Lucene search

K
suseSuseOPENSUSE-SU-2017:0906-1
HistoryApr 01, 2017 - 3:07 p.m.

Security update for the Linux Kernel (important)

2017-04-0115:07:45
lists.opensuse.org
75

0.025 Low

EPSS

Percentile

88.9%

======================================================================
Still left to do:

  • Check CVE descriptions. They need to be written in the past tense. They
    are processed automatically, THERE CAN BE ERRORS IN THERE!
  • Remove version numbers from the CVE descriptions
  • Check the capitalization of the subsystems, then sort again
  • For each CVE: Check the corresponding bug if everything is okay
  • If you remove CVEs or bugs: Do not forget to change the meta information
  • Determine which of the bugs after the CVE lines is the right one

======================================================================

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various
security and bugfixes.

The following security bugs were fixed:

  • CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
    did not restrict the address calculated by a certain rounding operation,
    which allowed local users to map page zero, and consequently bypass a
    protection mechanism that exists for the mmap system call, by making
    crafted shmget and shmat system calls in a privileged context
    (bnc#1026914).
  • CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
    Linux kernel improperly manages lock dropping, which allowed local users
    to cause a denial of service (deadlock) via crafted operations on IrDA
    devices (bnc#1027178).
  • CVE-2017-7184: The xfrm_replay_verify_len function in
    net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size
    data after an XFRM_MSG_NEWAE update, which allowed local users to obtain
    root privileges or cause a denial of service (heap-based out-of-bounds
    access) by leveraging the CAP_NET_ADMIN capability, as demonstrated
    during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10
    linux-image-* package 4.8.0.41.52 (bnc#1030573).
  • CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
    the Linux kernel allowed local users to gain privileges or cause a
    denial of service (use-after-free) by making multiple bind system calls
    without properly ascertaining whether a socket has the SOCK_ZAPPED
    status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
    (bnc#1028415).
  • CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux
    kernel allowed local users to gain privileges or cause a denial of
    service (double free) by setting the HDLC line discipline (bnc#1027565).
  • CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that
    a certain destructor exists in required circumstances, which allowed
    local users to cause a denial of service (BUG_ON) or possibly have
    unspecified other impact via crafted system calls (bnc#1027190).
  • CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux
    kernel allowed local users to cause a denial of service (use-after-free)
    or possibly have unspecified other impact via a multithreaded
    application that made PACKET_FANOUT setsockopt system calls
    (bnc#1027189).
  • CVE-2017-6347: The ip_cmsg_recv_checksum function in
    net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations
    about skb data layout, which allowed local users to cause a denial of
    service (buffer over-read) or possibly have unspecified other impact via
    crafted system calls, as demonstrated by use of the MSG_MORE flag in
    conjunction with loopback UDP transmission (bnc#1027179).
  • CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
    restrict association peel-off operations during certain wait states,
    which allowed local users to cause a denial of service (invalid unlock
    and double free) via a multithreaded application. NOTE: this
    vulnerability exists because of an incorrect fix for CVE-2017-5986
    (bnc#1025235).
  • CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
    Linux kernel allowed remote attackers to cause a denial of service
    (infinite loop and soft lockup) via vectors involving a TCP packet with
    the URG flag (bnc#1026722).
  • CVE-2016-2117: The atl2_probe function in
    drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly
    enables scatter/gather I/O, which allowed remote attackers to obtain
    sensitive information from kernel memory by reading packet data
    (bnc#968697).
  • CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the
    Linux kernel did not properly validate meta block groups, which allowed
    physically proximate attackers to cause a denial of service
    (out-of-bounds read and system crash) via a crafted ext4 image
    (bnc#1023377).
  • CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c
    in the Linux kernel improperly emulates the VMXON instruction, which
    allowed KVM L1 guest OS users to cause a denial of service (host OS
    memory consumption) by leveraging the mishandling of page references
    (bnc#1022785).
  • CVE-2017-2583: The load_segment_descriptor implementation in
    arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a "MOV
    SS, NULL selector" instruction, which allowed guest OS users to cause a
    denial of service (guest OS crash) or gain guest OS privileges via a
    crafted application (bnc#1020602).
  • CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local
    users to obtain sensitive information from kernel memory or cause a
    denial of service (use-after-free) via a crafted application that
    leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt
    (bnc#1019851).

The following non-security bugs were fixed:

  • Fix kABI breakage of musb struct in 4.1.39 (stable 4.1.39).
  • Revert "ptrace: Capture the ptracer’s creds not PT_PTRACE_CAP" (stable
    4.1.39).
  • ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
  • ext4: validate s_first_meta_bg at mount time (bsc#1023377).
  • kabi/severities: Ignore x86/kvm kABI changes for 4.1.39
  • l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
  • l2tp: fix lookup for sockets not bound to a device in l2tp_ip
    (bsc#1028415).
  • l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
    (bsc#1028415).
  • l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
    (bsc#1028415).
  • l2tp: lock socket before checking flags in connect() (bsc#1028415).
  • mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bsc#1030118).

0.025 Low

EPSS

Percentile

88.9%

Related for OPENSUSE-SU-2017:0906-1