SUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive
various security and bug fixes. The following security bugs were
fixed :

- CVE-2016-5243: The tipc_nl_compat_link_dump function in
net/tipc/netlink_compat.c in the Linux kernel did not
properly copy a certain string, which allowed local
users to obtain sensitive information from kernel stack
memory by reading a Netlink message (bnc#983212)

- CVE-2016-10200: Race condition in the L2TPv3 IP
Encapsulation feature in the Linux kernel allowed local
users to gain privileges or cause a denial of service
(use-after-free) by making multiple bind system calls
without properly ascertaining whether a socket has the
SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and
net/l2tp/l2tp_ip6.c (bnc#1028415)

- CVE-2017-2647: The KEYS subsystem in the Linux kernel
allowed local users to gain privileges or cause a denial
of service (NULL pointer dereference and system crash)
via vectors involving a NULL value for a certain match
field, related to the keyring_search_iterator function
in keyring.c (bsc#1030593).

- CVE-2017-2671: The ping_unhash function in
net/ipv4/ping.c in the Linux kernel was too late in
obtaining a certain lock and consequently could not
ensure that disconnect function calls are safe, which
allowed local users to cause a denial of service (panic)
by leveraging access to the protocol value of
IPPROTO_ICMP in a socket system call (bnc#1031003)

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the
Linux kernel did not restrict the address calculated by
a certain rounding operation, which allowed local users
to map page zero, and consequently bypass a protection
mechanism that exists for the mmap system call, by
making crafted shmget and shmat system calls in a
privileged context (bnc#1026914)

- CVE-2017-5970: The ipv4_pktinfo_prepare function in
net/ipv4/ip_sockglue.c in the Linux kernel allowed
attackers to cause a denial of service (system crash)
via (1) an application that made crafted system calls or
possibly (2) IPv4 traffic with invalid IP options
(bsc#1024938)

- CVE-2017-5986: Race condition in the
sctp_wait_for_sndbuf function in net/sctp/socket.c in
the Linux kernel allowed local users to cause a denial
of service (assertion failure and panic) via a
multithreaded application that peels off an association
in a certain buffer-full state (bsc#1025235)

- CVE-2017-6074: The dccp_rcv_state_process function in
net/dccp/input.c in the Linux kernel mishandled
DCCP_PKT_REQUEST packet data structures in the LISTEN
state, which allowed local users to obtain root
privileges or cause a denial of service (double free)
via an application that made an IPV6_RECVPKTINFO
setsockopt system call (bnc#1026024)

- CVE-2017-6214: The tcp_splice_read function in
net/ipv4/tcp.c in the Linux kernel allowed remote
attackers to cause a denial of service (infinite loop
and soft lockup) via vectors involving a TCP packet with
the URG flag (bnc#1026722)

- CVE-2017-6348: The hashbin_delete function in
net/irda/irqueue.c in the Linux kernel improperly
managed lock dropping, which allowed local users to
cause a denial of service (deadlock) via crafted
operations on IrDA devices (bnc#1027178)

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did
not properly restrict association peel-off operations
during certain wait states, which allowed local users to
cause a denial of service (invalid unlock and double
free) via a multithreaded application. NOTE: this
vulnerability exists because of an incorrect fix for
CVE-2017-5986 (bnc#1027066)

- CVE-2017-6951: The keyring_search_aux function in
security/keys/keyring.c in the Linux kernel allowed
local users to cause a denial of service (NULL pointer
dereference and OOPS) via a request_key system call for
the 'dead' type (bsc#1029850).

