http://marc.info/?l=linux-kernel&m=149086968410117&w=2

DSA-3927

DSA-3945

97257

https://bugzilla.redhat.com/show_bug.cgi?id=1437431

https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An information-leak vulnerability was found in the     kernel when it truncated a file to a smaller size which     consisted of an inline extent that was compressed. The     data between the new file size and the old file size     was not discarded and the number of bytes used by the     inode were not correctly decremented, which gave the     wrong report for callers of the stat(2) syscall. This     wasted metadata space and allowed for the truncated     data to be leaked, and data corruption or loss to     occur. A caller of the clone ioctl could exploit this     flaw by using only standard file-system operations     without root access to read the truncated     data.(CVE-2015-8374)

  - crypto/pcrypt.c in the Linux kernel, before 4.14.13,     mishandles freeing instances, allowing a local user     able to access the AF_ALG-based AEAD interface     (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt     (CONFIG_CRYPTO_PCRYPT) to cause a denial of service     (kfree of an incorrect pointer) or possibly have     unspecified other impact by executing a crafted     sequence of system calls. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-18075)

  - An elevation of privilege vulnerability in the Qualcomm     Wi-Fi driver could enable a local malicious application     to execute arbitrary code within the context of the     kernel. This issue is rated as High because it first     requires compromising a privileged process. Product:
    Android. Versions: N/A. Android ID: A-32835279.
    References: QC-CR#1096945.(CVE-2017-0523)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.10.14 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

  - A flaw was found in the way the Linux kernel's splice()     system call validated its parameters. On certain file     systems, a local, unprivileged user could use this flaw     to write past the maximum file size, and thus crash the     system.(CVE-2014-7822)

  - The vc4_get_bcl function in     drivers/gpu/drm/vc4/vc4_gem.c in the VideoCore DRM     driver in the Linux kernel before 4.9.7 does not set an     errno value upon certain overflow detections allowing     local users to cause a denial of service (incorrect     pointer dereference and OOPS) via inconsistent size     values in a VC4_SUBMIT_CL ioctl call.(CVE-2017-5577)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets     implementation in the Linux kernel networking subsystem     handled synchronization while creating the TPACKET_V3     ring buffer. A local user able to open a raw packet     socket (requires the CAP_NET_RAW capability) could use     this flaw to elevate their privileges on the     system.(CVE-2016-8655)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

  - A security flaw was found in the Linux kernel in a way     that the cleancache subsystem clears an inode after the     final file truncation (removal). The new file created     with the same inode may contain leftover pages from     cleancache and the old file data instead of the new     one.(CVE-2018-16862)

  - arch/arm64/ include /asm/pgtable.h in the Linux kernel     before 3.15-rc5-next-20140519, as used in Android     before 2016-07-05 on Nexus 5X and 6P devices,     mishandles execute-only pages, which allows attackers     to gain privileges via a crafted application, aka     Android internal bug 28557020.(CVE-2014-9803)

  - A heap-buffer overflow vulnerability was found in the     arcmsr_iop_message_xfer() function in     'drivers/scsi/arcmsr/arcmsr_hba.c' file in the Linux     kernel through 4.8.2. The function does not restrict a     certain length field, which allows local users to gain     privileges or cause a denial of service via an     ARCMSR_MESSAGE_WRITE_WQBUFFER control code. This can     potentially cause kernel heap corruption and arbitrary     kernel code execution.(CVE-2016-7425)

  - An issue was discovered in the Linux kernel before     4.18.11. The ipddp_ioctl function in     drivers/net/appletalk/ipddp.c allows local users to     obtain sensitive kernel address information by     leveraging CAP_NET_ADMIN to read the ipddp_route dev     and next fields via an SIOCFINDIPDDPRT ioctl     call.(CVE-2018-20511)

  - A memory leak in the irda_bind function in     net/irda/af_irda.c in the Linux kernel, through 4.16,     allows local users to cause a denial of service due to     a memory consumption by repeatedly binding an AF_IRDA     socket.(CVE-2018-6554)

