Bug ID 1034330
Summary VUL-0: CVE-2017-7874: kernel-source: does not properly verify the source of a Netlink message
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-7874
====================================================
Description

udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly
verify the source of a Netlink message, which allows local users to execute
arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family,
and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to
provide a crafted REMOVE_CMD value.
====================================================

Hyperlink:

[1]
https://packetstormsecurity.com/files/142152/Linux-Kernel-4.8.0-udev-232-Privilege-Escalation.html

Not sure, If it is applicable to (open-)SUSE, but v.232 can be used in TW
branch. Need to be rechecked.

You are receiving this mail because: