SUSE SLES12 Security Update : kernel (SUSE-SU-2017:0471-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to 3.12.61 to
receive various security and bugfixes. The following feature was
implemented :

- The ext2 filesystem got reenabled and supported to allow
support for 'XIP' (Execute In Place) (FATE#320805). The
following security bugs were fixed :

- CVE-2017-5551: The tmpfs filesystem implementation in
the Linux kernel preserved the setgid bit during a
setxattr call, which allowed local users to gain group
privileges by leveraging the existence of a setgid
program with restrictions on execute permissions
(bsc#1021258).

- CVE-2016-7097: The filesystem implementation in the
Linux kernel preserved the setgid bit during a setxattr
call, which allowed local users to gain group privileges
by leveraging the existence of a setgid program with
restrictions on execute permissions (bnc#995968).

- CVE-2017-2583: A Linux kernel built with the
Kernel-based Virtual Machine (CONFIG_KVM) support was
vulnerable to an incorrect segment selector(SS) value
error. A user/process inside guest could have used this
flaw to crash the guest resulting in DoS or potentially
escalate their privileges inside guest. (bsc#1020602).

- CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux
kernel allowed local users to obtain sensitive
information from kernel memory or cause a denial of
service (use-after-free) via a crafted application that
leverages instruction emulation for fxrstor, fxsave,
sgdt, and sidt (bnc#1019851).

- CVE-2016-10088: The sg implementation in the Linux
kernel did not properly restrict write operations in
situations where the KERNEL_DS option is set, which
allowed local users to read or write to arbitrary kernel
memory locations or cause a denial of service
(use-after-free) by leveraging access to a /dev/sg
device, related to block/bsg.c and drivers/scsi/sg.c.
NOTE: this vulnerability exists because of an incomplete
fix for CVE-2016-9576 (bnc#1017710).

- CVE-2016-8645: The TCP stack in the Linux kernel
mishandled skb truncation, which allowed local users to
cause a denial of service (system crash) via a crafted
application that made sendto system calls, related to
net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c
(bnc#1009969).

- CVE-2016-8399: An elevation of privilege vulnerability
in the kernel networking subsystem could enable a local
malicious application to execute arbitrary code within
the context of the kernel. This issue is rated as
Moderate because it first requires compromising a
privileged process and current compiler optimizations
restrict access to the vulnerable code. Product:
Android. Versions: Kernel-3.10, Kernel-3.18. Android ID:
A-31349935 (bnc#1014746).

- CVE-2016-9806: Race condition in the netlink_dump
function in net/netlink/af_netlink.c in the Linux kernel
allowed local users to cause a denial of service (double
free) or possibly have unspecified other impact via a
crafted application that made sendmsg system calls,
leading to a free operation associated with a new dump
that started earlier than anticipated (bnc#1013540).

- CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux
kernel did not properly initialize Code Segment (CS) in
certain error cases, which allowed local users to obtain
sensitive information from kernel stack memory via a
crafted application (bnc#1013038).

- CVE-2016-9793: The sock_setsockopt function in
net/core/sock.c in the Linux kernel mishandled negative
values of sk_sndbuf and sk_rcvbuf, which allowed local
users to cause a denial of service (memory corruption
and system crash) or possibly have unspecified other
impact by leveraging the CAP_NET_ADMIN capability for a
crafted setsockopt system call with the (1)
SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option
(bnc#1013531).

- CVE-2016-7910: Use-after-free vulnerability in the
disk_seqf_stop function in block/genhd.c in the Linux
kernel allowed local users to gain privileges by
leveraging the execution of a certain stop operation
even if the corresponding start operation had failed
(bnc#1010716).

- CVE-2015-8962: Double free vulnerability in the
sg_common_write function in drivers/scsi/sg.c in the
Linux kernel allowed local users to gain privileges or
cause a denial of service (memory corruption and system
crash) by detaching a device during an SG_IO ioctl call
(bnc#1010501).

- CVE-2016-7913: The xc2028_set_config function in
drivers/media/tuners/tuner-xc2028.c in the Linux kernel
allowed local users to gain privileges or cause a denial
of service (use-after-free) via vectors involving
omission of the firmware name from a certain data
structure (bnc#1010478).

