Bug 968014 - (CVE-2016-2550) VUL-0: CVE-2016-2550: kernel: unix: correctly track in-flight fds in sending process user_struct
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/162167/
CVSSv2:RedHat:CVE-2016-2550:4.9:(AV:L...
Reported: 2016-02-24 10:53 UTC by Alexander Bergmann
Modified: 2016-12-02 19:20 UTC
Found By: Security Response Team
Description Alexander Bergmann 2016-02-24 10:53:48 UTC
http://seclists.org/oss-sec/2016/q1/412

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=415e3d3e90ce9e18727e8843ae343eda5a58fad6

unix: correctly track in-flight fds in sending process user_struct

The commit referenced in the Fixes tag incorrectly accounted the
number of in-flight fds over a unix domain socket to the original
opener of the file-descriptor. This allows another process to
arbitrarily deplete the original file-opener's resource limit for the
maximum of open files.

CVE-2016-2550 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2550
http://seclists.org/oss-sec/2016/q1/412
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2550.html
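
A simplified user-space model of the accounting described in the commit message above, added here as an illustration; it is not kernel code and not part of the original report. All type and function names are hypothetical, and the limit check against the sender's own in-flight count is an assumption of the model.

```c
#include <stdio.h>

/* Simplified user-space model of the accounting, not kernel code; all names are hypothetical. */
struct user_acct {
    int inflight;      /* in-flight fds charged to this user */
    int nofile_limit;  /* stand-in for the user's open-files limit */
};
struct file_obj { struct user_acct *opener; };  /* who originally opened the file */
enum policy { CHARGE_OPENER, CHARGE_SENDER };   /* before the fix / after the fix */

/* A user with more in-flight fds charged than its limit may not queue more. */
static int over_limit(const struct user_acct *u) { return u->inflight > u->nofile_limit; }

/* Queue one fd on a unix socket: 0 on success, -1 if the sender is refused. */
static int send_fd(struct file_obj *f, struct user_acct *sender, enum policy p)
{
    if (over_limit(sender))
        return -1;
    struct user_acct *charged = (p == CHARGE_OPENER) ? f->opener : sender;
    charged->inflight++;
    return 0;
}

/* sender queues a file opened by opener `attempts` times; returns accepted sends. */
static int run(enum policy p, struct user_acct *opener, struct user_acct *sender, int attempts)
{
    struct file_obj f = { opener };
    int accepted = 0;
    for (int i = 0; i < attempts; i++)
        if (send_fd(&f, sender, p) == 0)
            accepted++;
    return accepted;
}

int main(void)
{
    for (int p = CHARGE_OPENER; p <= CHARGE_SENDER; p++) {
        struct user_acct opener = { 0, 4 }, sender = { 0, 4 };  /* constructed limits */
        int n = run((enum policy)p, &opener, &sender, 100);
        printf("%s: accepted=%d opener.inflight=%d sender.inflight=%d opener blocked=%d\n",
               p == CHARGE_OPENER ? "charge opener" : "charge sender",
               n, opener.inflight, sender.inflight, over_limit(&opener));
    }
    return 0;
}
```
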
Comment 1 Swamp Workflow Management 2016-02-24 23:02:55 UTC
bugbot adjusting priority
Comment 2 Michal Kubeček 2016-03-07 13:24:17 UTC
Introduced in 4.5-rc1, fixed in 4.5-rc4. However, first patch has been picked
into some stable branches as it's part of a CVE fix. As far as I can see,
Greg's stable 4.1 and 4.4 already have both (since 4.1.19 and 4.4.4). Factory
and SLE12-SP2 already have 4.4.4, openSUSE-42.1 is still on 4.1.18 and is
going to get the fix with 4.1.19. openSUSE-13.2 has neither.

First patch was also considered for stable 3.12 but didn't get in. Jiří, what
is the plan there?
Comment 3 Jiri Slaby 2016-03-07 13:28:47 UTC
(In reply to Michal Kubeček from comment #2)
> First patch was also considered for stable 3.12 but didn't get in. Jiří, what
> is the plan there?

I dropped it temporarily and put it on the TODO list to have both in at once:
https://lkml.org/lkml/2016/2/12/25
Comment 4 Michal Kubeček 2016-03-07 13:32:55 UTC
Thank you. Let's wait until 4.1.19 with second patch gets into openSUSE-42.1
and both patches get into SLE12(-SP1), then we can close.
Comment 5 Michal Kubeček 2016-03-21 10:50:28 UTC
Fixed now in

  openSUSE-42.1
  SLE12
  SLE12-SP1
  SLE12-SP2

openSUSE-13.2 doesn't need the fix as it never received a backport of

  712f4aad406b ("unix: properly account for FDs passed over unix sockets")

Closing.
Comment 6 Swamp Workflow Management 2016-12-02 15:28:05 UTC
SUSE-SU-2016:2976-1: An update that solves 13 vulnerabilities and has 87 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1003077,1003344,1003568,1003677,1003866,1003925,1004517,1004520,1005857,1005896,1005903,1006917,1006919,1007944,763198,771065,799133,803320,839104,843236,860441,863873,865783,871728,907611,908458,908684,909077,909350,909484,909618,909994,911687,915183,920016,922634,922947,928138,929141,934760,951392,956514,960689,963655,967716,968010,968014,971975,971989,973203,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986337,986362,986365,986445,987565,988440,989152,989261,989764,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,995968,996329,996664,997708,998399,998689,999584,999600,999907,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-3841,CVE-2016-4998,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-88.3
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-source-3.0.101-88.1, kernel-syms-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1