[security-announce] openSUSE-SU-2017:0906-1: important: Security update for the Linux Kernel

1 Apr 2017

      openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:0906-1
Rating:             important
References:         #1019851 #1020602 #1022785 #1023377 #1025235 
                    #1026722 #1026914 #1027066 #1027178 #1027179 
                    #1027189 #1027190 #1027565 #1028415 #1029986 
                    #1030118 #1030573 #968697 
Cross-References:   CVE-2016-10200 CVE-2016-10208 CVE-2016-2117
                    CVE-2017-2583 CVE-2017-2584 CVE-2017-2596
                    CVE-2017-2636 CVE-2017-5669 CVE-2017-6214
                    CVE-2017-6345 CVE-2017-6346 CVE-2017-6347
                    CVE-2017-6348 CVE-2017-6353 CVE-2017-7184

Affected Products:
                    openSUSE Leap 42.1
______________________________________________________________________________

   An update that solves 15 vulnerabilities and has three
   fixes is now available.

Description:

   ======================================================================
   Still left to do:
   - Check CVE descriptions. They need to be written in the past tense. They
     are processed automatically, THERE CAN BE ERRORS IN THERE!
   - Remove version numbers from the CVE descriptions
   - Check the capitalization of the subsystems, then sort again
   - For each CVE: Check the corresponding bug if everything is okay
   - If you remove CVEs or bugs: Do not forget to change the meta information
   - Determine which of the bugs after the CVE lines is the right one

   ======================================================================

   The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel
     did not restrict the address calculated by a certain rounding operation,
     which allowed local users to map page zero, and consequently bypass a
     protection mechanism that exists for the mmap system call, by making
     crafted shmget and shmat system calls in a privileged context
     (bnc#1026914).
   - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the
     Linux kernel improperly manages lock dropping, which allowed local users
     to cause a denial of service (deadlock) via crafted operations on IrDA
     devices (bnc#1027178).
   - CVE-2017-7184: The xfrm_replay_verify_len function in
     net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size
     data after an XFRM_MSG_NEWAE update, which allowed local users to obtain
     root privileges or cause a denial of service (heap-based out-of-bounds
     access) by leveraging the CAP_NET_ADMIN capability, as demonstrated
     during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10
     linux-image-* package 4.8.0.41.52 (bnc#1030573).
   - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in
     the Linux kernel allowed local users to gain privileges or cause a
     denial of service (use-after-free) by making multiple bind system calls
     without properly ascertaining whether a socket has the SOCK_ZAPPED
     status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c
     (bnc#1028415).
   - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux
     kernel allowed local users to gain privileges or cause a denial of
     service (double free) by setting the HDLC line discipline (bnc#1027565).
   - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that
     a certain destructor exists in required circumstances, which allowed
     local users to cause a denial of service (BUG_ON) or possibly have
     unspecified other impact via crafted system calls (bnc#1027190).
   - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux
     kernel allowed local users to cause a denial of service (use-after-free)
     or possibly have unspecified other impact via a multithreaded
     application that made PACKET_FANOUT setsockopt system calls
     (bnc#1027189).
   - CVE-2017-6347: The ip_cmsg_recv_checksum function in
     net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations
     about skb data layout, which allowed local users to cause a denial of
     service (buffer over-read) or possibly have unspecified other impact via
     crafted system calls, as demonstrated by use of the MSG_MORE flag in
     conjunction with loopback UDP transmission (bnc#1027179).
   - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly
     restrict association peel-off operations during certain wait states,
     which allowed local users to cause a denial of service (invalid unlock
     and double free) via a multithreaded application.  NOTE: this
     vulnerability exists because of an incorrect fix for CVE-2017-5986
     (bnc#1025235).
   - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the
     Linux kernel allowed remote attackers to cause a denial of service
     (infinite loop and soft lockup) via vectors involving a TCP packet with
     the URG flag (bnc#1026722).
   - CVE-2016-2117: The atl2_probe function in
     drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly
     enables scatter/gather I/O, which allowed remote attackers to obtain
     sensitive information from kernel memory by reading packet data
     (bnc#968697).
   - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the
     Linux kernel did not properly validate meta block groups, which allowed
     physically proximate attackers to cause a denial of service
     (out-of-bounds read and system crash) via a crafted ext4 image
     (bnc#1023377).
   - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c
     in the Linux kernel improperly emulates the VMXON instruction, which
     allowed KVM L1 guest OS users to cause a denial of service (host OS
     memory consumption) by leveraging the mishandling of page references
     (bnc#1022785).
   - CVE-2017-2583: The load_segment_descriptor implementation in
     arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a "MOV
     SS, NULL selector" instruction, which allowed guest OS users to cause a
     denial of service (guest OS crash) or gain guest OS privileges via a
     crafted application (bnc#1020602).
   - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local
     users to obtain sensitive information from kernel memory or cause a
     denial of service (use-after-free) via a crafted application that
     leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt
     (bnc#1019851).

   The following non-security bugs were fixed:

   - Fix kABI breakage of musb struct in 4.1.39 (stable 4.1.39).
   - Revert "ptrace: Capture the ptracer's creds not PT_PTRACE_CAP" (stable
     4.1.39).
   - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).
   - ext4: validate s_first_meta_bg at mount time (bsc#1023377).
   - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39
   - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).
   - l2tp: fix lookup for sockets not bound to a device in l2tp_ip
     (bsc#1028415).
   - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
     (bsc#1028415).
   - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
     (bsc#1028415).
   - l2tp: lock socket before checking flags in connect() (bsc#1028415).
   - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bsc#1030118).

