Message ID | 1550831307-3376-1-git-send-email-tyhicks@canonical.com |
---|---|
Series | CVE-2019-8956 - SCTP use-after-free |

On 22/02/2019 10:28, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html

The URL seems to point to a non-existent page.

>
> Secunia Research has discovered a vulnerability in Linux Kernel, which
> can be exploited by malicious, local users to potentially gain
> escalated privileges.
>
> A use-after-free error in the "sctp_sendmsg()" function
> (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
> to corrupt memory.
>
> Clean cherry pick back to Cosmic (older releases are not affected).
> Build logs are clean.
>
> Tyler
>
> Greg Kroah-Hartman (1):
>   sctp: walk the list of asoc safely
>
>  net/sctp/socket.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

On 2019-02-22 10:40:50, Colin Ian King wrote:
> On 22/02/2019 10:28, Tyler Hicks wrote:
> > https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html
>
> The URL seems to point to a non-existent page.

It is due to an unfortunate, but useful, race condition between myself
and the security team. The security team periodically monitors (sometimes,
multiple times per day) for Ubuntu CVE Tracker changes proposed by the
kernel team, double checks them for accuracy, and merges them. Once they
merge my changes, the page at the above URL will be populated. It just
so happens that I got this particular kernel patch out the door before
they merged my Ubuntu CVE Tracker changes.

I'll paste in the top portion of the CVE file from my pending Ubuntu CVE
Tracker changes:

=====
Candidate: CVE-2019-8956
PublicDate: 2019-02-22
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8956
Description:
 Secunia Research has discovered a vulnerability in Linux Kernel, which
 can be exploited by malicious, local users to potentially gain
 escalated privileges.

 A use-after-free error in the "sctp_sendmsg()" function
 (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
 to corrupt memory.

 The vulnerability is confirmed in version 4.20.0-rc2 and reported
 in versions 4.20.x prior to 4.20.8 and 4.19.x prior to 4.19.21.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Jakub Jirasek
Assigned-to:

Patches_linux:
 break-fix: 4910280503f3af2857d5aa77e35b22d93a8960a8 ba59fb0273076637f0add4311faa990a5eec27c0
upstream_linux: released (5.0~rc6)
precise/esm_linux: not-affected (3.0.0-12.20)
trusty_linux: not-affected (3.11.0-12.19)
xenial_linux: not-affected (4.2.0-16.19)
bionic_linux: not-affected (4.13.0-16.19)
cosmic_linux: needed
devel_linux: needed
=====

Tyler

> >
> > Secunia Research has discovered a vulnerability in Linux Kernel, which
> > can be exploited by malicious, local users to potentially gain
> > escalated privileges.
> >
> > A use-after-free error in the "sctp_sendmsg()" function
> > (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
> > to corrupt memory.
> >
> > Clean cherry pick back to Cosmic (older releases are not affected).
> > Build logs are clean.
> >
> > Tyler
> >
> > Greg Kroah-Hartman (1):
> >   sctp: walk the list of asoc safely
> >
> >  net/sctp/socket.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 22/02/2019 10:28, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html
>
> Secunia Research has discovered a vulnerability in Linux Kernel, which
> can be exploited by malicious, local users to potentially gain
> escalated privileges.
>
> A use-after-free error in the "sctp_sendmsg()" function
> (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
> to corrupt memory.
>
> Clean cherry pick back to Cosmic (older releases are not affected).
> Build logs are clean.
>
> Tyler
>
> Greg Kroah-Hartman (1):
>   sctp: walk the list of asoc safely
>
>  net/sctp/socket.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

Looks good.

Acked-by: Colin Ian King <colin.king@canonical.com>

On 22/02/2019 11:16, Tyler Hicks wrote:
> On 2019-02-22 10:40:50, Colin Ian King wrote:
>> On 22/02/2019 10:28, Tyler Hicks wrote:
>>> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html
>>
>> The URL seems to point to a non-existent page.
>
> It is due to an unfortunate, but useful, race condition between myself
> and the security team. The security team periodically monitors (sometimes,
> multiple times per day) for Ubuntu CVE Tracker changes proposed by the
> kernel team, double checks them for accuracy, and merges them. Once they
> merge my changes, the page at the above URL will be populated. It just
> so happens that I got this particular kernel patch out the door before
> they merged my Ubuntu CVE Tracker changes.
>
> I'll paste in the top portion of the CVE file from my pending Ubuntu CVE
> Tracker changes:
>
> =====
> Candidate: CVE-2019-8956
> PublicDate: 2019-02-22
> References:
>  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8956
> Description:
>  Secunia Research has discovered a vulnerability in Linux Kernel, which
>  can be exploited by malicious, local users to potentially gain
>  escalated privileges.
>
>  A use-after-free error in the "sctp_sendmsg()" function
>  (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
>  to corrupt memory.
>
>  The vulnerability is confirmed in version 4.20.0-rc2 and reported
>  in versions 4.20.x prior to 4.20.8 and 4.19.x prior to 4.19.21.
> Ubuntu-Description:
> Notes:
> Bugs:
> Priority: medium
> Discovered-by: Jakub Jirasek
> Assigned-to:
>
> Patches_linux:
>  break-fix: 4910280503f3af2857d5aa77e35b22d93a8960a8 ba59fb0273076637f0add4311faa990a5eec27c0
> upstream_linux: released (5.0~rc6)
> precise/esm_linux: not-affected (3.0.0-12.20)
> trusty_linux: not-affected (3.11.0-12.19)
> xenial_linux: not-affected (4.2.0-16.19)
> bionic_linux: not-affected (4.13.0-16.19)
> cosmic_linux: needed
> devel_linux: needed
> =====

Thanks :-)

>
> Tyler
>
>>
>>>
>>> Secunia Research has discovered a vulnerability in Linux Kernel, which
>>> can be exploited by malicious, local users to potentially gain
>>> escalated privileges.
>>>
>>> A use-after-free error in the "sctp_sendmsg()" function
>>> (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
>>> to corrupt memory.
>>>
>>> Clean cherry pick back to Cosmic (older releases are not affected).
>>> Build logs are clean.
>>>
>>> Tyler
>>>
>>> Greg Kroah-Hartman (1):
>>>   sctp: walk the list of asoc safely
>>>
>>>  net/sctp/socket.c | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team@lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

Acked-By: You-Sheng Yang <vicamo.yang@canonical.com>

On Fri, Feb 22, 2019 at 10:28:26AM +0000, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html
>
> Secunia Research has discovered a vulnerability in Linux Kernel, which
> can be exploited by malicious, local users to potentially gain
> escalated privileges.
>
> A use-after-free error in the "sctp_sendmsg()" function
> (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
> to corrupt memory.
>
> Clean cherry pick back to Cosmic (older releases are not affected).
> Build logs are clean.

Applied to disco/master-next, thanks!

On 2/22/19 11:28 AM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8956.html
>
> Secunia Research has discovered a vulnerability in Linux Kernel, which
> can be exploited by malicious, local users to potentially gain
> escalated privileges.
>
> A use-after-free error in the "sctp_sendmsg()" function
> (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited
> to corrupt memory.
>
> Clean cherry pick back to Cosmic (older releases are not affected).
> Build logs are clean.
>
> Tyler
>
> Greg Kroah-Hartman (1):
>   sctp: walk the list of asoc safely
>
>  net/sctp/socket.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

This patch has already been applied to cosmic/master-next branch.

Thanks,
Kleber
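
The single patch in this series is titled "sctp: walk the list of asoc safely". As an added illustration (not code from this thread, the patch, or the kernel), the user-space C example below shows the safe-walk idiom that title names: the successor is saved before the loop body runs, so the body may unlink and free the current entry without the walk touching freed memory. The `struct assoc`, the `abort` flag and all function names are constructed for the example.

```c
#include <stdlib.h>

/* Constructed stand-in for one association on an endpoint's list. */
struct assoc {
    int abort;                  /* constructed flag: handler frees this entry */
    struct assoc *prev, *next;  /* circular list with a sentinel head */
};

static void list_add_tail(struct assoc *head, struct assoc *n) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Per-entry handler that may unlink and free the entry it is given. */
static void handle(struct assoc *a) {
    if (!a->abort) return;
    a->prev->next = a->next; a->next->prev = a->prev;
    free(a);
}

/* Safe walk: the successor is read before handle() runs, so the loop never
 * touches a freed entry. Advancing with a = a->next after handle(a) would
 * read freed memory whenever the handler released the entry. */
static int walk_safe(struct assoc *head) {
    int visited = 0;
    struct assoc *a, *tmp;
    for (a = head->next, tmp = a->next; a != head; a = tmp, tmp = a->next) {
        handle(a);
        visited++;
    }
    return visited;
}

/* Build n entries (odd positions marked abort), walk, return survivors. */
static int demo(int n, int *visited) {
    struct assoc head = { 0, &head, &head }, *a, *tmp;
    int i, left = 0;
    for (i = 0; i < n; i++) {
        if (!(a = calloc(1, sizeof(*a)))) return -1;
        a->abort = i & 1;
        list_add_tail(&head, a);
    }
    *visited = walk_safe(&head);
    for (a = head.next; a != &head; a = tmp, left++) {
        tmp = a->next;
        free(a);
    }
    return left;
}

int main(void) { int v = 0; return (demo(6, &v) == 3 && v == 6) ? 0 : 1; }
```

Building this with `-fsanitize=address` and swapping the loop advance for `a = a->next` makes the sanitizer report the use-after-free on the first freed entry.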