- CVE-2016-7911: Race condition in the get_task_ioprio
function in block/ioprio.c in the Linux kernel allowed
local users to gain privileges or cause a denial of
service (use-after-free) via a crafted ioprio_get system
call (bnc#1010711).

- CVE-2015-8964: The tty_set_termios_ldisc function in
drivers/tty/tty_ldisc.c in the Linux kernel allowed
local users to obtain sensitive information from kernel
memory by reading a tty data structure (bnc#1010507).

- CVE-2015-8963: Race condition in kernel/events/core.c in
the Linux kernel allowed local users to gain privileges
or cause a denial of service (use-after-free) by
leveraging incorrect handling of an swevent data
structure during a CPU unplug operation (bnc#1010502).

- CVE-2016-7914: The assoc_array_insert_into_terminal_node
function in lib/assoc_array.c in the Linux kernel did
not check whether a slot is a leaf, which allowed local
users to obtain sensitive information from kernel memory
or cause a denial of service (invalid pointer
dereference and out-of-bounds read) via an application
that uses associative-array data structures, as
demonstrated by the keyutils test suite (bnc#1010475).

- CVE-2016-8633: drivers/firewire/net.c in the Linux
kernel allowed remote attackers to execute arbitrary
code via crafted fragmented packets (bnc#1008833).

- CVE-2016-9083: drivers/vfio/pci/vfio_pci.c in the Linux
kernel allowed local users to bypass integer overflow
checks, and cause a denial of service (memory
corruption) or have unspecified other impact, by
leveraging access to a vfio PCI device file for a
VFIO_DEVICE_SET_IRQS ioctl call, aka a 'state machine
confusion bug (bnc#1007197).

- CVE-2016-9084: drivers/vfio/pci/vfio_pci_intrs.c in the
Linux kernel misused the kzalloc function, which allowed
local users to cause a denial of service (integer
overflow) or have unspecified other impact by leveraging
access to a vfio PCI device file (bnc#1007197).

- CVE-2016-7042: The proc_keys_show function in
security/keys/proc.c in the Linux kernel uses an
incorrect buffer size for certain timeout data, which
allowed local users to cause a denial of service (stack
memory corruption and panic) by reading the /proc/keys
file (bnc#1004517).

- CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed
local users to obtain sensitive information or cause a
denial of service (NULL pointer dereference) via vectors
involving a bind system call on a Bluetooth RFCOMM
socket (bnc#1003925).

- CVE-2016-8658: Stack-based buffer overflow in the
brcmf_cfg80211_start_ap function in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021
1.c in the Linux kernel allowed local users to cause a
denial of service (system crash) or possibly have
unspecified other impact via a long SSID Information
Element in a command to a Netlink socket (bnc#1004462).

- CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did
not restrict a certain length field, which allowed local
users to gain privileges or cause a denial of service
(heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).

- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in
the Linux kernel allowed local users to cause a denial
of service (NULL pointer dereference and system crash)
by using an ABORT_TASK command to abort a device write
operation (bnc#994748).

- CVE-2016-6828: The tcp_check_send_head function in
include/net/tcp.h in the Linux kernel did not properly
maintain certain SACK state after a failed data copy,
which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system
crash) via a crafted SACK option (bnc#994296).

- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel
did not properly determine the rate of challenge ACK
segments, which made it easier for remote attackers to
hijack TCP sessions via a blind in-window attack
(bnc#989152).

- CVE-2016-6130: Race condition in the sclp_ctl_ioctl_sccb
function in drivers/s390/char/sclp_ctl.c in the Linux
kernel allowed local users to obtain sensitive
information from kernel memory by changing a certain
length value, aka a 'double fetch' vulnerability
(bnc#987542).

- CVE-2016-6480: Race condition in the ioctl_send_fib
function in drivers/scsi/aacraid/commctrl.c in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds access or system crash) by changing a
certain size value, aka a 'double fetch' vulnerability
(bnc#991608).

- CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt
implementation in the netfilter subsystem in the Linux
kernel allowed local users to cause a denial of service
(out-of-bounds read) or possibly obtain sensitive
information from kernel heap memory by leveraging
in-container root access to provide a crafted offset
value that leads to crossing a ruleset blob boundary
(bnc#986362 bnc#986365).

- CVE-2016-5828: The start_thread function in
arch/powerpc/kernel/process.c in the Linux kernel on
powerpc platforms mishandled transactional state, which
allowed local users to cause a denial of service
(invalid process state or TM Bad Thing exception, and
system crash) or possibly have unspecified other impact
by starting and suspending a transaction before an exec
system call (bnc#986569).

- CVE-2014-9904: The snd_compress_check_input function in
sound/core/compress_offload.c in the ALSA subsystem in
the Linux kernel did not properly check for an integer
overflow, which allowed local users to cause a denial of
service (insufficient memory allocation) or possibly
have unspecified other impact via a crafted
SNDRV_COMPRESS_SET_PARAMS ioctl call (bnc#986811).

- CVE-2016-5829: Multiple heap-based buffer overflows in
the hiddev_ioctl_usage function in
drivers/hid/usbhid/hiddev.c in the Linux kernel allow
local users to cause a denial of service or possibly
have unspecified other impact via a crafted (1)
HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call
(bnc#986572).

- CVE-2016-4470: The key_reject_and_link function in
security/keys/key.c in the Linux kernel did not ensure
that a certain data structure is initialized, which
allowed local users to cause a denial of service (system
crash) via vectors involving a crafted keyctl request2
command (bnc#984755). The following non-security bugs
were fixed :

- base: make module_create_drivers_dir race-free
(bnc#983977).

-
btrfs-8448-improve-performance-on-fsync-against-new-inod
e.patch: Disable (bsc#981597).

- btrfs: account for non-CoW'd blocks in
btrfs_abort_transaction (bsc#983619).

- btrfs: be more precise on errors when getting an inode
from disk (bsc#981038).

- btrfs: do not create or leak aliased root while cleaning
up orphans (bsc#994881).

- btrfs: ensure that file descriptor used with subvol
ioctls is a dir (bsc#999600).

- btrfs: fix relocation incorrectly dropping data
references (bsc#990384).

- btrfs: handle quota reserve failure properly
(bsc#1005666).

- btrfs: improve performance on fsync against new inode
after rename/unlink (bsc#981038).

- btrfs: increment ctx->pos for every emitted or skipped
dirent in readdir (bsc#981709).

- btrfs: remove old tree_root dirent processing in
btrfs_real_readdir() (bsc#981709).

- cdc-acm: added sanity checking for probe() (bsc#993891).

- ext2: Enable ext2 driver in config files (bsc#976195,
fate#320805)

- ext4: Add parameter for tuning handling of ext2
(bsc#976195).

- ext4: Fixup handling for custom configs in tuning.

- ftrace/x86: Set ftrace_stub to weak to prevent gcc from
using short jumps to it (bsc#984419).

- ipv6: Fix improper use or RCU in
patches.kabi/ipv6-add-complete-rcu-protection-around-np-
opt.kabi.patch. (bsc#961257)

- ipv6: KABI workaround for ipv6: add complete rcu
protection around np->opt.

- kabi: prevent spurious modversion changes after
bsc#982544 fix (bsc#982544).

- kabi: reintroduce sk_filter (kabi).

- kaweth: fix firmware download (bsc#993890).

- kaweth: fix oops upon failed memory allocation
(bsc#993890).

- kgraft/iscsi-target: Do not block kGraft in iscsi_np
kthread (bsc#1010612, fate#313296).

- kgraft/xen: Do not block kGraft in xenbus kthread
(bsc#1017410, fate#313296).

- kgr: ignore zombie tasks during the patching
(bnc#1008979).

- mm/swap.c: flush lru pvecs on compound page arrival
(bnc#983721).

- mm: thp: fix SMP race condition between THP page fault
and MADV_DONTNEED (VM Functionality, bnc#986445).

- modsign: Print appropriate status message when accessing
UEFI variable (bsc#958606).

- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
(bsc#1011820).

