[security-announce] Security Update: linux-ls1_3.12 & linux-qoriq_3.12: CVE-2016-3136

Sona Sarmadi sona.sarmadi at enea.com
Fri Sep 16 10:25:15 CEST 2016


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (linux-ls1_3.12 & linux-qoriq_3.12)
Severity: Low
Arch: ARM & PPC
CVE Name: CVE-2016-3136
====================================================================

This security update fixes crash on invalid USB device descriptors
(mct_u232 driver).

Description
===========
The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in
the Linux kernel before 4.5.1 allows physically proximate attackers to
cause a denial of service (NULL pointer dereference and system crash)
via a crafted USB device without two interrupt-in endpoint descriptors.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3136
http://www.openwall.com/lists/oss-security/2016/03/14/2

Reference to the upstream fix:
===============================
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=f9dbb3666b3ddb5f9a7e44a433383cb6880a03f5


Correction for Enea Linux
=========================
ARM:
http://git.enea.com/cgit/linux/meta-enea-bsp-arm.git/patch/?id=07803ad12e6fcc5367f8107ea04eae9af0846fc0

PPC:
http://git.enea.com/cgit/linux/meta-enea-bsp-ppc.git/patch/?id=48a0d93e2e0f1a8a95eaac7c4c04bd768c366a7f

How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for Enea Linux, follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init -u git://git.enea.com/linux/el_manifests-standard.git -b
krogoth -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160916/d3d471e3/attachment.sig>


More information about the security-announce mailing list