[security-announce] SUSE-SU-2017:2694-1: important: Security update for the Linux Kernel

10 Oct 2017

      SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2694-1
Rating:             important
References:         #1013018 #1024450 #1031358 #1036629 #1037441 
                    #1037667 #1037669 #1037994 #1039803 #1040609 
                    #1042863 #1045154 #1047523 #1050381 #1050431 
                    #1051932 #1052311 #1052370 #1053148 #1053152 
                    #1053802 #1053933 #1054070 #1054076 #1054093 
                    #1054247 #1054706 #1055680 #1056588 #1057179 
                    #1057389 #1058524 #984530 
Cross-References:   CVE-2017-1000112 CVE-2017-1000251 CVE-2017-10661
                    CVE-2017-12762 CVE-2017-14051 CVE-2017-14140
                    CVE-2017-14340 CVE-2017-8831
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 8 vulnerabilities and has 25 fixes is
   now available.

Description:

   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2017-1000251: The native Bluetooth stack was vulnerable to a stack
     overflow vulnerability in the processing of L2CAP configuration
      responses resulting in remote code execution in kernel space
      (bnc#1057389).
   - CVE-2017-14340: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h
     did not verify that a filesystem has a realtime device, which allowed
     local users to cause a denial of service (NULL pointer dereference and
     OOPS) via vectors related to setting an RHINHERIT flag on a directory
     (bnc#1058524).
   - CVE-2017-14140: The move_pages system call in mm/migrate.c did not check
     the effective uid of the target process, enabling a local attacker to
     learn the memory layout of a setuid executable despite ASLR
     (bnc#1057179).
   - CVE-2017-14051: An integer overflow in the
     qla2x00_sysfs_write_optrom_ctl function in
     drivers/scsi/qla2xxx/qla_attr.c allowed local users to cause a denial of
     service (memory corruption and system crash) by leveraging root access
     (bnc#1056588).
   - CVE-2017-10661: Race condition in fs/timerfd.c allowed local users to
     gain privileges or cause a denial of service (list corruption or
     use-after-free) via simultaneous file-descriptor operations that
     leverage improper might_cancel queueing (bnc#1053152).
   - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c a user-controlled buffer
     was copied into a local buffer of constant size using strcpy without a
     length check which can cause a buffer overflow (bnc#1053148).
   - CVE-2017-8831: The saa7164_bus_get function allowed local users to cause
     a denial of service (out-of-bounds array access) or possibly have
     unspecified
     other impact by changing a certain sequence-number value, aka a "double
      fetch" vulnerability (bnc#1037994).
   - CVE-2017-1000112: Prevent race condition in net-packet code that could
     have been exploited by unprivileged users to gain root
     access.(bnc#1052311).

   The following non-security bugs were fixed:

