CVE-2016-0774

27.04.2016, 17:59

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3 on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-1805.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 MEDIUM	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Vendor	Product	Version
linux	linux_kernel	-
google	android	𝑥 ≤ 6.0.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

yakkety	not-affected
xenial	not-affected
wily	not-affected
trusty	Fixed 3.13.0-86.130 released
precise	Fixed 3.2.0-102.142 released

linux-armadaxp

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	Fixed 3.2.0-1665.90 released

linux-aws

yakkety	dne
xenial	not-affected
trusty	not-affected
precise	dne

linux-flo

yakkety	not-affected
xenial	not-affected
wily	not-affected
trusty	dne
precise	dne

linux-gke

yakkety	dne
xenial	not-affected
trusty	dne
precise	dne

linux-goldfish

yakkety	not-affected
xenial	not-affected
wily	not-affected
trusty	dne
precise	dne

linux-grouper

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	dne

linux-hwe

yakkety	dne
xenial	not-affected
trusty	dne
precise	dne

linux-hwe-edge

yakkety	dne
xenial	not-affected
trusty	dne
precise	dne

linux-linaro-omap

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-linaro-shared

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-linaro-vexpress

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-lts-quantal

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-lts-raring

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-lts-saucy

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-lts-trusty

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	Fixed 3.13.0-86.130~precise1 released

linux-lts-utopic

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	dne

linux-lts-vivid

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	dne

linux-lts-wily

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	dne

linux-lts-xenial

yakkety	dne
xenial	dne
wily	dne
trusty	not-affected
precise	dne

linux-maguro

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	dne

linux-mako

yakkety	not-affected
xenial	not-affected
wily	not-affected
trusty	dne
precise	dne

linux-manta

yakkety	dne
xenial	dne
wily	not-affected
trusty	dne
precise	dne

linux-qcm-msm

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	ignored

linux-raspi2

yakkety	not-affected
xenial	not-affected
wily	not-affected
trusty	dne
precise	dne

linux-snapdragon

yakkety	not-affected
xenial	not-affected
wily	dne
trusty	dne
precise	dne

linux-ti-omap4

yakkety	dne
xenial	dne
wily	dne
trusty	dne
precise	Fixed 3.2.0-1480.106 released

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00026.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00029.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00030.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00034.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00037.html

http://rhn.redhat.com/errata/RHSA-2016-0494.html

http://rhn.redhat.com/errata/RHSA-2016-0617.html

http://source.android.com/security/bulletin/2016-05-01.html

http://www.debian.org/security/2016/dsa-3503

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

http://www.securityfocus.com/bid/84126

http://www.ubuntu.com/usn/USN-2967-1

http://www.ubuntu.com/usn/USN-2967-2

http://www.ubuntu.com/usn/USN-2968-1

http://www.ubuntu.com/usn/USN-2968-2

https://bugzilla.redhat.com/show_bug.cgi?id=1303961

https://security-tracker.debian.org/tracker/CVE-2016-0774