- mpt3sas: Fix panic when aer correct error occurred
(bsc#997708, bsc#999943).

- netfilter: allow logging fron non-init netns
(bsc#970083).

- netfilter: bridge: do not leak skb in error paths
(bsc#982544).

- netfilter: bridge: forward IPv6 fragmented packets
(bsc#982544).

- netfilter: bridge: Use __in6_dev_get rather than
in6_dev_get in br_validate_ipv6 (bsc#982544).

- nfs: Do not write enable new pages while an invalidation
is proceeding (bsc#999584).

- nfs: Fix a regression in the read() syscall
(bsc#999584).

- pci/aer: Clear error status registers during enumeration
and restore (bsc#985978).

- ppp: defer netns reference release for ppp channel
(bsc#980371).

- reiserfs: fix race in prealloc discard (bsc#987576).

- scsi: ibmvfc: Fix I/O hang when port is not mapped
(bsc#971989)

- scsi: Increase REPORT_LUNS timeout (bsc#982282).

- series.conf: move stray netfilter patches to the right
section

- squashfs3: properly handle dir_emit() failures
(bsc#998795).

- supported.conf: Add ext2

- timers: Use proper base migration in add_timer_on()
(bnc#993392).

- tty: audit: Fix audit source (bsc#1016482).

- tty: Prevent ldisc drivers from re-using stale tty
fields (bnc#1010507).

- usb: fix typo in wMaxPacketSize validation (bsc#991665).

- usb: validate wMaxPacketValue entries in endpoint
descriptors (bnc#991665).

- xen: Fix refcnt regression in xen netback introduced by
changes made for bug#881008 (bnc#978094)

- xfs: allow lazy sb counter sync during filesystem freeze
sequence (bsc#980560).

- xfs: fixed signedness of error code in
xfs_inode_buf_verify (bsc#1003153).

- xfs: fix premature enospc on inode allocation
(bsc#984148).

- xfs: get rid of XFS_IALLOC_BLOCKS macros (bsc#984148).

- xfs: get rid of XFS_INODE_CLUSTER_SIZE macros
(bsc#984148).

- xfs: refactor xlog_recover_process_data() (bsc#1019300).

- xfs: Silence warnings in xfs_vm_releasepage()
(bnc#915183 bsc#987565).

