Description
Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive various security fixes and bug fixes.
The following security bugs were fixed:
- CVE-2017-1000111: fix race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365).
- CVE-2017-1000112: fix race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052311).
The following non-security bugs were fixed:
- powerpc/numa: fix regression that could cause kernel panics during installation (bsc#1048914).
- bcache: force trigger gc (bsc#1038078).
- bcache: only recovery I/O error for writethrough mode (bsc#1043652).
Package list
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise High Availability Extension 12 SP2
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP2
SUSE Linux Enterprise Workstation Extension 12 SP2
References
- Link for SUSE-SU-2017:2131-1
- E-Mail link for SUSE-SU-2017:2131-1
- SUSE Security Ratings
- SUSE Bug 1038078
- SUSE Bug 1043652
- SUSE Bug 1048914
- SUSE Bug 1052311
- SUSE Bug 1052365
- SUSE CVE CVE-2017-1000111 page
- SUSE CVE CVE-2017-1000112 page
Description
Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable; we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
Affected products
References
- CVE-2017-1000111
- SUSE Bug 1052365
- SUSE Bug 1052367
Description
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, between two send() calls the append path can be switched from the UFO path to the non-UFO one, which leads to memory corruption. If the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate a new skb is taken. This triggers fragmentation and the computation of fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
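The length arithmetic described above, carried through with constructed numbers as an added example (a simplified user-space model, not kernel code and not part of the advisory). The function and struct names, the maxfraglen rounding, the datalen clamp and the final consistency check are assumptions of this model.

```c
/* Simplified model of the fragment-length arithmetic; not kernel code. */
#include <stdio.h>

struct frag_calc {
    int copy_first;  /* copy = maxfraglen - skb->len on the non-UFO path */
    int fraggap;     /* skb_prev->len - maxfraglen */
    int datalen;     /* payload bytes planned for the new fragment */
    int copy_second; /* copy = datalen - transhdrlen - fraggap */
    int safe;        /* 1 when the carried-over bytes fit the new fragment */
};

/* prev_len: length of the skb queued by the earlier send() (constructed input).
 * length:   bytes still to append in this call. */
struct frag_calc model_append(int mtu, int fragheaderlen, int transhdrlen,
                              int prev_len, int length)
{
    struct frag_calc r = {0};
    /* Assumption: fragment payloads are rounded down to a multiple of 8. */
    int maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;

    r.copy_first = maxfraglen - prev_len;
    if (r.copy_first > 0) {        /* room left in the current skb */
        r.safe = 1;
        return r;
    }
    r.fraggap = prev_len - maxfraglen;
    r.datalen = length + r.fraggap;
    if (r.datalen > mtu - fragheaderlen)   /* assumption: clamp to one fragment */
        r.datalen = maxfraglen - fragheaderlen;
    r.copy_second = r.datalen - transhdrlen - r.fraggap;
    /* The non-UFO path relies on fraggap bytes fitting inside datalen. */
    r.safe = (r.copy_second >= 0 && r.fraggap <= r.datalen);
    return r;
}

int main(void)
{
    /* Constructed values: 1500-byte MTU, 20-byte IP header, second send(). */
    struct frag_calc ok  = model_append(1500, 20, 0, 1500, 100);
    struct frag_calc bad = model_append(1500, 20, 0, 3020, 100);
    printf("consistent: fraggap=%d copy=%d safe=%d\n",
           ok.fraggap, ok.copy_second, ok.safe);
    printf("switched:   fraggap=%d copy=%d safe=%d\n",
           bad.fraggap, bad.copy_second, bad.safe);
    return 0;
}
```

In the second case the queued skb is longer than the MTU, so fraggap (1520) exceeds the 1480 bytes planned for the new fragment and copy comes out at -40, which is the inconsistent state the description attributes to the path switch.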
Affected products
References
- CVE-2017-1000112
- SUSE Bug 1052311
- SUSE Bug 1052365
- SUSE Bug 1052368
- SUSE Bug 1072117
- SUSE Bug 1072162
- SUSE Bug 1115893