ESB-2018.0962 - [SUSE] kernel: Multiple vulnerabilities 2018-04-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0962
        SUSE Security Update: Security update for the Linux Kernel
                               3 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7566 CVE-2018-6927 CVE-2018-5333
                   CVE-2018-5332 CVE-2018-1068 CVE-2018-1066
                   CVE-2017-18221 CVE-2017-18208 CVE-2017-18204
                   CVE-2017-18017 CVE-2017-16914 CVE-2017-16913
                   CVE-2017-16912 CVE-2017-16911 CVE-2017-16644
                   CVE-2017-15299 CVE-2017-13166 CVE-2017-12190
                   CVE-2016-7915  

Reference:         ASB-2016.0103
                   ESB-2018.0844
                   ESB-2018.0505
                   ESB-2018.0430
                   ESB-2018.0392

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20180848-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0848-1
Rating:             important
References:         #1010470 #1012382 #1045330 #1055755 #1062568 
                    #1063416 #1066001 #1067118 #1068032 #1072689 
                    #1072865 #1074488 #1075617 #1075621 #1077182 
                    #1077560 #1077779 #1078669 #1078672 #1078673 
                    #1078674 #1080255 #1080287 #1080464 #1080757 
                    #1081512 #1082299 #1083244 #1083483 #1083494 
                    #1083640 #1084323 #1085107 #1085114 #1085447 
                    
Cross-References:   CVE-2016-7915 CVE-2017-12190 CVE-2017-13166
                    CVE-2017-15299 CVE-2017-16644 CVE-2017-16911
                    CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
                    CVE-2017-18017 CVE-2017-18204 CVE-2017-18208
                    CVE-2017-18221 CVE-2018-1066 CVE-2018-1068
                    CVE-2018-5332 CVE-2018-5333 CVE-2018-6927
                    CVE-2018-7566
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that solves 19 vulnerabilities and has 16 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-1068: Fixed a flaw in the implementation of the 32-bit (compat)
     syscall interface for bridging (ebtables). This allowed a privileged user
     to arbitrarily write to a limited range of kernel memory (bnc#1085107).
   - CVE-2017-18221: The __munlock_pagevec function allowed local users to
     cause a denial of service (NR_MLOCK accounting corruption) via crafted
     use of mlockall and munlockall system calls (bnc#1084323).
   - CVE-2018-1066: Prevent a NULL pointer dereference in
     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker
     controlling a CIFS server to panic the kernel of a client that has this
     server mounted, because an empty TargetInfo field in an NTLMSSP setup
     negotiation response was mishandled during session recovery
     (bnc#1083640).
   - CVE-2017-13166: Prevent elevation of privilege vulnerability in the
     kernel v4l2 video driver (bnc#1072865).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation required that a USB
     device was attached over IP (bnc#1078674).
   - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key
     that already exists but is uninstantiated, which allowed local users to
     cause a denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact via a crafted system call
     (bnc#1063416).
   - CVE-2017-18208: The madvise_willneed function in the kernel allowed local
     users to cause a denial of service (infinite loop) by triggering use of
     MADV_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2018-7566: The ALSA sequencer core initialized the event pool on
     demand by invoking snd_seq_pool_init() when the first write happened and
     the pool was empty. A user could concurrently reset the pool size via
     ioctl, which may have led to a use-after-free or out-of-bounds access
     (bsc#1083483).
   - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause
     a denial of service (deadlock) via DIO requests (bnc#1083244).
   - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function allowed attackers to cause a
     denial of service (integer overflow) or possibly have unspecified other
     impact by triggering a negative wake or requeue value (bnc#1080757).
   - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers
     to cause a denial of service (NULL pointer dereference) via a specially
     crafted USB over IP packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function allowed physically proximate
     attackers to obtain sensitive information from kernel memory or cause a
     denial of service (out-of-bounds read) by connecting a device
     (bnc#1010470).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
     unbalanced refcounting when a SCSI I/O vector had small consecutive
     buffers belonging to the same page. The bio_add_pc_page function merged
     them into one, but the page reference was never dropped. This caused a
     memory leak and possible system lockup (exploitable against the host OS
     by a guest OS user, if a SCSI disk is passed through to a virtual
     machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a
     denial of service (out-of-bounds read) via a specially crafted USB over IP
     packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
     CMD_SUBMIT packets allowed attackers to cause a denial of service
     (arbitrary memory allocation) via a specially crafted USB over IP packet
     (bnc#1078672).
   - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a
     value that is used during DMA page allocation, leading to a heap-based
     out-of-bounds write (related to the rds_rdma_extra_size function in
     net/rds/rdma.c) (bnc#1075621).
   - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
     cases where page pinning fails or an invalid address is supplied,
     leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
   - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote
     attackers to cause a denial of service (use-after-free and memory
     corruption) or possibly have unspecified other impact by leveraging the
     presence of xt_TCPMSS in an iptables action (bnc#1074488).
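
   Many of the bugs above live in loadable modules (USB over IP, RDS, OCFS2,
   CIFS, xt_TCPMSS, the ALSA sequencer, hdpvr, ebtables, V4L2) and are only
   reachable on a host where that module is loaded, which is useful for
   ordering the roll-out. The script below is an added example and is not part
   of the SUSE advisory: it takes `lsmod` output and prints the CVEs from this
   update whose module is loaded. The module-to-CVE mapping is this editor's
   reading of the descriptions above together with where that code lives in
   the kernel tree; bugs in core code (futex, mlock/munlock, madvise, KEYS,
   the bio layer, HID) need no module and are always in scope. The lsmod text
   at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: from `lsmod` output, list the
# CVEs in this update whose vulnerable code lives in a loadable module that is
# actually loaded. The module names are the editor's mapping from the CVE
# descriptions (vhci_hcd / usbip_host for USB over IP, rds, ocfs2, cifs,
# xt_TCPMSS, snd_seq, hdpvr, ebtables, videodev for the v4l2 compat ioctls).
# Core-kernel bugs (futex, mlock, madvise, KEYS, bio, HID) need no module and
# are not listed here. The lsmod text at the bottom is constructed.

# module_cves MODULE: print the CVEs reachable only through that module.
# Unknown modules print nothing and still succeed, so the loop below is
# safe under `set -e`.
module_cves() {
  case "$1" in
    vhci_hcd)   echo "CVE-2017-16911" ;;
    usbip_host) echo "CVE-2017-16912 CVE-2017-16913 CVE-2017-16914" ;;
    rds)        echo "CVE-2018-5332 CVE-2018-5333" ;;
    ocfs2)      echo "CVE-2017-18204" ;;
    cifs)       echo "CVE-2018-1066" ;;
    xt_TCPMSS)  echo "CVE-2017-18017" ;;
    snd_seq)    echo "CVE-2018-7566" ;;
    hdpvr)      echo "CVE-2017-16644" ;;
    ebtables)   echo "CVE-2018-1068" ;;
    videodev)   echo "CVE-2017-13166" ;;
  esac
}

# exposed_cves LSMOD_OUTPUT: one CVE per line, sorted and de-duplicated.
# The first lsmod line is the "Module  Size  Used by" header and is skipped.
exposed_cves() {
  printf '%s\n' "$1" \
    | awk 'NR > 1 { print $1 }' \
    | while read -r mod; do module_cves "$mod"; done \
    | tr ' ' '\n' \
    | grep . \
    | sort -u
}

# Constructed sample output of `lsmod` (not from a real host).
SAMPLE_LSMOD="Module                  Size  Used by
cifs                  498901  2
rds                   118785  0
xt_TCPMSS               4367  1
ext4                  544423  1"

exposed_cves "$SAMPLE_LSMOD"
# On a live host: exposed_cves "$(lsmod)"
```

   A module that is not loaded now can still be auto-loaded later (for
   example, mounting a CIFS share pulls in cifs), so an empty result lowers
   the priority of a host but does not make the update optional.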

   The following non-security bugs were fixed:

   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: fix writing past end of user-supplied buffer in keyring_read()
     (bsc#1066001).
   - KEYS: return full count in keyring_read() if buffer is too small
     (bsc#1066001).
   - NFS: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779).
   - btrfs: qgroup: move noisy underflow warning to debugging build
     (bsc#1055755 and bsc#1080287).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow
     variables support (bsc#1082299).
   - livepatch: introduce shadow variable API. Shadow variables support
     (bsc#1082299)
   - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: do not copy back the result for certain
     errors (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: move 'helper' functions to
     __get/put_v4l2_format32 (bnc#1012382).
   - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
   - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY
     (bnc#1012382).
   - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets
     (bsc#1085107).
   - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
   - packet: only call dev_add_pack() on freshly allocated fanout instances
   - pipe: cap initial pipe capacity according to pipe-max-size limit
     (bsc#1045330).
   - powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032,
     bsc#1077182).
   - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
     (bsc#1081512).
   - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - rfi-flush: Move the logic to avoid a redo into the debugfs code
     (bsc#1068032, bsc#1077182).
   - rfi-flush: Switch to new linear fallback flush (bsc#1068032,
     bsc#1077182).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:

      zypper in -t patch SUSE-OpenStack-Cloud-6-2018-568=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-568=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-568=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-568=1



Package List:

   - SUSE OpenStack Cloud 6 (x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1
      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE OpenStack Cloud 6 (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x):

      kernel-default-man-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.74-60.64.85.1
      kernel-ec2-debuginfo-3.12.74-60.64.85.1
      kernel-ec2-debugsource-3.12.74-60.64.85.1
      kernel-ec2-devel-3.12.74-60.64.85.1
      kernel-ec2-extra-3.12.74-60.64.85.1
      kernel-ec2-extra-debuginfo-3.12.74-60.64.85.1

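   Installing the packages above does not by itself protect a host: the new
   kernel is only in effect after a reboot into it. The script below is an
   added example and is not part of the SUSE advisory. It classifies a SLES 12
   SP1 host as protected, reboot-required or vulnerable with respect to this
   update, using the kernel-default/kernel-xen/kernel-ec2 version from the
   package list above, the output of `uname -r`, and the output of
   `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' kernel-default kernel-xen kernel-ec2`.
   The values in the usage call at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: classify a SLES 12 SP1 host as
# protected, reboot-required or vulnerable with respect to this update. The
# fixed version is the kernel-default/kernel-xen/kernel-ec2 version from the
# package list; inputs are `uname -r` and the installed kernel package NEVRs
# from: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' kernel-default kernel-xen kernel-ec2
# The values used in the usage call at the bottom are constructed.

FIXED_VERSION="3.12.74-60.64.85.1"

# Turn "3.12.74-60.64.85-default" (uname -r) or "3.12.74-60.64.85.1" (rpm
# version-release) into a plain dotted number string that sort -V can order.
normalize_version() {
  printf '%s\n' "$1" | sed -E 's/-(default|xen|ec2)$//; s/-/./g'
}

# version_ge A B: succeeds when version A is greater than or equal to B.
version_ge() {
  a=$(normalize_version "$1")
  b=$(normalize_version "$2")
  [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)" = "$b" ]
}

# running_kernel_is_fixed UNAME_R: the booted kernel is at least the fixed
# base version. uname -r never carries the trailing rpm rebuild counter (".1"),
# so compare against FIXED_VERSION with that counter removed.
running_kernel_is_fixed() {
  version_ge "$1" "${FIXED_VERSION%.*}"
}

# installed_kernel_is_fixed "PKG PKG ...": some installed kernel image package
# (kernel-default, kernel-xen or kernel-ec2; not -base/-devel) is at or above
# FIXED_VERSION. Several kernel versions may be installed side by side, and
# rpm's "package kernel-xen is not installed" words do not match the patterns.
installed_kernel_is_fixed() {
  for pkg in $1; do
    case "$pkg" in
      kernel-default-[0-9]*|kernel-xen-[0-9]*|kernel-ec2-[0-9]*)
        ver=$(printf '%s\n' "$pkg" | sed -E 's/^kernel-(default|xen|ec2)-//')
        if version_ge "$ver" "$FIXED_VERSION"; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# assess UNAME_R "PKG PKG ...": print one word.
#   protected       - the fixed kernel is the one currently running
#   reboot-required - the fixed package is installed but an older kernel is booted
#   vulnerable      - no fixed kernel image package is installed
assess() {
  if running_kernel_is_fixed "$1"; then
    echo protected
  elif installed_kernel_is_fixed "$2"; then
    echo reboot-required
  else
    echo vulnerable
  fi
}

# Constructed sample: the fixed package is installed, an older kernel is booted.
assess "3.12.74-60.64.82-default" \
  "kernel-default-3.12.74-60.64.82.1 kernel-default-3.12.74-60.64.85.1"
# On a real host:
#   assess "$(uname -r)" "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' \
#       kernel-default kernel-xen kernel-ec2 | tr '\n' ' ')"
```

   A host reported as reboot-required may already be covered for some of these
   CVEs by a kGraft live patch; this script does not inspect live patches, so
   on kGraft-enabled systems check the kgr tool (kgr status) before deciding
   the reboot can wait.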

References:

   https://www.suse.com/security/cve/CVE-2016-7915.html
   https://www.suse.com/security/cve/CVE-2017-12190.html
   https://www.suse.com/security/cve/CVE-2017-13166.html
   https://www.suse.com/security/cve/CVE-2017-15299.html
   https://www.suse.com/security/cve/CVE-2017-16644.html
   https://www.suse.com/security/cve/CVE-2017-16911.html
   https://www.suse.com/security/cve/CVE-2017-16912.html
   https://www.suse.com/security/cve/CVE-2017-16913.html
   https://www.suse.com/security/cve/CVE-2017-16914.html
   https://www.suse.com/security/cve/CVE-2017-18017.html
   https://www.suse.com/security/cve/CVE-2017-18204.html
   https://www.suse.com/security/cve/CVE-2017-18208.html
   https://www.suse.com/security/cve/CVE-2017-18221.html
   https://www.suse.com/security/cve/CVE-2018-1066.html
   https://www.suse.com/security/cve/CVE-2018-1068.html
   https://www.suse.com/security/cve/CVE-2018-5332.html
   https://www.suse.com/security/cve/CVE-2018-5333.html
   https://www.suse.com/security/cve/CVE-2018-6927.html
   https://www.suse.com/security/cve/CVE-2018-7566.html
   https://bugzilla.suse.com/1010470
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1045330
   https://bugzilla.suse.com/1055755
   https://bugzilla.suse.com/1062568
   https://bugzilla.suse.com/1063416
   https://bugzilla.suse.com/1066001
   https://bugzilla.suse.com/1067118
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1072689
   https://bugzilla.suse.com/1072865
   https://bugzilla.suse.com/1074488
   https://bugzilla.suse.com/1075617
   https://bugzilla.suse.com/1075621
   https://bugzilla.suse.com/1077182
   https://bugzilla.suse.com/1077560
   https://bugzilla.suse.com/1077779
   https://bugzilla.suse.com/1078669
   https://bugzilla.suse.com/1078672
   https://bugzilla.suse.com/1078673
   https://bugzilla.suse.com/1078674
   https://bugzilla.suse.com/1080255
   https://bugzilla.suse.com/1080287
   https://bugzilla.suse.com/1080464
   https://bugzilla.suse.com/1080757
   https://bugzilla.suse.com/1081512
   https://bugzilla.suse.com/1082299
   https://bugzilla.suse.com/1083244
   https://bugzilla.suse.com/1083483
   https://bugzilla.suse.com/1083494
   https://bugzilla.suse.com/1083640
   https://bugzilla.suse.com/1084323
   https://bugzilla.suse.com/1085107
   https://bugzilla.suse.com/1085114
   https://bugzilla.suse.com/1085447

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWsMBxIx+lLeg9Ub1AQjNzA/+OAk+++lBVtJOWDqc40f9mwsD180eFmfi
wjSVtKkdZhTS76frT/yQS2sxtBBI4y7Cv/ntTbimmXMRPkW4rppArsU4ixjnXgJ5
MowAR+LtaecZJ6PyIC6Nr1as0F27tu2pmDAEzZO24WAza6TPqNf0JVaT01GXyj35
JlplS35vmAVywOztbBGpyoMQVMeRYMCM7IPqkr7R7J3opYHzTvW0cRQ6p58gHIoI
HBMpk7fiztFmuFqtguAJb3elFMe54yh00B8Z6CBU820yRKTib2c0OEJVYBTMO5cM
QPoR3T3K7DC5L5HNYrq1rPNGH3DrjjVhDUW/K0W5AG24Lo322Tq+rfJ3OuW0lAVj
HO4IMtlgilUsYs8rwnQJsHT5rNO8rNYWMI9jxwKlZRxg6l9dvv2ocDGvt5h3llky
gwNo2MURW11/WRQvmKNAsW9qyvIrc+f9NSRakqH9S4ueUMKPw/DzWXWYGHE9AH7+
V58jyibHVOLOLcKmijBK8Bdeq/26Wdq3hNJB2lMUEj+mv8hWr0i8dCvzh4VK/rlp
hHkjtGRDOXI6Kk/9aPLaR3WN1OtKpExlLD3T03JMDyzlFbn6xzqK+13/d9w1carO
CcZPMVFTUM0za0LN+eyaYdCYQJ0SgHA3jIE/1xbinRsvbsJjTQINFow3H8WXzxUa
yGvj/bPiu+0=
=PnZN
-----END PGP SIGNATURE-----
