CVE-2016-4913 – kernel: Information leak when handling NM entries containing NUL
https://notcve.org/view.php?id=CVE-2016-4913
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem. La función get_rock_ridge_filename en fs/isofs/rock.c en el kernel de Linux en versiones anteriores a 4.5.5 no maneja correctamente entradas NM (también conocidas como alternate name) que contienen caracteres \0, lo que permite a usuarios locales obtener información sensible del kernel de memoria o posiblemente tener otro impacto no especificado a través de un sistema de archivo isofs manipulado. A vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=99d825822eade8d827a1817357cbf3f889a552d6 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://www.debian.org/security/2016/dsa-3607 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 http://www.openwall.com/lists/oss-security/2016/05/18/3 http://www.openwall.com/lists/oss-security/2016/05/18/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-4578 – Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak
https://notcve.org/view.php?id=CVE-2016-4578
sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. sound/core/timer.c en el kernel de Linux hasta la versión 4.6 no inicializa determinadas estructuras de datos r1, lo que permite a usuarios locales obtener información sensible del kernel de memoria de pila a través del uso manipulado de la interfaz ALSA timer, relacionado con las funciones (1) snd_timer_user_ccallback y (2) snd_timer_user_tinterrupt. A vulnerability was found in Linux kernel. There is an information leak in file sound/core/timer.c of the latest mainline Linux kernel. The stack object “r1” has a total size of 32 bytes. Its field “event” and “val” both contain 4 bytes padding. • https://www.exploit-db.com/exploits/46529 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e4ec8cc8039a7063e24204299b462bd1383184a5 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html http://lists.opens • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-665: Improper Initialization •
CVE-2016-4794 – kernel: Use after free in array_map_alloc
https://notcve.org/view.php?id=CVE-2016-4794
Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls. Vulnerabilidad de uso después de liberación de memoria en el kernel de Linux hasta la versión 4.6 permite a usuarios locales provocar una denegación de servicio (BUG) o posiblemente tener otro impacto no especificado a través del uso manipulado de llamadas de sistema mmap y bpf. Use after free vulnerability was found in percpu using previously allocated memory in bpf. First __alloc_percpu_gfp() is called, then the memory is freed with free_percpu() which triggers async pcpu_balance_work and then pcpu_extend_area_map could use a chunk after it has been freed. • http://rhn.redhat.com/errata/RHSA-2016-2574.html http://rhn.redhat.com/errata/RHSA-2016-2584.html http://www.openwall.com/lists/oss-security/2016/05/12/6 http://www.securityfocus.com/bid/90625 http://www.ubuntu.com/usn/USN-3053-1 http://www.ubuntu.com/usn/USN-3054-1 http://www.ubuntu.com/usn/USN-3055-1 http://www.ubuntu.com/usn/USN-3056-1 http://www.ubuntu.com/usn/USN-3057-1 https://bugzilla.redhat.com/show_bug.cgi?id=1335889 https:& • CWE-416: Use After Free •
CVE-2016-4580
https://notcve.org/view.php?id=CVE-2016-4580
The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request. La función x25_negotiate_facilities en net/x25/x25_facilities.c en el kernel de Linux en versiones anteriores a 4.5.5 no inicializa adecuadamente una estructura de datos determinada, lo que permite a atacantes obtener información sensible del kernel de memoria de pila a través de una petición de llamada X.25. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79e48650320e6fba48369fccf13fd045315b19b8 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html http://www.debian.org/security/2016/dsa-3607 http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 http://www.openwall.com/lists/oss-security/2016/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-4565 – kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
https://notcve.org/view.php?id=CVE-2016-4565
The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface. La memoria de pila InfiniBand (también conocida como IB) en el kernel de Linux en versiones anteriores a 4.5.3 confía incorrectamente en llamadas al sistema de escritura, lo que permite a usuarios locales provocar una denegación de servicio (operación de escritura en la memoria del kernel) o posiblemente tener otro impacto no especificado a través de una interfaz uAPI. A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00003.html http://lists.opensuse.org • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-264: Permissions, Privileges, and Access Controls •