ESB-2017.3104 - [SUSE] kernel: Multiple vulnerabilities 2017-12-05

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3104
        SUSE Security Update: Security update for the Linux Kernel
                              5 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000405 CVE-2017-16939 CVE-2017-16650
                   CVE-2017-16649 CVE-2017-16537 CVE-2017-16536
                   CVE-2017-16535 CVE-2017-16531 CVE-2017-16529
                   CVE-2017-16527 CVE-2017-16525 CVE-2017-15102
                   CVE-2017-12193 CVE-2014-0038 

Reference:         ESB-2017.3075
                   ESB-2017.2980
                   ESB-2017.2979

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2017/suse-su-20173210-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:3210-1
Rating:             important
References:         #1047626 #1059465 #1066471 #1066472 #1069496 
                    #860993 #975788 
Cross-References:   CVE-2014-0038 CVE-2017-1000405 CVE-2017-12193
                    CVE-2017-15102 CVE-2017-16525 CVE-2017-16527
                    CVE-2017-16529 CVE-2017-16531 CVE-2017-16535
                    CVE-2017-16536 CVE-2017-16537 CVE-2017-16649
                    CVE-2017-16650 CVE-2017-16939
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that fixes 14 vulnerabilities is now available.

Description:



   The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2017-16939: The XFRM dump policy implementation in
     net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain
     privileges or cause a denial of service (use-after-free) via a crafted
     SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY
     Netlink messages. (bnc#1069702)
   - CVE-2017-1000405: mm, thp: do not dirty huge pages on read fault
     (bnc#1069496).
   - CVE-2017-16649: The usbnet_generic_cdc_bind function in
     drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to
     cause a denial of service (divide-by-zero error and system crash) or
     possibly have unspecified other impact via a crafted USB device.
     (bnc#1067085)
   - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c, when
     CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a
     recvmmsg system call with a crafted timeout pointer parameter
     (bnc#860993).
   - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c
     in the Linux kernel allowed local users to cause a denial of service
     (divide-by-zero error and system crash) or possibly have unspecified
     other impact via a crafted USB device. (bnc#1067086)
   - CVE-2017-16535: The usb_get_bos_descriptor function in
     drivers/usb/core/config.c in the Linux kernel allowed local users to
     cause a denial of service (out-of-bounds read and system crash) or
     possibly have unspecified other impact via a crafted USB device.
     (bnc#1066700)
   - CVE-2017-15102: The tower_probe function in
     drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users
     (who are physically proximate for inserting a crafted USB device) to
     gain privileges by leveraging a write-what-where condition that occurs
     after a race condition and a NULL pointer dereference. (bnc#1066705)
   - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed
     local users to cause a denial of service (out-of-bounds read and system
     crash) or possibly have unspecified other impact via a crafted USB
     device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.
     (bnc#1066671)
   - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in
     lib/assoc_array.c in the Linux kernel mishandled node splitting, which
     allowed local users to cause a denial of service (NULL pointer
     dereference and panic) via a crafted application, as demonstrated by the
     keyring key type, and key addition and link creation operations.
     (bnc#1066192)
   - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c
     in the Linux kernel allowed local users to cause a denial of service
     (out-of-bounds read and system crash) or possibly have unspecified other
     impact via a crafted USB device. (bnc#1066650)
   - CVE-2017-16525: The usb_serial_console_disconnect function in
     drivers/usb/serial/console.c in the Linux kernel allowed local users to
     cause a denial of service (use-after-free and system crash) or possibly
     have unspecified other impact via a crafted USB device, related to
     disconnection and failed setup. (bnc#1066618)
   - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in
     the Linux kernel allowed local users to cause a denial of service (NULL
     pointer dereference and system crash) or possibly have unspecified other
     impact via a crafted USB device. (bnc#1066573)
   - CVE-2017-16536: The cx231xx_usb_probe function in
     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed
     local users to cause a denial of service (NULL pointer dereference and
     system crash) or possibly have unspecified other impact via a crafted
     USB device. (bnc#1066606)
   - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local
     users to cause a denial of service (snd_usb_mixer_interrupt
     use-after-free and system crash) or possibly have unspecified other
     impact via a crafted USB device. (bnc#1066625)

   The following non-security bugs were fixed:

