home:Alexander_Naumov:SLE-12:Update
File _patchinfo of Package patchinfo.5830
<patchinfo incident="5830">
  <issue id="1064388" tracker="bnc">VUL-0: CVE-2017-15649: kernel: net/packet/af_packet.c allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures</issue>
  <issue id="1045327" tracker="bnc">VUL-1: CVE-2017-15274: kernel-source: add_key syscall causes NULL pointer dereference</issue>
  <issue id="1062520" tracker="bnc">VUL-1: CVE-2017-15265: kernel: Use-after-free in /dev/snd/seq</issue>
  <issue id="1063667" tracker="bnc">VUL-0: CVE-2017-13080: kernel-source: mac80211 driver also has key reinstallation problem "KRACK"</issue>
  <issue id="1008353" tracker="bnc">WARNING: CPU: 2 PID: 452 at ../fs/btrfs/extent-tree.c:3731 btrfs_free_reserved_data_space_noquota+0xe8/0x100 [btrfs]()</issue>
  <issue id="1012422" tracker="bnc">Better compiler warning check</issue>
  <issue id="1017941" tracker="bnc">Btrfs corruption, causes filesystem to mount "read only".</issue>
  <issue id="1029850" tracker="bnc">VUL-0: CVE-2017-6951: kernel-source: NULL pointer dereference in keyring_search_aux function</issue>
  <issue id="1030593" tracker="bnc">VUL-0: CVE-2017-2647: kernel-source: Null pointer dereference in search_keyring</issue>
  <issue id="1032268" tracker="bnc">VUL-0: CVE-2016-10229: kernel-source: udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traff...</issue>
  <issue id="1034405" tracker="bnc">VUL-0: CVE-2017-7889: kernel-source: mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism</issue>
  <issue id="1034670" tracker="bnc">VUL-0: CVE-2017-7645: kernel-source: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attac...</issue>
  <issue id="1035576" tracker="bnc">VUL-0: CVE-2016-9604: kernel-source: Keyrings whose name begin with a '.' are special internal keyrings and so userspace isn't allowed to...</issue>
  <issue id="1035877" tracker="bnc">VUL-0: CVE-2017-8106: kernel-source: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privil...</issue>
  <issue id="1036752" tracker="bnc">vSocket stream sockets may be incorrectly terminated</issue>
  <issue id="1037182" tracker="bnc">VUL-1: kernel-source: large kernel memory information leak in io_ti driver</issue>
  <issue id="1037183" tracker="bnc">VUL-1: kernel-source: omninet driver allows a DOS to any user that can open a serial tty</issue>
  <issue id="1037306" tracker="bnc">VUL-0: CVE-2015-9004: kernel-source: kernel/events/core.c in &lt; 3.19 mishandles counter grouping (perf_pmu_register and perf_event_open)</issue>
  <issue id="1037994" tracker="bnc">VUL-0: CVE-2017-8831: kernel-source: Double fetch problem in Linux-4.10.1 (saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c)</issue>
  <issue id="1038544" tracker="bnc">VUL-0: CVE-2017-8890: kernel-source: denial of service (double free) by leveraging use of the accept system call (inet_csk_clone_lock func in net/ipv4/inet_connection_sock.c)</issue>
  <issue id="1038879" tracker="bnc">VUL-0: CVE-2017-7487: kernel-source: Reference counter leak in ipxitf_ioctl resulting into use after free</issue>
  <issue id="1038981" tracker="bnc">VUL-0: CVE-2017-8925: kernel-source: denial of service (tty exhaustion) by leveraging reference count mishandling</issue>
  <issue id="1038982" tracker="bnc">VUL-0: CVE-2017-8924: kernel-source: USB: serial: io_ti: information leak in completion handler (edge_bulk_in_callback func in drivers/usb/serial/io_ti.c)</issue>
  <issue id="1039348" tracker="bnc">VUL-0: CVE-2017-1000364: kernel-source: stack gap guard page too small: Qualys new root/setuid privilege escalation method 05-2017</issue>
  <issue id="1039349" tracker="bnc">VUL-0: CVE-2017-1000370 CVE-2017-1000371: kernel-source: offset2lib bypass: Qualys new root/setuid privilege escalation method 05-2017</issue>
  <issue id="1039354" tracker="bnc">VUL-0: CVE-2017-1000365: kernel-source: argv and env usage concerns: Qualys new root/setuid privilege escalation method 05-2017</issue>
  <issue id="1039456" tracker="bnc">VUL-0: CVE-2017-1000363: kernel: drivers/char/lp.c Out-of-Bounds Write</issue>
  <issue id="1039721" tracker="bnc">kernel: printk: prevent userland from spoofing kernel messages</issue>
  <issue id="1039882" tracker="bnc">VUL-0: CVE-2017-9074: kernel-source: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option</issue>
  <issue id="1039883" tracker="bnc">VUL-0: CVE-2017-9075: kernel-source: denial of service or possibly have unspecified other impact via crafted system calls (sctp_v6_create_accept_sk function in net/sctp/ipv6.c)</issue>
  <issue id="1039885" tracker="bnc">VUL-0: CVE-2017-9076: kernel-source: denial of service or possibly have unspecified other impact via crafted system calls (IPv6 DCCP implementation)</issue>
  <issue id="1040069" tracker="bnc">VUL-0: CVE-2017-9077: kernel-source: net: tcp_v6_syn_recv_sock function mishandles inheritance</issue>
  <issue id="1041431" tracker="bnc">VUL-0: CVE-2017-9242: kernel-source: Incorrect overwrite check in __ip6_append_data()</issue>