  - sound/core/timer.c in the Linux kernel before 4.4.1     employs a locking approach that does not consider slave     timer instances, which allows local users to cause a     denial of service (race condition, use-after-free, and     system crash) via a crafted ioctl call.(CVE-2016-2547)

  - Buffer overflow in the complete_emulated_mmio function     in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6     allows guest OS users to execute arbitrary code on the     host OS by leveraging a loop that triggers an invalid     memory copy affecting certain cancel_work_item     data.(CVE-2014-0049)

  - An issue was discovered in the F2FS filesystem code in     the Linux kernel in fs/f2fs/inode.c. A denial of     service due to a slab out-of-bounds read can occur for     a crafted f2fs filesystem image in which FI_EXTRA_ATTR     is set in an inode.(CVE-2018-13098)

  - A vulnerability was found in the Linux kernel where     having malicious IP options present would cause the     ipv4_pktinfo_prepare() function to drop/free the dst.
    This could result in a system crash or possible     privilege escalation.(CVE-2017-5970)

  - In the Linux kernel's vmw_gb_surface_define_ioctl()     function, in 'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c'     file, a 'req->mip_levels' is a user-controlled value     which is later used as a loop count limit. This allows     local unprivileged user to cause a denial of service by     a kernel lockup via a crafted ioctl call for a     '/dev/dri/renderD*' device.(CVE-2017-7346)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft-lockup the     system and thus cause denial of service.(CVE-2017-8797)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the linux package has been released.

An update of [krb5,linux] packages for PhotonOS has been released.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2014-9940     A use-after-free flaw in the voltage and current     regulator driver could allow a local user to cause a     denial of service or potentially escalate privileges.

  - CVE-2017-7346     Li Qiang discovered that the DRM driver for VMware     virtual GPUs does not properly check user-controlled     values in the vmw_surface_define_ioctl() functions for     upper limits. A local user can take advantage of this     flaw to cause a denial of service.

  - CVE-2017-7482     Shi Lei discovered that RxRPC Kerberos 5 ticket handling     code does not properly verify metadata, leading to     information disclosure, denial of service or potentially     execution of arbitrary code.

  - CVE-2017-7533     Fan Wu and Shixiong Zhao discovered a race condition     between inotify events and VFS rename operations     allowing an unprivileged local attacker to cause a     denial of service or escalate privileges.

  - CVE-2017-7541     A buffer overflow flaw in the Broadcom IEEE802.11n PCIe     SoftMAC WLAN driver could allow a local user to cause     kernel memory corruption, leading to a denial of service     or potentially privilege escalation.

  - CVE-2017-7542     An integer overflow vulnerability in the     ip6_find_1stfragopt() function was found allowing a     local attacker with privileges to open raw sockets to     cause a denial of service.

  - CVE-2017-7889     Tommi Rantala and Brad Spengler reported that the mm     subsystem does not properly enforce the     CONFIG_STRICT_DEVMEM protection mechanism, allowing a     local attacker with access to /dev/mem to obtain     sensitive information or potentially execute arbitrary     code.

  - CVE-2017-9605     Murray McAllister discovered that the DRM driver for     VMware virtual GPUs does not properly initialize memory,     potentially allowing a local attacker to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.

  - CVE-2017-10911     / XSA-216

  Anthony Perard of Citrix discovered an information leak flaw in Xen   blkif response handling, allowing a malicious unprivileged guest to   obtain sensitive information from the host or other guests.

  - CVE-2017-11176     It was discovered that the mq_notify() function does not     set the sock pointer to NULL upon entry into the retry     logic. An attacker can take advantage of this flaw     during a userspace close of a Netlink socket to cause a     denial of service or potentially cause other impact.

  - CVE-2017-1000363     Roee Hay reported that the lp driver does not properly     bounds-check passed arguments, allowing a local attacker     with write access to the kernel command line arguments     to execute arbitrary code.

