[security-announce] Security Update: linux-ls1 CVE-2017-2636 ** HIGH **

Sona Sarmadi sona.sarmadi at enea.com
Thu Apr 20 13:44:11 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (linux-ls1 3.12)
Severity: High
Architecture: ARM
CVE Name: CVE-2017-2636
====================================================================

This security update fixes a race condition flaw in the N_HDLC Linux
kernel driver when accessing the n_hdlc.tbuf list that can lead to a
double free.
A local, unprivileged user able to set the HDLC line discipline on the
tty device could use this flaw to increase their privileges on the
system.

Description
===========
Race condition in drivers/tty/n_hdlc.c in the Linux kernel through
4.10.1 allows local users to gain privileges or cause a denial of
service (double free) by setting the HDLC line discipline.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2636

Upstream patch
===============
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/patch/?id=63075fbddd5151d2e98fa7cf0608a2113e23607d

Correction for Enea Linux
=========================
https://git.enea.com/cgit/linux/meta-enea-bsp-arm.git/patch/?id=4c7fbbf1721c7e4fcf39e2d0f96f385c1ce1a5cf

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to
get the new security patches.

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below. (Security patches are fetched implicitly when cloning the repos.)

To download the source for Enea Linux 6.0 standard with the repo tool,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init -u git://git.enea.com/linux/el_manifests-standard.git -b krogoth -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

For general security information, refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed in Enea Linux releases, see the CVE list:
http://www.enea.com/products/security/security-updates

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com



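An added check, not part of Enea's advisory or tooling: a shell function that classifies a kernel build's exposure to the n_hdlc flaw described above from its .config and, optionally, the driver source. It assumes the fixed driver no longer has the tbuf member the advisory names, so a remaining `->tbuf` reference marks unpatched source; the function name and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: classify a kernel build's exposure to CVE-2017-2636.
# Usage: n_hdlc_exposure <kernel .config> [path to drivers/tty/n_hdlc.c]

n_hdlc_exposure() {
    config=$1
    src=${2:-}

    [ -r "$config" ] || { echo "error: cannot read $config"; return 2; }

    # CONFIG_N_HDLC=y: driver is built in.
    # CONFIG_N_HDLC=m: driver is a module, loaded on demand when the
    #                  HDLC line discipline is set on a tty.
    # unset:           driver is absent, so the flaw is not reachable.
    case $(sed -n 's/^CONFIG_N_HDLC=\([ym]\)$/\1/p' "$config") in
        y) build=builtin ;;
        m) build=module ;;
        *) echo "not-built"; return 0 ;;
    esac

    # Assumption: the fix removes the racy tbuf member from the driver,
    # so any remaining "->tbuf" reference means the source is unpatched.
    if [ -n "$src" ] && [ -r "$src" ]; then
        if grep -q -e '->tbuf' "$src"; then
            echo "$build-unpatched"
        else
            echo "$build-patched"
        fi
    else
        # No source given: the config alone cannot confirm the fix.
        echo "$build-unverified"
    fi
}

# Run directly: sh check.sh /path/to/.config /path/to/n_hdlc.c
if [ "$#" -gt 0 ]; then
    n_hdlc_exposure "$@"
fi
```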

