CVE-2016-5829: Buffer Overflow
First published: Mon Jun 27 2016(Updated: )
A vulnerabilty was found in the Linux kernels hiddev driver. An attacker with permissions to the USB HID device can call an ioctl with the HIDIOCGUSAGES or HIDIOCSUSAGES command, and passes a report id of HID_REPORT_ID_UNKNOWN range checks that would prevent oversize buffers being copied from userspace to kernel space were bypassed. The kernel would loop on a a value passed by userspace and can copy memory outside of the intended range. This can corrupt memory located after the struct in memory, duplicating the kernel memory or crashing the system Upstream patch: <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5">https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =8.0 | |
| Linux Linux kernel | <3.2.82 | |
| Linux Linux kernel | >=3.3<3.10.103 | |
| Linux Linux kernel | >=3.11<3.12.62 | |
| Linux Linux kernel | >=3.13<3.14.74 | |
| Linux Linux kernel | >=3.15<3.16.37 | |
| Linux Linux kernel | >=3.17<3.18.37 | |
| Linux Linux kernel | >=3.19<4.1.28 | |
| Linux Linux kernel | >=4.2<4.4.16 | |
| Linux Linux kernel | >=4.5<4.6.5 | |
| Novell Suse Linux Enterprise Real Time Extension | =12-sp1 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.11.10-1 6.12.5-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5
- http://seclists.org/oss-sec/2016/q2/609
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1350513
- https://access.redhat.com/support/policy/updates/errata/
- https://rhn.redhat.com/errata/RHSA-2016-2006.html
- https://rhn.redhat.com/errata/RHSA-2016-2574.html
- https://rhn.redhat.com/errata/RHSA-2016-2584.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1350509
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00049.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00055.html
- http://rhn.redhat.com/errata/RHSA-2016-2006.html
- http://rhn.redhat.com/errata/RHSA-2016-2574.html
- http://rhn.redhat.com/errata/RHSA-2016-2584.html
- http://www.debian.org/security/2016/dsa-3616
- http://www.openwall.com/lists/oss-security/2016/06/26/2
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
- http://www.securityfocus.com/bid/91450
- http://www.ubuntu.com/usn/USN-3070-1
- http://www.ubuntu.com/usn/USN-3070-2
- http://www.ubuntu.com/usn/USN-3070-3
- http://www.ubuntu.com/usn/USN-3070-4
- http://www.ubuntu.com/usn/USN-3071-1
- http://www.ubuntu.com/usn/USN-3071-2
- http://www.ubuntu.com/usn/USN-3072-1
- http://www.ubuntu.com/usn/USN-3072-2
- https://github.com/torvalds/linux/commit/93a2001bdfd5376c3dc2158653034c20392d15c5
- https://launchpad.net/bugs/cve/CVE-2016-5829
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829
- https://nvd.nist.gov/vuln/detail/CVE-2016-5829
- https://security-tracker.debian.org/tracker/CVE-2016-5829
- https://ubuntu.com/security/CVE-2016-5829
- https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5
Frequently Asked Questions
What is CVE-2016-5829?
CVE-2016-5829 is a vulnerability in the Linux kernel that allows local users to cause a denial of service or possibly have other unspecified impact via a crafted HIDIOCGUSAGES or HIDIOCSUSAGES ioctl call.
How severe is CVE-2016-5829?
CVE-2016-5829 is classified as a medium severity vulnerability.
Which software versions are affected by CVE-2016-5829?
CVE-2016-5829 affects various versions of the Linux kernel: 3.2.0-109.150, 3.13.0-95.142, 4.4.0-36.55, and 4.7~ (upstream).
How can I fix CVE-2016-5829?
To fix CVE-2016-5829, update your Linux kernel to version 3.2.0-109.150, 3.13.0-95.142, 4.4.0-36.55, or a later version.
Where can I find more information about CVE-2016-5829?
You can find more information about CVE-2016-5829 at the following references: [link1](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=93a2001bdfd5376c3dc2158653034c20392d15c5), [link2](http://seclists.org/oss-sec/2016/q2/609), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1350513).
- collector/redhat-bugzilla
- alias/CVE-2016-5829
- collector/nvd-index
- agent/type
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/3.3
- version/linux linux kernel/3.11
- version/linux linux kernel/3.13
- version/linux linux kernel/3.15
- version/linux linux kernel/3.17
- version/linux linux kernel/3.19
- version/linux linux kernel/4.2
- version/linux linux kernel/4.5
- vendor/novell
- canonical/novell suse linux enterprise real time extension
- version/novell suse linux enterprise real time extension/12-sp1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- package-manager/debian