  - CVE-2017-1000365     It was discovered that argument and environment pointers     are not taken properly into account to the imposed size     restrictions on arguments and environmental strings     passed through RLIMIT_STACK/RLIMIT_INFINITY. A local     attacker can take advantage of this flaw in conjunction     with other flaws to execute arbitrary code.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2017-7346     Li Qiang discovered that the DRM driver for VMware     virtual GPUs does not properly check user-controlled     values in the vmw_surface_define_ioctl() functions for     upper limits. A local user can take advantage of this     flaw to cause a denial of service.

  - CVE-2017-7482     Shi Lei discovered that RxRPC Kerberos 5 ticket handling     code does not properly verify metadata, leading to     information disclosure, denial of service or potentially     execution of arbitrary code.

  - CVE-2017-7533     Fan Wu and Shixiong Zhao discovered a race condition     between inotify events and VFS rename operations     allowing an unprivileged local attacker to cause a     denial of service or escalate privileges.

  - CVE-2017-7541     A buffer overflow flaw in the Broadcom IEEE802.11n PCIe     SoftMAC WLAN driver could allow a local user to cause     kernel memory corruption, leading to a denial of service     or potentially privilege escalation.

  - CVE-2017-7542     An integer overflow vulnerability in the     ip6_find_1stfragopt() function was found allowing a     local attacker with privileges to open raw sockets to     cause a denial of service.

  - CVE-2017-9605     Murray McAllister discovered that the DRM driver for     VMware virtual GPUs does not properly initialize memory,     potentially allowing a local attacker to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.

  - CVE-2017-10810     Li Qiang discovered a memory leak flaw within the VirtIO     GPU driver resulting in denial of service (memory     consumption).

  - CVE-2017-10911 / XSA-216     Anthony Perard of Citrix discovered an information leak     flaw in Xen blkif response handling, allowing a     malicious unprivileged guest to obtain sensitive     information from the host or other guests.

  - CVE-2017-11176     It was discovered that the mq_notify() function does not     set the sock pointer to NULL upon entry into the retry     logic. An attacker can take advantage of this flaw     during a user-space close of a Netlink socket to cause a     denial of service or potentially cause other impact.

  - CVE-2017-1000365     It was discovered that argument and environment pointers     are not taken properly into account to the imposed size     restrictions on arguments and environmental strings     passed through RLIMIT_STACK/RLIMIT_INFINITY. A local     attacker can take advantage of this flaw in conjunction     with other flaws to execute arbitrary code.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3364-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

It was discovered that the Linux kernel did not properly restrict access to /proc/iomem. A local attacker could use this to expose sensitive information. (CVE-2015-8944)

It was discovered that a use-after-free vulnerability existed in the performance events and counters subsystem of the Linux kernel for ARM64. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2015-8955)

It was discovered that the SCSI generic (sg) driver in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-8962)

Sasha Levin discovered that a race condition existed in the performance events and counters subsystem of the Linux kernel when handling CPU unplug events. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8963)

Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the TTY implementation in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).
(CVE-2015-8964)

It was discovered that the fcntl64() system call in the Linux kernel did not properly set memory limits when returning on 32-bit ARM processors. A local attacker could use this to gain administrative privileges. (CVE-2015-8966)

It was discovered that the system call table for ARM 64-bit processors in the Linux kernel was not write-protected. An attacker could use this in conjunction with another kernel vulnerability to execute arbitrary code. (CVE-2015-8967)

It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
(CVE-2016-10088)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Linux kernel did not properly initialize a Wake- on-Lan data structure. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2014-9900)

Dmitry Vyukov, Andrey Konovalov, Florian Westphal, and Eric Dumazet discovered that the netfiler subsystem in the Linux kernel mishandled IPv6 packet reassembly. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2016-9755)

Alexander Potapenko discovered a race condition in the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-1000380)

It was discovered that the Linux kernel did not clear the setgid bit during a setxattr call on a tmpfs filesystem. A local attacker could use this to gain elevated group privileges. (CVE-2017-5551)

Murray McAllister discovered that an integer overflow existed in the VideoCore DRM driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-5576)

