CVE-2016-4580
https://notcve.org/view.php?id=CVE-2016-4580
The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. La función x25_negotiate_facilities en net/x25/x25_facilities.c en el kernel de Linux en versiones anteriores a 4.5.5 no inicializa adecuadamente una estructura de datos determinada, lo que permite a atacantes obtener información sensible del kernel de memoria de pila a través de una petición de llamada X.25. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79e48650320e6fba48369fccf13fd045315b19b8 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://www.debian.org/security/2016/dsa-3607 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 http://www.openwall.com/lists/oss-security/2016/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-4565 – kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
https://notcve.org/view.php?id=CVE-2016-4565
The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface. La memoria de pila InfiniBand (también conocida como IB) en el kernel de Linux en versiones anteriores a 4.5.3 confía incorrectamente en llamadas al sistema de escritura, lo que permite a usuarios locales provocar una denegación de servicio (operación de escritura en la memoria del kernel) o posiblemente tener otro impacto no especificado a través de una interfaz uAPI. A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html http://lists.opensuse.org • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-264: Permissions, Privileges, and Access Controls •
CVE-2016-3713
https://notcve.org/view.php?id=CVE-2016-3713
The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in the Linux kernel before 4.6.1 supports MSR 0x2f8, which allows guest OS users to read or write to the kvm_arch_vcpu data structure, and consequently obtain sensitive information or cause a denial of service (system crash), via a crafted ioctl call. La función msr_mtrr_valid en arch/x86/kvm/mtrr.c en el kernel de Linux en versiones anteriores a 4.6.1 sostiene MSR 0x2f8, lo que permite a usuarios invitados del sistema operativo leer o escribir en la estructura de datos kvm_arch_vcpu y, por lo tanto, obtener información sensible o provocar una denegación de servicio (caída de sistema), a través de una llamada ioctl manipulada. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9842df62004f366b9fed2423e24df10542ee0dc5 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.1 http://www.openwall.com/lists/oss-security/2016/05/16/2 https://bugzilla.redhat.com/show_bug.cgi?id=1332139 https://github.com/torvalds/linux/commit/9842df62004f366b9fed2423e24df10542ee0dc5 • CWE-284: Improper Access Control •
CVE-2016-0758 – kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length()
https://notcve.org/view.php?id=CVE-2016-0758
Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data. Desbordamiento de entero en lib/asn1_decoder.c en el kernel de Linux en versiones anteriores a 4.6 permite a usuarios locales obtener privilegios a través de datos ASN.1 manipulados. A flaw was found in the way the Linux kernel's ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html http://lists.opensuse.org • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2016-3955
https://notcve.org/view.php?id=CVE-2016-3955
The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet. La función usbip_recv_xbuff en drivers/usb/usbip/usbip_common.c en el kernel de Linux en versiones anteriores a 4.5.3 permite a atacantes remotos provocar una denegación de servicio (escritura fuera de límites) o posiblemente tener otro impacto no especificado a través de un valor de longitud manipulado en un paquete USB/IP. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://www.debian.org/security/2016/dsa-3607 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3 http://www.openwall.com/lists/oss-security/2016/04/19/1 http://www.securityfocus.com/bid/86534 http://www.ubuntu.com/usn/USN-2989-1 http://www.ubuntu.com/usn/USN-2996-1 http& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •