File _patchinfo of Package patchinfo.4595
<patchinfo incident="4595">
<issue id="1003077" tracker="bnc">VUL-0: CVE-2016-7117: kernel: use after free in the recvmmsg exit path</issue>
<issue id="1015703" tracker="bnc">VUL-0: CVE-2016-9588: kernel: kvm: nVMX: uncaught software exceptions in L1 guest lead to DoS</issue>
<issue id="1021256" tracker="bnc">VUL-0: CVE-2017-5549: kernel-source: USB: serial: kl5kusb105: fix line-state error handling</issue>
<issue id="1021762" tracker="bnc">L3-Question: lockups during reboots</issue>
<issue id="1023377" tracker="bnc">VUL-0: CVE-2016-10208: kernel-source: EXT4 Memory Corruption / SLAB-Out-of-Bounds Read [OS-S 2016-22]</issue>
<issue id="1023762" tracker="bnc">VUL-0: CVE-2017-5897: kernel-source: ip6_gre: invalid reads in ip6gre_err()</issue>
<issue id="1023992" tracker="bnc">VUL-0: CVE-2016-10044: kernel-source: The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execu...</issue>
<issue id="1024938" tracker="bnc">VUL-0: CVE-2017-5970: kernel-source: ipv4: keep skb->dst around in presence of IP options</issue>
<issue id="1025235" tracker="bnc">VUL-1: CVE-2017-5986: kernel-source: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf()</issue>
<issue id="1026024" tracker="bnc">VUL-0: CVE-2017-6074: kernel-source: local privilege escalation due to double free in dccp code</issue>
<issue id="1026722" tracker="bnc">VUL-0: CVE-2017-6214: kernel-source: ipv4/tcp: infinite loop in tcp_splice_read()</issue>
<issue id="1026914" tracker="bnc">VUL-0: CVE-2017-5669: kernel-source: Shmat allows mmap null page protection bypass</issue>
<issue id="1027066" tracker="bnc">VUL-0: CVE-2017-6353: kernel-source: sctp: deny peeloff operation on asocs with threads sleeping on it</issue>
<issue id="1027149" tracker="bnc">L3: SUSE-SU-2017:0471-1 Breaks building kernels with CONFIG_IPV6 turned off</issue>
<issue id="1027178" tracker="bnc">VUL-1: CVE-2017-6348: kernel-source: irda: Fix lockdep annotations in hashbin_delete()</issue>
<issue id="1027189" tracker="bnc">VUL-1: CVE-2017-6346: kernel-source: packet: fix races in fanout_add()</issue>
<issue id="1027190" tracker="bnc">VUL-1: CVE-2017-6345: kernel-source: net/llc: avoid BUG_ON() in skb_orphan()</issue>
<issue id="1028415" tracker="bnc">VUL-0: CVE-2016-10200: kernel-source: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()</issue>
<issue id="1028895" tracker="bnc">blacklist tool versions known to build broken kernels</issue>
<issue id="1029986" tracker="bnc">L3: ext4 first meta block group too large</issue>
<issue id="1030118" tracker="bnc">Dirty COW fix causes some apps to freeze; patch is available in upstream linux</issue>
<issue id="1030213" tracker="bnc">VUL-0: CVE-2017-7187: kernel-source: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to ...</issue>
<issue id="1030901" tracker="bnc">L3-Question: How to get information on shared libraries loaded in a process</issue>
<issue id="1031003" tracker="bnc">VUL-0: CVE-2017-2671: kernel: crash in AF_LLC/ping</issue>
<issue id="1031052" tracker="bnc">VUL-0: CVE-2017-7261: kernel-source: drm/vmwgfx: check that number of mip levels is above zero</issue>
<issue id="1031440" tracker="bnc">VUL-0: CVE-2017-7294: kernel-source: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel...</issue>
<issue id="1031579" tracker="bnc">VUL-0: CVE-2017-7308: kernel-source: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not p...</issue>
<issue id="1032344" tracker="bnc">kgraft not applicable due to hwrng</issue>
<issue id="1033336" tracker="bnc">VUL-0: CVE-2017-7616: kernel-source: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c</issue>
<issue id="914939" tracker="bnc">VUL-1: CVE-2015-1350: kernel-source: denial of service in notify_change for filesystem xattrs</issue>
<issue id="954763" tracker="bnc">hwrng of kvm virtual machine does not free its old codepath after poking and also rebooting</issue>
<issue id="968697" tracker="bnc">VUL-0: CVE-2016-2117: kernel: memory disclosure into ethernet frames due to incorrect driver handling of scatter/gather IO</issue>
<issue id="979215" tracker="bnc">VUL-0: CVE-2016-3070: kernel: Null pointer dereference in trace_writeback_dirty_page()</issue>
<issue id="983212" tracker="bnc">VUL-1: CVE-2016-5243: kernel-source: tipc: an infoleak in tipc_nl_compat_link_dump</issue>
<issue id="989056" tracker="bnc">xfs_dmapi: dm_filldir(2) counts directory entry name twice</issue>
<issue id="2017-7616" tracker="cve" />
<issue id="2017-7308" tracker="cve" />
<issue id="2017-2671" tracker="cve" />
<issue id="2017-7294" tracker="cve" />
<issue id="2017-7261" tracker="cve" />
<issue id="2017-7187" tracker="cve" />
<issue id="2016-9588" tracker="cve" />
<issue id="2017-5669" tracker="cve" />
<issue id="2016-10200" tracker="cve" />
<issue id="2017-6348" tracker="cve" />
<issue id="2016-10044" tracker="cve" />
<issue id="2016-3070" tracker="cve" />
<issue id="2016-5243" tracker="cve" />
<issue id="2017-6345" tracker="cve" />
<issue id="2017-6346" tracker="cve" />
<issue id="2017-6353" tracker="cve" />
<issue id="2017-6214" tracker="cve" />
<issue id="2016-2117" tracker="cve" />
<issue id="2015-1350" tracker="cve" />
<issue id="2016-10208" tracker="cve" />
<issue id="2017-6074" tracker="cve" />
<issue id="2017-5986" tracker="cve" />
<issue id="2017-5970" tracker="cve" />
<issue id="2017-5897" tracker="cve" />
<issue id="2016-7117" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>alnovak</packager>
<reboot_needed/>
<description>
The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bug fixes.
The following security bugs were fixed:
- CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939).
- CVE-2016-2117: The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly enabled scatter/gather I/O, which allowed remote attackers to obtain sensitive information from kernel memory by reading packet data (bnc#968697).
- CVE-2016-3070: The trace_writeback_dirty_page implementation in include/trace/events/writeback.h in the Linux kernel improperly interacted with mm/migrate.c, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by triggering a certain page move (bnc#979215).
- CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
- CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP and #OF exceptions, which allowed guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest (bnc#1015703).
- CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel did not properly restrict execute access, which made it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call (bnc#1023992).
- CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415).
- CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel did not properly validate meta block groups, which allowed physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image (bnc#1023377).
- CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).
- CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914).
- CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allowed remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access (bnc#1023762).
- CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bnc#1024938).
- CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bnc#1025235).
- CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).
- CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722).
- CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that a certain destructor exists in required circumstances, which allowed local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls (bnc#1027190).
- CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that made PACKET_FANOUT setsockopt system calls (bnc#1027189).
- CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178).
- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066).
- CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allowed local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function (bnc#1030213).
- CVE-2017-7261: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not check for a zero value of certain levels data, which allowed local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031052).
- CVE-2017-7294: The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not validate addition of certain levels data, which allowed local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).
- CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in the Linux kernel did not properly validate certain block-size data, which allowed local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls (bnc#1031579).
- CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel allowed local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation (bnc#1033336).
The following non-security bugs were fixed:
- ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
- hwrng: virtio - ensure reads happen after successful probe (bsc#954763 bsc#1032344).
- kgr/module: make a taint flag module-specific (fate#313296).
- l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
- l2tp: fix lookup for sockets not bound to a device in l2tp_ip (bsc#1028415).
- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind() (bsc#1028415).
- l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() (bsc#1028415).
- l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 (bsc#1028415).
- l2tp: lock socket before checking flags in connect() (bsc#1028415).
- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).
- module: move add_taint_module() to a header file (fate#313296).
- netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).
- nfs: flush out dirty data on file fput() (bsc#1021762).
- powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).
- powerpc: Reject binutils 2.24 when building little endian (boo#1028895).
- revert "procfs: mark thread stack correctly in proc/<pid>/maps" (bnc#1030901).
- taint/module: Clean up global and module taint flags handling (fate#313296).
- usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).
- xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).
- xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).
</description>
<summary>Security update for the Linux Kernel</summary>
</patchinfo>