Li Qiang discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly validate some ioctl arguments. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-7346)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly check for the end of buffer. A remote attacker could use this to craft requests that cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7895)

It was discovered that an integer underflow existed in the Edgeport USB Serial Converter device driver of the Linux kernel. An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-8924)

It was discovered that the USB ZyXEL omni.net LCD PLUS driver in the Linux kernel did not properly perform reference counting. A local attacker could use this to cause a denial of service (tty exhaustion).
(CVE-2017-8925)

Jann Horn discovered that bpf in Linux kernel does not restrict the output of the print_bpf_insn function. A local attacker could use this to obtain sensitive address information. (CVE-2017-9150)

Murray McAllister discovered that the DRM driver for VMware Virtual GPUs in the Linux kernel did not properly initialize memory. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-9605).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-1000365: The Linux Kernel imposes a size     restriction on the arguments and environmental strings     passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the     size), but did not take the argument and environment     pointers into account, which allowed attackers to bypass     this limitation. (bnc#1039354).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     is vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

  - CVE-2017-7346: The vmw_gb_surface_define_ioctl function     in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate certain levels data, which     allowed local users to cause a denial of service (system     hang) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031796).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

  - CVE-2017-9076: The dccp_v6_request_recv_sock function in     net/dccp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039885).

  - CVE-2017-9077: The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1040069).

  - CVE-2017-9075: The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandled     inheritance, which allowed local users to cause a denial     of service or possibly have unspecified other impact via     crafted system calls, a related issue to CVE-2017-8890     (bnc#1039883).

  - CVE-2017-9074: The IPv6 fragmentation implementation in     the Linux kernel did not consider that the nexthdr field     may be associated with an invalid option, which allowed     local users to cause a denial of service (out-of-bounds     read and BUG) or possibly have unspecified other impact     via crafted socket and send system calls (bnc#1039882).

  - CVE-2017-8924: The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allowed     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an io_ti     USB serial device) to trigger an integer underflow.
    (bsc#1038982)

  - CVE-2017-8925: The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel allowed     local users to cause a denial of service (tty     exhaustion) by leveraging reference count mishandling.
    (bsc#1038981)

  - CVE-2017-7487: The ipxitf_ioctl function in     net/ipx/af_ipx.c in the Linux kernel mishandled     reference counts, which allowed local users to cause a     denial of service (use-after-free) or possibly have     unspecified other impact via a failed SIOCGIFADDR ioctl     call for an IPX interface (bnc#1038879).

  - CVE-2017-8890: The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allowed attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call (bnc#1038544).

  - CVE-2017-9150: The do_check function in     kernel/bpf/verifier.c in the Linux kernel did not make     the allow_ptr_leaks value available for restricting the     output of the print_bpf_insn function, which allowed     local users to obtain sensitive address information via     crafted bpf system calls (bnc#1040279).

  - CVE-2017-7618: crypto/ahash.c in the Linux kernel     allowed attackers to cause a denial of service (API     operation calling its own callback, and infinite     recursion) by triggering EBUSY on a full queue     (bnc#1033340).

  - CVE-2017-7616: Incorrect error handling in the     set_mempolicy and mbind compat syscalls in     mm/mempolicy.c in the Linux kernel allowed local users     to obtain sensitive information from uninitialized stack     data by triggering failure of a certain bitmap operation     (bnc#1033336).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 42.2 kernel was updated to 4.4.72 to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2017-1000364: An issue was discovered in the size of     the stack guard page on Linux, specifically a 4k stack     guard page is not sufficiently large and can be 'jumped'     over (the stack guard page is bypassed), this affects     Linux Kernel versions 4.11.5 and earlier (the stackguard     page was introduced in 2010) (bnc#1039348).

  - CVE-2017-1000380: sound/core/timer.c in the Linux kernel     is vulnerable to a data race in the ALSA /dev/snd/timer     driver resulting in local users being able to read     information belonging to other users, i.e.,     uninitialized memory contents may be disclosed when a     read and an ioctl happen at the same time (bnc#1044125).