   - ALSA: Fix Lewisburg audio issue
   - Drop commit 96234ae:kvm_io_bus_unregister_dev() should never fail
     (bsc#1055680)
   - Fixup build warnings in drivers/scsi/scsi.c (bsc#1031358)
   - NFS: Cache aggressively when file is open for writing (bsc#1053933).
   - NFS: Do drop directory dentry when error clearly requires it
     (bsc#1051932).
   - NFS: Do not flush caches for a getattr that races with writeback
     (bsc#1053933).
   - NFS: Optimize fallocate by refreshing mapping when needed (bsc#1053933).
   - NFS: invalidate file size when taking a lock (bsc#1053933).
   - PCI: fix hotplug related issues (bnc#1054247).
   - af_key: do not use GFP_KERNEL in atomic contexts (bsc#1054093).
   - avoid deadlock in xenbus (bnc#1047523).
   - blacklist 9754d45e9970 tpm: read burstcount from TPM_STS in one 32-bit
     transaction
   - blkback/blktap: do not leak stack data via response ring (bsc#1042863
     XSA-216).
   - cx231xx-audio: fix NULL-deref at probe (bsc#1050431).
   - cx82310_eth: use skb_cow_head() to deal with cloned skbs (bsc#1045154).
   - fuse: do not use iocb after it may have been freed (bsc#1054706).
   - fuse: fix fuse_write_end() if zero bytes were copied (bsc#1054706).
   - fuse: fsync() did not return IO errors (bsc#1054076).
   - fuse: fuse_flush must check mapping->flags for errors (bsc#1054706).
   - gspca: konica: add missing endpoint sanity check (bsc#1050431).
   - kabi/severities: Ignore zpci symbol changes (bsc#1054247)
   - lib/mpi: mpi_read_raw_data(): fix nbits calculation
   - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
     ioctl (bsc#1050431).
   - net: Fix RCU splat in af_key (bsc#1054093).
   - powerpc/fadump: add reschedule point while releasing memory (bsc#1040609
     bsc#1024450).
   - powerpc/fadump: avoid duplicates in crash memory ranges (bsc#1037669
     bsc#1037667).
   - powerpc/fadump: provide a helpful error message (bsc#1037669
     bsc#1037667).
   - powerpc/prom: Increase minimum RMA size to 512MB (bsc#984530,
     bsc#1052370).
   - powerpc/slb: Force a full SLB flush when we insert for a bad EA
     (bsc#1054070).
   - reiserfs: fix race in readdir (bsc#1039803).
   - s390/pci: do not cleanup in arch_setup_msi_irqs (bnc#1054247).
   - s390/pci: fix handling of PEC 306 (bnc#1054247).
   - s390/pci: improve error handling during fmb (de)registration
     (bnc#1054247).
   - s390/pci: improve error handling during interrupt deregistration
     (bnc#1054247).
   - s390/pci: improve pci hotplug (bnc#1054247).
   - s390/pci: improve unreg_ioat error handling (bnc#1054247).
   - s390/pci: introduce clp_get_state (bnc#1054247).
   - s390/pci: provide more debug information (bnc#1054247).
   - scsi: avoid system stall due to host_busy race (bsc#1031358).
   - scsi: close race when updating blocked counters (bsc#1031358).
   - ser_gigaset: return -ENOMEM on error instead of success (bsc#1037441).
   - supported.conf: clear mistaken external support flag for cifs.ko
     (bsc#1053802).
   - tpm: fix a kernel memory leak in tpm-sysfs.c (bsc#1050381).
   - uwb: fix device quirk on big-endian hosts (bsc#1036629).
   - xfs: fix inobt inode allocation search optimization (bsc#1013018).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-linux-kernel-rt-13307=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-linux-kernel-rt-13307=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-69.8.1
      kernel-rt-base-3.0.101.rt130-69.8.1
      kernel-rt-devel-3.0.101.rt130-69.8.1
      kernel-rt_trace-3.0.101.rt130-69.8.1
      kernel-rt_trace-base-3.0.101.rt130-69.8.1
      kernel-rt_trace-devel-3.0.101.rt130-69.8.1
      kernel-source-rt-3.0.101.rt130-69.8.1
      kernel-syms-rt-3.0.101.rt130-69.8.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-69.8.1
      kernel-rt-debugsource-3.0.101.rt130-69.8.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-69.8.1
      kernel-rt_debug-debugsource-3.0.101.rt130-69.8.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-69.8.1
      kernel-rt_trace-debugsource-3.0.101.rt130-69.8.1

References:

   https://www.suse.com/security/cve/CVE-2017-1000112.html
   https://www.suse.com/security/cve/CVE-2017-1000251.html
   https://www.suse.com/security/cve/CVE-2017-10661.html
   https://www.suse.com/security/cve/CVE-2017-12762.html
   https://www.suse.com/security/cve/CVE-2017-14051.html
   https://www.suse.com/security/cve/CVE-2017-14140.html
   https://www.suse.com/security/cve/CVE-2017-14340.html
   https://www.suse.com/security/cve/CVE-2017-8831.html
   https://bugzilla.suse.com/1013018
   https://bugzilla.suse.com/1024450
   https://bugzilla.suse.com/1031358
   https://bugzilla.suse.com/1036629
   https://bugzilla.suse.com/1037441
   https://bugzilla.suse.com/1037667
   https://bugzilla.suse.com/1037669
   https://bugzilla.suse.com/1037994
   https://bugzilla.suse.com/1039803
   https://bugzilla.suse.com/1040609
   https://bugzilla.suse.com/1042863
   https://bugzilla.suse.com/1045154
   https://bugzilla.suse.com/1047523
   https://bugzilla.suse.com/1050381
   https://bugzilla.suse.com/1050431
   https://bugzilla.suse.com/1051932
   https://bugzilla.suse.com/1052311
   https://bugzilla.suse.com/1052370
   https://bugzilla.suse.com/1053148
   https://bugzilla.suse.com/1053152
   https://bugzilla.suse.com/1053802
   https://bugzilla.suse.com/1053933
   https://bugzilla.suse.com/1054070
   https://bugzilla.suse.com/1054076
   https://bugzilla.suse.com/1054093
   https://bugzilla.suse.com/1054247
   https://bugzilla.suse.com/1054706
   https://bugzilla.suse.com/1055680
   https://bugzilla.suse.com/1056588
   https://bugzilla.suse.com/1057179
   https://bugzilla.suse.com/1057389
   https://bugzilla.suse.com/1058524
   https://bugzilla.suse.com/984530

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

opensuse-security＠opensuse.org

tags

participants (1)