
[QSA-0622151] Linux kernel vulnerabilities

Qlustar Security Advisory 0622151

June 22, 2015


The system could crash or be made to run programs as an administrator.

Package(s)       : linux-image-ql-generic
Qlustar releases : 9.0
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : CVE-2015-4036, CVE-2015-3636, CVE-2015-3339,

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:

A memory corruption flaw was discovered in the Linux kernel's scsi subsystem. A local attacker could potentially exploit this flaw to cause a denial of service (system crash).

Wen Xu discovered a use-after-free flaw in the Linux kernel's ipv4 ping support. A local user could exploit this flaw to cause a denial of service (system crash) or gain administrative privileges on the system.

A race condition between chown() and execve() was discovered in the Linux kernel. A local attacker could exploit this race by using chown on a setuid binary to gain administrative privileges.

It was discovered that the open_by_handle_at() system call reads the handle size from user memory a second time after validating it. A local user with the CAP_DAC_READ_SEARCH capability could use this flaw for privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions (follow the Qlustar Update Guide):

linux-image-ql-generic                     3.12.44-ql-generic-57
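A check for the update step above, added here as an example and not part of the advisory or Qlustar's own tooling: it reads `package<TAB>version` lines such as `dpkg-query -W -f='${Package}\t${Version}\n'` prints, compares the installed version against the fixed version using dpkg's version ordering (epoch, upstream, revision, with `~` sorting first), and reports whether each node still needs the update. It assumes the node uses dpkg package management, which the package name and version format suggest.

```python
import re
from itertools import zip_longest

# Fixed version stated in the advisory; add further packages here as needed.
FIXED = {"linux-image-ql-generic": "3.12.44-ql-generic-57"}
_SEG = re.compile(r"([^0-9]*)([0-9]*)")  # alternating non-digit / digit runs

def _order(c: str) -> int:
    # dpkg character weight: '~' < end-of-segment < letters < other symbols
    if not c:
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a: str, b: str) -> int:
    # Same ordering as dpkg's verrevcmp(): non-digit runs compared character by
    # character, numeric runs as integers, a present run beating a missing one.
    for (sa, na), (sb, nb) in zip_longest(_SEG.findall(a), _SEG.findall(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        ia, ib = (int(na) if na else -1), (int(nb) if nb else -1)
        if ia != ib:
            return ia - ib
    return 0

def _split(v: str) -> tuple:
    # Debian version = [epoch:]upstream[-revision]; the last '-' starts the revision.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rest), (rev if sep else "")

def dpkg_compare(a: str, b: str) -> int:
    # -1, 0 or 1 with the semantics of `dpkg --compare-versions a lt|eq|gt b`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def check_dpkg_output(text: str) -> dict:
    # text: "<package>\t<version>" lines, e.g. from
    #   dpkg-query -W -f='${Package}\t${Version}\n' linux-image-ql-generic
    result = {}
    for line in text.splitlines():
        pkg, sep, ver = line.partition("\t")
        if sep and pkg in FIXED:
            result[pkg] = (ver, dpkg_compare(ver, FIXED[pkg]) >= 0)
    return result

if __name__ == "__main__":  # constructed sample: a node still one revision behind
    print(check_dpkg_output("linux-image-ql-generic\t3.12.44-ql-generic-56\n"))
```

Run it on every node after the update; a `False` in the result means the running kernel package is older than the fixed version and the node should be updated and rebooted.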