[security-announce] Security Update: linux kernel: CVE-2016-5195 (Dirty COW)

Sona Sarmadi sona.sarmadi at enea.com
Mon Oct 24 17:56:18 CEST 2016


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0:
		(linux-yocto 4.4, linux-ls1_3.12 & linux-qoriq_3.12)
Severity: High
Architecture: All
CVE Name: CVE-2016-5195
====================================================================

This security update fixes privilege escalation via MAP_PRIVATE COW
breakage in linux kernel.

Description
===========
A race condition was found in the way Linux kernel's memory subsystem
handled breakage of the read only private mappings COW situation on
write access.

An unprivileged local user could use this flaw to gain
write access to otherwise read only memory mappings and thus increase
their privileges on the system.

References:
===========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195
http://www.securityfocus.com/bid/93793
http://lwn.net/Articles/704153/

Reference to the upstream fix:
===============================
4.4 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=1294d355881cc5c3421d24fee512f16974addb6c

3.12 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f949fcd7414197b8e04b07c480d36bc39332ff7b

Correction for Enea Linux
=========================
Kernel 3.12: PPC:
http://git.enea.com/cgit/linux/meta-enea-bsp-ppc.git/patch/?id=372381ce850e3afb4108218fd7e77de851a1a420

Kernel 3.12:ARM:
http://git.enea.com/cgit/linux/meta-enea-bsp-arm.git/patch/?id=7f5d5e29d35616653a50ab44fd2dd330a44c1bcc

linux-yocto: QEMU x86/arm/ppc:
http://git.enea.com/cgit/linux/meta-enea-bsp-common.git/patch/?id=7914c3cba2645ff204e252d1cfc83937aebb0f78

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \
-b krogoth\
-m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20161024/50c4494d/attachment.sig>


More information about the security-announce mailing list