- xhci: silence warnings in switch (bnc#991665).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1003153
https://bugzilla.suse.com/1003925
https://bugzilla.suse.com/1004462
https://bugzilla.suse.com/1004517
https://bugzilla.suse.com/1005666
https://bugzilla.suse.com/1007197
https://bugzilla.suse.com/1008833
https://bugzilla.suse.com/1008979
https://bugzilla.suse.com/1009969
https://bugzilla.suse.com/1010040
https://bugzilla.suse.com/1010475
https://bugzilla.suse.com/1010478
https://bugzilla.suse.com/1010501
https://bugzilla.suse.com/1010502
https://bugzilla.suse.com/1010507
https://bugzilla.suse.com/1010612
https://bugzilla.suse.com/1010711
https://bugzilla.suse.com/1010716
https://bugzilla.suse.com/1011820
https://bugzilla.suse.com/1012422
https://bugzilla.suse.com/1013038
https://bugzilla.suse.com/1013531
https://bugzilla.suse.com/1013540
https://bugzilla.suse.com/1013542
https://bugzilla.suse.com/1014746
https://bugzilla.suse.com/1016482
https://bugzilla.suse.com/1017410
https://bugzilla.suse.com/1017589
https://bugzilla.suse.com/1017710
https://bugzilla.suse.com/1019300
https://bugzilla.suse.com/1019851
https://bugzilla.suse.com/1020602
https://bugzilla.suse.com/1021258
https://bugzilla.suse.com/881008
https://bugzilla.suse.com/915183
https://bugzilla.suse.com/958606
https://bugzilla.suse.com/961257
https://bugzilla.suse.com/970083
https://bugzilla.suse.com/971989
https://bugzilla.suse.com/976195
https://bugzilla.suse.com/978094
https://bugzilla.suse.com/980371
https://bugzilla.suse.com/980560
https://bugzilla.suse.com/981038
https://bugzilla.suse.com/981597
https://bugzilla.suse.com/981709
https://bugzilla.suse.com/982282
https://bugzilla.suse.com/982544
https://bugzilla.suse.com/983619
https://bugzilla.suse.com/983721
https://bugzilla.suse.com/983977
https://bugzilla.suse.com/984148
https://bugzilla.suse.com/984419
https://bugzilla.suse.com/984755
https://bugzilla.suse.com/985978
https://bugzilla.suse.com/986362
https://bugzilla.suse.com/986365
https://bugzilla.suse.com/986445
https://bugzilla.suse.com/986569
https://bugzilla.suse.com/986572
https://bugzilla.suse.com/986811
https://bugzilla.suse.com/986941
https://bugzilla.suse.com/987542
https://bugzilla.suse.com/987565
https://bugzilla.suse.com/987576
https://bugzilla.suse.com/989152
https://bugzilla.suse.com/990384
https://bugzilla.suse.com/991608
https://bugzilla.suse.com/991665
https://bugzilla.suse.com/993392
https://bugzilla.suse.com/993890
https://bugzilla.suse.com/993891
https://bugzilla.suse.com/994296
https://bugzilla.suse.com/994748
https://bugzilla.suse.com/994881
https://bugzilla.suse.com/995968
https://bugzilla.suse.com/997708
https://bugzilla.suse.com/998795
https://bugzilla.suse.com/999584
https://bugzilla.suse.com/999600
https://bugzilla.suse.com/999932
https://bugzilla.suse.com/999943
https://www.suse.com/security/cve/CVE-2014-9904.html
https://www.suse.com/security/cve/CVE-2015-8956.html
https://www.suse.com/security/cve/CVE-2015-8962.html
https://www.suse.com/security/cve/CVE-2015-8963.html
https://www.suse.com/security/cve/CVE-2015-8964.html
https://www.suse.com/security/cve/CVE-2016-10088.html
https://www.suse.com/security/cve/CVE-2016-4470.html
https://www.suse.com/security/cve/CVE-2016-4998.html
https://www.suse.com/security/cve/CVE-2016-5696.html
https://www.suse.com/security/cve/CVE-2016-5828.html
https://www.suse.com/security/cve/CVE-2016-5829.html
https://www.suse.com/security/cve/CVE-2016-6130.html
https://www.suse.com/security/cve/CVE-2016-6327.html
https://www.suse.com/security/cve/CVE-2016-6480.html
https://www.suse.com/security/cve/CVE-2016-6828.html
https://www.suse.com/security/cve/CVE-2016-7042.html
https://www.suse.com/security/cve/CVE-2016-7097.html
https://www.suse.com/security/cve/CVE-2016-7425.html
https://www.suse.com/security/cve/CVE-2016-7910.html
https://www.suse.com/security/cve/CVE-2016-7911.html
https://www.suse.com/security/cve/CVE-2016-7913.html
https://www.suse.com/security/cve/CVE-2016-7914.html
https://www.suse.com/security/cve/CVE-2016-8399.html
https://www.suse.com/security/cve/CVE-2016-8633.html
https://www.suse.com/security/cve/CVE-2016-8645.html
https://www.suse.com/security/cve/CVE-2016-8658.html
https://www.suse.com/security/cve/CVE-2016-9083.html
https://www.suse.com/security/cve/CVE-2016-9084.html
https://www.suse.com/security/cve/CVE-2016-9756.html
https://www.suse.com/security/cve/CVE-2016-9793.html
https://www.suse.com/security/cve/CVE-2016-9806.html
https://www.suse.com/security/cve/CVE-2017-2583.html
https://www.suse.com/security/cve/CVE-2017-2584.html
https://www.suse.com/security/cve/CVE-2017-5551.html
http://www.nessus.org/u?da7d6919

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for SAP 12:zypper in -t patch
SUSE-SLE-SAP-12-2017-247=1

SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
SUSE-SLE-SERVER-12-2017-247=1

SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch
SUSE-SLE-Module-Public-Cloud-12-2017-247=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true