First published: Wed Jan 06 2016
A flaw was discovered in the Linux kernel tty subsystem which allows disclosure of an uncontrolled memory location and a possible kernel panic. The information leak is caused by a race condition between setting and reading the tty line discipline. An attacker can use the TIOCSETD ioctl (via tty_set_ldisc) to switch to a new line discipline while a concurrent TIOCGETD ioctl reads the line discipline of the same tty; the read may then access memory that was previously allocated and has since been freed. Up to 4 bytes may be leaked when querying the line discipline. The problematic code:

```c
case TIOCGETD:
	return put_user(tty->ldisc->ops->num, (int __user *)p);
```

The flaw is triggered when the ldisc pointer is loaded before the new address is set and the dereference is performed after the old ldisc has been freed, which results in a crash due to the kernel accessing an invalid address. If an attacker prepares the kernel slab so that an ldisc struct sits at the correct offset, they can effectively read 4 bytes from any kernel memory. Invalid data at the ldisc address may also panic the machine if it does not point to valid mappable memory.

Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439

Original proposed fix: https://bugzilla.redhat.com/attachment.cgi?id=1112221&action=diff
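The race described above, as an added userspace C model that is not kernel code and not the upstream fix: tiocgetd_unsafe mirrors the original TIOCGETD pattern (load tty->ldisc, then dereference it with nothing stopping a concurrent TIOCSETD from freeing it), while tiocgetd_safe holds a reference across the read so the old ldisc cannot be freed underneath it, which is the property the upstream fix restores with tty_ldisc_ref_wait()/tty_ldisc_deref(). The preempt hook, the static pool, the poison value and the refcount/deferred-free scheme are constructed simplifications for a single-threaded demo.

```c
/* Constructed userspace model of the tty->ldisc race; not kernel code. */
#define POISON 0xDEADBEEFu  /* stands in for whatever reuses the freed slab object */
struct ldisc_ops { unsigned int num; };
struct tty_ldisc { struct ldisc_ops ops; int refs; int free_pending; };
struct tty       { struct tty_ldisc *ldisc; };
static struct tty_ldisc pool[2]; static int pool_next;  /* pool, not kmalloc: stale read is observable, not UB */
static struct tty_ldisc *ldisc_new(unsigned int num)
{
    struct tty_ldisc *ld = &pool[pool_next++ % 2];
    ld->ops.num = num; ld->refs = 0; ld->free_pending = 0;
    return ld;
}
/* "kfree": poison the object instead of releasing it. */
static void ldisc_free(struct tty_ldisc *ld) { ld->ops.num = POISON; }
/* Drop a reference; a free deferred by tty_set_ldisc() happens on the last put. */
static void ldisc_deref(struct tty_ldisc *ld) { if (--ld->refs == 0 && ld->free_pending) ldisc_free(ld); }
/* Models TIOCSETD/tty_set_ldisc(): install the new ldisc and release the old one. */
static void tty_set_ldisc(struct tty *t, unsigned int num)
{
    struct tty_ldisc *old = t->ldisc;
    t->ldisc = ldisc_new(num);
    if (old->refs == 0) ldisc_free(old); else old->free_pending = 1;
}
typedef void (*preempt_fn)(struct tty *t);  /* stands in for a context switch */
/* Original TIOCGETD: pointer loaded, then dereferenced with no reference held. */
static unsigned int tiocgetd_unsafe(struct tty *t, preempt_fn preempt)
{
    struct tty_ldisc *ld = t->ldisc;  /* tty->ldisc loaded ...           */
    if (preempt) preempt(t);          /* ... TIOCSETD frees it here ...  */
    return ld->ops.num;               /* ... and this reads freed memory */
}
/* Hardened pattern: hold a reference across the read so the ldisc cannot be freed. */
static unsigned int tiocgetd_safe(struct tty *t, preempt_fn preempt)
{
    struct tty_ldisc *ld = t->ldisc;
    ld->refs++;
    if (preempt) preempt(t);          /* setter sees refs != 0 and defers the free */
    unsigned int num = ld->ops.num;
    ldisc_deref(ld);
    return num;
}
static void switch_to_ldisc_2(struct tty *t) { tty_set_ldisc(t, 2); }
/* Value a TIOCGETD reader observes when a TIOCSETD lands mid-ioctl. */
static unsigned int race_read(int use_safe)
{
    struct tty t = { ldisc_new(0) };  /* starts on ldisc 0 (N_TTY) */
    return use_safe ? tiocgetd_safe(&t, switch_to_ldisc_2)
                    : tiocgetd_unsafe(&t, switch_to_ldisc_2);
}
```

race_read(0) returns the poison value (the unsafe reader returned whatever now occupies the freed object), while race_read(1) returns the old ldisc number because the free was deferred until the reader dropped its reference.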
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Kernel | <=4.4.1 | |
debian/linux | 5.10.223-1, 5.10.234-1, 6.1.123-1, 6.1.128-1, 6.12.17-1 | |
CVE-2016-0723 is a vulnerability in the Linux kernel that allows local users to obtain sensitive information from kernel memory or cause a denial of service.
CVE-2016-0723 has a severity rating of medium.
The affected software versions include linux-armadaxp (3.2.0-1665.90), linux-armadaxp (4.5~), linux-aws (4.5~), linux-flo (4.5~), linux-gke (4.5~), linux-goldfish (4.5~), linux-grouper (4.5~), linux-hwe (4.5~), linux-hwe-edge (4.5~), linux-linaro-vexpress (4.5~), linux-lts-quantal (4.5~), linux-lts-raring (4.5~), linux-lts-saucy (4.5~), linux-lts-trusty (3.13.0-83.127~), linux-lts-trusty (4.5~), linux-lts-utopic (4.5~), linux-lts-vivid (4.5~), linux-lts-wily (4.5~), linux-lts-xenial (4.5~), linux-maguro (4.5~), linux-mako (4.5~), linux-manta (4.5~), linux-qcm-msm (4.5~), linux-raspi2 (4.5~), linux-raspi2 (4.2.0-1027.35), linux-snapdragon (4.5~), linux-ti-omap4 (4.5~), linux-ti-omap4 (3.2.0-1480.106), linux (4.5~), linux (3.2.0-102.142), linux (3.13.0-83.127), linux (4.2.0-34.39), linux-fsl-imx51 (4.5~), linux-linaro-omap (4.5~), linux-linaro-shared (4.5~), and linux (4.19.249-2, 4.19.289-2, 5.10.178-3, 5.10.191-1, 6.1.38-1, 6.1.52-1, 6.5.3-1).
To fix CVE-2016-0723, you should update the affected software versions to the specified remedy versions (e.g., linux-armadaxp 4.5~).
References for CVE-2016-0723: [SecurityTracker](http://www.securitytracker.com/id/1035695), [SecurityFocus](http://www.securityfocus.com/bid/82950), [Debian Security Advisory DSA-3448](http://www.debian.org/security/2016/dsa-3448).