SUSE-SU-2018:0834-1: important: Security update for the Linux Kernel

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Mar 28 13:07:34 MDT 2018


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0834-1
Rating:             important
References:         #1010470 #1012382 #1045330 #1062568 #1063416 
                    #1066001 #1067118 #1068032 #1072689 #1072865 
                    #1074488 #1075617 #1075621 #1077560 #1078669 
                    #1078672 #1078673 #1078674 #1080255 #1080464 
                    #1080757 #1082299 #1083244 #1083483 #1083494 
                    #1083640 #1084323 #1085107 #1085114 #1085279 
                    #1085447 
Cross-References:   CVE-2016-7915 CVE-2017-12190 CVE-2017-13166
                    CVE-2017-15299 CVE-2017-16644 CVE-2017-16911
                    CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
                    CVE-2017-18017 CVE-2017-18204 CVE-2017-18208
                    CVE-2017-18221 CVE-2018-1066 CVE-2018-1068
                    CVE-2018-5332 CVE-2018-5333 CVE-2018-6927
                    CVE-2018-7566
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that solves 19 vulnerabilities and has 12 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 12 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall
     interface for bridging. This allowed a privileged user to arbitrarily
     write to a limited range of kernel memory (bnc#1085107).
   - CVE-2017-18221: The __munlock_pagevec function allowed local users to
     cause a denial of service (NR_MLOCK accounting corruption) via crafted
     use of mlockall and munlockall system calls (bnc#1084323).
   - CVE-2018-1066: Prevent NULL pointer dereference in
     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker
     controlling a CIFS server to kernel panic a client that has this server
     mounted, because an empty TargetInfo field in an NTLMSSP setup
     negotiation response was mishandled during session recovery
     (bnc#1083640).
   - CVE-2017-13166: Prevent elevation of privilege vulnerability in the
     kernel v4l2 video driver (bnc#1072865).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation required that a USB
     device was attached over IP (bnc#1078674).
   - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key
     that already exists but is uninstantiated, which allowed local users to
     cause a denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact via a crafted system call
     (bnc#1063416).
   - CVE-2017-18208: The madvise_willneed function kernel allowed local users
     to cause a denial of service (infinite loop) by triggering use of
     MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2018-7566: The ALSA sequencer core initializes the event pool on
     demand by invoking snd_seq_pool_init() when the first write happens and
     the pool is empty. A user could have reset the pool size manually via
     ioctl concurrently, which may have lead UAF or out-of-bound access
     (bsc#1083483).
   - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause
     a denial of service (deadlock) via DIO requests (bnc#1083244).
   - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function allowed attackers to cause a
     denial
     of service (integer overflow) or possibly have unspecified other impact
      by triggering a negative wake or requeue value (bnc#1080757).
   - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers
     to cause a denial of service (NULL pointer dereference) via a specially
     crafted USB over IP packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function allowed physically proximate
     attackers to obtain sensitive information from kernel memory or cause a
     denial
     of service (out-of-bounds read) by connecting a device (bnc#1010470).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
     unbalanced refcounting when a SCSI I/O vector had small consecutive
     buffers belonging to the same page. The bio_add_pc_page function merged
     them into one, but the page reference was never dropped. This caused a
     memory leak and possible system lockup (exploitable against the host OS
     by a guest OS user, if a SCSI disk is passed through to a virtual
     machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a
     denial
     of service (out-of-bounds read) via a specially crafted USB over IP
      packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
     CMD_SUBMIT packets allowed attackers to cause a denial of service
     (arbitrary memory allocation) via a specially crafted USB over IP packet
     (bnc#1078672).
   - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a
     value that is used during DMA page allocation, leading to a heap-based
     out-of-bounds write (related to the rds_rdma_extra_size function in
     net/rds/rdma.c) (bnc#1075621).
   - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
     cases where page pinning fails or an invalid address is supplied,
     leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
   - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote
     attackers to cause a denial of service (use-after-free and memory
     corruption) or possibly have unspecified other impact by leveraging the
     presence of xt_TCPMSS in an iptables action (bnc#1074488).