   - NVMe: No lock while DMA mapping data (bsc#975788).
   - bcache: Add bch_keylist_init_single() (bsc#1047626).
   - bcache: Add btree_map() functions (bsc#1047626).
   - bcache: Add on error panic/unregister setting (bsc#1047626).
   - bcache: Convert gc to a kthread (bsc#1047626).
   - bcache: Delete some slower inline asm (bsc#1047626).
   - bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).
   - bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).
   - bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).
   - bcache: Fix a null ptr deref in journal replay (bsc#1047626).
   - bcache: Fix an infinite loop in journal replay (bsc#1047626).
   - bcache: Fix bch_ptr_bad() (bsc#1047626).
   - bcache: Fix discard granularity (bsc#1047626).
   - bcache: Fix for can_attach_cache() (bsc#1047626).
   - bcache: Fix heap_peek() macro (bsc#1047626).
   - bcache: Fix moving_pred() (bsc#1047626).
   - bcache: Fix to remove the rcu_sched stalls (bsc#1047626).
   - bcache: Improve bucket_prio() calculation (bsc#1047626).
   - bcache: Improve priority_stats (bsc#1047626).
   - bcache: Minor btree cache fix (bsc#1047626).
   - bcache: Move keylist out of btree_op (bsc#1047626).
   - bcache: New writeback PD controller (bsc#1047626).
   - bcache: PRECEDING_KEY() (bsc#1047626).
   - bcache: Performance fix for when journal entry is full (bsc#1047626).
   - bcache: Remove redundant block_size assignment (bsc#1047626).
   - bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).
   - bcache: Remove/fix some header dependencies (bsc#1047626).
   - bcache: Trivial error handling fix (bsc#1047626).
   - bcache: Use ida for bcache block dev minor (bsc#1047626).
   - bcache: allows use of register in udev to avoid "device_busy" error
     (bsc#1047626).
   - bcache: bch_allocator_thread() is not freezable (bsc#1047626).
   - bcache: bch_gc_thread() is not freezable (bsc#1047626).
   - bcache: bugfix - gc thread now gets woken when cache is full
     (bsc#1047626).
   - bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).
   - bcache: cleaned up error handling around register_cache() (bsc#1047626).
   - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing
     device (bsc#1047626).
   - bcache: defensively handle format strings (bsc#1047626).
   - bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED
     (bsc#1047626).
   - bcache: fix a livelock when we cause a huge number of cache misses
     (bsc#1047626).
   - bcache: fix crash in bcache_btree_node_alloc_fail tracepoint
     (bsc#1047626).
   - bcache: fix for gc and writeback race (bsc#1047626).
   - bcache: fix for gc crashing when no sectors are used (bsc#1047626).
   - bcache: kill index() (bsc#1047626).
   - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
     (bsc#1047626).
   - bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).
   - mac80211: do not compare TKIP TX MIC key in reinstall prevention
     (bsc#1066472).
   - mac80211: use constant time comparison with keys (bsc#1066471).
   - packet: fix use-after-free in fanout_add()
   - scsi: ILLEGAL REQUEST + ASC==27 produces target failure (bsc#1059465).


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:

      zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1995=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1995=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1995=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2017-1995=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 6 (noarch):

      kernel-devel-3.12.74-60.64.66.1
      kernel-macros-3.12.74-60.64.66.1
      kernel-source-3.12.74-60.64.66.1

   - SUSE OpenStack Cloud 6 (x86_64):

      kernel-default-3.12.74-60.64.66.1
      kernel-default-base-3.12.74-60.64.66.1
      kernel-default-base-debuginfo-3.12.74-60.64.66.1
      kernel-default-debuginfo-3.12.74-60.64.66.1
      kernel-default-debugsource-3.12.74-60.64.66.1
      kernel-default-devel-3.12.74-60.64.66.1
      kernel-syms-3.12.74-60.64.66.1
      kernel-xen-3.12.74-60.64.66.1
      kernel-xen-base-3.12.74-60.64.66.1
      kernel-xen-base-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debugsource-3.12.74-60.64.66.1
      kernel-xen-devel-3.12.74-60.64.66.1
      kgraft-patch-3_12_74-60_64_66-default-1-2.1
      kgraft-patch-3_12_74-60_64_66-xen-1-2.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      kernel-default-3.12.74-60.64.66.1
      kernel-default-base-3.12.74-60.64.66.1
      kernel-default-base-debuginfo-3.12.74-60.64.66.1
      kernel-default-debuginfo-3.12.74-60.64.66.1
      kernel-default-debugsource-3.12.74-60.64.66.1
      kernel-default-devel-3.12.74-60.64.66.1
      kernel-syms-3.12.74-60.64.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      kernel-devel-3.12.74-60.64.66.1
      kernel-macros-3.12.74-60.64.66.1
      kernel-source-3.12.74-60.64.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      kernel-xen-3.12.74-60.64.66.1
      kernel-xen-base-3.12.74-60.64.66.1
      kernel-xen-base-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debugsource-3.12.74-60.64.66.1
      kernel-xen-devel-3.12.74-60.64.66.1
      kgraft-patch-3_12_74-60_64_66-default-1-2.1
      kgraft-patch-3_12_74-60_64_66-xen-1-2.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.74-60.64.66.1
      kernel-default-base-3.12.74-60.64.66.1
      kernel-default-base-debuginfo-3.12.74-60.64.66.1
      kernel-default-debuginfo-3.12.74-60.64.66.1
      kernel-default-debugsource-3.12.74-60.64.66.1
      kernel-default-devel-3.12.74-60.64.66.1
      kernel-syms-3.12.74-60.64.66.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      kernel-devel-3.12.74-60.64.66.1
      kernel-macros-3.12.74-60.64.66.1
      kernel-source-3.12.74-60.64.66.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      kernel-xen-3.12.74-60.64.66.1
      kernel-xen-base-3.12.74-60.64.66.1
      kernel-xen-base-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debuginfo-3.12.74-60.64.66.1
      kernel-xen-debugsource-3.12.74-60.64.66.1
      kernel-xen-devel-3.12.74-60.64.66.1
      kgraft-patch-3_12_74-60_64_66-default-1-2.1
      kgraft-patch-3_12_74-60_64_66-xen-1-2.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x):