  - CVE-2017-7346: The vmw_gb_surface_define_ioctl function     in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel did not validate certain levels data, which     allowed local users to cause a denial of service (system     hang) via a crafted ioctl call for a /dev/dri/renderD*     device (bnc#1031796).

  - CVE-2017-9242: The __ip6_append_data function in     net/ipv6/ip6_output.c in the Linux kernel is too late in     checking whether an overwrite of an skb data structure     may occur, which allowed local users to cause a denial     of service (system crash) via crafted system calls     (bnc#1041431).

The following non-security bugs were fixed :

  - ASoC: Intel: Skylake: Uninitialized variable in     probe_codec() (bsc#1043231).

  - IB/core: Fix kernel crash during fail to initialize     device (bsc#1022595 FATE#322350).

  - IB/core: For multicast functions, verify that LIDs are     multicast LIDs (bsc#1022595 FATE#322350).

  - IB/core: If the MGID/MLID pair is not on the list return     an error (bsc#1022595 FATE#322350).

  - IB/ipoib: Fix deadlock between ipoib_stop and mcast join     flow (bsc#1022595 FATE#322350).

  - Make __xfs_xattr_put_listen preperly report errors     (bsc#1041242).

  - NFS: Fix an LOCK/OPEN race when unlinking an open file     (git-fixes).

  - NFSv4: Fix the underestimation of delegation XDR space     reservation (git-fixes).

  - NFSv4: fix a reference leak caused WARNING messages     (git-fixes).

  - PM / QoS: Fix memory leak on resume_latency.notifiers     (bsc#1043231).

  - SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use     (git-fixes).

  - SUNRPC: ensure correct error is reported by     xs_tcp_setup_socket() (git-fixes).

  - Update patches.fixes/xen-silence-efi-error-messge.patch     (bnc#1039900).

  - [media] vb2: Fix an off by one error in     'vb2_plane_vaddr' (bsc#1043231).

  - bcache: fix calling ida_simple_remove() with incorrect     minor (bsc#1038085).

  - bna: add missing per queue ethtool stat (bsc#966321     FATE#320156).

  - bna: integer overflow bug in debugfs (bsc#966321     FATE#320156).

  - bonding: avoid defaulting hard_header_len to ETH_HLEN on     slave removal (bsc#1042286).

  - bonding: do not use stale speed and duplex information     (bsc#1042286).

  - bonding: prevent out of bound accesses (bsc#1042286).

  - brcmfmac: add fallback for devices that do not report     per-chain values (bsc#1043231).

  - brcmfmac: avoid writing channel out of allocated array     (bsc#1043231).

  - ceph: fix potential use-after-free (bsc#1043371).

  - ceph: memory leak in ceph_direct_read_write callback     (bsc#1041810).

  - cfq-iosched: fix the delay of cfq_group's vdisktime     under iops mode (bsc#1012829).

  - cgroup: remove redundant cleanup in css_create     (bsc#1012829).

  - cifs: small underflow in cnvrtDosUnixTm() (bnc#1043935).

  - drm/mgag200: Fix to always set HiPri for G200e4     (bsc#1015452, bsc#995542).

  - drm/nouveau/tmr: fully separate alarm execution/pending     lists (bsc#1043467).

  - efi: Do not issue error message when booted under Xen     (bnc#1036638).

  - ext4: fix data corruption for mmap writes (bsc#1012829).

  - ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO     (bsc#1012829).

  - fuse: fix clearing suid, sgid for chown() (bsc#1012829).

  - ibmvnic: Check adapter state during ibmvnic_poll     (fate#322021, bsc#1040855).

  - ibmvnic: Deactivate RX pool buffer replenishment on     H_CLOSED (fate#322021, bsc#1040855).

  - ibmvnic: Fix cleanup of SKB's on driver close     (fate#322021, bsc#1040855).

  - ibmvnic: Halt TX and report carrier off on H_CLOSED     return code (fate#322021, bsc#1040855).

