http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1

SUSE-SU-2016:1690

SUSE-SU-2016:1696

SUSE-SU-2016:1937

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.0.2

[oss-security] 20150417 USERNS allows circumventing MNT_LOCKED

74226

[containers] 20150402 [PATCH review 0/19] Locked mount and loopback mount fixes

https://bugzilla.redhat.com/show_bug.cgi?id=1226751

https://github.com/torvalds/linux/commit/ce07d891a0891d3c0d0c2d73d577490486b809e1

[linux-kernel] 20141007 [PATCH] mnt: don't allow to detach the namespace root

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):The uas driver in the     Linux kernel before 4.13.6 allows local users to cause     a denial of service (out-of-bounds read and system     crash), or possibly have unspecified other impacts via     a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530)The     implementation of big key management in     security/keys/big_key.c in the Linux kernel before     4.8.7 mishandles unsuccessful crypto registration in     conjunction with successful key-type registration,     which allows local users to cause a denial of service     (NULL pointer dereference and panic) or possibly have     unspecified other impact via a crafted application that     uses the big_key data type.(CVE-2016-9313)The Linux     kernel allows remote attackers to execute arbitrary     code via UDP traffic that triggers an unsafe second     checksum calculation during execution of a recv system     call with the MSG_PEEK flag. This may create a kernel     panic or memory corruption leading to privilege     escalation.(CVE-2016-10229)Buffer overflow in the     exitcode_proc_write function in     arch/um/kernel/exitcode.c in the Linux kernel before     3.12 allows local users to cause a denial of service or     possibly have unspecified other impact by leveraging     root privileges for a write operation.(CVE-2013-4512)It     was found that unsharing a mount namespace could allow     a user to see data beneath their restricted     namespace.(CVE-2014-9717)A divide-by-zero flaw was     discovered in the Linux kernel built with KVM     virtualization support(CONFIG_KVM). The flaw occurs in     the KVM module's Programmable Interval Timer(PIT)     emulation, when PIT counters for channel 1 or 2 are set     to zero(0) and a privileged user inside the guest     attempts to read these counters. A privileged guest     user with access to PIT I/O ports could exploit this     issue to crash the host kernel (denial of     service).(CVE-2015-7513)The ims_pcu_parse_cdc_data     function in drivers/input/misc/ims-pcu.c in the Linux     kernel before 4.5.1 allows physically proximate     attackers to cause a denial of service (system crash)     via a USB device without both a master and a slave     interface.(CVE-2016-3689)Stack-based buffer overflow in     the brcmf_cfg80211_start_ap() function in     'driverset/wireless/broadcom/brcm80211/brcmfmac/cfg8021     1.c' in the Linux kernel before 4.7.5 allows local     users to cause a denial of service (system crash) or     possibly have unspecified other impact via a long SSID     Information Element in a command to a Netlink     socket.(CVE-2016-8658)drivers/hid/hid-sony.c in the     Human Interface Device (HID) subsystem in the Linux     kernel through 3.11, when CONFIG_HID_SONY is enabled,     allows physically proximate attackers to cause a denial     of service (heap-based out-of-bounds write) via a     crafted device.(CVE-2013-2890)An issue where a provided     address with access_ok() is not checked was discovered     in i915_gem_execbuffer2_ioctl in     drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux     kernel through 4.19.13. A local attacker can craft a     malicious IOCTL function call to overwrite arbitrary     kernel memory, resulting in a Denial of Service or     privilege escalation.(CVE-2018-20669)It was found that     the permission checks performed by the Linux kernel     when a netlink message was received were not     sufficient. A local, unprivileged user could     potentially bypass these restrictions by passing a     netlink socket as stdout or stderr to a more privileged     process and altering the output of this     process.(CVE-2014-0181)An issue was discovered in the     XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the     Linux kernel. A NULL pointer dereference may occur for     a corrupted xfs image after xfs_da_shrink_inode() is     called with a NULL bp. This can lead to a system crash     and a denial of service.(CVE-2018-13094)The     irda_setsockopt function in net/irda/af_irda.c in the     Linux kernel, through 4.16, allows local users to cause     a denial of service (due to a use-after-free of the     ias_object and a system crash) or possibly have     unspecified other impact by leveraging an AF_IRDA     socket.(CVE-2018-6555)The x86/fpu (Floating Point Unit)     subsystem in the Linux kernel, when a processor     supports the xsave feature but not the xsaves feature,     does not correctly handle attempts to set reserved bits     in the xstate header via the ptrace() or rt_sigreturn()     system call. This allows local users to read the FPU     registers of other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)The     fst_get_iface function in driverset/wan/farsync.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444)In the Linux     kernel, through 4.15.4, the floppy driver reveals the     addresses of kernel functions and global variables     using printk calls within the function show_floppy in     drivers/block/floppy.c. An attacker can read this     information from dmesg and use the addresses to find     the locations of kernel code and data and bypass kernel     security protections such as KASLR.(CVE-2018-7273)A     flaw in 'arch/arm64/kernel/sys.c' in the Linux kernel     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table and, consequently, gain privileges by     leveraging write access.(CVE-2015-8967)The Linux kernel     before 3.11 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     properly consider user-space access to the TPIDRURW     register, which allows local users to gain privileges     via a crafted application, aka Android internal bug     28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)A NULL pointer dereference     security flaw was found in the Linux kernel in the     vcpu_scan_ioapic() function in arch/x86/kvm/x86.c. This     allows local users with certain privileges to cause a     denial of service via a crafted system call to the KVM     subsystem.(CVE-2018-19407)It was found that current     implementation of kl5kusb105 driver failed to detect     short transfers when attempting to read the line state     and logged the content of the uninitialized heap     transfer buffer.(CVE-2017-5549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.59 to receive various security and bugfixes.

