SUSE-SU-2018:1080-1: important: Security update for the Linux Kernel
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Wed Apr 25 13:07:10 MDT 2018
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:1080-1
Rating: important
References: #1010470 #1013018 #1039348 #1052943 #1062568
#1062840 #1063416 #1063516 #1065600 #1065999
#1067118 #1067912 #1068032 #1072689 #1072865
#1075088 #1075091 #1075994 #1078669 #1078672
#1078673 #1078674 #1080464 #1080757 #1080813
#1081358 #1082091 #1082424 #1083242 #1083275
#1083483 #1083494 #1084536 #1085113 #1085279
#1085331 #1085513 #1086162 #1087092 #1087260
#1087762 #1088147 #1088260 #1089608 #909077
#940776 #943786
Cross-References: CVE-2015-5156 CVE-2016-7915 CVE-2017-0861
CVE-2017-12190 CVE-2017-13166 CVE-2017-16644
CVE-2017-16911 CVE-2017-16912 CVE-2017-16913
CVE-2017-16914 CVE-2017-18203 CVE-2017-18208
CVE-2017-5715 CVE-2018-10087 CVE-2018-6927
CVE-2018-7566 CVE-2018-7757 CVE-2018-8822
Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Server 11-EXTRA
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that solves 18 vulnerabilities and has 29 fixes
is now available.
Description:
The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
- CVE-2017-5715: Systems with microprocessors utilizing speculative
execution and indirect branch prediction may allow unauthorized
disclosure of information to an attacker with local user access via a
side-channel analysis (bnc#1068032).
Enhancements and bugfixes over the previous fixes have been added to
this kernel.
- CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
allowed local users to cause a denial of service by triggering an
attempted use of the -INT_MIN value (bnc#1089608).
- CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
of service (memory consumption) via many read accesses to files in the
/sys/class/sas_phy directory, as demonstrated by the
/sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
- CVE-2018-7566: There was a buffer overflow via an
SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by
a local user (bnc#1083483).
- CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
in the ALSA subsystem allowed attackers to gain privileges via
unspecified vectors (bnc#1088260).
- CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious
NCPFS servers to crash the kernel or execute code (bnc#1086162).
- CVE-2017-13166: An elevation of privilege vulnerability in the kernel
v4l2 video driver. (bnc#1072865).
- CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
allowed local users to cause a denial of service (BUG) by leveraging a
race condition with __dm_destroy during creation and removal of DM
devices (bnc#1083242).
- CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to
disclose kernel memory addresses. Successful exploitation requires that
a USB device is attached over IP (bnc#1078674).
- CVE-2017-18208: The madvise_willneed function in mm/madvise.c local
users to cause a denial of service (infinite loop) by triggering use of
MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
- CVE-2017-16644: The hdpvr_probe function in
drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
denial of service (improper error handling and system crash) or possibly
have unspecified other impact via a crafted USB device (bnc#1067118).
- CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux
kernel might allow attackers to cause a denial of service (integer
overflow) or possibly have unspecified other impact by triggering a
negative wake or requeue value (bnc#1080757).
- CVE-2017-16914: The "stub_send_ret_submit()" function
(drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
service (NULL pointer dereference) via a specially crafted USB over IP
packet (bnc#1078669).
- CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
allowed physically proximate attackers to obtain sensitive information
from kernel memory or cause a denial of service (out-of-bounds read) by
connecting a device, as demonstrated by a Logitech DJ receiver
(bnc#1010470).
- CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
attempted to support a FRAGLIST feature without proper memory
allocation, which allowed guest OS users to cause a denial of service
(buffer overflow and memory corruption) via a crafted sequence of
fragmented packets (bnc#940776).
- CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
block/bio.c did unbalanced refcounting when a SCSI I/O vector has small
consecutive buffers belonging to the same page. The bio_add_pc_page
function merges them into one, but the page reference is never dropped.
This causes a memory leak and possible system lockup (exploitable
against the host OS by a guest OS user, if a SCSI disk is passed through
to a virtual machine) due to an out-of-memory condition (bnc#1062568).
- CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
allowed attackers to cause a denial of service (out-of-bounds read) via
a specially crafted USB over IP packet (bnc#1078673).
- CVE-2017-16913: The "stub_recv_cmd_submit()" function
(drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
attackers to cause a denial of service (arbitrary memory allocation) via
a specially crafted USB over IP packet (bnc#1078672).
The following non-security bugs were fixed:
- af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085513,
LTC#165135).
- cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).
- drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).
- hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
(bnc#1013018).
- hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).
- ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
- ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
- ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
- ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
(git-fixes).
- kabi: x86/kaiser: properly align trampoline stack.
- keys: do not let add_key() update an uninstantiated key (bnc#1063416).
- keys: prevent creating a different user's keyrings (bnc#1065999).
- leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
(bnc#1039348).
- nfsv4: fix getacl head length estimation (git-fixes).
- pci: Use function 0 VPD for identical functions, regular VPD for others
(bnc#943786 git-fixes).
- pipe: actually allow root to exceed the pipe buffer limits (git-fixes).
- posix-timers: Protect posix clock array access against speculation
(bnc#1081358).
- powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
bsc#1075088).
- qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).
- Revert "USB: cdc-acm: fix broken runtime suspend" (bsc#1067912)
- s390/qeth: fix underestimated count of buffer elements (bnc#1082091,
LTC#164529).
- scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).
- usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).
- x86-64: Move the "user" vsyscall segment out of the data segment
(bsc#1082424).
- x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
- x86/kaiser: properly align trampoline stack (bsc#1087260).
- x86/retpoline: do not perform thunk calls in ring3 vsyscall code
(bsc#1085331).
- xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
sync_regs (bsc#909077).
- xen/x86/cpu: Check speculation control CPUID bit (bsc#1068032).
- xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994
bsc#1075091).
- xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the
'clearcpuid=' command-line option (bsc#1065600).
- xen/x86/cpu: Sync CPU feature flags late (bsc#1075994 bsc#1075091).
- xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).
- xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).
- xen/x86/kaiser: Move feature detection up (bsc#1068032).
- xfs: check for buffer errors before waiting (bsc#1052943).
- xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).
- xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near
(bsc#1087762).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-kernel-source-20180417-13574=1
- SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-kernel-source-20180417-13574=1
- SUSE Linux Enterprise Server 11-EXTRA:
zypper in -t patch slexsp3-kernel-source-20180417-13574=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-kernel-source-20180417-13574=1
Package List:
- SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):
kernel-docs-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
kernel-default-3.0.101-108.38.1
kernel-default-base-3.0.101-108.38.1
kernel-default-devel-3.0.101-108.38.1
kernel-source-3.0.101-108.38.1
kernel-syms-3.0.101-108.38.1
kernel-trace-3.0.101-108.38.1
kernel-trace-base-3.0.101-108.38.1
kernel-trace-devel-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):
kernel-ec2-3.0.101-108.38.1
kernel-ec2-base-3.0.101-108.38.1
kernel-ec2-devel-3.0.101-108.38.1
kernel-xen-3.0.101-108.38.1
kernel-xen-base-3.0.101-108.38.1
kernel-xen-devel-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-SP4 (s390x):
kernel-default-man-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-SP4 (ppc64):
kernel-bigmem-3.0.101-108.38.1
kernel-bigmem-base-3.0.101-108.38.1
kernel-bigmem-devel-3.0.101-108.38.1
