[security-announce] Security Update: linux-qoriq kernel CVE-2016-10229 ** HIGH **

Sona Sarmadi sona.sarmadi at enea.com
Fri May 19 13:34:38 CEST 2017


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (linux-qoriq kernel 3.12)
Severity: High
Architecture: PowerPC
CVE Name: CVE-2016-10229
====================================================================

This security update fixes a security vulnerability in the Linux
kernel. This flaw could allow remote attackers to execute arbitrary
code via UDP traffic that triggers an unsafe second checksum
calculation during execution of a recv system call with the MSG_PEEK
flag. This may cause a kernel panic or memory corruption leading to
privilege escalation.

Mitre Description
=================
udp.c in the Linux kernel before 4.5 allows remote attackers to
execute arbitrary code via UDP traffic that triggers an unsafe second
checksum calculation during execution of a recv system call with the
MSG_PEEK flag.

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2016-10229

Upstream patch
===============
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.12.74&id=c3bfbecb1bb575278ce4812746a29c04875a2926

Correction for Enea Linux
=========================
https://git.enea.com/cgit/linux/meta-enea-bsp-ppc.git/patch/?id=7fa63864b6a627b7406c181d93f1550aef2e67e5

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
  the new security patches:

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, clone them as
  described below. (Security patches are fetched implicitly when cloning
  the repos.)

To download the source for Enea Linux 6.0 standard with the repo tool,
follow the steps below:
1. Make sure that the repo tool is installed. If not, install it as
follows:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
    -u git://git.enea.com/linux/el_manifests-standard.git \
    -b krogoth \
    -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For general security information, refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed in Enea Linux releases, see the CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
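
A check to run after `repo sync`, added here as an example and not part of the Enea advisory: it searches the git checkouts in the workspace for the correction commit named in the "Correction for Enea Linux" URL and reports whether that commit is in the checked-out history. The function name `fix_status` and its workspace argument are assumptions, and the check presumes the correction was not re-applied under a different commit id.

```shell
#!/bin/sh
# Added example (not Enea's own tooling).
# Commit id of the Enea correction, copied from the advisory's patch URL.
FIX_COMMIT=7fa63864b6a627b7406c181d93f1550aef2e67e5

# fix_status WORKSPACE [COMMIT]   (hypothetical helper name)
# Prints exactly one word:
#   applied - a checked-out project has COMMIT in the history of HEAD
#   fetched - COMMIT is in a project's object store, but HEAD does not
#             contain it (for example, an older revision is checked out)
#   missing - no project under WORKSPACE knows COMMIT (sync not done yet)
fix_status() {
    ws=$1
    commit=${2:-$FIX_COMMIT}
    # Every project in a repo workspace has a ".git" entry at its top level.
    # -prune keeps find from descending into the git directories themselves.
    find "$ws" -name .git -prune 2>/dev/null | {
        result=missing
        while IFS= read -r gitentry; do
            proj=$(dirname "$gitentry")
            # Skip projects that do not have the commit object at all.
            git -C "$proj" cat-file -e "${commit}^{commit}" 2>/dev/null || continue
            # The object exists; is it part of what is checked out?
            if git -C "$proj" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
                result=applied
                break
            fi
            result=fetched
        done
        echo "$result"
    }
}

# Stand-alone use: sh check_fix.sh ~/Enea-Linux-6.0
[ $# -eq 0 ] || fix_status "$@"
```

A result of `fetched` or `missing` means the build tree does not yet contain the correction, so the kernel built from it should be treated as still affected by CVE-2016-10229.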