Main feature additions :

  - Improved support for Clustered File System (CephFS,     fate#318586).

  - Addition of kGraft patches now produces logging messages     to simplify auditing (fate#317827).

The following security bugs were fixed :

  - CVE-2016-1583: Prevent the usage of mmap when the lower     file system does not allow it. This could have lead to     local privilege escalation when ecryptfs-utils was     installed and /sbin/mount.ecryptfs_private was setuid     (bsc#983143).

  - CVE-2014-9717: fs/namespace.c in the Linux kernel     processes MNT_DETACH umount2 system calls without     verifying that the MNT_LOCKED flag is unset, which     allowed local users to bypass intended access     restrictions and navigate to filesystem locations     beneath a mount by calling umount2 within a user     namespace (bnc#928547).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bsc#970948).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126 971793).

  - CVE-2016-3136: The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device without two interrupt-in     endpoint descriptors (bnc#970955).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911 970970).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-3689: The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) via a USB device without both a     master and a slave interface (bnc#971628).

  - CVE-2016-3951: Double free vulnerability in     drivers/net/usb/cdc_ncm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact by inserting a USB device with an invalid     USB descriptor (bnc#974418).

  - CVE-2016-4482: Fixed information leak in devio     (bnc#978401).

  - CVE-2016-4486: Fixed information leak in rtnetlink (     bsc#978822).

  - CVE-2016-4569: Fixed information leak in events via     snd_timer_user_tinterrupt (bsc#979213).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 kernel was updated to 3.12.60 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2014-9717: fs/namespace.c in the Linux kernel     processes MNT_DETACH umount2 system called without     verifying that the MNT_LOCKED flag is unset, which     allowed local users to bypass intended access     restrictions and navigate to filesystem locations     beneath a mount by calling umount2 within a user     namespace (bnc#928547).

  - CVE-2015-8816: The hub_activate function in     drivers/usb/core/hub.c in the Linux kernel did not     properly maintain a hub-interface data structure, which     allowed physically proximate attackers to cause a denial     of service (invalid memory access and system crash) or     possibly have unspecified other impact by unplugging a     USB hub device (bnc#968010).

  - CVE-2015-8845: The tm_reclaim_thread function in     arch/powerpc/kernel/process.c in the Linux kernel on     powerpc platforms did not ensure that TM suspend mode     exists before proceeding with a tm_reclaim call, which     allowed local users to cause a denial of service (TM Bad     Thing exception and panic) via a crafted application     (bnc#975533).

  - CVE-2016-0758: Fix ASN.1 indefinite length object     parsing (bsc#979867).

  - CVE-2016-2053: The asn1_ber_decoder function in     lib/asn1_decoder.c in the Linux kernel allowed attackers     to cause a denial of service (panic) via an ASN.1 BER     file that lacks a public key, leading to mishandling by     the public_key_verify_signature function in     crypto/asymmetric_keys/public_key.c (bnc#963762).

  - CVE-2016-2143: The fork implementation in the Linux     kernel on s390 platforms mishandled the case of four     page-table levels, which allowed local users to cause a     denial of service (system crash) or possibly have     unspecified other impact via a crafted application,     related to arch/s390/include/asm/mmu_context.h and     arch/s390/include/asm/pgalloc.h. (bnc#970504)

  - CVE-2016-2184: The create_fixed_stream_quirk function in     sound/usb/quirks.c in the snd-usb-audio driver in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference or     double free, and system crash) via a crafted endpoints     value in a USB device descriptor (bnc#971125).

  - CVE-2016-2185: The ati_remote2_probe function in     drivers/input/misc/ati_remote2.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#971124).

  - CVE-2016-2186: The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970958).

