Bug 1283385
Summary: | CVE-2016-2187 Local RedHat Enterprise Linux DoS – RHEL 7.1 Kernel crashes on invalid USB device descriptors (gtco driver) [local-DoS] | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ralf Spenneberg <ralf> | ||||||||
Component: | kernel | Assignee: | Don Zickus <dzickus> | ||||||||
kernel sub component: | USB | QA Contact: | Mike Gahagan <mgahagan> | ||||||||
Status: | CLOSED WONTFIX | Docs Contact: | |||||||||
Severity: | high | ||||||||||
Priority: | unspecified | CC: | sergej, vdronov | ||||||||
Version: | 7.1 | Keywords: | Security, SecurityTracking | ||||||||
Target Milestone: | rc | ||||||||||
Target Release: | 7.3 | ||||||||||
Hardware: | Unspecified | ||||||||||
OS: | Unspecified | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2016-03-21 09:05:28 UTC | Type: | Bug | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | |||||||||||
Bug Blocks: | 1317017 | ||||||||||
Attachments: |
|
Description
Ralf Spenneberg
2015-11-18 20:46:46 UTC
Created attachment 1096315 [details]
vUSBf Payload
Created attachment 1096317 [details]
Stacktrace
Created attachment 1096318 [details]
Arduino firmware demonstrating the bug
CVE-2016-2187 which is Red Hat's private CVE ID was assigned to this security flaw. Please, use it in the public communications regarding this flaw, thank you. patch posted upstream (linux-usb@ and linux-input@ lists): http://www.spinics.net/lists/linux-usb/msg137950.html http://www.spinics.net/lists/linux-input/msg43786.html Thank you for reporting this flaw. The Product Security has rated this flaw as having low security impact (bz#1317017), so the patch is currently not planned to be added to the RHEL source trees. If accepted to the upstream, the patch may get to the RHEL trees later at the next USB subsystem code rebase. |