  - ibmvnic: Handle failover after failed init crq     (fate#322021, bsc#1040855).

  - ibmvnic: Non-fatal error handling (fate#322021,     bsc#1040855).

  - ibmvnic: Reset sub-crqs during driver reset     (fate#322021, bsc#1040855).

  - ibmvnic: Reset the CRQ queue during driver reset     (fate#322021, bsc#1040855).

  - ibmvnic: Reset tx/rx pools on driver reset (fate#322021,     bsc#1040855).

  - ibmvnic: Return failure on attempted mtu change     (bsc#1043236).

  - ibmvnic: Send gratuitous arp on reset (fate#322021,     bsc#1040855).

  - ibmvnic: Track state of adapter napis (fate#322021,     bsc#1040855).

  - ipv6: Do not use ufo handling on later transformed     packets (bsc#1042286).

  - ipv6: fix endianness error in icmpv6_err (bsc#1042286).

  - kABI: protect struct fib_info (kabi).

  - kABI: protect struct pglist_data (kabi).

  - kABI: protect struct xlog (bsc#1043598).

  - kernel-binary.spec: Propagate MAKE_ARGS to %build     (bsc#1012422)

  - l2tp: fix race in l2tp_recv_common() (bsc#1042286).

  - libceph: NULL deref on crush_decode() error path     (bsc#1044015).

  - md: allow creation of mdNNN arrays via     md_mod/parameters/new_array (bsc#1032339).

  - md: support disabling of create-on-open semantics     (bsc#1032339).

  - mm/hugetlb: check for reserved hugepages during memory     offline (bnc#971975 VM -- git fixes).

  - mm/hugetlb: fix incorrect hugepages count during mem     hotplug (bnc#971975 VM -- git fixes).

  - mmc: Downgrade error level (bsc#1042536).

  - module: fix memory leak on early load_module() failures     (bsc#1043014).

  - net: bridge: start hello timer only if device is up     (bnc#1012382).

  - net: fix compile error in skb_orphan_partial()     (bnc#1012382).

  - net: ipv6: set route type for anycast routes     (bsc#1042286).

  - netfilter: nf_conntrack_sip: extend request line     validation (bsc#1042286).

  - netfilter: nf_ct_expect: remove the redundant slash when     policy name is empty (bsc#1042286).

  - netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at     flowi6_flags (bsc#1042286).

  - netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper     fails to register (bsc#1042286).

  - netfilter: nfnetlink_queue: reject verdict request from     different portid (bsc#1042286).

  - netfilter: restart search if moved to other chain     (bsc#1042286).

  - netfilter: use fwmark_reflect in nf_send_reset     (bsc#1042286).

  - netxen_nic: set rcode to the return status from the call     to netxen_issue_cmd (bsc#966339 FATE#320150).

  - nfs: Fix 'Do not increment lock sequence ID after     NFS4ERR_MOVED' (git-fixes).

  - nsfs: mark dentry with DCACHE_RCUACCESS (bsc#1012829).

  - nvme: submit nvme_admin_activate_fw to admin queue     (bsc#1044532).

  - percpu: remove unused chunk_alloc parameter from     pcpu_get_pages() (bnc#971975 VM -- git fixes).

  - perf/x86/intel/rapl: Make Knights Landings support     functional (bsc#1042517).

  - powerpc/64: Fix flush_(d|i)cache_range() called from     modules (bnc#863764 fate#315275, LTC#103998).

  - quota: fill in Q_XGETQSTAT inode information for     inactive quotas (bsc#1042356).

  - radix-tree: fix radix_tree_iter_retry() for tagged     iterators (bsc#1012829).

  - rpm/kernel-binary.spec: remove superfluous flags This     should make build logs more readable and people adding     more flags should have easier time finding a place to     add them in the spec file.

  - rpm/kernel-spec-macros: Fix the check if there is no     rebuild counter (bsc#1012060)

  - rtnl: reset calcit fptr in rtnl_unregister()     (bsc#1042286).

