[security-announce] SUSE-SU-2017:1247-1: important: Security update for the Linux Kernel


SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2017:1247-1

Rating: important

References: #1003077 #1015703 #1021256 #1021762 #1023377 #1023762 #1023992 #1024938 #1025235 #1026024 #1026722 #1026914 #1027066 #1027149 #1027178 #1027189 #1027190 #1028415 #1028895 #1029986 #1030118 #1030213 #1030901 #1031003 #1031052 #1031440 #1031579 #1032344 #1033336 #914939 #954763 #968697 #979215 #983212 #989056

Cross-References: CVE-2015-1350 CVE-2016-10044 CVE-2016-10200 CVE-2016-10208 CVE-2016-2117 CVE-2016-3070 CVE-2016-5243 CVE-2016-7117 CVE-2016-9588 CVE-2017-2671 CVE-2017-5669 CVE-2017-5897 CVE-2017-5970 CVE-2017-5986 CVE-2017-6074 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348 CVE-2017-6353 CVE-2017-7187 CVE-2017-7261 CVE-2017-7294 CVE-2017-7308 CVE-2017-7616

Affected Products:

- SUSE Linux Enterprise Server for SAP 12
- SUSE Linux Enterprise Server 12-LTSS
- SUSE Linux Enterprise Module for Public Cloud 12

______________________________________________________________________________

An update that solves 25 vulnerabilities and has 10 fixes is now available.

 

Description:

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

 

- CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939).

- CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enabled scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697).

- CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacted with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215).

- CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212).

- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).

- CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bnc#1015703).

- CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992).

- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415).

- CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377).

- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914).

- CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bnc#1023762).

- CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938).

- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235).

- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).

- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722).

- CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190).

- CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189).

- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178).

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066).

- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213).

- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052).

- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).

- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579).

- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336).

 

The following non-security bugs were fixed:

- ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
- hwrng: virtio - ensure reads happen after successful probe (bsc#954763 bsc#1032344).
- kgr/module: make a taint flag module-specific (fate#313296).
- l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
- l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415).
- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415).
- l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415).
- l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415).
- l2tp: lock socket before checking flags in connect() (bsc#1028415).
- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).
- module: move add_taint_module() to a header file (fate#313296).
- netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
- nfs: flush out dirty data on file fput() (bsc#1021762).
- powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).
- powerpc: Reject binutils 2.24 when building little endian (boo#1028895).
- revert "procfs: mark thread stack correctly in proc/<pid>/maps" (bnc#1030901).
- taint/module: Clean up global and module taint flags handling (fate#313296).
- usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
- xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).
- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).

 

 

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12:

  zypper in -t patch SUSE-SLE-SAP-12-2017-749=1

- SUSE Linux Enterprise Server 12-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-2017-749=1

- SUSE Linux Enterprise Module for Public Cloud 12:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-749=1

To bring your system up-to-date, use "zypper patch".
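A post-patch check, added here as an example and not part of the SUSE announcement: it reports whether a host is still running a kernel older than the fixed 3.12.61-52.72.1 packages, which is the case after installing the patch until the host is rebooted into the new kernel. It assumes that `uname -r` on SLE reports the package version-release without its last rebuild counter plus a flavor suffix (for example `3.12.61-52.72-default`); the function names and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Fixed package version-release, taken from this advisory's package list.
FIXED_PKG="3.12.61-52.72.1"

# Strip the kernel flavor suffix (default, xen, ec2: the flavors shipped by
# this update) from a `uname -r` string.
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/-(default|xen|ec2)$//'
}

# Drop the trailing rebuild counter from a package version-release.
# Assumption: the package release carries one extra ".N" compared to uname -r.
pkg_to_release() {
    printf '%s\n' "${1%.*}"
}

# Succeed if version $1 >= version $2. sort -V compares numerically per
# component, so 52.101 sorts after 52.72 (a plain string compare would not).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# $1 = running kernel (uname -r), $2 = newest installed kernel package
# version-release. Prints: patched | reboot-needed | vulnerable
kernel_status() {
    fixed_rel=$(pkg_to_release "$FIXED_PKG")
    running=$(kernel_base "$1")
    if version_ge "$running" "$fixed_rel"; then
        echo patched
    elif version_ge "$2" "$FIXED_PKG"; then
        echo reboot-needed      # fixed package installed, old kernel running
    else
        echo vulnerable
    fi
}

# On a real host: sh check.sh --live  (queries rpm for kernel-default only)
if [ "${1:-}" = "--live" ]; then
    newest=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default |
             sort -V | tail -n1)
    kernel_status "$(uname -r)" "$newest"
fi
```

On hosts that use the kernel-xen or kernel-ec2 flavor, query that package name instead of kernel-default in the `--live` branch.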

 

 

Package List:

- SUSE Linux Enterprise Server for SAP 12 (x86_64):

  kernel-default-3.12.61-52.72.1
  kernel-default-base-3.12.61-52.72.1
  kernel-default-base-debuginfo-3.12.61-52.72.1
  kernel-default-debuginfo-3.12.61-52.72.1
  kernel-default-debugsource-3.12.61-52.72.1
  kernel-default-devel-3.12.61-52.72.1
  kernel-syms-3.12.61-52.72.1
  kernel-xen-3.12.61-52.72.1
  kernel-xen-base-3.12.61-52.72.1
  kernel-xen-base-debuginfo-3.12.61-52.72.1
  kernel-xen-debuginfo-3.12.61-52.72.1
  kernel-xen-debugsource-3.12.61-52.72.1
  kernel-xen-devel-3.12.61-52.72.1
  kgraft-patch-3_12_61-52_72-default-1-2.1
  kgraft-patch-3_12_61-52_72-xen-1-2.1

- SUSE Linux Enterprise Server for SAP 12 (noarch):

  kernel-devel-3.12.61-52.72.1
  kernel-macros-3.12.61-52.72.1
  kernel-source-3.12.61-52.72.1

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

  kernel-default-3.12.61-52.72.1
  kernel-default-base-3.12.61-52.72.1
  kernel-default-base-debuginfo-3.12.61-52.72.1
  kernel-default-debuginfo-3.12.61-52.72.1
  kernel-default-debugsource-3.12.61-52.72.1
  kernel-default-devel-3.12.61-52.72.1
  kernel-syms-3.12.61-52.72.1

- SUSE Linux Enterprise Server 12-LTSS (noarch):

  kernel-devel-3.12.61-52.72.1
  kernel-macros-3.12.61-52.72.1
  kernel-source-3.12.61-52.72.1

- SUSE Linux Enterprise Server 12-LTSS (x86_64):

  kernel-xen-3.12.61-52.72.1
  kernel-xen-base-3.12.61-52.72.1
  kernel-xen-base-debuginfo-3.12.61-52.72.1
  kernel-xen-debuginfo-3.12.61-52.72.1
  kernel-xen-debugsource-3.12.61-52.72.1
  kernel-xen-devel-3.12.61-52.72.1
  kgraft-patch-3_12_61-52_72-default-1-2.1
  kgraft-patch-3_12_61-52_72-xen-1-2.1

- SUSE Linux Enterprise Server 12-LTSS (s390x):

  kernel-default-man-3.12.61-52.72.1

- SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

  kernel-ec2-3.12.61-52.72.1
  kernel-ec2-debuginfo-3.12.61-52.72.1
  kernel-ec2-debugsource-3.12.61-52.72.1
  kernel-ec2-devel-3.12.61-52.72.1
  kernel-ec2-extra-3.12.61-52.72.1
  kernel-ec2-extra-debuginfo-3.12.61-52.72.1

 

References:

https://www.suse.com/security/cve/CVE-2015-1350.html
https://www.suse.com/security/cve/CVE-2016-10044.html
https://www.suse.com/security/cve/CVE-2016-10200.html
https://www.suse.com/security/cve/CVE-2016-10208.html
https://www.suse.com/security/cve/CVE-2016-2117.html
https://www.suse.com/security/cve/CVE-2016-3070.html
https://www.suse.com/security/cve/CVE-2016-5243.html
https://www.suse.com/security/cve/CVE-2016-7117.html
https://www.suse.com/security/cve/CVE-2016-9588.html
https://www.suse.com/security/cve/CVE-2017-2671.html
https://www.suse.com/security/cve/CVE-2017-5669.html
https://www.suse.com/security/cve/CVE-2017-5897.html
https://www.suse.com/security/cve/CVE-2017-5970.html
https://www.suse.com/security/cve/CVE-2017-5986.html
https://www.suse.com/security/cve/CVE-2017-6074.html
https://www.suse.com/security/cve/CVE-2017-6214.html
https://www.suse.com/security/cve/CVE-2017-6345.html
https://www.suse.com/security/cve/CVE-2017-6346.html
https://www.suse.com/security/cve/CVE-2017-6348.html
https://www.suse.com/security/cve/CVE-2017-6353.html
https://www.suse.com/security/cve/CVE-2017-7187.html
https://www.suse.com/security/cve/CVE-2017-7261.html
https://www.suse.com/security/cve/CVE-2017-7294.html
https://www.suse.com/security/cve/CVE-2017-7308.html
https://www.suse.com/security/cve/CVE-2017-7616.html
https://bugzilla.suse.com/1003077
https://bugzilla.suse.com/1015703
https://bugzilla.suse.com/1021256
https://bugzilla.suse.com/1021762
https://bugzilla.suse.com/1023377
https://bugzilla.suse.com/1023762
https://bugzilla.suse.com/1023992
https://bugzilla.suse.com/1024938
https://bugzilla.suse.com/1025235
https://bugzilla.suse.com/1026024
https://bugzilla.suse.com/1026722
https://bugzilla.suse.com/1026914
https://bugzilla.suse.com/1027066
https://bugzilla.suse.com/1027149
https://bugzilla.suse.com/1027178
https://bugzilla.suse.com/1027189
https://bugzilla.suse.com/1027190
https://bugzilla.suse.com/1028415
https://bugzilla.suse.com/1028895
https://bugzilla.suse.com/1029986
https://bugzilla.suse.com/1030118
https://bugzilla.suse.com/1030213
https://bugzilla.suse.com/1030901
https://bugzilla.suse.com/1031003
https://bugzilla.suse.com/1031052
https://bugzilla.suse.com/1031440
https://bugzilla.suse.com/1031579
https://bugzilla.suse.com/1032344
https://bugzilla.suse.com/1033336
https://bugzilla.suse.com/914939
https://bugzilla.suse.com/954763
https://bugzilla.suse.com/968697
https://bugzilla.suse.com/979215
https://bugzilla.suse.com/983212
https://bugzilla.suse.com/989056

 
