Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1364971 - (CVE-2016-3841) CVE-2016-3841 kernel: use-after-free via crafted IPV6 sendmsg for raw / tcp / udp / l2tp sockets.
CVE-2016-3841 kernel: use-after-free via crafted IPV6 sendmsg for raw / tcp /...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20160808,repo...
: Security
Depends On: 1286695 1312740 1364972 1366974 1374026
Blocks: 1364973
  Show dependency treegraph
 
Reported: 2016-08-08 06:02 EDT by Martin Prpič
Modified: 2018-08-28 18:07 EDT (History)
35 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Linux kernel's IPv6 implementation mishandled socket options. A local attacker could abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 08:06:10 EDT
Red Hat Product Errata RHSA-2016:2584 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 08:08:49 EDT
Red Hat Product Errata RHSA-2016:2695 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-09 16:48:29 EST

  None (edit)
Description Martin Prpič 2016-08-08 06:02:29 EDT 
It was found that the Linux kernel's IPv6 implementation mishandles socket option data. A local attacker can abuse concurrent access to the socket options to escalate their privileges, or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call.

Upstream patch:

https://github.com/torvalds/linux/commit/45f6fad84cc305103b28d73482b344d7f5b76f39
Comment 1 Martin Prpič 2016-08-08 06:02:50 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1364972]
Comment 2 Justin M. Forbes 2016-08-08 13:41:20 EDT 
This was fixed in upstream 4.4 kernels. All Fedora releases are currently shipping newer kernels than this which contain the listed fix.
Comment 6 Wade Mealing 2016-08-15 04:08:47 EDT 
Statement:

This issue affects Red Hat Enterprise Linux 6 and 7 kernels.  This issue was fixed in a version 6 prior to this issue being raised.

As this issue is rated as important, it has been scheduled to be fixed in a future version of Red Hat Enterprise Linux 7.
Comment 12 errata-xmlrpc 2016-11-03 13:24:19 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html
Comment 13 errata-xmlrpc 2016-11-03 15:56:43 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html
Comment 16 errata-xmlrpc 2016-11-09 11:50:55 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2016:2695 https://rhn.redhat.com/errata/RHSA-2016-2695.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.