  - series.conf: remove silly comment

  - tcp: account for ts offset only if tsecr not zero     (bsc#1042286).

  - tcp: fastopen: accept data/FIN present in SYNACK message     (bsc#1042286).

  - tcp: fastopen: avoid negative sk_forward_alloc     (bsc#1042286).

  - tcp: fastopen: call tcp_fin() if FIN present in SYNACK     (bsc#1042286).

  - tcp: fastopen: fix rcv_wup initialization for TFO server     on SYN/data (bsc#1042286).

  - tpm: Downgrade error level (bsc#1042535).

  - udp: avoid ufo handling on IP payload compression     packets (bsc#1042286).

  - udplite: call proper backlog handlers (bsc#1042286).

  - x86/PCI: Mark Broadwell-EP Home Agent 1 as having     non-compliant BARs (bsc#9048891).

  - xen/mce: do not issue error message for failed     /dev/mcelog registration (bnc#1036638).

  - xen: add sysfs node for guest type (bnc#1037840).

  - xfrm: Fix memory leak of aead algorithm name     (bsc#1042286).

  - xfs: add missing include dependencies to xfs_dir2.h     (bsc#1042421).

  - xfs: do not warn on buffers not being recovered due to     LSN (bsc#1043598).

  - xfs: fix xfs_mode_to_ftype() prototype (bsc#1043598).

  - xfs: log recovery tracepoints to track current lsn and     buffer submission (bsc#1043598).

  - xfs: pass current lsn to log recovery buffer validation     (bsc#1043598).

  - xfs: refactor log record unpack and data processing     (bsc#1043598).

  - xfs: replace xfs_mode_to_ftype table with switch     statement (bsc#1042421).

  - xfs: rework log recovery to submit buffers on LSN     boundaries (bsc#1043598).

  - xfs: rework the inline directory verifiers     (bsc#1042421).

  - xfs: sanity check directory inode di_size (bsc#1042421).

  - xfs: sanity check inode di_mode (bsc#1042421).

  - xfs: update metadata LSN in buffers during log recovery     (bsc#1043598).

  - xfs: verify inline directory data forks (bsc#1042421).

  - zswap: do not param_set_charp while holding spinlock (VM     Functionality, bsc#1042886).

ID	Name	Product	Family	Severity
124806	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1482)	Nessus	Huawei Local Security Checks	high
121680	Photon OS 1.0: Linux PHSA-2017-0011	Nessus	PhotonOS Local Security Checks	high
111860	Photon OS 1.0: Krb5 / Linux PHSA-2017-0011 (deprecated)	Nessus	PhotonOS Local Security Checks	high
102550	Debian DSA-3945-1 : linux - security update (Stack Clash)	Nessus	Debian Local Security Checks	high
102211	Debian DSA-3927-1 : linux - security update (Stack Clash)	Nessus	Debian Local Security Checks	high
102071	Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3371-1)	Nessus	Ubuntu Local Security Checks	medium
101973	Ubuntu 16.04 LTS : linux-aws, linux-gke vulnerabilities (USN-3364-3)	Nessus	Ubuntu Local Security Checks	medium
101952	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3364-2)	Nessus	Ubuntu Local Security Checks	medium
101951	Ubuntu 16.04 LTS : linux, linux-raspi2, linux-snapdragon vulnerabilities (USN-3364-1)	Nessus	Ubuntu Local Security Checks	medium
101928	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3360-1)	Nessus	Ubuntu Local Security Checks	critical
101894	Ubuntu 16.10 : linux, linux-raspi2 vulnerabilities (USN-3359-1)	Nessus	Ubuntu Local Security Checks	critical
101893	Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3358-1)	Nessus	Ubuntu Local Security Checks	medium
101762	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:1853-1) (Stack Clash)	Nessus	SuSE Local Security Checks	high
101127	openSUSE Security Update : the Linux Kernel (openSUSE-2017-716) (Stack Clash)	Nessus	SuSE Local Security Checks	medium

CVE-2017-7346

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins