mm-ASLR-CVE-2015-1593.patch.asc

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com