   The following non-security bugs were fixed:

   - Fix build on arm64 by defining empty gmb() (bnc#1068032).
   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: fix writing past end of user-supplied buffer in keyring_read()
     (bsc#1066001).
   - KEYS: return full count in keyring_read() if buffer is too small
     (bsc#1066001).
   - include/stddef.h: Move offsetofend() from vfio.h to a generic kernel
     header (bsc#1077560).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow
     variables support (bsc#1082299).
   - livepatch: introduce shadow variable API. Shadow variables support
     (bsc#1082299)
   - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: do not copy back the result for certain
     errors (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: move 'helper' functions to
     __get/put_v4l2_format32 (bnc#1012382).
   - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
   - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY
     (bnc#1012382).
   - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets
     (bsc#1085107).
   - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
   - packet: only call dev_add_pack() on freshly allocated fanout instances
   - pipe: cap initial pipe capacity according to pipe-max-size limit
     (bsc#1045330).
   - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-558=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-558=1



Package List:

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.61-52.125.1
      kernel-default-base-3.12.61-52.125.1
      kernel-default-base-debuginfo-3.12.61-52.125.1
      kernel-default-debuginfo-3.12.61-52.125.1
      kernel-default-debugsource-3.12.61-52.125.1
      kernel-default-devel-3.12.61-52.125.1
      kernel-syms-3.12.61-52.125.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kernel-xen-3.12.61-52.125.1
      kernel-xen-base-3.12.61-52.125.1
      kernel-xen-base-debuginfo-3.12.61-52.125.1
      kernel-xen-debuginfo-3.12.61-52.125.1
      kernel-xen-debugsource-3.12.61-52.125.1
      kernel-xen-devel-3.12.61-52.125.1
      kgraft-patch-3_12_61-52_125-default-1-1.3.1
      kgraft-patch-3_12_61-52_125-xen-1-1.3.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      kernel-devel-3.12.61-52.125.1
      kernel-macros-3.12.61-52.125.1
      kernel-source-3.12.61-52.125.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x):

      kernel-default-man-3.12.61-52.125.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.61-52.125.1
      kernel-ec2-debuginfo-3.12.61-52.125.1
      kernel-ec2-debugsource-3.12.61-52.125.1
      kernel-ec2-devel-3.12.61-52.125.1
      kernel-ec2-extra-3.12.61-52.125.1
      kernel-ec2-extra-debuginfo-3.12.61-52.125.1


References:

   https://www.suse.com/security/cve/CVE-2016-7915.html
   https://www.suse.com/security/cve/CVE-2017-12190.html
   https://www.suse.com/security/cve/CVE-2017-13166.html
   https://www.suse.com/security/cve/CVE-2017-15299.html
   https://www.suse.com/security/cve/CVE-2017-16644.html
   https://www.suse.com/security/cve/CVE-2017-16911.html
   https://www.suse.com/security/cve/CVE-2017-16912.html
   https://www.suse.com/security/cve/CVE-2017-16913.html
   https://www.suse.com/security/cve/CVE-2017-16914.html
   https://www.suse.com/security/cve/CVE-2017-18017.html
   https://www.suse.com/security/cve/CVE-2017-18204.html
   https://www.suse.com/security/cve/CVE-2017-18208.html
   https://www.suse.com/security/cve/CVE-2017-18221.html
   https://www.suse.com/security/cve/CVE-2018-1066.html
   https://www.suse.com/security/cve/CVE-2018-1068.html
   https://www.suse.com/security/cve/CVE-2018-5332.html
   https://www.suse.com/security/cve/CVE-2018-5333.html
   https://www.suse.com/security/cve/CVE-2018-6927.html
   https://www.suse.com/security/cve/CVE-2018-7566.html
   https://bugzilla.suse.com/1010470
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1045330
   https://bugzilla.suse.com/1062568
   https://bugzilla.suse.com/1063416
   https://bugzilla.suse.com/1066001
   https://bugzilla.suse.com/1067118
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1072689
   https://bugzilla.suse.com/1072865
   https://bugzilla.suse.com/1074488
   https://bugzilla.suse.com/1075617
   https://bugzilla.suse.com/1075621
   https://bugzilla.suse.com/1077560
   https://bugzilla.suse.com/1078669
   https://bugzilla.suse.com/1078672
   https://bugzilla.suse.com/1078673
   https://bugzilla.suse.com/1078674
   https://bugzilla.suse.com/1080255
   https://bugzilla.suse.com/1080464
   https://bugzilla.suse.com/1080757
   https://bugzilla.suse.com/1082299
   https://bugzilla.suse.com/1083244
   https://bugzilla.suse.com/1083483
   https://bugzilla.suse.com/1083494
   https://bugzilla.suse.com/1083640
   https://bugzilla.suse.com/1084323
   https://bugzilla.suse.com/1085107
   https://bugzilla.suse.com/1085114
   https://bugzilla.suse.com/1085279
   https://bugzilla.suse.com/1085447



More information about the sle-updates mailing list