Bugzilla – Bug 968014
VUL-0: CVE-2016-2550: kernel: unix: correctly track in-flight fds in sending process user_struct
Last modified: 2016-12-02 19:20:33 UTC
http://seclists.org/oss-sec/2016/q1/412
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=415e3d3e90ce9e18727e8843ae343eda5a58fad6

unix: correctly track in-flight fds in sending process user_struct

The commit referenced in the Fixes tag incorrectly accounted the number of in-flight fds over a unix domain socket to the original opener of the file-descriptor. This allows another process to arbitrarily deplete the original file-opener's resource limit for the maximum of open files.

CVE-2016-2550 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2550
http://seclists.org/oss-sec/2016/q1/412
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2550.html
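The accounting error described in the report above, as a simplified user-space model (an added example, not kernel code and not part of the original bug report). The type and function names, the limit of 4, and the rule that a send is refused once the sender's own count exceeds its limit are assumptions of the model.

```c
#include <stdio.h>

/* Simplified user-space model of the accounting; every name here is
 * hypothetical and none of this is kernel code. */
struct user { int inflight; int nofile_limit; };
struct file { struct user *opener; };  /* user that originally opened the file */

enum policy { CHARGE_OPENER, CHARGE_SENDER };  /* before / after the fix */

struct result { int opener_inflight, sender_inflight, opener_may_send; };

/* Model assumption: a send is refused once the sending user's own
 * in-flight count exceeds that user's open-files limit. */
static int may_send(const struct user *u) {
    return u->inflight <= u->nofile_limit;
}

/* Queue one fd on a unix socket; returns 1 if accepted, 0 if refused. */
static int send_fd(struct user *sender, struct file *f, enum policy p) {
    if (!may_send(sender))
        return 0;
    struct user *charged = (p == CHARGE_OPENER) ? f->opener : sender;
    charged->inflight++;
    return 1;
}

/* A second user holds a file opened by someone else and queues it n times. */
static struct result simulate(enum policy p, int n) {
    struct user opener = { 0, 4 }, sender = { 0, 4 };  /* constructed limits */
    struct file f = { &opener };
    for (int i = 0; i < n; i++)
        send_fd(&sender, &f, p);
    struct result r = { opener.inflight, sender.inflight, may_send(&opener) };
    return r;
}

int main(void) {
    struct result before = simulate(CHARGE_OPENER, 10);
    struct result after = simulate(CHARGE_SENDER, 10);
    printf("charge opener: opener=%d sender=%d opener_may_send=%d\n",
           before.opener_inflight, before.sender_inflight, before.opener_may_send);
    printf("charge sender: opener=%d sender=%d opener_may_send=%d\n",
           after.opener_inflight, after.sender_inflight, after.opener_may_send);
    return 0;
}
```

When the opener is charged, the sender's own counter never moves, so its sends are never refused while the opener's budget is consumed; when the sender is charged, the sender hits its own limit and the opener is unaffected.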
bugbot adjusting priority
Introduced in 4.5-rc1, fixed in 4.5-rc4. However, first patch has been picked into some stable branches as it's part of a CVE fix. As far as I can see, Greg's stable 4.1 and 4.4 already have both (since 4.1.19 and 4.4.4). Factory and SLE12-SP2 already have 4.4.4, openSUSE-42.1 is still on 4.1.18 and is going to get the fix with 4.1.19. openSUSE-13.2 has neither. First patch was also considered for stable 3.12 but didn't get in. Jiří, what is the plan there?
(In reply to Michal Kubeček from comment #2)
> First patch was also considered for stable 3.12 but didn't get in. Jiří, what
> is the plan there?

I dropped it temporarily and put it onto TODO list to have both in at once: https://lkml.org/lkml/2016/2/12/25
Thank you. Let's wait until 4.1.19 with second patch gets into openSUSE-42.1 and both patches get into SLE12(-SP1), then we can close.
Fixed now in
openSUSE-42.1
SLE12
SLE12-SP1
SLE12-SP2

openSUSE-13.2 doesn't need the fix as it never received a backport of 712f4aad406b ("unix: properly account for FDs passed over unix sockets")

Closing.
SUSE-SU-2016:2976-1: An update that solves 13 vulnerabilities and has 87 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1003077,1003344,1003568,1003677,1003866,1003925,1004517,1004520,1005857,1005896,1005903,1006917,1006919,1007944,763198,771065,799133,803320,839104,843236,860441,863873,865783,871728,907611,908458,908684,909077,909350,909484,909618,909994,911687,915183,920016,922634,922947,928138,929141,934760,951392,956514,960689,963655,967716,968010,968014,971975,971989,973203,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986337,986362,986365,986445,987565,988440,989152,989261,989764,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,995968,996329,996664,997708,998399,998689,999584,999600,999907,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-3841,CVE-2016-4998,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-88.3
SUSE Linux Enterprise Server 11-SP4 (src): kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-source-3.0.101-88.1, kernel-syms-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1