- CVE-2017-7184: The xfrm_replay_verify_len function in
net/xfrm/xfrm_user.c in the Linux kernel did not
validate certain size data after an XFRM_MSG_NEWAE
update, which allowed local users to obtain root
privileges or cause a denial of service (heap-based
out-of-bounds access) by leveraging the CAP_NET_ADMIN
capability (bsc#1030573)

- CVE-2017-7187: The sg_ioctl function in
drivers/scsi/sg.c in the Linux kernel allowed local
users to cause a denial of service (stack-based buffer
overflow) or possibly have unspecified other impact via
a large command size in an SG_NEXT_CMD_LEN ioctl call,
leading to out-of-bounds write access in the sg_write
function (bnc#1030213)

- CVE-2017-7261: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux
kernel did not check for a zero value of certain levels
data, which allowed local users to cause a denial of
service (ZERO_SIZE_PTR dereference, and GPF and possibly
panic) via a crafted ioctl call for a /dev/dri/renderD*
device (bnc#1031052)

- CVE-2017-7294: The vmw_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux
kernel did not validate addition of certain levels data,
which allowed local users to trigger an integer overflow
and out-of-bounds write, and cause a denial of service
(system hang or crash) or possibly gain privileges, via
a crafted ioctl call for a /dev/dri/renderD* device
(bnc#1031440)

- CVE-2017-7308: The packet_set_ring function in
net/packet/af_packet.c in the Linux kernel did not
properly validate certain block-size data, which allowed
local users to cause a denial of service (overflow) or
possibly have unspecified other impact via crafted
system calls (bnc#1031579)

- CVE-2017-7482: Several missing length checks in ticket
decoding allowed for an information leak or potentially code
execution (bsc#1046107).

- CVE-2017-7487: The ipxitf_ioctl function in
net/ipx/af_ipx.c in the Linux kernel mishandled
reference counts, which allowed local users to cause a
denial of service (use-after-free) or possibly have
unspecified other impact via a failed SIOCGIFADDR ioctl
call for an IPX interface (bsc#1038879).

- CVE-2017-7533: Race condition in the fsnotify
implementation in the Linux kernel allowed local users
to gain privileges or cause a denial of service (memory
corruption) via a crafted application that leverages
simultaneous execution of the inotify_handle_event and
vfs_rename functions (bnc#1049483, bnc#1050677).

- CVE-2017-7542: The ip6_find_1stfragopt function in
net/ipv6/output_core.c in the Linux kernel allowed local
users to cause a denial of service (integer overflow and
infinite loop) by leveraging the ability to open a raw
socket (bnc#1049882).

- CVE-2017-7616: Incorrect error handling in the
set_mempolicy and mbind compat syscalls in
mm/mempolicy.c in the Linux kernel allowed local users
to obtain sensitive information from uninitialized stack
data by triggering failure of a certain bitmap operation
(bsc#1033336)

- CVE-2017-8831: The saa7164_bus_get function in
drivers/media/pci/saa7164/saa7164-bus.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds array access) or possibly have
unspecified other impact by changing a certain
sequence-number value, aka a 'double fetch'
vulnerability. This requires a malicious PCI card
(bnc#1037994).

- CVE-2017-8890: The inet_csk_clone_lock function in
net/ipv4/inet_connection_sock.c in the Linux kernel
allowed attackers to cause a denial of service (double
free) or possibly have unspecified other impact by
leveraging use of the accept system call (bsc#1038544).

- CVE-2017-8924: The edge_bulk_in_callback function in
drivers/usb/serial/io_ti.c in the Linux kernel allowed
local users to obtain sensitive information (in the
dmesg ringbuffer and syslog) from uninitialized kernel
memory by using a crafted USB device (posing as an io_ti
USB serial device) to trigger an integer underflow
(bnc#1037182).

- CVE-2017-8925: The omninet_open function in
drivers/usb/serial/omninet.c in the Linux kernel allowed
local users to cause a denial of service (tty
exhaustion) by leveraging reference count mishandling
(bnc#1038981).

- CVE-2017-9074: The IPv6 fragmentation implementation in
the Linux kernel did not consider that the nexthdr field
may be associated with an invalid option, which allowed
local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact
via crafted socket and send system calls (bnc#1039882).

- CVE-2017-9075: The sctp_v6_create_accept_sk function in
net/sctp/ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bsc#1039883).

- CVE-2017-9076: The dccp_v6_request_recv_sock function in
net/dccp/ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bnc#1039885).

- CVE-2017-9077: The tcp_v6_syn_recv_sock function in
net/ipv6/tcp_ipv6.c in the Linux kernel mishandled
inheritance, which allowed local users to cause a denial
of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890
(bsc#1040069).

