[security-announce] Security Update: CVE-2015-2042, CVE-2015-5707, CVE-2015-6252 Kernel (linux-qoriq 3.12)

Sona Sarmadi sona.sarmadi at enea.com
Wed Feb 10 08:08:31 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: kernel (linux-qoriq 3.12)
Severity: Low, Medium,Low
CVE Name: CVE-2015-2042 (Low), CVE-2015-5707 (Medium)
CVE-2015-6252 (Low)
Layer: meta-enea
=========================================================

This update fixes several vulnerabilities in the  Freescale kernel
version 3.12:

rds-CVE-2015-2042: rds: information handling flaw in rds sysctl files.
drivers-scsi: CVE-2015-5707: number wraparound vulnerability in
function start_req()
vhost driver: CVE-2015-6252: vhost fd leak in ioctl VHOST_SET_LOG_FD

Description
===========
CVE-2015-2042:
net/rds/sysctl.c in the Linux kernel before 3.19 uses an incorrect
data type in a sysctl table, which allows local users to obtain
potentially sensitive information from kernel memory or possibly have
unspecified other impact by accessing a sysctl entry.

CVE-2015-5707:
Integer overflow in the sg_start_req function in drivers/scsi/sg.c in
the Linux kernel 2.6.x through 4.x before 4.1 allows local users to
cause a denial of service or possibly have unspecified other impact
via a large iov_count value in a write request.

CVE-2015-6252:
The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux
kernel before 4.1.5 allows local users to cause a denial of service
(memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers
permanent file-descriptor allocation.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5707
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5707
http://www.openwall.com/lists/oss-security/2015/08/01/6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6252
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-6252
http://www.openwall.com/lists/oss-security/2015/08/18/3

Reference to the upstream fixes:
===============================
rds: CVE-2015-2042:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=b4482b533bfb54232f31d72c8ab70c1400385040

drivers-scsi: CVE-2015-5707:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=aba300b9c26f063efcaee374e54264c79a611f22

vhost driver: CVE-2015-6252:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=a5b3343b05e58b8f8ce7481426f89c048229b50d

Correction for Enea Linux
=========================
rds: CVE-2015-2042:
http://git.enea.com/cgit/linux/meta-enea.git/patch/?id=8f34b8efbd344ab53
d0757e5a08cbf9778191d9b

drivers-scsi: CVE-2015-5707:
http://git.enea.com/cgit/linux/meta-enea.git/patch/?id=743d7ed8232663977
b19c0887561a6204bea3e5b

vhost driver: CVE-2015-6252:
http://git.enea.com/cgit/linux/meta-enea.git/patch/?id=7e15834edfd7f1a4b
ed0555440b7db97c2b1198e

How to get the latest patches
=============================
- - If you have already cloned meta-enea, update it to get new security
patches.

cd Enea-Linux-5.0/poky/meta-enea
git pull

- - If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/
meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/
meta-openembedded.git
git -C $POKY clone -b dizzy
git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy
git://git.enea.com/linux/meta-enea/meta-vt.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWuuHvAAoJEAilI68fskZdOD0H/iAHYGFoqJaih/PwM42A55AS
/iHnMTH4E7TByKUiFTpa8ks5JOz+6XIzSu2ZnxjHfsfXuZ7azIFdeQT+gLZPKo4i
V5LYig45i/xVWzx3LzxCzl62NuDHmPMJ27aB/0k0GqlwQRQvZiWbP5fAvswMHf+M
25bCX0zVCzljjFgKHOA090XLDQQRnBCfEArtjUccSrXt178eWtmbR6/oGHhtaQj8
U1YxKkFzhkbJcTKoBKQrx5nrdn3iPV6UwCJi9n3RH6KuEVTYOthahNB9PELqbUfT
nKFx8O8R5eHuOAUqrGpqYsZ6WcmiM5AtEth74ksxyRqEor/e8Fs7OSVFjZ8jz4s=
=UYCz
-----END PGP SIGNATURE-----



More information about the security-announce mailing list