  - CVE-2016-2188: The iowarrior_probe function in     drivers/usb/misc/iowarrior.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted endpoints value in a USB device descriptor     (bnc#970956).

  - CVE-2016-2782: The treo_attach function in     drivers/usb/serial/visor.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact by inserting a     USB device that lacks a (1) bulk-in or (2) interrupt-in     endpoint (bnc#968670).

  - CVE-2016-2847: fs/pipe.c in the Linux kernel did not     limit the amount of unread data in pipes, which allowed     local users to cause a denial of service (memory     consumption) by creating many pipes with non-default     sizes (bnc#970948).

  - CVE-2016-3134: The netfilter subsystem in the Linux     kernel did not validate certain offset fields, which     allowed local users to gain privileges or cause a denial     of service (heap memory corruption) via an     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

  - CVE-2016-3136: The mct_u232_msr_to_state function in     drivers/usb/serial/mct_u232.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted USB device without two interrupt-in     endpoint descriptors (bnc#970955).

  - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the     Linux kernel allowed physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a USB device without both an     interrupt-in and an interrupt-out endpoint descriptor,     related to the cypress_generic_port_probe and     cypress_open functions (bnc#970970).

  - CVE-2016-3138: The acm_probe function in     drivers/usb/class/cdc-acm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (NULL pointer dereference and system crash) via     a USB device without both a control and a data endpoint     descriptor (bnc#970911).

  - CVE-2016-3139: The wacom_probe function in     drivers/input/tablet/wacom_sys.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970909).

  - CVE-2016-3140: The digi_port_init function in     drivers/usb/serial/digi_acceleport.c in the Linux kernel     allowed physically proximate attackers to cause a denial     of service (NULL pointer dereference and system crash)     via a crafted endpoints value in a USB device descriptor     (bnc#970892).

  - CVE-2016-3156: The IPv4 implementation in the Linux     kernel mishandled destruction of device objects, which     allowed guest OS users to cause a denial of service     (host OS networking outage) by arranging for a large     number of IP addresses (bnc#971360).

  - CVE-2016-3672: The arch_pick_mmap_layout function in     arch/x86/mm/mmap.c in the Linux kernel did not properly     randomize the legacy base address, which made it easier     for local users to defeat the intended restrictions on     the ADDR_NO_RANDOMIZE flag, and bypass the ASLR     protection mechanism for a setuid or setgid program, by     disabling stack-consumption resource limits     (bnc#974308).

  - CVE-2016-3689: The ims_pcu_parse_cdc_data function in     drivers/input/misc/ims-pcu.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) via a USB device without both a     master and a slave interface (bnc#971628).

  - CVE-2016-3951: Double free vulnerability in     drivers/net/usb/cdc_ncm.c in the Linux kernel allowed     physically proximate attackers to cause a denial of     service (system crash) or possibly have unspecified     other impact by inserting a USB device with an invalid     USB descriptor (bnc#974418).

  - CVE-2016-4482: The proc_connectinfo function in     drivers/usb/core/devio.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via a crafted USBDEVFS_CONNECTINFO ioctl call     (bnc#978401).

  - CVE-2016-4486: The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory by reading a Netlink message (bnc#978822).

  - CVE-2016-4565: The InfiniBand (aka IB) stack in the     Linux kernel incorrectly relied on the write system     call, which allowed local users to cause a denial of     service (kernel memory write operation) or possibly have     unspecified other impact via a uAPI interface     (bnc#979548).

  - CVE-2016-4569: The snd_timer_user_params function in     sound/core/timer.c in the Linux kernel did not     initialize a certain data structure, which allowed local     users to obtain sensitive information from kernel stack     memory via crafted use of the ALSA timer interface     (bnc#979213).

  - CVE-2016-4578: sound/core/timer.c in the Linux kernel     did not initialize certain r1 data structures, which     allowed local users to obtain sensitive information from     kernel stack memory via crafted use of the ALSA timer     interface, related to the (1) snd_timer_user_ccallback     and (2) snd_timer_user_tinterrupt functions     (bnc#979879).

  - CVE-2016-4805: Use-after-free vulnerability in     drivers/net/ppp/ppp_generic.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption and system crash, or spinlock) or possibly     have unspecified other impact by removing a network     namespace, related to the ppp_register_net_channel and     ppp_unregister_channel functions (bnc#980371).

  - CVE-2016-5244: Fixed an infoleak in rds_inc_info_copy     (bsc#983213).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124826	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1503)	Nessus	Huawei Local Security Checks	critical
93168	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1696-1)	Nessus	SuSE Local Security Checks	high
93165	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1690-1)	Nessus	SuSE Local Security Checks	high
92007	openSUSE Security Update : the Linux Kernel (openSUSE-2016-862)	Nessus	SuSE Local Security Checks	high

CVE-2014-9717

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

high