File _patchinfo of Package patchinfo.6912
<patchinfo incident="6912">
<issue id="1010470" tracker="bnc">VUL-0: CVE-2016-7915: kernel: Physically proximate attackers can cause DoS or read memory because of incomplete checks in hid_input_field</issue>
<issue id="1012382" tracker="bnc">Continuous stable update tracker for 4.4</issue>
<issue id="1045330" tracker="bnc">fcntl ignores /proc/sys/fs/pipe-max-size</issue>
<issue id="1062568" tracker="bnc">VUL-0: CVE-2017-12190: kernel: memory leak when merging buffers in SCSI IO vectors</issue>
<issue id="1063416" tracker="bnc">VUL-0: CVE-2017-15299: kernel: Incorrect updates of uninstantiated keys can cause DoS</issue>
<issue id="1066001" tracker="bnc">VUL-0: kernel: KEYCTL_READ writes past end of user supplied buffer</issue>
<issue id="1067118" tracker="bnc">VUL-0: CVE-2017-16644: kernel: The hdpvr_probe function allows local users to cause DoS (improper error handling and system crash)</issue>
<issue id="1068032" tracker="bnc">VUL-0: speculative side channel attacks on various CPU platforms aka "SpectreAttack" and "MeltdownAttack"</issue>
<issue id="1072689" tracker="bnc">shmctl(index, SHM_STAT, &buf) requires read permissions to read metadata of shm-segments</issue>
<issue id="1072865" tracker="bnc">VUL-0: CVE-2017-13166: kernel-source: An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167.</issue>
<issue id="1074488" tracker="bnc">VUL-0: CVE-2017-18017: kernel-source: tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c allows remote attackers to cause a denial of service</issue>
<issue id="1075617" tracker="bnc">VUL-0: CVE-2018-5333: kernel-source: In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL poin</issue>
<issue id="1075621" tracker="bnc">VUL-0: CVE-2018-5332: kernel-source: In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rd</issue>
<issue id="1077560" tracker="bnc">kaiser patches in 3.0, 3.12, 4.4 map kernel stack</issue>
<issue id="1078669" tracker="bnc">VUL-0: CVE-2017-16914: kernel-source: The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer der</issue>
<issue id="1078672" tracker="bnc">VUL-0: CVE-2017-16913: kernel-source: The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of</issue>
<issue id="1078673" tracker="bnc">VUL-0: CVE-2017-16912: kernel-source: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially</issue>
<issue id="1078674" tracker="bnc">VUL-1: CVE-2017-16911: kernel-source: The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attache</issue>
<issue id="1080255" tracker="bnc">VUL-0: CVE-2017-18017: kernel-source: tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c allows remote attackers to cause a denial of service - Request for SLES 11 SP3 LTSS</issue>
<issue id="1080464" tracker="bnc">KunLun Server Hotplug: page table corruption during hotplug test under stress test</issue>
<issue id="1080757" tracker="bnc">VUL-1: CVE-2018-6927: kernel-source: The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggeri</issue>
<issue id="1082299" tracker="bnc">Backport of shadow variables</issue>
<issue id="1083244" tracker="bnc">VUL-0: CVE-2017-18204: kernel-source: denial of service (deadlock) via DIO requests inside the ocfs2_setattr function in fs/ocfs2/file.c</issue>
<issue id="1083483" tracker="bnc">VUL-0: CVE-2018-7566: kernel-source: race condition in snd_seq_write() may lead to UAF or OOB-access</issue>
<issue id="1083494" tracker="bnc">VUL-0: CVE-2017-18208: kernel: The madvise_willneed function allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping</issue>
<issue id="1083640" tracker="bnc">VUL-0: CVE-2018-1066: kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel</issue>
<issue id="1084323" tracker="bnc">VUL-0: CVE-2017-18221: kernel: The __munlock_pagevec function allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall</issue>
<issue id="1085107" tracker="bnc">VUL-0: CVE-2018-1068: kernel: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets</issue>
<issue id="1085114" tracker="bnc">VUL-0: CVE-2018-1068: kernel live patch: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets</issue>
<issue id="1085279" tracker="bnc">Kernel crashes when 32-bit ldt_gdt selftest is run on x86_64</issue>
<issue id="1085447" tracker="bnc">VUL-0: CVE-2017-13166: kernel live patch: An elevation of privilege vulnerability in the kernel v4l2 video driver. Product: Android. Versions: Android kernel. Android ID A-34624167.</issue>
<issue id="2018-1068" tracker="cve" />
<issue id="2017-18221" tracker="cve" />
<issue id="2018-1066" tracker="cve" />
<issue id="2017-13166" tracker="cve" />
<issue id="2017-16911" tracker="cve" />
<issue id="2017-15299" tracker="cve" />
<issue id="2017-18208" tracker="cve" />
<issue id="2018-7566" tracker="cve" />
<issue id="2017-18204" tracker="cve" />
<issue id="2017-16644" tracker="cve" />
<issue id="2018-6927" tracker="cve" />
<issue id="2017-16914" tracker="cve" />
<issue id="2016-7915" tracker="cve" />
<issue id="2017-12190" tracker="cve" />
<issue id="2017-16912" tracker="cve" />
<issue id="2017-16913" tracker="cve" />
<issue id="2018-5332" tracker="cve" />
<issue id="2018-5333" tracker="cve" />
<issue id="2017-18017" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>alnovak</packager>
<reboot_needed/>
<description>
The SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2018-1068: Fixed a flaw in the implementation of the 32-bit syscall interface
for bridging. This allowed a privileged user to arbitrarily write to a limited
range of kernel memory (bnc#1085107).
- CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a
denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall
and munlockall system calls (bnc#1084323).
- CVE-2018-1066: Prevent NULL pointer dereference in
fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a
CIFS server to kernel panic a client that has this server mounted, because an
empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled
during session recovery (bnc#1083640).
- CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel
v4l2 video driver (bnc#1072865).
- CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
kernel memory addresses. Successful exploitation required that a USB device was
attached over IP (bnc#1078674).
- CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that
already exists but is uninstantiated, which allowed local users to cause a
denial of service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted system call (bnc#1063416).
- CVE-2017-18208: The madvise_willneed function in the kernel allowed local users to
cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED
for a DAX mapping (bnc#1083494).
- CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand
by invoking snd_seq_pool_init() when the first write happens and the pool is
empty. A user could have reset the pool size manually via ioctl concurrently,
which may have led to a UAF or out-of-bounds access (bsc#1083483).
- CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a
denial of service (deadlock) via DIO requests (bnc#1083244).
- CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
denial of service (improper error handling and system crash) or possibly have
unspecified other impact via a crafted USB device (bnc#1067118).
- CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial
of service (integer overflow) or possibly have unspecified other impact by
triggering a negative wake or requeue value (bnc#1080757).
- CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers to
cause a denial of service (NULL pointer dereference) via a specially crafted
USB over IP packet (bnc#1078669).
- CVE-2016-7915: The hid_input_field function allowed physically proximate
attackers to obtain sensitive information from kernel memory or cause a denial
of service (out-of-bounds read) by connecting a device (bnc#1010470).
- CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
unbalanced refcounting when a SCSI I/O vector had small consecutive buffers
belonging to the same page. The bio_add_pc_page function merged them into one,
but the page reference was never dropped. This caused a memory leak and
possible system lockup (exploitable against the host OS by a guest OS user, if
a SCSI disk is passed through to a virtual machine) due to an out-of-memory
condition (bnc#1062568).
- CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a denial
of service (out-of-bounds read) via a specially crafted USB over IP packet
(bnc#1078673).
- CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
CMD_SUBMIT packets allowed attackers to cause a denial of service (arbitrary
memory allocation) via a specially crafted USB over IP packet (bnc#1078672).
- CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a value
that is used during DMA page allocation, leading to a heap-based out-of-bounds
write (related to the rds_rdma_extra_size function in net/rds/rdma.c)
(bnc#1075621).
- CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
cases where page pinning fails or an invalid address is supplied, leading to an
rds_atomic_free_op NULL pointer dereference (bnc#1075617).
- CVE-2017-18017: The tcpmss_mangle_packet function allowed remote attackers to
cause a denial of service (use-after-free and memory corruption) or possibly
have unspecified other impact by leveraging the presence of xt_TCPMSS in an
iptables action (bnc#1074488).
The following non-security bugs were fixed:
- Fix build on arm64 by defining empty gmb() (bnc#1068032).
- KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
- KEYS: fix writing past end of user-supplied buffer in keyring_read() (bsc#1066001).
- KEYS: return full count in keyring_read() if buffer is too small (bsc#1066001).
- include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header (bsc#1077560).
- ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
- ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
- ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
- x86/kaiser: use trampoline stack for kernel entry (bsc#1077560).
- leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
- livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow variables support (bsc#1082299).
- livepatch: introduce shadow variable API. Shadow variables support (bsc#1082299).
- media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF (bnc#1012382).
- media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 (bnc#1012382).
- media: v4l2-compat-ioctl32.c: do not copy back the result for certain errors (bnc#1012382).
- media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type (bnc#1012382).
- media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
- media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 (bnc#1012382).
- media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
- media: v4l2-ioctl.c: do not copy back the result for -ENOTTY (bnc#1012382).
- netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets (bsc#1085107).
- netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
- packet: only call dev_add_pack() on freshly allocated fanout instances.
- pipe: cap initial pipe capacity according to pipe-max-size limit (bsc#1045330).
- x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).
</description>
<summary>Security update for the Linux Kernel</summary>
</patchinfo>