kernel-ppc64-3.0.101-108.38.1
kernel-ppc64-base-3.0.101-108.38.1
kernel-ppc64-devel-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-SP4 (i586):
kernel-pae-3.0.101-108.38.1
kernel-pae-base-3.0.101-108.38.1
kernel-pae-devel-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):
kernel-default-extra-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):
kernel-xen-extra-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-EXTRA (x86_64):
kernel-trace-extra-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-EXTRA (ppc64):
kernel-ppc64-extra-3.0.101-108.38.1
- SUSE Linux Enterprise Server 11-EXTRA (i586):
kernel-pae-extra-3.0.101-108.38.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
kernel-default-debuginfo-3.0.101-108.38.1
kernel-default-debugsource-3.0.101-108.38.1
kernel-trace-debuginfo-3.0.101-108.38.1
kernel-trace-debugsource-3.0.101-108.38.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):
kernel-default-devel-debuginfo-3.0.101-108.38.1
kernel-trace-devel-debuginfo-3.0.101-108.38.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
kernel-ec2-debuginfo-3.0.101-108.38.1
kernel-ec2-debugsource-3.0.101-108.38.1
kernel-xen-debuginfo-3.0.101-108.38.1
kernel-xen-debugsource-3.0.101-108.38.1
kernel-xen-devel-debuginfo-3.0.101-108.38.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):
kernel-bigmem-debuginfo-3.0.101-108.38.1
kernel-bigmem-debugsource-3.0.101-108.38.1
kernel-ppc64-debuginfo-3.0.101-108.38.1
kernel-ppc64-debugsource-3.0.101-108.38.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586):
kernel-pae-debuginfo-3.0.101-108.38.1
kernel-pae-debugsource-3.0.101-108.38.1
kernel-pae-devel-debuginfo-3.0.101-108.38.1
References:
https://www.suse.com/security/cve/CVE-2015-5156.html
https://www.suse.com/security/cve/CVE-2016-7915.html
https://www.suse.com/security/cve/CVE-2017-0861.html
https://www.suse.com/security/cve/CVE-2017-12190.html
https://www.suse.com/security/cve/CVE-2017-13166.html
https://www.suse.com/security/cve/CVE-2017-16644.html
https://www.suse.com/security/cve/CVE-2017-16911.html
https://www.suse.com/security/cve/CVE-2017-16912.html
https://www.suse.com/security/cve/CVE-2017-16913.html
https://www.suse.com/security/cve/CVE-2017-16914.html
https://www.suse.com/security/cve/CVE-2017-18203.html
https://www.suse.com/security/cve/CVE-2017-18208.html
https://www.suse.com/security/cve/CVE-2017-5715.html
https://www.suse.com/security/cve/CVE-2018-10087.html
https://www.suse.com/security/cve/CVE-2018-6927.html
https://www.suse.com/security/cve/CVE-2018-7566.html
https://www.suse.com/security/cve/CVE-2018-7757.html
https://www.suse.com/security/cve/CVE-2018-8822.html
https://bugzilla.suse.com/1010470
https://bugzilla.suse.com/1013018
https://bugzilla.suse.com/1039348
https://bugzilla.suse.com/1052943
https://bugzilla.suse.com/1062568
https://bugzilla.suse.com/1062840
https://bugzilla.suse.com/1063416
https://bugzilla.suse.com/1063516
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065999
https://bugzilla.suse.com/1067118
https://bugzilla.suse.com/1067912
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1072689
https://bugzilla.suse.com/1072865
https://bugzilla.suse.com/1075088
https://bugzilla.suse.com/1075091
https://bugzilla.suse.com/1075994
https://bugzilla.suse.com/1078669
https://bugzilla.suse.com/1078672
https://bugzilla.suse.com/1078673
https://bugzilla.suse.com/1078674
https://bugzilla.suse.com/1080464
https://bugzilla.suse.com/1080757
https://bugzilla.suse.com/1080813
https://bugzilla.suse.com/1081358
https://bugzilla.suse.com/1082091
https://bugzilla.suse.com/1082424
https://bugzilla.suse.com/1083242
https://bugzilla.suse.com/1083275
https://bugzilla.suse.com/1083483
https://bugzilla.suse.com/1083494
https://bugzilla.suse.com/1084536
https://bugzilla.suse.com/1085113
https://bugzilla.suse.com/1085279
https://bugzilla.suse.com/1085331
https://bugzilla.suse.com/1085513
https://bugzilla.suse.com/1086162
https://bugzilla.suse.com/1087092
https://bugzilla.suse.com/1087260
https://bugzilla.suse.com/1087762
https://bugzilla.suse.com/1088147
https://bugzilla.suse.com/1088260
https://bugzilla.suse.com/1089608
https://bugzilla.suse.com/909077
https://bugzilla.suse.com/940776
https://bugzilla.suse.com/943786
More information about the sle-updates
mailing list