github/linuxkit
1
0
Fork 0
mirror of https://github.com/linuxkit/linuxkit.git synced 2025-10-31 08:41:13 +00:00
Code Issues Projects Releases Wiki Activity
Files
b6339500598924c6c425a59160ed48a2e743ca90
linuxkit/docs/security-events.md
Tycho Andersen 4bf7bfff2d docs: add some more CVE writeups 
Signed-off-by: Tycho Andersen <tycho@docker.com>
2017-07-07 09:52:26 -06:00

53 lines
3.0 KiB
Markdown
Raw Blame History

# LinuxKit Security Events
The incomplete list below is an assessment of some CVEs, and LinuxKit's resilience
(or not) to them.
### Bugs mitigated:
* [CVE-2017-9075](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075):
Requires CONFIG_IP_SCTP=y, which we do not set.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Requires CONFIG_IP_DCCP=y, which we do not set. (However, we were vulnerable
to the ipv6 pieces that this patch fixes.)
* [CVE-2017-1000363](http://www.openwall.com/lists/oss-security/2017/05/23/16):
This CVE requires `CONFIG_PRINTER=y`, so we are not vulnerable.
* [CVE-2017-2636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636)
([exploit post](https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html)):
This CVE requires `CONFIG_N_HDLC={y|m}`, which LinuxKit does not specify, and so
is not vulnerable.
* [CVE-2016-10229](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229)
This CVE only applies to kernels `<= 4.5, <= 4.4.21`. By using recent kernels
(specifically, kernels `=> 4.9, >= 4.4.21`, LinuxKit mitigates this bug.
* [CVE-2017-9605](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9605):
Requires CONFIG_DRM_VMWGFX=y, which we do not set.
* [CVE-2017-1000380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000380):
Requires CONFIG_SOUND=y, which we do not set.
* [CVE-2017-7518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518):
Requires the KVM backend (CONFIG_KVM=y), and we only have CONFIG_KVM_GUEST=y.
* [CVE-2017-10810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10810)
Requires CONFIG_DRM_VIRTIO_GPU, which we do not set.
* [CVE-2017-10911](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911)
aka XSA-216: we only have the XEN frontend, and do not set
CONFIG_XEN_BLKDEV_BACKEND.
### Bugs fixed:
* [CVE-2017-8890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890)
All users can do `accept()`, mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-9077](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077)
Same as CVE-2017-8890, but for ipv6.
* [CVE-2017-9074](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074):
Users have access to ipv6 sockets, mitigated for kernels `>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-9242](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242):
Same as CVE-2017-9074.
* [CVE-2017-9076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076):
Users have access to ipv6 sockets (note that part of this is mitigated as
well, so listed above: we do not set CONFIG_IP_DCCP), mitigated for kernels
`>= 4.9.31, >= 4.10.16, >= 4.11.2` now packaged by LinuxKit
* [CVE-2017-1000364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364):
[Qualys writeup](https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt).
Fixed in kernels `>= 4.9.35, >= 4.11.8`, now packaged by LinuxKit.
### Bugs outstanding:
Reference in New Issue View Git Blame Copy Permalink