Lucene search

K
suseSuseSUSE-SU-2018:0834-1
HistoryMar 28, 2018 - 9:07 p.m.

Security update for the Linux Kernel (important)

2018-03-2821:07:35
lists.opensuse.org
423

0.961 High

EPSS

Percentile

99.4%

The SUSE Linux Enterprise 12 kernel was updated to receive various
security and bugfixes.

The following security bugs were fixed:

  • CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall
    interface for bridging. This allowed a privileged user to arbitrarily
    write to a limited range of kernel memory (bnc#1085107).
  • CVE-2017-18221: The __munlock_pagevec function allowed local users to
    cause a denial of service (NR_MLOCK accounting corruption) via crafted
    use of mlockall and munlockall system calls (bnc#1084323).
  • CVE-2018-1066: Prevent NULL pointer dereference in
    fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker
    controlling a CIFS server to kernel panic a client that has this server
    mounted, because an empty TargetInfo field in an NTLMSSP setup
    negotiation response was mishandled during session recovery
    (bnc#1083640).
  • CVE-2017-13166: Prevent elevation of privilege vulnerability in the
    kernel v4l2 video driver (bnc#1072865).
  • CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
    kernel memory addresses. Successful exploitation required that a USB
    device was attached over IP (bnc#1078674).
  • CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key
    that already exists but is uninstantiated, which allowed local users to
    cause a denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact via a crafted system call
    (bnc#1063416).
  • CVE-2017-18208: The madvise_willneed function kernel allowed local users
    to cause a denial of service (infinite loop) by triggering use of
    MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
  • CVE-2018-7566: The ALSA sequencer core initializes the event pool on
    demand by invoking snd_seq_pool_init() when the first write happens and
    the pool is empty. A user could have reset the pool size manually via
    ioctl concurrently, which may have lead UAF or out-of-bound access
    (bsc#1083483).
  • CVE-2017-18204: The ocfs2_setattr function allowed local users to cause
    a denial of service (deadlock) via DIO requests (bnc#1083244).
  • CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
    denial of service (improper error handling and system crash) or possibly
    have unspecified other impact via a crafted USB device (bnc#1067118).
  • CVE-2018-6927: The futex_requeue function allowed attackers to cause a
    denial
    of service (integer overflow) or possibly have unspecified other impact
    by triggering a negative wake or requeue value (bnc#1080757).
  • CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers
    to cause a denial of service (NULL pointer dereference) via a specially
    crafted USB over IP packet (bnc#1078669).
  • CVE-2016-7915: The hid_input_field function allowed physically proximate
    attackers to obtain sensitive information from kernel memory or cause a
    denial
    of service (out-of-bounds read) by connecting a device (bnc#1010470).
  • CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
    unbalanced refcounting when a SCSI I/O vector had small consecutive
    buffers belonging to the same page. The bio_add_pc_page function merged
    them into one, but the page reference was never dropped. This caused a
    memory leak and possible system lockup (exploitable against the host OS
    by a guest OS user, if a SCSI disk is passed through to a virtual
    machine) due to an out-of-memory condition (bnc#1062568).
  • CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a
    denial
    of service (out-of-bounds read) via a specially crafted USB over IP
    packet (bnc#1078673).
  • CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
    CMD_SUBMIT packets allowed attackers to cause a denial of service
    (arbitrary memory allocation) via a specially crafted USB over IP packet
    (bnc#1078672).
  • CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a
    value that is used during DMA page allocation, leading to a heap-based
    out-of-bounds write (related to the rds_rdma_extra_size function in
    net/rds/rdma.c) (bnc#1075621).
  • CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
    cases where page pinning fails or an invalid address is supplied,
    leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
  • CVE-2017-18017: The tcpmss_mangle_packet function allowed remote
    attackers to cause a denial of service (use-after-free and memory
    corruption) or possibly have unspecified other impact by leveraging the
    presence of xt_TCPMSS in an iptables action (bnc#1074488).

The following non-security bugs were fixed:

  • Fix build on arm64 by defining empty gmb() (bnc#1068032).
  • KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
  • KEYS: fix writing past end of user-supplied buffer in keyring_read()
    (bsc#1066001).
  • KEYS: return full count in keyring_read() if buffer is too small
    (bsc#1066001).
  • include/stddef.h: Move offsetofend() from vfio.h to a generic kernel
    header (bsc#1077560).
  • ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
  • ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
  • ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
  • x86/kaiser: use trampoline stack for kernel entry (bsc#1077560)
  • leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
  • livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow
    variables support (bsc#1082299).
  • livepatch: introduce shadow variable API. Shadow variables support
    (bsc#1082299)
  • media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
    (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
    (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
    (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: do not copy back the result for certain
    errors (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
    (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
  • media: v4l2-compat-ioctl32.c: move ‘helper’ functions to
    __get/put_v4l2_format32 (bnc#1012382).
  • media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha (bnc#1012382).
  • media: v4l2-ioctl.c: do not copy back the result for -ENOTTY
    (bnc#1012382).
  • netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets
    (bsc#1085107).
  • netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
  • packet: only call dev_add_pack() on freshly allocated fanout instances
  • pipe: cap initial pipe capacity according to pipe-max-size limit
    (bsc#1045330).
  • x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).

0.961 High

EPSS

Percentile

99.4%

Related for SUSE-SU-2018:0834-1