File _patchinfo of Package patchinfo.10047

<patchinfo incident="10047">
  <issue tracker="bnc" id="1121753">command "top" shows old summary data from initial boot for %CPU(s)</issue>
  <issue tracker="bnc" id="1092100">VUL-0: CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126: procps: Multiple issues found by qualys</issue>
  <issue tracker="cve" id="2018-1126"/>
  <issue tracker="cve" id="2018-1125"/>
  <issue tracker="cve" id="2018-1124"/>
  <issue tracker="cve" id="2018-1123"/>
  <issue tracker="cve" id="2018-1122"/>
  <category>security</category>
  <rating>important</rating>
  <packager>WernerFink</packager>
  <description>
  
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
  with HOME unset in an attacker-controlled directory, the attacker could have
  achieved privilege escalation by exploiting one of several vulnerabilities in
  the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps mapped a guard page at the end of the overflowed
  buffer, ensuring that the impact of this flaw is limited to a crash (temporary
  denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to heap corruption
  in the file2strvec function. This allowed a privilege escalation for a
  local attacker who can create entries in procfs by starting processes, which
  could result in crashes or arbitrary code execution in proc utilities run by
  other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
  mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
  truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)

Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)
</description>
  <summary>Security update for procps</summary>
</patchinfo>