ESB-2018.2665 - [SUSE] linux kernel: Multiple vulnerabilities 2018-09-07

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2665
                   Security update for the Linux Kernel
                             7 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise          -- Existing Account      
                   Access Privileged Data   -- Remote/Unauthenticated
                   Create Arbitrary Files   -- Existing Account      
                   Denial of Service        -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000204 CVE-2018-13406 CVE-2018-13053
                   CVE-2018-12233 CVE-2018-7492 CVE-2018-5814
                   CVE-2018-5803 CVE-2018-3646 CVE-2018-3620
                   CVE-2018-1130 CVE-2018-1068 CVE-2017-13305
                   CVE-2016-8405  

Reference:         ASB-2018.0204
                   ESB-2018.2612
                   ESB-2018.0923
                   ESB-2018.0844

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182637-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2637-1
Rating:             important
References:         #1015828 #1037441 #1047487 #1082962 #1083900 
                    #1085107 #1087081 #1089343 #1092904 #1093183 
                    #1094353 #1096480 #1096728 #1097125 #1097234 
                    #1097562 #1098016 #1098658 #1099709 #1099924 
                    #1099942 #1100091 #1100132 #1100418 #1102087 
                    #1103884 #1103909 #1104365 #1104475 #1104684 
                    #909361 
Cross-References:   CVE-2016-8405 CVE-2017-13305 CVE-2018-1000204
                    CVE-2018-1068 CVE-2018-1130 CVE-2018-12233
                    CVE-2018-13053 CVE-2018-13406 CVE-2018-3620
                    CVE-2018-3646 CVE-2018-5803 CVE-2018-5814
                    CVE-2018-7492
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 13 vulnerabilities and has 18 fixes
   is now available.

Description:



   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2016-8405: An information disclosure vulnerability in kernel
     components including the ION subsystem, Binder, USB driver and
     networking subsystem could enable a local malicious application to
     access data outside of its permission levels. (bnc#1099942).
   - CVE-2017-13305: A information disclosure vulnerability was fixed in the
     encrypted-keys handling. (bnc#1094353).
   - CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device lead
     to a local kernel data leak manifesting in up to approximately 1000
     memory pages copied to the userspace. The problem has limited scope as
     non-privileged users usually have no permissions to access SCSI device
     files. (bnc#1096728).
   - CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall
     interface for bridging. This allowed a privileged user to arbitrarily
     write to a limited range of kernel memory (bnc#1085107).
   - CVE-2018-1130: Linux kernel was vulnerable to a null pointer dereference
     in dccp_write_xmit() function in net/dccp/output.c in that allowed a
     local user to cause a denial of service by a number of certain crafted
     system calls (bnc#1092904).
   - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c a memory
     corruption bug in JFS could be triggered by calling setxattr twice with
     two different extended attribute names on the same file. This
     vulnerability can be triggered by an unprivileged user with the ability
     to create files and execute programs. A kmalloc call is incorrect,
     leading to slab-out-of-bounds in jfs_xattr (bnc#1097234).
   - CVE-2018-13053: The alarm_timer_nsleep function in
     kernel/time/alarmtimer.c had an integer overflow via a large relative
     timeout because ktime_add_safe is not used (bnc#1099924).
   - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in
     drivers/video/fbdev/uvesafb.c could result in local attackers being able
     to crash the kernel or potentially elevate privileges because
     kmalloc_array is not used (bnc#1098016 bnc#1100418).
   - CVE-2018-3620: Systems with microprocessors utilizing speculative
     execution and address translations may allow unauthorized disclosure of
     information residing in the L1 data cache to an attacker with local user
     access via a terminal page fault and a side-channel analysis
     (bnc#1087081).
   - CVE-2018-3646: Systems with microprocessors utilizing speculative
     execution and address translations may allow unauthorized disclosure of
     information residing in the L1 data cache to an attacker with local user
     access with guest OS privilege via a terminal page fault and a
     side-channel analysis (bnc#1089343 bnc#1104365).
   - CVE-2018-5803: An error in the "_sctp_make_chunk()" function
     (net/sctp/sm_make_chunk.c) when handling SCTP packets length could be
     exploited to cause a kernel crash (bnc#1083900).
   - CVE-2018-5814: Multiple race condition errors when handling probe,
     disconnect, and rebind operations can be exploited to trigger a
     use-after-free condition or a NULL pointer dereference by sending
     multiple USB over IP packets (bnc#1096480).
   - CVE-2018-7492: A NULL pointer dereference was found in the
     net/rds/rdma.c __rds_rdma_map() function allowed local attackers to
     cause a system panic and a denial-of-service, related to RDS_GET_MR and
     RDS_GET_MR_FOR_DEST (bnc#1082962).

