Bug 1010492 (CVE-2015-8961)

Summary: VUL-0: CVE-2015-8961: kernel: Use after free in __ext4_journal_stop function allowing privilege escalation
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpetkov, jack, mbenes, meissner, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/176391/
Whiteboard: CVSSv2:NVD:CVE-2015-8961:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2016-11-16 14:26:33 UTC

The __ext4_journal_stop function in fs/ext4/ext4_jbd2.c in the Linux kernel
before 4.3.3 allows local users to gain privileges or cause a denial of service
(use-after-free) by leveraging improper access to a certain error field.

Comment 2 Swamp Workflow Management 2016-11-16 23:04:09 UTC

bugbot adjusting priority

Comment 3 Jan Kara 2016-11-21 13:05:14 UTC

So the problematic commit that introduced the bug was 9d506594069355d1fb2de3f9104667312ff08ed3 (not the one mentioned in the Fixes tag) which got merged in 4.1-rc4. The fix got into 4.4-rc5. I've checked and SLE12-LTSS and SLE12-SP1 branches got both involved patches from the 3.12-stable kernel. openSUSE 42.1 and thus SLE12-SP1 ARM branches got the fix from 4.1 stable as well. SLE12-SP2 is already based on 4.4, openSUSE 13.2 and SLE11-SP4 kernels didn't get the original buggy commit. So we are fine.

Reassigning back to security-team as there's nothing more to do.

Comment 4 Marcus Meissner 2016-11-25 15:13:31 UTC