[security-announce] Security Update: linux-qoriq kernel CVE-2017-2636 ** HIGH **

Sona Sarmadi sona.sarmadi at enea.com
Thu Apr 6 16:42:43 CEST 2017



Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (linux-qoriq kernel 3.12)
Severity: High
Architecture: PowerPC
CVE Name: CVE-2017-2636
====================================================================

This security update fixes a race condition flaw in the N_HDLC Linux
kernel driver when accessing the n_hdlc.tbuf list that can lead to a
double free.
A local, unprivileged user able to set the HDLC line discipline on the
tty device could use this flaw to increase their privileges on the
system.

Description
===========
Race condition in drivers/tty/n_hdlc.c in the Linux kernel through
4.10.1 allows local users to gain privileges or cause a denial of
service (double free) by setting the HDLC line discipline.
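
Added example (not part of the original advisory or of Enea's tooling): a
check for whether a target can reach the affected driver at all, based on
its kernel configuration and loaded-module list. CONFIG_N_HDLC and the
module name n_hdlc are the upstream kernel's names for this driver; the
input file locations and the sample data are assumptions.

```shell
#!/bin/sh
# Classify exposure to the n_hdlc line discipline from two text inputs:
#   $1 = kernel config file (e.g. /boot/config-$(uname -r); location is an assumption)
#   $2 = loaded-module list in /proc/modules format
# Prints one of: loaded | builtin | loadable | absent
n_hdlc_status() {
    config_file=$1
    modules_file=$2
    # The first field of each /proc/modules line is the module name.
    if awk '$1 == "n_hdlc" { found = 1 } END { exit !found }' "$modules_file"; then
        echo loaded
        return 0
    fi
    # CONFIG_N_HDLC is tristate: =y built in, =m module, "is not set" or
    # missing means the driver was not built.
    case $(sed -n 's/^CONFIG_N_HDLC=\([ym]\)$/\1/p' "$config_file") in
        y) echo builtin ;;
        m) echo loadable ;;  # the tty layer can load it on demand when the ldisc is requested
        *) echo absent ;;
    esac
}

# Exit status 0 only when the driver is neither built nor loaded.
n_hdlc_unreachable() {
    [ "$(n_hdlc_status "$1" "$2")" = absent ]
}

# Constructed sample inputs (not taken from a real target).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_TTY=y' 'CONFIG_N_HDLC=m' > "$tmp/config"
    printf '%s\n' 'ppp_generic 33037 0 - Live 0x0000000000000000' > "$tmp/modules"
    n_hdlc_status "$tmp/config" "$tmp/modules"
    rm -rf "$tmp"
}

demo
```

Any result other than "absent" means the target needs the kernel update
described in this advisory.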

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636

Upstream patch
===============
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=63075fbddd5151d2e98fa7cf0608a2113e23607d

Correction for Enea Linux
=========================
https://git.enea.com/cgit/linux/meta-enea-bsp-ppc.git/patch/?id=736f356c04e93c253a674cf242898a8cdec5dd6a

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches.

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below. (Security patches are fetched implicitly when cloning the repos.)

To use the repo tool to download the source for the Enea Linux 6.0
standard, follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
    -u git://git.enea.com/linux/el_manifests-standard.git \
    -b krogoth \
    -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For general security information, refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed in Enea Linux releases, see the CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com