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.1:

      zypper in -t patch openSUSE-2017-419=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.1 (i586 x86_64):

      kernel-default-4.1.39-53.1
      kernel-default-base-4.1.39-53.1
      kernel-default-base-debuginfo-4.1.39-53.1
      kernel-default-debuginfo-4.1.39-53.1
      kernel-default-debugsource-4.1.39-53.1
      kernel-default-devel-4.1.39-53.1
      kernel-obs-build-4.1.39-53.1
      kernel-obs-build-debugsource-4.1.39-53.1
      kernel-obs-qa-4.1.39-53.1
      kernel-syms-4.1.39-53.1

   - openSUSE Leap 42.1 (i686 x86_64):

      kernel-debug-4.1.39-53.1
      kernel-debug-base-4.1.39-53.1
      kernel-debug-base-debuginfo-4.1.39-53.1
      kernel-debug-debuginfo-4.1.39-53.1
      kernel-debug-debugsource-4.1.39-53.1
      kernel-debug-devel-4.1.39-53.1
      kernel-debug-devel-debuginfo-4.1.39-53.1
      kernel-ec2-4.1.39-53.1
      kernel-ec2-base-4.1.39-53.1
      kernel-ec2-base-debuginfo-4.1.39-53.1
      kernel-ec2-debuginfo-4.1.39-53.1
      kernel-ec2-debugsource-4.1.39-53.1
      kernel-ec2-devel-4.1.39-53.1
      kernel-pv-4.1.39-53.1
      kernel-pv-base-4.1.39-53.1
      kernel-pv-base-debuginfo-4.1.39-53.1
      kernel-pv-debuginfo-4.1.39-53.1
      kernel-pv-debugsource-4.1.39-53.1
      kernel-pv-devel-4.1.39-53.1
      kernel-vanilla-4.1.39-53.1
      kernel-vanilla-debuginfo-4.1.39-53.1
      kernel-vanilla-debugsource-4.1.39-53.1
      kernel-vanilla-devel-4.1.39-53.1
      kernel-xen-4.1.39-53.1
      kernel-xen-base-4.1.39-53.1
      kernel-xen-base-debuginfo-4.1.39-53.1
      kernel-xen-debuginfo-4.1.39-53.1
      kernel-xen-debugsource-4.1.39-53.1
      kernel-xen-devel-4.1.39-53.1

   - openSUSE Leap 42.1 (noarch):

      kernel-devel-4.1.39-53.1
      kernel-docs-4.1.39-53.2
      kernel-docs-html-4.1.39-53.2
      kernel-docs-pdf-4.1.39-53.2
      kernel-macros-4.1.39-53.1
      kernel-source-4.1.39-53.1
      kernel-source-vanilla-4.1.39-53.1

   - openSUSE Leap 42.1 (i686):

      kernel-pae-4.1.39-53.1
      kernel-pae-base-4.1.39-53.1
      kernel-pae-base-debuginfo-4.1.39-53.1
      kernel-pae-debuginfo-4.1.39-53.1
      kernel-pae-debugsource-4.1.39-53.1
      kernel-pae-devel-4.1.39-53.1

References:

   https://www.suse.com/security/cve/CVE-2016-10200.html
   https://www.suse.com/security/cve/CVE-2016-10208.html
   https://www.suse.com/security/cve/CVE-2016-2117.html
   https://www.suse.com/security/cve/CVE-2017-2583.html
   https://www.suse.com/security/cve/CVE-2017-2584.html
   https://www.suse.com/security/cve/CVE-2017-2596.html
   https://www.suse.com/security/cve/CVE-2017-2636.html
   https://www.suse.com/security/cve/CVE-2017-5669.html
   https://www.suse.com/security/cve/CVE-2017-6214.html
   https://www.suse.com/security/cve/CVE-2017-6345.html
   https://www.suse.com/security/cve/CVE-2017-6346.html
   https://www.suse.com/security/cve/CVE-2017-6347.html
   https://www.suse.com/security/cve/CVE-2017-6348.html
   https://www.suse.com/security/cve/CVE-2017-6353.html
   https://www.suse.com/security/cve/CVE-2017-7184.html
   https://bugzilla.suse.com/1019851
   https://bugzilla.suse.com/1020602
   https://bugzilla.suse.com/1022785
   https://bugzilla.suse.com/1023377
   https://bugzilla.suse.com/1025235
   https://bugzilla.suse.com/1026722
   https://bugzilla.suse.com/1026914
   https://bugzilla.suse.com/1027066
   https://bugzilla.suse.com/1027178
   https://bugzilla.suse.com/1027179
   https://bugzilla.suse.com/1027189
   https://bugzilla.suse.com/1027190
   https://bugzilla.suse.com/1027565
   https://bugzilla.suse.com/1028415
   https://bugzilla.suse.com/1029986
   https://bugzilla.suse.com/1030118
   https://bugzilla.suse.com/1030573
   https://bugzilla.suse.com/968697

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

[security-announce] openSUSE-SU-2017:0906-1: important: Security update for the Linux Kernel

opensuse-security＠opensuse.org