      kernel-default-man-3.12.74-60.64.66.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.74-60.64.66.1
      kernel-ec2-debuginfo-3.12.74-60.64.66.1
      kernel-ec2-debugsource-3.12.74-60.64.66.1
      kernel-ec2-devel-3.12.74-60.64.66.1
      kernel-ec2-extra-3.12.74-60.64.66.1
      kernel-ec2-extra-debuginfo-3.12.74-60.64.66.1


References:

   https://www.suse.com/security/cve/CVE-2014-0038.html
   https://www.suse.com/security/cve/CVE-2017-1000405.html
   https://www.suse.com/security/cve/CVE-2017-12193.html
   https://www.suse.com/security/cve/CVE-2017-15102.html
   https://www.suse.com/security/cve/CVE-2017-16525.html
   https://www.suse.com/security/cve/CVE-2017-16527.html
   https://www.suse.com/security/cve/CVE-2017-16529.html
   https://www.suse.com/security/cve/CVE-2017-16531.html
   https://www.suse.com/security/cve/CVE-2017-16535.html
   https://www.suse.com/security/cve/CVE-2017-16536.html
   https://www.suse.com/security/cve/CVE-2017-16537.html
   https://www.suse.com/security/cve/CVE-2017-16649.html
   https://www.suse.com/security/cve/CVE-2017-16650.html
   https://www.suse.com/security/cve/CVE-2017-16939.html
   https://bugzilla.suse.com/1047626
   https://bugzilla.suse.com/1059465
   https://bugzilla.suse.com/1066471
   https://bugzilla.suse.com/1066472
   https://bugzilla.suse.com/1069496
   https://bugzilla.suse.com/860993
   https://bugzilla.suse.com/975788

- --

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWiX0pox+lLeg9Ub1AQgEsA/+OyMP/WcfuPNaJRr2HMOKu+feSbtPaNbI
s2iCxqLwIzuTrHXiXob6uiDmI4ndsboaUQSHEfVtxR1N3kFLRwq1WuE9/9sS31c9
U46sEIG4eLeZoRB26AIAUGUKEcyGZ+FieRz7727swuPslBYt87rNquAaqphEPWlg
ICiNgr40KT4v6OTF2T9IL6Huu3bGqxDsUVd5cAKR/w2uihZTXU3Y1H0RmW1l4kqz
Dm3cKhKnKmjPQaE8Ktu6BA/RMzDQF4MGp2zv1I3V8S5Y72fyyGo9Sp/Xfnaw2v08
HLjxvXvNQGOhcKELnSQpuELilfnsHiCnDM/gqT0J1G57V9QRREDDu9hgiSWpAxh7
9PXEoSxxQUHQiHGzg+MqsD12AjRruvk85vB9/v5FEP79e+r7M8NJiuOxgzE28rCC
1rV/zDXQ6perhui4WrOxFo3Q8fyxdynhJHEQp9/c9IEaSCKj7HBk2NbZ9JarbJa0
I6ElAbjRO8/4cGqj8N6RVHVg5I9EoWJXPapEj2sXbpx10MDD1nZ+3YCdW+9v3eH3
h6I1xURoPKvnLw35bAgnQB1A588WAKRuqdsKXCI+JWW/HBZFT+dlCE7TYf7Lpqow
l5oPLxvlizv4+Vu3vz1xhHTHm680ZJ85v3yZLvbaDS3QMJYqEUvrzW4UkAssMoxn
ZP3JgXo83G8=
=mr65
-----END PGP SIGNATURE-----

« Back to bulletins