   The following non-security bugs were fixed:

   - usb: add USB_DEVICE_INTERFACE_CLASS macro (bsc#1047487).
   - usb: hub: fix non-SS hub-descriptor handling (bsc#1047487).
   - usb: kobil_sct: fix non-atomic allocation in write path (bsc#1015828).
   - usb: serial: ftdi_sio: fix latency-timer error handling (bsc#1037441).
   - usb: serial: io_edgeport: fix NULL-deref at open (bsc#1015828).
   - usb: serial: io_edgeport: fix possible sleep-in-atomic (bsc#1037441).
   - usb: serial: keyspan_pda: fix modem-status error handling (bsc#1100132).
   - usb: visor: Match I330 phone more precisely (bsc#1047487).
   - cpu/hotplug: Add sysfs state interface (bsc#1089343).
   - cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
   - cpu/hotplug: Provide knobs to control SMT (bsc#1089343).
   - cpu/hotplug: Split do_cpu_down() (bsc#1089343).
   - disable prot_none native mitigation (bnc#1104684)
   - drm/i915: fix use-after-free in page_flip_completed() (bsc#1103909).
   - drm: re-enable error handling (bsc#1103884)
   - efivarfs: maintain the efivarfs interfaces when sysfs be created and
     removed (bsc#1097125).
   - fix pgd underflow (bnc#1104475) custom walk_page_range rework was
     incorrect and could underflow pgd if the given range was below a first
     vma.
   - kthread, tracing: Do not expose half-written comm when creating kthreads
     (Git-fixes).
   - nvme: add device id's with intel stripe quirk (bsc#1097562).
   - perf/core: Fix group scheduling with mixed hw and sw events (Git-fixes).
   - perf/x86/intel: Handle Broadwell family processors (bsc#1093183).
   - s390/qeth: fix IPA command submission race (bnc#1099709, LTC#169004).
   - scsi: zfcp: fix infinite iteration on ERP ready list (bnc#1102087,
     LTC#168038).
   - scsi: zfcp: fix misleading REC trigger trace where erp_action setup
     failed (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
     (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
     (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early
     return (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for
     ERP_FAILED (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
     (bnc#1102087, LTC#168765).
   - scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
     (bnc#1102087, LTC#168765).
   - series.conf: Remove trailing whitespaces
   - slab: introduce kmalloc_array() (bsc#909361).
   - smsc75xx: Add workaround for gigabit link up hardware errata
     (bsc#1100132).
   - x64/entry: move ENABLE_IBRS after switching from trampoline stack
     (bsc#1098658).
   - x86/CPU/AMD: Do not check CPUID max ext level before parsing SMP info
     (bsc#1089343).
   - x86/CPU/AMD: Move TOPOEXT reenablement before reading smp_num_siblings
     (bsc#1089343).
   - x86/apic: Ignore secondary threads if nosmt=force (bsc#1089343).
   - x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
   - x86/cpu/AMD: Evaluate smp_num_siblings early (bsc#1089343).
   - x86/cpu/AMD: Remove the pointless detect_ht() call (bsc#1089343).
   - x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
   - x86/cpu/intel: Evaluate smp_num_siblings early (bsc#1089343).
   - x86/cpu/topology: Provide detect_extended_topology_early() (bsc#1089343).
   - x86/cpu: Remove the pointless CPU printout (bsc#1089343).
   - x86/fpu: fix signal handling with eager FPU switching (bsc#1100091).
   - x86/mm: Simplify p[g4um]d_page() macros (bnc#1087081, bnc#1104684).
   - x86/smp: Provide topology_is_primary_thread() (bsc#1089343).
   - x86/smpboot: Do not use smp_num_siblings in __max_logical_packages
     calculation (bsc#1089343).
   - x86/topology: Add topology_max_smt_threads() (bsc#1089343).
   - x86/topology: Provide topology_smt_supported() (bsc#1089343).
   - x86/traps: Fix bad_iret_stack in fixup_bad_iret() (bsc#1098658).
   - x86/traps: add missing kernel CR3 switch in bad_iret path (bsc#1098658).
   - xen/x86/cpu/common: Provide detect_ht_early() (bsc#1089343).
   - xen/x86/cpu/topology: Provide detect_extended_topology_early()
     (bsc#1089343).
   - xen/x86/cpu: Remove the pointless CPU printout (bsc#1089343).
   - xhci: xhci-mem: off by one in xhci_stream_id_to_ring() (bsc#1100132).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-kernel-rt-20180827-13770=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-rt-20180827-13770=1



Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-69.33.1
      kernel-rt-base-3.0.101.rt130-69.33.1
      kernel-rt-devel-3.0.101.rt130-69.33.1
      kernel-rt_trace-3.0.101.rt130-69.33.1
      kernel-rt_trace-base-3.0.101.rt130-69.33.1
      kernel-rt_trace-devel-3.0.101.rt130-69.33.1
      kernel-source-rt-3.0.101.rt130-69.33.1
      kernel-syms-rt-3.0.101.rt130-69.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-69.33.1
      kernel-rt-debugsource-3.0.101.rt130-69.33.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-69.33.1
      kernel-rt_debug-debugsource-3.0.101.rt130-69.33.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-69.33.1
      kernel-rt_trace-debugsource-3.0.101.rt130-69.33.1


References:

   https://www.suse.com/security/cve/CVE-2016-8405.html
   https://www.suse.com/security/cve/CVE-2017-13305.html
   https://www.suse.com/security/cve/CVE-2018-1000204.html
   https://www.suse.com/security/cve/CVE-2018-1068.html
   https://www.suse.com/security/cve/CVE-2018-1130.html
   https://www.suse.com/security/cve/CVE-2018-12233.html
   https://www.suse.com/security/cve/CVE-2018-13053.html
   https://www.suse.com/security/cve/CVE-2018-13406.html
   https://www.suse.com/security/cve/CVE-2018-3620.html
   https://www.suse.com/security/cve/CVE-2018-3646.html
   https://www.suse.com/security/cve/CVE-2018-5803.html
   https://www.suse.com/security/cve/CVE-2018-5814.html
   https://www.suse.com/security/cve/CVE-2018-7492.html
   https://bugzilla.suse.com/1015828
   https://bugzilla.suse.com/1037441
   https://bugzilla.suse.com/1047487
   https://bugzilla.suse.com/1082962
   https://bugzilla.suse.com/1083900
   https://bugzilla.suse.com/1085107
   https://bugzilla.suse.com/1087081
   https://bugzilla.suse.com/1089343
   https://bugzilla.suse.com/1092904
   https://bugzilla.suse.com/1093183
   https://bugzilla.suse.com/1094353
   https://bugzilla.suse.com/1096480
   https://bugzilla.suse.com/1096728
   https://bugzilla.suse.com/1097125
   https://bugzilla.suse.com/1097234
   https://bugzilla.suse.com/1097562
   https://bugzilla.suse.com/1098016
   https://bugzilla.suse.com/1098658
   https://bugzilla.suse.com/1099709
   https://bugzilla.suse.com/1099924
   https://bugzilla.suse.com/1099942
   https://bugzilla.suse.com/1100091
   https://bugzilla.suse.com/1100132
   https://bugzilla.suse.com/1100418
   https://bugzilla.suse.com/1102087
   https://bugzilla.suse.com/1103884
   https://bugzilla.suse.com/1103909
   https://bugzilla.suse.com/1104365
   https://bugzilla.suse.com/1104475
   https://bugzilla.suse.com/1104684
   https://bugzilla.suse.com/909361

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5HW3WaOgq3Tt24GAQg/QxAArbYvSm2HHBV3TXlzvBVjgW81bMzw0whu
nGueTleIBgOUqh+k9RuGZz+3aeGj4Ny7ooPKz7AY+4W4yn5fO/ekO52Li6tAgmTX
bKhOikE4C/pttdoLo65LKusFwQUKU+Czl7o/XpKKpldytofc9sO+8HfXzRZo9UnX
xg3ZluJvpAhAkiWh5odDkogc0W0kgDIx1BzBTtQluZ7CSFa8wFIz1vxc/U5SK7FO
U7DB0u8L5aAR/BjSXC9mutnMzFUUC3uU8yTj7K6U7638l3KzKPgtqDZn3KpZSFi4
d1P4rseHsA68/VEpstRixh2ChV0YXZrJgyL3LLNZmHoSkPqMYKQKzpzZvF9zwFBJ
daIPQjyNRLko3n0kB2Riy6Lz1FP7xumn7VkFeBJk/kkQghcXhGtNuFO5filS1Ryi
7Wcj8COooARAY6X+nIoC0KZsiQKja3cJaXRtMrOOuPOurnQMmwRKMAKCA0SaC5dF
1Ysh4USb25qA2Am45DCuq5vRlc7XHCMGCJd4k+LYITHCuG3Yxdet+LxmX8hoFWdK
ZRQ5UPEVWg6iSdErvrIKKzHLJOpzYVd9mFsFiUDCZ1KX6JBx/oFpac9dEktxY84t
ehmiW0PMGTvTU9dPqGAL4Fd1/yoFNgtaticb+aNkaS26ofcfZj7xfOXQu4/o0Zev
Ol5F7Gid3Ok=
=UBMk
-----END PGP SIGNATURE-----

« Back to bulletins