Bug 1349722 (CVE-2016-4997) - CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt
Summary: CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4997
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: IP6T_SO_SET_REPLACE
Depends On: 1318693 1318694 1318695 1350769 1351030 1351031 1351032 1351033 1351034 1351035 1351036 1351037 1364809 1364810
Blocks:
 
Reported: 2016-06-24 05:39 UTC by Wade Mealing
Modified: 2021-02-17 03:39 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:55:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1847 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-09-15 11:38:04 UTC
Red Hat Product Errata RHSA-2016:1875 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-09-15 11:39:21 UTC
Red Hat Product Errata RHSA-2016:1883 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-09-15 03:41:02 UTC

Description Wade Mealing 2016-06-24 05:39:32 UTC
A flaw was discovered in processing setsockopt for 32 bit processes on
64 bit systems.  This flaw will allow attackers to alter arbitrary kernel
memory when unloading a kernel module.  This action is usually restricted
to root-privileged users but can also be leveraged if the kernel is
compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.

This flaw was introduced in commit 52e804c6dfaa.


Upstream fixes

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d04
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb088
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bdf533de6968

Discussion on oss-sec:
http://www.openwall.com/lists/oss-security/2016/06/24/5
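The report above comes down to the compat IPT_SO_SET_REPLACE path trusting the target_offset and next_offset fields of each entry in the ruleset blob a 32-bit process hands to setsockopt. The following is an added example, not code from this bug, from the reporter or from the kernel: it models such a blob with simplified stand-in structs (entry_hdr and target_hdr are assumptions reduced to the offset and size fields; the real ipt_entry and xt_entry_target carry more) and shows, on constructed entries, the offset a lax walker would read the target from beside a strict per-entry check in the spirit of the linked upstream fixes, which reject a target that lies outside its entry and an entry that runs past the remaining blob.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel's ipt_entry / xt_entry_target headers
 * (assumption: reduced to the fields the bounds checks consume). */
struct entry_hdr {
    uint16_t target_offset; /* where the target starts, relative to the entry */
    uint16_t next_offset;   /* total entry size: header + matches + target */
};
struct target_hdr {
    uint16_t target_size;   /* target size including this header */
    char     name[29];
    uint8_t  revision;
};

enum verdict { OK = 0, BAD_ALIGN = 1, BAD_BOUNDS = 2, BAD_TARGET = 3, BAD_NEXT = 4 };

/* Strict per-entry check: entry header, target header and whole target must
 * lie inside the entry, and the entry must lie inside what is left of the
 * blob. Offsets are validated before the target header is dereferenced. */
static enum verdict check_entry_offsets(const uint8_t *blob, size_t size, size_t off)
{
    const struct entry_hdr *e;
    const struct target_hdr *t;

    if (off % _Alignof(struct entry_hdr) != 0)
        return BAD_ALIGN;
    if (off > size || size - off < sizeof(*e))
        return BAD_BOUNDS;
    e = (const struct entry_hdr *)(blob + off);

    if (e->target_offset < sizeof(*e) ||
        (size_t)e->target_offset + sizeof(*t) > e->next_offset)
        return BAD_TARGET;      /* target header outside the entry */
    if (e->next_offset < sizeof(*e) + sizeof(*t) || e->next_offset > size - off)
        return BAD_NEXT;        /* entry runs past the blob */

    t = (const struct target_hdr *)(blob + off + e->target_offset);
    if (t->target_size < sizeof(*t) ||
        (size_t)e->target_offset + t->target_size > e->next_offset)
        return BAD_TARGET;      /* target body outside the entry */
    return OK;
}

/* Walks the blob with the strict check; returns the entry count, or minus the
 * verdict of the first rejected entry. */
static int walk_strict(const uint8_t *blob, size_t size)
{
    size_t off = 0;
    int n = 0;
    while (off < size) {
        enum verdict v = check_entry_offsets(blob, size, off);
        if (v != OK)
            return -(int)v;
        off += ((const struct entry_hdr *)(blob + off))->next_offset;
        n++;
    }
    return n;
}

/* The lax behaviour: trust target_offset and compute where the target would
 * be read. Returned without dereferencing, so it can be compared to the size. */
static size_t lax_target_read_offset(const uint8_t *blob, size_t off)
{
    const struct entry_hdr *e = (const struct entry_hdr *)(blob + off);
    return off + e->target_offset;
}

/* Writes one entry header (and its target, when the offsets place it inside
 * the entry) at buf + off. Constructed test data, not a real ruleset. */
static size_t put_entry(uint8_t *buf, size_t off, uint16_t target_offset,
                        uint16_t next_offset, uint16_t target_size)
{
    struct entry_hdr e = { target_offset, next_offset };
    struct target_hdr t;
    memset(&t, 0, sizeof t);
    t.target_size = target_size;
    strcpy(t.name, "standard");
    memcpy(buf + off, &e, sizeof e);
    if ((size_t)target_offset + sizeof t <= next_offset)
        memcpy(buf + off + target_offset, &t, sizeof t);
    return off + next_offset;
}

#define ENTRY_LEN (sizeof(struct entry_hdr) + sizeof(struct target_hdr)) /* 36 bytes */

/* Two well-formed entries: the strict walker accepts both. */
int demo_good_blob(void)
{
    uint8_t blob[2 * ENTRY_LEN];
    size_t off = put_entry(blob, 0, sizeof(struct entry_hdr), ENTRY_LEN, sizeof(struct target_hdr));
    off = put_entry(blob, off, sizeof(struct entry_hdr), ENTRY_LEN, sizeof(struct target_hdr));
    return walk_strict(blob, off);
}

/* target_offset points 4 KiB past a 36-byte entry: strict rejects it, lax
 * computes a read far outside the blob. */
int demo_bogus_target_strict(void)
{
    uint8_t blob[ENTRY_LEN];
    size_t len = put_entry(blob, 0, 0x1000, ENTRY_LEN, sizeof(struct target_hdr));
    return walk_strict(blob, len);
}
size_t demo_bogus_target_lax(void)
{
    uint8_t blob[ENTRY_LEN];
    put_entry(blob, 0, 0x1000, ENTRY_LEN, sizeof(struct target_hdr));
    return lax_target_read_offset(blob, 0);
}

/* next_offset claims 0xFFFF bytes for an entry inside a 36-byte blob. */
int demo_bogus_next_strict(void)
{
    uint8_t blob[ENTRY_LEN];
    put_entry(blob, 0, sizeof(struct entry_hdr), 0xFFFF, sizeof(struct target_hdr));
    return walk_strict(blob, ENTRY_LEN);
}

int main(void)
{
    printf("good blob: %d entries accepted\n", demo_good_blob());
    printf("bogus target_offset: strict verdict %d, lax read at offset %zu of a %zu-byte blob\n",
           demo_bogus_target_strict(), demo_bogus_target_lax(), ENTRY_LEN);
    printf("bogus next_offset: strict verdict %d\n", demo_bogus_next_strict());
    return 0;
}
```

Build with cc -std=c11 and run. For the bogus target_offset the lax computation lands 4 KiB past a 36-byte blob, which in the kernel is the out-of-bounds access the strict check turns into an early rejection before any pointer into the entry is formed. The order matters: target_offset and next_offset are checked against the entry and the remaining blob first, and only then is the target header read to check its own size.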

Comment 6 Andrej Nemec 2016-06-27 06:37:40 UTC
Public via:

http://seclists.org/oss-sec/2016/q2/599

Comment 8 Wade Mealing 2016-06-28 08:27:32 UTC
Statement:

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7, MRG-2 and realtime and will be addressed in a future update.

Comment 11 Adam Mariš 2016-06-28 11:02:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1350769]

Comment 18 Fedora Update System 2016-06-30 21:24:53 UTC
kernel-4.6.3-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-07-19 07:19:46 UTC
kernel-4.4.14-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2016-09-14 23:43:39 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1883 https://rhn.redhat.com/errata/RHSA-2016-1883.html

Comment 21 errata-xmlrpc 2016-09-15 08:02:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1847 https://rhn.redhat.com/errata/RHSA-2016-1847.html

Comment 22 errata-xmlrpc 2016-09-15 08:11:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1875 https://rhn.redhat.com/errata/RHSA-2016-1875.html

Comment 23 Charlie Brady 2016-09-29 16:04:38 UTC
Is the fix for RHEL6 still in the pipeline?  Am I right in understanding that network namespaces need to be enabled before the vulnerability is exploitable?

Comment 24 Petr Matousek 2016-10-10 11:01:51 UTC
*** Bug 1383265 has been marked as a duplicate of this bug. ***

Comment 25 Wade Mealing 2016-10-13 07:30:16 UTC
The fix for EL6 is not in the pipeline, it was my misunderstanding of the code that marked it vulnerable and I have corrected that understanding in the statement. Sorry for any confusion Charlie Brady.