- CVE-2017-9242: The __ip6_append_data function in
net/ipv6/ip6_output.c in the Linux kernel was too late
in checking whether an overwrite of an skb data
structure may occur, which allowed local users to cause
a denial of service (system crash) via crafted system
calls (bnc#1041431).

- CVE-2017-10661: Race condition in fs/timerfd.c in the
Linux kernel allowed local users to gain privileges or
cause a denial of service (list corruption or
use-after-free) via simultaneous file-descriptor
operations that leverage improper might_cancel queueing
(bnc#1053152).

- CVE-2017-11176: The mq_notify function in the Linux
kernel did not set the sock pointer to NULL upon entry
into the retry logic. During a user-space close of a
Netlink socket, it allowed attackers to cause a denial
of service (use-after-free) or possibly have unspecified
other impact (bnc#1048275).

- CVE-2017-11473: Buffer overflow in the
mp_override_legacy_irq() function in
arch/x86/kernel/acpi/boot.c in the Linux kernel allowed
local users to gain privileges via a crafted ACPI table
(bnc#1049603).

- CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c, a
user-controlled buffer was copied into a local buffer of
constant size using strcpy without a length check, which
could cause a buffer overflow (bnc#1053148).

- CVE-2017-14051: An integer overflow in the
qla2x00_sysfs_write_optrom_ctl function in
drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel
allowed local users to cause a denial of service (memory
corruption and system crash) by leveraging root access
(bnc#1056588).

- CVE-2017-1000112: Fixed a race condition in net-packet
code that could have been exploited by unprivileged
users to gain root access (bsc#1052311).

- CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds
Write. Due to a missing bounds check, and the fact that
parport_ptr integer is static, a 'secure boot' kernel
command line adversary could have overflowed the
parport_nr array in the following code (bnc#1039456).

- CVE-2017-1000365: The Linux Kernel imposes a size
restriction on the arguments and environmental strings
passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the
size), but did not take the argument and environment
pointers into account, which allowed attackers to bypass
this limitation (bnc#1039354).

- CVE-2017-1000380: sound/core/timer.c in the Linux kernel
was vulnerable to a data race in the ALSA /dev/snd/timer
driver resulting in local users being able to read
information belonging to other users, i.e.,
uninitialized memory contents may be disclosed when a
read and an ioctl happen at the same time (bnc#1044125).

The following non-security bugs were fixed :

- acpi: Disable APEI error injection if securelevel is set
(bsc#972891, bsc#1023051).

- blkback/blktap: do not leak stack data via response ring
(bsc#1042863 XSA-216).

- btrfs: cleanup code of btrfs_balance_delayed_items()
(bsc#1034838).

- btrfs: do not run delayed nodes again after all nodes
flush (bsc#1034838).

- btrfs: remove btrfs_end_transaction_dmeta()
(bsc#1034838).

- btrfs: remove residual code in delayed inode async
helper (bsc#1034838).

- btrfs: use flags instead of the bool variants in delayed
node (bsc#1034838).

- cifs: cifs_get_root shouldn't use path with tree name,
alternate fix (bsc#963655, bsc#979681, bsc#1027406).

- dentry name snapshots (bsc#1049483).

- firmware: fix directory creation rule matching with make
3.80 (bsc#1012422).

- firmware: fix directory creation rule matching with make
3.82 (bsc#1012422).

- Fix vmalloc_fault oops during lazy MMU updates
(bsc#948562).

- hv: do not lose pending heartbeat vmbus packets
(bnc#1006919, bnc#1053760).

- jbd: do not wait (forever) for stale tid caused by
wraparound (bsc#1020229).

- jbd: Fix oops in journal_remove_journal_head()
(bsc#1017143).

- kernel-binary.spec: Propagate MAKE_ARGS to %build
(bsc#1012422)

- keys: Disallow keyrings beginning with '.' to be joined
as session keyrings (bnc#1035576).

- nfs: Avoid getting confused by confused server
(bsc#1045416).

- nfsd4: minor NFSv2/v3 write decoding cleanup
(bsc#1034670).

- nfsd: check for oversized NFSv2/v3 arguments
(bsc#1034670).

- nfsd: do not risk using duplicate owner/file/delegation
ids (bsc#1029212).

- nfsd: stricter decoding of write-like NFSv2/v3 ops
(bsc#1034670).

- nfs: Make nfs_readdir revalidate less often
(bsc#1048232).

- pciback: check PF instead of VF for PCI_COMMAND_MEMORY
(bsc#957990).

- pciback: only check PF if actually dealing with a VF
(bsc#999245).

- pciback: Save the number of MSI-X entries to be copied
later (bsc#957988).

- Remove superfluous make flags (bsc#1012422)

- Return short read or 0 at end of a raw device, not EIO
(bsc#1039594).

- Revert 'fs/cifs: fix wrongly prefixed path to root'
(bsc#963655, bsc#979681).

- scsi: lpfc: avoid double free of resource identifiers
(bsc#989896).

- scsi: virtio_scsi: fix memory leak on full queue
condition (bsc#1028880).

- sunrpc: Clean up the slot table allocation
(bsc#1013862).

- sunrpc: Initialise the struct xprt upon allocation
(bsc#1013862).

- usb: serial: kl5kusb105: fix line-state error handling
(bsc#1021256).

- usb: wusbcore: fix NULL-deref at probe (bsc#1045487).

- Use make --output-sync feature when available
(bsc#1012422).

- Use PF_LESS_THROTTLE in loop device thread
(bsc#1027101).

- xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1006919
https://bugzilla.suse.com/1012422
https://bugzilla.suse.com/1013862
https://bugzilla.suse.com/1017143
https://bugzilla.suse.com/1020229
https://bugzilla.suse.com/1021256
https://bugzilla.suse.com/1023051
https://bugzilla.suse.com/1024938
https://bugzilla.suse.com/1025013
https://bugzilla.suse.com/1025235
https://bugzilla.suse.com/1026024
https://bugzilla.suse.com/1026722
https://bugzilla.suse.com/1026914
https://bugzilla.suse.com/1027066
https://bugzilla.suse.com/1027101
https://bugzilla.suse.com/1027178
https://bugzilla.suse.com/1027179
https://bugzilla.suse.com/1027406
https://bugzilla.suse.com/1028415
https://bugzilla.suse.com/1028880
https://bugzilla.suse.com/1029212
https://bugzilla.suse.com/1029850
https://bugzilla.suse.com/1030213
https://bugzilla.suse.com/1030573
https://bugzilla.suse.com/1030575
https://bugzilla.suse.com/1030593
https://bugzilla.suse.com/1031003
https://bugzilla.suse.com/1031052
https://bugzilla.suse.com/1031440
https://bugzilla.suse.com/1031481
https://bugzilla.suse.com/1031579
https://bugzilla.suse.com/1031660
https://bugzilla.suse.com/1033287
https://bugzilla.suse.com/1033336
https://bugzilla.suse.com/1034670
https://bugzilla.suse.com/1034838
https://bugzilla.suse.com/1035576
https://bugzilla.suse.com/1037182
https://bugzilla.suse.com/1037183
https://bugzilla.suse.com/1037994
https://bugzilla.suse.com/1038544
https://bugzilla.suse.com/1038564
https://bugzilla.suse.com/1038879
https://bugzilla.suse.com/1038883
https://bugzilla.suse.com/1038981
https://bugzilla.suse.com/1038982
https://bugzilla.suse.com/1039349
https://bugzilla.suse.com/1039354
https://bugzilla.suse.com/1039456
https://bugzilla.suse.com/1039594
https://bugzilla.suse.com/1039882
https://bugzilla.suse.com/1039883
https://bugzilla.suse.com/1039885
https://bugzilla.suse.com/1040069
https://bugzilla.suse.com/1041431
https://bugzilla.suse.com/1042364
https://bugzilla.suse.com/1042863
https://bugzilla.suse.com/1042892
https://bugzilla.suse.com/1044125
https://bugzilla.suse.com/1045416
https://bugzilla.suse.com/1045487
https://bugzilla.suse.com/1046107
https://bugzilla.suse.com/1048232
https://bugzilla.suse.com/1048275
https://bugzilla.suse.com/1049483
https://bugzilla.suse.com/1049603
https://bugzilla.suse.com/1049882
https://bugzilla.suse.com/1050677
https://bugzilla.suse.com/1052311
https://bugzilla.suse.com/1053148
https://bugzilla.suse.com/1053152
https://bugzilla.suse.com/1053760
https://bugzilla.suse.com/1056588
https://bugzilla.suse.com/870618
https://bugzilla.suse.com/948562
https://bugzilla.suse.com/957988
https://bugzilla.suse.com/957990
https://bugzilla.suse.com/963655
https://bugzilla.suse.com/972891
https://bugzilla.suse.com/979681
https://bugzilla.suse.com/983212
https://bugzilla.suse.com/986924
https://bugzilla.suse.com/989896
https://bugzilla.suse.com/999245
https://www.suse.com/security/cve/CVE-2016-10200.html
https://www.suse.com/security/cve/CVE-2016-5243.html
https://www.suse.com/security/cve/CVE-2017-1000112.html
https://www.suse.com/security/cve/CVE-2017-1000363.html
https://www.suse.com/security/cve/CVE-2017-1000365.html
https://www.suse.com/security/cve/CVE-2017-1000380.html
https://www.suse.com/security/cve/CVE-2017-10661.html
https://www.suse.com/security/cve/CVE-2017-11176.html
https://www.suse.com/security/cve/CVE-2017-11473.html
https://www.suse.com/security/cve/CVE-2017-12762.html
https://www.suse.com/security/cve/CVE-2017-14051.html
https://www.suse.com/security/cve/CVE-2017-2647.html
https://www.suse.com/security/cve/CVE-2017-2671.html
https://www.suse.com/security/cve/CVE-2017-5669.html
https://www.suse.com/security/cve/CVE-2017-5970.html
https://www.suse.com/security/cve/CVE-2017-5986.html
https://www.suse.com/security/cve/CVE-2017-6074.html
https://www.suse.com/security/cve/CVE-2017-6214.html
https://www.suse.com/security/cve/CVE-2017-6348.html
https://www.suse.com/security/cve/CVE-2017-6353.html
https://www.suse.com/security/cve/CVE-2017-6951.html
https://www.suse.com/security/cve/CVE-2017-7184.html
https://www.suse.com/security/cve/CVE-2017-7187.html
https://www.suse.com/security/cve/CVE-2017-7261.html
https://www.suse.com/security/cve/CVE-2017-7294.html
https://www.suse.com/security/cve/CVE-2017-7308.html
https://www.suse.com/security/cve/CVE-2017-7482.html
https://www.suse.com/security/cve/CVE-2017-7487.html
https://www.suse.com/security/cve/CVE-2017-7533.html
https://www.suse.com/security/cve/CVE-2017-7542.html
https://www.suse.com/security/cve/CVE-2017-7616.html
https://www.suse.com/security/cve/CVE-2017-8831.html
https://www.suse.com/security/cve/CVE-2017-8890.html
https://www.suse.com/security/cve/CVE-2017-8924.html
https://www.suse.com/security/cve/CVE-2017-8925.html
https://www.suse.com/security/cve/CVE-2017-9074.html
https://www.suse.com/security/cve/CVE-2017-9075.html
https://www.suse.com/security/cve/CVE-2017-9076.html
https://www.suse.com/security/cve/CVE-2017-9077.html
https://www.suse.com/security/cve/CVE-2017-9242.html
http://www.nessus.org/u?2ad28a4c

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP3-LTSS:
zypper in -t patch slessp3-kernel-source-13284=1

SUSE Linux Enterprise Server 11-EXTRA:
zypper in -t patch slexsp3-kernel-source-13284=1

SUSE Linux Enterprise Point of Sale 11-SP3:
zypper in -t patch sleposp3-kernel-source-13284=1

SUSE Linux Enterprise Debuginfo 11-SP3:
zypper in -t patch dbgsp3-kernel-source-13284=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true