  <issue id="1041958" tracker="bnc">Incorrect UDP checksums lead to hanging NFS requests</issue>
  <issue id="1044125" tracker="bnc">VUL-0: CVE-2017-1000380: kernel-source: sound: information leak due to a data race in ALSA timer</issue>
  <issue id="1045487" tracker="bnc">A wusb hub with malicious descriptors can oops the kernel</issue>
  <issue id="1045922" tracker="bnc">VUL-0: CVE-2017-7518: kernel: KVM: debug exception via syscall emulation</issue>
  <issue id="1046107" tracker="bnc">VUL-0: CVE-2017-7482 kernel: net/rxrpc: overflow in decoding of krb5 principal</issue>
  <issue id="1047408" tracker="bnc">Sles for sap sles12 VMs hang on VMware</issue>
  <issue id="1048275" tracker="bnc">VUL-0: CVE-2017-11176: kernel-source: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic</issue>
  <issue id="1049645" tracker="bnc">VUL-0: CVE-2017-7541 kernel: Heap buffer overflow in brcmf_cfg80211_mgmt_tx()</issue>
  <issue id="1049882" tracker="bnc">VUL-0: CVE-2017-7542 kernel: Integer overflow in ip6_find_1stfragopt() causes infinite loop</issue>
  <issue id="1052593" tracker="bnc">L3: getcwd() sometimes fails (ENOENT) with Lustre, SGI/Intel MPI, and Fortran MPI code in libmpifort.so</issue>
  <issue id="1053148" tracker="bnc">VUL-0: CVE-2017-12762: kernel-source: /drivers/isdn/i4l/isdn_net.c: user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux ker</issue>
  <issue id="1053152" tracker="bnc">VUL-0: CVE-2017-10661: kernel-source: timerfd: missing locking in cancel might cause races and use-after-free</issue>
  <issue id="1056588" tracker="bnc">VUL-0: CVE-2017-14051: kernel-source: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corrupti</issue>
  <issue id="1056982" tracker="bnc">VUL-0: CVE-2017-14106: kernel-source: Divide-by-zero in __tcp_select_window</issue>
  <issue id="1057179" tracker="bnc">VUL-1: CVE-2017-14140: kernel: Missing permission check in move_pages system call</issue>
  <issue id="1058038" tracker="bnc">VUL-0: CVE-2017-1000252: kernel: KVM denial of service (vmx_update_pi_irte())</issue>
  <issue id="1058410" tracker="bnc">VUL-0: CVE-2017-12153: kernel-source: null pointer dereference in nl80211_set_rekey_data()</issue>
  <issue id="1058507" tracker="bnc">VUL-0: CVE-2017-12154: kernel-source: kvm: nVMX: L2 guest could access hardware(L0) CR8 register</issue>
  <issue id="1058524" tracker="bnc">VUL-0: CVE-2017-14340: kernel-source: xfs: unprivileged user kernel oops</issue>
  <issue id="938162" tracker="bnc">Multipath fails paths on reservation conflict</issue>
  <issue id="975596" tracker="bnc">warning at ../fs/btrfs/extent-tree.c:3731 btrfs_free_reserved_data_space_noquota</issue>
  <issue id="977417" tracker="bnc">VMWare ESXi 6.0: SLES12 SP1 guest with kernel 3.12.57-60.35-default is crashing with an invalid RIP:</issue>
  <issue id="984779" tracker="bnc">SLES 12 SP1 - kernel call trace in btrfs_free_reserved_data_space_noquota during Spectrum scale SMB workload</issue>
  <issue id="985562" tracker="bnc">WARNING: CPU: 2 PID: 452 at ../fs/btrfs/extent-tree.c:3731 btrfs_free_reserved_data_space_noquota+0xe8/0x100 [btrfs]()</issue>
  <issue id="990682" tracker="bnc">reiserfs crash due to attempt to delete empty list in __discard_prealloc</issue>
  <issue id="2017-15649" tracker="cve" />
  <issue id="2017-13080" tracker="cve" />
  <issue id="2017-15274" tracker="cve" />
  <issue id="2017-15265" tracker="cve" />
  <issue id="2016-9604" tracker="cve" />
  <issue id="2017-1000365" tracker="cve" />
  <issue id="2017-12153" tracker="cve" />
  <issue id="2017-12154" tracker="cve" />
  <issue id="2017-14106" tracker="cve" />
  <issue id="2017-14140" tracker="cve" />
  <issue id="2017-14051" tracker="cve" />
  <issue id="2017-10661" tracker="cve" />
  <issue id="2017-12762" tracker="cve" />
  <issue id="2017-8831" tracker="cve" />
  <issue id="2017-7482" tracker="cve" />
  <issue id="2017-7542" tracker="cve" />
  <issue id="2017-11176" tracker="cve" />
  <issue id="2017-7541" tracker="cve" />
  <issue id="2017-7518" tracker="cve" />
  <issue id="2015-9004" tracker="cve" />
  <issue id="2017-8924" tracker="cve" />
  <issue id="2017-8925" tracker="cve" />
  <issue id="2017-1000380" tracker="cve" />
  <issue id="2017-9242" tracker="cve" />
  <issue id="2017-1000363" tracker="cve" />
  <issue id="2017-9076" tracker="cve" />
  <issue id="2017-9077" tracker="cve" />
  <issue id="2017-9075" tracker="cve" />
  <issue id="2017-9074" tracker="cve" />
  <issue id="2017-7487" tracker="cve" />
  <issue id="2017-8890" tracker="cve" />
  <issue id="2017-7889" tracker="cve" />
  <issue id="2017-2647" tracker="cve" />
  <issue id="2017-6951" tracker="cve" />
  <issue id="2017-8106" tracker="cve" />
  <issue id="2016-10229" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>alnovak</packager>
  <reboot_needed/>
  <description>
The SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388).
- CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306).
- CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268).
- CVE-2016-9604: The handling of keyrings starting with '.' in KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to manipulate privileged keyrings, was fixed (bsc#1035576).
- CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g. Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the command line) can overflow the parport_nr array in the following code, by appending many (&gt;LP_NO) 'lp=none' arguments to the command line (bnc#1039456).
- CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354).
- CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time (bnc#1044125).
- CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing (bnc#1053152).
- CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bnc#1048275).
- CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel. This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410).
- CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the "CR8-load exiting" and "CR8-store exiting" L0 vmcs02 controls exist in cases where L1 omits the "use TPR shadow" vmcs12 control, which allowed KVM L2 guest OS users to obtain read and write access to the hardware CR8 register (bnc#1058507).
- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. (bnc#1053148).
- CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667).
- CVE-2017-14051: An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash) by leveraging root access (bnc#1056588).
- CVE-2017-14106: The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel allowed local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path (bnc#1056982).
- CVE-2017-14140: The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR (bnc#1057179).
- CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520).
- CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327).
- CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bnc#1030593).
- CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the "dead" type (bnc#1029850).
- CVE-2017-7482: A potential memory corruption was fixed in decoding of krb5 principals in the kernel's Kerberos handling. (bnc#1046107).
- CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel mishandled reference counts, which allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface (bnc#1038879).
- CVE-2017-7518: The Linux kernel was vulnerable to an incorrect debug exception (#DB) error. It could occur while emulating a syscall instruction and potentially lead to guest privilege escalation. (bsc#1045922).
- CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645).
- CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882).
- CVE-2017-7889: The mm subsystem in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allowed local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c (bnc#1034405).
- CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 allowed privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer (bnc#1035877).
- CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a "double fetch" vulnerability (bnc#1037994).
- CVE-2017-8890: The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call (bnc#1038544).
- CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1037182 bsc#1038982).
- CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1037183 bsc#1038981).
- CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel did not consider that the nexthdr field may be associated with an invalid option, which allowed local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls (bnc#1039882).
- CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883).
- CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).
- CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandled inheritance, which allowed local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069).
- CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel is too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431).

The following non-security bugs were fixed:

- btrfs: Fix a data space underflow warning (bsc#985562, bsc#975596, bsc#984779, bsc#1008353, bsc#1017941).
- dm-mpath: always return reservation conflict (bsc#938162).
- getcwd: Close race with d_move called by lustre (bsc#1052593).
- ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output (bsc#1041958).
- ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output (bsc#1041958).
- kabi: avoid bogus kabi errors in ip_output.c (bsc#1041958).
- keys: Disallow keyrings beginning with '.' to be joined as session keyrings (bnc#1035576).
- mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack (bnc#1039348).
- net: account for current skb length when deciding about UFO (bsc#1041958).
- nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670 CVE#2017-7645).
- nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670 CVE#2017-7645).
- nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670 CVE#2017-7645).
- printk: prevent userland from spoofing kernel messages (bsc#1039721).
- reiserfs: do not preallocate blocks for extended attributes (bsc#990682).
- tcp: do not inherit fastopen_req from parent (bsc#1038544).
- udp: disallow UFO for sockets with SO_NO_CHECK option (bsc#1041958).
- usb: wusbcore: fix NULL-deref at probe (bsc#1045487).
- vsock: Detach QP check should filter out non matching QPs (bsc#1036752 bsc#1047408).
- vsock: Fix lockdep issue (bsc#977417 bsc#1047408).
- vsock: sock_put wasn't safe to call in interrupt context (bsc#977417 bsc#1047408).
- xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present (bsc#1058524).
</description>
  <summary>Security update for the Linux Kernel</summary>
</patchinfo>