SB2016022503 - Input validation error in linux-grsec (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2015-8552)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks."

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=a27a1dfef88c02a9ccc3443b59f9907d630dc82f
• https://git.alpinelinux.org/aports/commit/?id=f4daf7f71ebcae92286f454de52a9eed33c1903d
• https://git.alpinelinux.org/aports/commit/?id=1ab17fee115046c3923d9b2abeb1ff2677caaf76