[Secure-testing-commits] r42588 - data/CVE
Ben Hutchings
benh at moszumanska.debian.org
Fri Jun 17 03:06:30 UTC 2016
Author: benh
Date: 2016-06-17 03:06:30 +0000 (Fri, 17 Jun 2016)
New Revision: 42588
Modified:
data/CVE/list
Log:
Triage some linux kernel issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-06-17 00:38:26 UTC (rev 42587)
+++ data/CVE/list 2016-06-17 03:06:30 UTC (rev 42588)
@@ -3081,6 +3081,8 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8
CVE-2016-4558 (The BPF subsystem in the Linux kernel before 4.5.5 mishandles ...)
- linux 4.5.3-1
+ [jessie] - linux <not-affected> (Issue introduced later)
+ [wheezy] - linux <not-affected> (Issue introduced later)
NOTE: Fixed by: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e
NOTE: Introduced by: https://git.kernel.org/linus/1be7f75d1668d6296b80bf35dcf6762393530afc(v4.4-rc1)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=809
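Review bot: The reason on the two added lines, "(Issue introduced later)", does not say later than what. The "Introduced by" NOTE in the trailing context pins the regression to v4.4-rc1, so the parenthetical could carry that directly, for example "(Vulnerable code introduced in v4.4-rc1)". A reader of the tracker summary could then see why jessie and wheezy are unaffected without following the commit link.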
@@ -7757,15 +7759,21 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1296567
NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/9
CVE-2016-2854 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...)
- - linux <unfixed>
+ - linux <not-affected> (Vulnerable code is not present)
+ [jessie] - linux <no-dsa> (Not exploitable in default configuration)
NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/
- TODO: doublecheck with Ben, aufs is available as udebs, but not as a standard kernel module (possibly only in use for live images)
+ NOTE: This depends on a user namespace creator being able to mount aufs.
+ NOTE: jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default.
+ NOTE: wheezy: User namespaces are non-functional.
CVE-2016-2853 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...)
- - linux <unfixed>
+ - linux <not-affected> (Vulnerable code is not present)
+ [jessie] - linux <no-dsa> (Not exploitable in default configuration)
NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/
NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/
- TODO: doublecheck with Ben, aufs is available as udebs, but not as a standard kernel module (possibly only in use for live images)
+ NOTE: This depends on a user namespace creator being able to mount aufs.
+ NOTE: jessie: Unprivileged users are not allowed to create user namespaces by default; aufs is not allowed to be mounted from a new user namespace by default.
+ NOTE: wheezy: User namespaces are non-functional.
CVE-2016-2839
RESERVED
CVE-2016-2838
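Review bot: wheezy gets no tagged entry under CVE-2016-2854 or CVE-2016-2853. Its status appears only in the free-text line "NOTE: wheezy: User namespaces are non-functional.", whereas the CVE-2016-4558 hunk records it with an explicit "[wheezy] - linux <not-affected> (...)" line. Suggest adding a [wheezy] line under each of the two aufs CVEs with that reason, so the release status is explicit and does not rest on "Vulnerable code is not present", which is a different justification. The removed TODO also raised aufs being shipped as udebs and possibly used for live images; none of the added NOTEs records the outcome of that check, and a one-line NOTE would preserve it.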