===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0962
        SUSE Security Update: Security update for the Linux Kernel
                               3 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7566 CVE-2018-6927 CVE-2018-5333
                   CVE-2018-5332 CVE-2018-1068 CVE-2018-1066
                   CVE-2017-18221 CVE-2017-18208 CVE-2017-18204
                   CVE-2017-18017 CVE-2017-16914 CVE-2017-16913
                   CVE-2017-16912 CVE-2017-16911 CVE-2017-16644
                   CVE-2017-15299 CVE-2017-13166 CVE-2017-12190
                   CVE-2016-7915

Reference:         ASB-2016.0103
                   ESB-2018.0844
                   ESB-2018.0505
                   ESB-2018.0430
                   ESB-2018.0392

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20180848-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0848-1
Rating:             important
References:         #1010470 #1012382 #1045330 #1055755 #1062568
                    #1063416 #1066001 #1067118 #1068032 #1072689
                    #1072865 #1074488 #1075617 #1075621 #1077182
                    #1077560 #1077779 #1078669 #1078672 #1078673
                    #1078674 #1080255 #1080287 #1080464 #1080757
                    #1081512 #1082299 #1083244 #1083483 #1083494
                    #1083640 #1084323 #1085107 #1085114 #1085447
Cross-References:   CVE-2016-7915 CVE-2017-12190 CVE-2017-13166
                    CVE-2017-15299 CVE-2017-16644 CVE-2017-16911
                    CVE-2017-16912 CVE-2017-16913 CVE-2017-16914
                    CVE-2017-18017 CVE-2017-18204 CVE-2017-18208
                    CVE-2017-18221 CVE-2018-1066 CVE-2018-1068
                    CVE-2018-5332 CVE-2018-5333 CVE-2018-6927
                    CVE-2018-7566
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that solves 19 vulnerabilities and has 16 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall
     interface for bridging. This allowed a privileged user to arbitrarily
     write to a limited range of kernel memory (bnc#1085107).
   - CVE-2017-18221: The __munlock_pagevec function allowed local users to
     cause a denial of service (NR_MLOCK accounting corruption) via crafted
     use of mlockall and munlockall system calls (bnc#1084323).
   - CVE-2018-1066: Prevent NULL pointer dereference in
     fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker
     controlling a CIFS server to kernel panic a client that has this server
     mounted, because an empty TargetInfo field in an NTLMSSP setup
     negotiation response was mishandled during session recovery
     (bnc#1083640).
   - CVE-2017-13166: Prevent elevation of privilege vulnerability in the
     kernel v4l2 video driver (bnc#1072865).
   - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose
     kernel memory addresses. Successful exploitation required that a USB
     device was attached over IP (bnc#1078674).
   - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key
     that already exists but is uninstantiated, which allowed local users to
     cause a denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact via a crafted system call
     (bnc#1063416).
   - CVE-2017-18208: The madvise_willneed function in the kernel allowed
     local users to cause a denial of service (infinite loop) by triggering
     use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
   - CVE-2018-7566: The ALSA sequencer core initializes the event pool on
     demand by invoking snd_seq_pool_init() when the first write happens and
     the pool is empty. A user could have reset the pool size manually via
     ioctl concurrently, which may have led to UAF or out-of-bounds access
     (bsc#1083483).
   - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause
     a denial of service (deadlock) via DIO requests (bnc#1083244).
   - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a
     denial of service (improper error handling and system crash) or possibly
     have unspecified other impact via a crafted USB device (bnc#1067118).
   - CVE-2018-6927: The futex_requeue function allowed attackers to cause a
     denial of service (integer overflow) or possibly have unspecified other
     impact by triggering a negative wake or requeue value (bnc#1080757).
   - CVE-2017-16914: The "stub_send_ret_submit()" function allowed attackers
     to cause a denial of service (NULL pointer dereference) via a specially
     crafted USB over IP packet (bnc#1078669).
   - CVE-2016-7915: The hid_input_field function allowed physically proximate
     attackers to obtain sensitive information from kernel memory or cause a
     denial of service (out-of-bounds read) by connecting a device
     (bnc#1010470).
   - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions did
     unbalanced refcounting when a SCSI I/O vector had small consecutive
     buffers belonging to the same page. The bio_add_pc_page function merged
     them into one, but the page reference was never dropped. This caused a
     memory leak and possible system lockup (exploitable against the host OS
     by a guest OS user, if a SCSI disk is passed through to a virtual
     machine) due to an out-of-memory condition (bnc#1062568).
   - CVE-2017-16912: The "get_pipe()" function allowed attackers to cause a
     denial of service (out-of-bounds read) via a specially crafted USB over
     IP packet (bnc#1078673).
   - CVE-2017-16913: The "stub_recv_cmd_submit()" function when handling
     CMD_SUBMIT packets allowed attackers to cause a denial of service
     (arbitrary memory allocation) via a specially crafted USB over IP packet
     (bnc#1078672).
   - CVE-2018-5332: The rds_message_alloc_sgs() function did not validate a
     value that is used during DMA page allocation, leading to a heap-based
     out-of-bounds write (related to the rds_rdma_extra_size function in
     net/rds/rdma.c) (bnc#1075621).
   - CVE-2018-5333: The rds_cmsg_atomic function in net/rds/rdma.c mishandled
     cases where page pinning fails or an invalid address is supplied,
     leading to an rds_atomic_free_op NULL pointer dereference (bnc#1075617).
   - CVE-2017-18017: The tcpmss_mangle_packet function allowed remote
     attackers to cause a denial of service (use-after-free and memory
     corruption) or possibly have unspecified other impact by leveraging the
     presence of xt_TCPMSS in an iptables action (bnc#1074488).

   The following non-security bugs were fixed:

   - KEYS: do not let add_key() update an uninstantiated key (bnc#1063416).
   - KEYS: fix writing past end of user-supplied buffer in keyring_read()
     (bsc#1066001).
   - KEYS: return full count in keyring_read() if buffer is too small
     (bsc#1066001).
   - NFS: Add a cond_resched() to nfs_commit_release_pages() (bsc#1077779).
   - btrfs: qgroup: move noisy underflow warning to debugging build
     (bsc#1055755 and bsc#1080287).
   - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).
   - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).
   - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).
   - x86/kaiser: use trampoline stack for kernel entry (bsc#1077560).
   - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).
   - livepatch: __kgr_shadow_get_or_alloc() is local to shadow.c. Shadow
     variables support (bsc#1082299).
   - livepatch: introduce shadow variable API. Shadow variables support
     (bsc#1082299).
   - media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: avoid sizeof(type) (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: do not copy back the result for certain
     errors (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
     (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: fix the indentation (bnc#1012382).
   - media: v4l2-compat-ioctl32.c: move 'helper' functions to
     __get/put_v4l2_format32 (bnc#1012382).
   - media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha
     (bnc#1012382).
   - media: v4l2-ioctl.c: do not copy back the result for -ENOTTY
     (bnc#1012382).
   - netfilter: ebtables: CONFIG_COMPAT: do not trust userland offsets
     (bsc#1085107).
   - netfilter: ebtables: fix erroneous reject of last rule (bsc#1085107).
   - packet: only call dev_add_pack() on freshly allocated fanout instances
   - pipe: cap initial pipe capacity according to pipe-max-size limit
     (bsc#1045330).
   - powerpc/64s: Improve RFI L1-D cache flush fallback (bsc#1068032,
     bsc#1077182).
   - powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
     (bsc#1081512).
   - powerpc/powernv: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,
     bsc#1077182).
   - rfi-flush: Move the logic to avoid a redo into the debugfs code
     (bsc#1068032, bsc#1077182).
   - rfi-flush: Switch to new linear fallback flush (bsc#1068032,
     bsc#1077182).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:

      zypper in -t patch SUSE-OpenStack-Cloud-6-2018-568=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-568=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-568=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-568=1

Package List:

   - SUSE OpenStack Cloud 6 (x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1
      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE OpenStack Cloud 6 (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.74-60.64.85.1
      kernel-default-base-3.12.74-60.64.85.1
      kernel-default-base-debuginfo-3.12.74-60.64.85.1
      kernel-default-debuginfo-3.12.74-60.64.85.1
      kernel-default-debugsource-3.12.74-60.64.85.1
      kernel-default-devel-3.12.74-60.64.85.1
      kernel-syms-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      kernel-xen-3.12.74-60.64.85.1
      kernel-xen-base-3.12.74-60.64.85.1
      kernel-xen-base-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debuginfo-3.12.74-60.64.85.1
      kernel-xen-debugsource-3.12.74-60.64.85.1
      kernel-xen-devel-3.12.74-60.64.85.1
      kgraft-patch-3_12_74-60_64_85-default-1-2.3.1
      kgraft-patch-3_12_74-60_64_85-xen-1-2.3.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      kernel-devel-3.12.74-60.64.85.1
      kernel-macros-3.12.74-60.64.85.1
      kernel-source-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x):

      kernel-default-man-3.12.74-60.64.85.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.74-60.64.85.1
      kernel-ec2-debuginfo-3.12.74-60.64.85.1
      kernel-ec2-debugsource-3.12.74-60.64.85.1
      kernel-ec2-devel-3.12.74-60.64.85.1
      kernel-ec2-extra-3.12.74-60.64.85.1
      kernel-ec2-extra-debuginfo-3.12.74-60.64.85.1

References:

   https://www.suse.com/security/cve/CVE-2016-7915.html
   https://www.suse.com/security/cve/CVE-2017-12190.html
   https://www.suse.com/security/cve/CVE-2017-13166.html
   https://www.suse.com/security/cve/CVE-2017-15299.html
   https://www.suse.com/security/cve/CVE-2017-16644.html
   https://www.suse.com/security/cve/CVE-2017-16911.html
   https://www.suse.com/security/cve/CVE-2017-16912.html
   https://www.suse.com/security/cve/CVE-2017-16913.html
   https://www.suse.com/security/cve/CVE-2017-16914.html
   https://www.suse.com/security/cve/CVE-2017-18017.html
   https://www.suse.com/security/cve/CVE-2017-18204.html
   https://www.suse.com/security/cve/CVE-2017-18208.html
   https://www.suse.com/security/cve/CVE-2017-18221.html
   https://www.suse.com/security/cve/CVE-2018-1066.html
   https://www.suse.com/security/cve/CVE-2018-1068.html
   https://www.suse.com/security/cve/CVE-2018-5332.html
   https://www.suse.com/security/cve/CVE-2018-5333.html
   https://www.suse.com/security/cve/CVE-2018-6927.html
   https://www.suse.com/security/cve/CVE-2018-7566.html
   https://bugzilla.suse.com/1010470
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1045330
   https://bugzilla.suse.com/1055755
   https://bugzilla.suse.com/1062568
   https://bugzilla.suse.com/1063416
   https://bugzilla.suse.com/1066001
   https://bugzilla.suse.com/1067118
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1072689
   https://bugzilla.suse.com/1072865
   https://bugzilla.suse.com/1074488
   https://bugzilla.suse.com/1075617
   https://bugzilla.suse.com/1075621
   https://bugzilla.suse.com/1077182
   https://bugzilla.suse.com/1077560
   https://bugzilla.suse.com/1077779
   https://bugzilla.suse.com/1078669
   https://bugzilla.suse.com/1078672
   https://bugzilla.suse.com/1078673
   https://bugzilla.suse.com/1078674
   https://bugzilla.suse.com/1080255
   https://bugzilla.suse.com/1080287
   https://bugzilla.suse.com/1080464
   https://bugzilla.suse.com/1080757
   https://bugzilla.suse.com/1081512
   https://bugzilla.suse.com/1082299
   https://bugzilla.suse.com/1083244
   https://bugzilla.suse.com/1083483
   https://bugzilla.suse.com/1083494
   https://bugzilla.suse.com/1083640
   https://bugzilla.suse.com/1084323
   https://bugzilla.suse.com/1085107
   https://bugzilla.suse.com/1085114
   https://bugzilla.suse.com/1085447

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
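A post-update check for the patch instructions above, added here as an example and not part of the SUSE or AusCERT text: a newly installed kernel package only takes effect after a reboot, so the script compares both the running and the installed kernel against the fixed release 3.12.74-60.64.85 from the package list. The function names, the `--host` switch, the `<version>-<release>-<flavor>` shape of `uname -r`, and the use of GNU `sort -V` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SUSE or AusCERT code). Fixed release taken from
# kernel-default-3.12.74-60.64.85.1 in the package list of this bulletin.
FIXED_RELEASE="3.12.74-60.64.85"

# release_status STRING -> fixed | outdated | not-applicable
# STRING is `uname -r` output or an rpm VERSION-RELEASE value.
release_status() {
    # Assumption: a trailing "-<flavor>" (default, xen, ec2) is alphabetic.
    rel=${1%-[a-z]*}
    case "$rel" in
        3.12.*-*) ;;                          # SLE 12 SP1 kernel line
        *) echo "not-applicable"; return 0 ;;
    esac
    # Assumption: GNU sort; -V orders version strings, lowest first.
    lowest=$(printf '%s\n%s\n' "$rel" "$FIXED_RELEASE" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_RELEASE" ]; then echo "fixed"; else echo "outdated"; fi
}

# host_verdict RUNNING INSTALLED
#   -> ok | reboot-required | patch-required | not-applicable
host_verdict() {
    run=$(release_status "$1")
    inst=$(release_status "$2")
    if [ "$run" = "fixed" ]; then
        echo "ok"
    elif [ "$run" = "outdated" ] && [ "$inst" = "fixed" ]; then
        echo "reboot-required"                # update installed, old kernel still booted
    elif [ "$run" = "outdated" ]; then
        echo "patch-required"
    else
        echo "not-applicable"
    fi
}

# check_host: query the live system (needs rpm; run on the SUSE host itself).
check_host() {
    running=$(uname -r)
    pkg="kernel-${running##*-}"               # e.g. kernel-default, kernel-xen
    installed=""
    if rpm -q "$pkg" >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" | sort -V | tail -n 1)
    fi
    echo "running=$running installed=${installed:-none}: $(host_verdict "$running" "$installed")"
}

# Only touch the live system when asked to: sh script.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```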