openSUSE Security Update : the Linux Kernel (openSUSE-2017-419)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various
security and bug fixes.

The following security bugs were fixed :

- CVE-2017-5669: The do_shmat function in ipc/shm.c in the
Linux kernel did not restrict the address calculated by
a certain rounding operation, which allowed local users
to map page zero, and consequently bypass a protection
mechanism that exists for the mmap system call, by
making crafted shmget and shmat system calls in a
privileged context (bnc#1026914).

- CVE-2017-6348: The hashbin_delete function in
net/irda/irqueue.c in the Linux kernel improperly
manages lock dropping, which allowed local users to
cause a denial of service (deadlock) via crafted
operations on IrDA devices (bnc#1027178).

- CVE-2017-7184: The xfrm_replay_verify_len function in
net/xfrm/xfrm_user.c in the Linux kernel did not
validate certain size data after an XFRM_MSG_NEWAE
update, which allowed local users to obtain root
privileges or cause a denial of service (heap-based
out-of-bounds access) by leveraging the CAP_NET_ADMIN
capability, as demonstrated during a Pwn2Own competition
at CanSecWest 2017 for the Ubuntu 16.10 linux-image-*
package 4.8.0.41.52 (bnc#1030573).

- CVE-2016-10200: Race condition in the L2TPv3 IP
Encapsulation feature in the Linux kernel allowed local
users to gain privileges or cause a denial of service
(use-after-free) by making multiple bind system calls
without properly ascertaining whether a socket has the
SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and
net/l2tp/l2tp_ip6.c (bnc#1028415).

- CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in
the Linux kernel allowed local users to gain privileges
or cause a denial of service (double free) by setting
the HDLC line discipline (bnc#1027565).

- CVE-2017-6345: The LLC subsystem in the Linux kernel did
not ensure that a certain destructor exists in required
circumstances, which allowed local users to cause a
denial of service (BUG_ON) or possibly have unspecified
other impact via crafted system calls (bnc#1027190).

- CVE-2017-6346: Race condition in net/packet/af_packet.c
in the Linux kernel allowed local users to cause a
denial of service (use-after-free) or possibly have
unspecified other impact via a multithreaded application
that made PACKET_FANOUT setsockopt system calls
(bnc#1027189).

- CVE-2017-6347: The ip_cmsg_recv_checksum function in
net/ipv4/ip_sockglue.c in the Linux kernel has incorrect
expectations about skb data layout, which allowed local
users to cause a denial of service (buffer over-read) or
possibly have unspecified other impact via crafted
system calls, as demonstrated by use of the MSG_MORE
flag in conjunction with loopback UDP transmission
(bnc#1027179).

- CVE-2017-6353: net/sctp/socket.c in the Linux kernel did
not properly restrict association peel-off operations
during certain wait states, which allowed local users to
cause a denial of service (invalid unlock and double
free) via a multithreaded application. NOTE: this
vulnerability exists because of an incorrect fix for
CVE-2017-5986 (bnc#1025235).

- CVE-2017-6214: The tcp_splice_read function in
net/ipv4/tcp.c in the Linux kernel allowed remote
attackers to cause a denial of service (infinite loop
and soft lockup) via vectors involving a TCP packet with
the URG flag (bnc#1026722).

- CVE-2016-2117: The atl2_probe function in
drivers/net/ethernet/atheros/atlx/atl2.c in the Linux
kernel incorrectly enables scatter/gather I/O, which
allowed remote attackers to obtain sensitive information
from kernel memory by reading packet data (bnc#968697).

- CVE-2016-10208: The ext4_fill_super function in
fs/ext4/super.c in the Linux kernel did not properly
validate meta block groups, which allowed physically
proximate attackers to cause a denial of service
(out-of-bounds read and system crash) via a crafted ext4
image (bnc#1023377).

- CVE-2017-2596: The nested_vmx_check_vmptr function in
arch/x86/kvm/vmx.c in the Linux kernel improperly
emulates the VMXON instruction, which allowed KVM L1
guest OS users to cause a denial of service (host OS
memory consumption) by leveraging the mishandling of
page references (bnc#1022785).

- CVE-2017-2583: The load_segment_descriptor
implementation in arch/x86/kvm/emulate.c in the Linux
kernel improperly emulates a 'MOV SS, NULL selector'
instruction, which allowed guest OS users to cause a
denial of service (guest OS crash) or gain guest OS
privileges via a crafted application (bnc#1020602).

- CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux
kernel allowed local users to obtain sensitive
information from kernel memory or cause a denial of
service (use-after-free) via a crafted application that
leverages instruction emulation for fxrstor, fxsave,
sgdt, and sidt (bnc#1019851).

The following non-security bugs were fixed :

- Fix kABI breakage of musb struct in 4.1.39 (stable
4.1.39).

- Revert 'ptrace: Capture the ptracer's creds not
PT_PTRACE_CAP' (stable 4.1.39).

- ext4: fix fencepost in s_first_meta_bg validation
(bsc#1029986).

- ext4: validate s_first_meta_bg at mount time
(bsc#1023377).

- kabi/severities: Ignore x86/kvm kABI changes for 4.1.39

- l2tp: fix address test in __l2tp_ip6_bind_lookup()
(bsc#1028415).

- l2tp: fix lookup for sockets not bound to a device in
l2tp_ip (bsc#1028415).

- l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6
bind() (bsc#1028415).

- l2tp: hold socket before dropping lock in l2tp_ip{,6}_recv()
(bsc#1028415).

- l2tp: lock socket before checking flags in connect()
(bsc#1028415).

- mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
(bsc#1030118).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1019851
https://bugzilla.opensuse.org/show_bug.cgi?id=1020602
https://bugzilla.opensuse.org/show_bug.cgi?id=1022785
https://bugzilla.opensuse.org/show_bug.cgi?id=1023377
https://bugzilla.opensuse.org/show_bug.cgi?id=1025235
https://bugzilla.opensuse.org/show_bug.cgi?id=1026722
https://bugzilla.opensuse.org/show_bug.cgi?id=1026914
https://bugzilla.opensuse.org/show_bug.cgi?id=1027066
https://bugzilla.opensuse.org/show_bug.cgi?id=1027178
https://bugzilla.opensuse.org/show_bug.cgi?id=1027179
https://bugzilla.opensuse.org/show_bug.cgi?id=1027189
https://bugzilla.opensuse.org/show_bug.cgi?id=1027190
https://bugzilla.opensuse.org/show_bug.cgi?id=1027565
https://bugzilla.opensuse.org/show_bug.cgi?id=1028415
https://bugzilla.opensuse.org/show_bug.cgi?id=1029986
https://bugzilla.opensuse.org/show_bug.cgi?id=1030118
https://bugzilla.opensuse.org/show_bug.cgi?id=1030573
https://bugzilla.opensuse.org/show_bug.cgi?id=968697

Solution :

Update the affected Linux Kernel packages.
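A practical follow-up to the solution is confirming that the fixed kernel is actually the one running, not only the one installed: a package update alone leaves the vulnerable 4.1.x kernel in memory until the host reboots. The POSIX sh snippet below is an added example and is not part of the Tenable plugin or the openSUSE advisory. It compares a kernel release string (such as the output of `uname -r`) numerically against the fixed version 4.1.39 stated above; the function names and the handling of the distro suffix (e.g. "-56-default") are assumptions of this example. The check is only meaningful on the Leap 42.1 4.1 branch, since a newer major/minor series carries its own fix status.

```shell
#!/bin/sh
# Added example: check whether a kernel release string is at or above the
# fixed version from the advisory (4.1.39). Not code from the plugin page.

FIXED_KERNEL="4.1.39"   # fixed version stated in the advisory

# numeric_prefix RELEASE: strip the distro suffix so "4.1.38-53-default"
# becomes "4.1.38" (hypothetical helper for this example).
numeric_prefix() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# kernel_is_fixed RELEASE: exit 0 (true) when RELEASE >= FIXED_KERNEL,
# comparing major, minor and patch as integers, not as strings, so that
# 4.1.9 is correctly treated as older than 4.1.39.
kernel_is_fixed() {
    ver=$(numeric_prefix "$1")
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    a_major=${1:-0}; a_minor=${2:-0}; a_patch=${3:-0}
    set -- $(printf '%s' "$FIXED_KERNEL" | tr '.' ' ')
    f_major=$1; f_minor=$2; f_patch=$3
    if [ "$a_major" -ne "$f_major" ]; then
        [ "$a_major" -gt "$f_major" ]; return
    fi
    if [ "$a_minor" -ne "$f_minor" ]; then
        [ "$a_minor" -gt "$f_minor" ]; return
    fi
    [ "$a_patch" -ge "$f_patch" ]
}

# report_running_kernel: apply the check to the kernel currently in memory.
# A host that has installed the update but not rebooted still fails here,
# which is exactly the state a defender wants surfaced.
report_running_kernel() {
    running=$(uname -r)
    if kernel_is_fixed "$running"; then
        echo "running kernel $running is at or above $FIXED_KERNEL"
    else
        echo "running kernel $running is below $FIXED_KERNEL: update and reboot"
    fi
}
```

Run `report_running_kernel` on the host after the update; a "below" result after the packages were installed means the reboot is still outstanding.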

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
